Connect an AWS Account

Sysdig Platform can collect both general metadata and various types of CloudWatch metrics from your AWS environment.

Use one of the following methods to connect an AWS account to Sysdig:

  • By using CloudWatch Metric Streams. You can do this in the following ways:

    • By using the CloudFormation template that Sysdig provides. Sysdig recommends using CloudFormation because it automatically creates all the resources required and it allows for setting up metric streams in multiple AWS regions simultaneously. See Using the CloudFormation Template.
    • By using your own CloudFormation template. See Case 2: Using the AWS Console.
    • By manually entering an AWS access key and secret key, and manually managing/rotating them as needed. See Connecting Manually.
    • By configuring AWS Role Delegation. Role delegation is an alternative to the integration methods that use access keys. It is the more secure option, because Amazon does not recommend sharing developer access keys with third parties. See Connecting Manually.
  • By using AWS CloudWatch APIs. You can do this in the following ways:

    • Using an AWS access key and secret key, and manually managing/rotating them as needed.
    • Using AWS Role Delegation.

After connecting an AWS account, data will become visible in the Sysdig Monitor UI after a 10-15 minute delay.

Access Cloud Accounts

  1. Log in to Sysdig Monitor as an administrator.

  2. In the management section of the left-hand sidebar, select Integration > Cloud Metrics.

    The Cloud Metrics page is displayed. Continue with connecting an AWS account.

Connect an AWS Account

  1. On the Cloud Metrics screen, click Add Account.
  2. Click Start Installation. The New AWS Account screen is displayed.
  3. Select one of the following integration methods.
    • CloudWatch Metric Streams
      • Use CloudFormation Template: Sysdig provides a CloudFormation template you can easily fill in. Select this option to open an AWS console for creating a stack. You will be given a pre-populated template to help you set up a stack to forward the data to Sysdig.
      • Configure Manually: Set up metric streams using the AWS console.
    • CloudWatch API
      • Role delegation
      • Access Key
  4. Complete the installation and click Confirm.

Connect with CloudWatch Metric Streams

You can connect an AWS account using CloudWatch Metric Streams either by using the CloudFormation template provided by Sysdig, or manually setting up all the metric streams resources by yourself.

Using the CloudFormation Template

On Sysdig Monitor UI
  1. On the Cloud Metrics page, click Add Account.
  2. Click Start Installation. The New AWS Account screen is displayed.
  3. Select CloudWatch Metric Streams.
  4. Click Use CloudFormation Template. You are redirected to log in to your AWS account. Continue with On AWS Console.
On AWS Console

Sysdig provides a CloudFormation template that creates a stack for the CloudWatch Metric Streams. The metric stream you create feeds data to Sysdig in each region specified in the template, and the role you specify runs and monitors the metric stream.

  1. Log in to your AWS account.

  2. Specify the following in the CloudFormation QuickCreate page.

    • Stack Name: The default name is Sysdig-CloudwatchMetricStream. This is the unique name to identify the stack you create for the CloudWatch Metric Streams.
    • API Key: Your Sysdig API key.
    • SysdigSite: The Sysdig Monitor URL associated with your region is auto-populated. Edit if you want to change the Sysdig URL.
    • Regions: The regions where you want to enable metric streaming. Enter them in a comma-separated list.
    • MonitoringRoleName: The default role name is SysdigCloudwatchIntegrationMonitoringRole. You can specify a different role if you wish to.
  3. Select the acknowledgement that AWS CloudFormation might create IAM resources with custom names.

  4. Click Create Stack. Expect a 10-15 minute delay for the stack creation to complete.

Connecting Manually

Case 1: Using the Sysdig CloudFormation Template

If you have already deployed the Sysdig CloudWatch Streams CloudFormation template and are receiving metric streams, you can manually associate your AWS account to verify the status of your CloudWatch Streams and namespace sources.

On Sysdig Monitor UI
  1. On the New AWS Account screen, select one of the methods:

    • Role Delegation: Specify the following:

      • Account ID: Your AWS account ID.
      • Role: The name you entered for MonitoringRoleName. This role will be used by Sysdig to monitor the status of the stream. The Parameters tab on the Stack details page shows the MonitoringRoleName. For more information on Role Delegation, see Role Delegation.
    • Access Key: Specify the following:

      • Access Key ID: Your AWS access key ID.
      • Secret Access Key: The secret access key associated with your account.

  2. Click Confirm.

Case 2: Using the AWS Console

You can choose to set up CloudWatch Metric Streams manually instead of using the Sysdig CloudFormation template. To do so, perform the following steps for each AWS region.

On AWS Console
  1. Log in to your AWS account.

  2. Create Kinesis Data Firehose Delivery Stream:

    1. Specify the following:

      • Source: Select Direct PUT or Other Sources.
      • Destination: Select HTTP endpoint.
    2. Specify the destination settings:

      • HTTP endpoint URL: Enter https://<your-sysdig-URL>/api/awsmetrics/v1/input.

      Replace <your-sysdig-URL> with the Sysdig URL associated with your region, one of the following:

      • app.sysdigcloud.com
      • us2.app.sysdig.com
      • eu1.app.sysdig.com

      For more information on regions, see SaaS Regions and IP Ranges.

      • Access key: Enter your Sysdig Monitor API Token. For more information, see Retrieve the Sysdig API Token.

      • Content encoding: Select Disabled.

      • Retry duration: Enter 60 seconds.

      • HTTP Buffer hints: Specify the following:

        • Buffer size: Enter 5MB.
        • Buffer interval: Enter 60 seconds.
    3. Specify the backup settings:

      • Source record backup in Amazon S3: Select Failed data only and choose an appropriate S3 bucket for backup.
      • HTTP Buffer hints: Specify the following:
        • Buffer size: Enter 5MB.
        • Buffer interval: Enter 60 seconds.
      • S3 compression: Select GZIP.
    4. For advanced settings, select Enable error logging.

    5. Click Create delivery stream.

  3. Create a new CloudWatch Metric Stream:

    1. Specify the following:
      • Metrics to be streamed: Either select all CloudWatch metrics, or choose specific namespaces with Include or Exclude lists.
    2. Specify the Configuration:
      • Choose Select an existing Firehose owned by your account and specify the Kinesis Data Firehose delivery stream created earlier for sending the metrics to Sysdig.
      • Service access to write to Kinesis Data Firehose: Select Create and use a new service role.
      • Change the output format: Select OpenTelemetry 0.7.
    3. Specify a meaningful name for the new metric stream.
    4. Click Create metric stream.
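The Case 2 procedure above expressed as a single CloudFormation template for one region. This is an added example written for this page, not Sysdig's own template; it assumes the S3 backup bucket and the two IAM roles (the one Firehose uses to write failed records to S3, and the one the metric stream uses to write to Firehose) already exist and are passed in as parameters, and the resource and log group names are sample values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SysdigSite:
    Type: String
    Default: app.sysdigcloud.com      # or us2.app.sysdig.com / eu1.app.sysdig.com
  SysdigApiToken:
    Type: String
    NoEcho: true                      # keeps the Sysdig API token out of stack parameter listings
  BackupBucketArn:
    Type: String                      # assumed pre-existing bucket, e.g. arn:aws:s3:::my-firehose-backup
  FirehoseRoleArn:
    Type: String                      # assumed pre-existing role Firehose uses to write failed records to S3
  MetricStreamRoleArn:
    Type: String                      # assumed pre-existing role the metric stream uses to write to Firehose
Resources:
  SysdigDeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamType: DirectPut           # "Direct PUT or other sources"
      HttpEndpointDestinationConfiguration:
        EndpointConfiguration:
          Url: !Sub "https://${SysdigSite}/api/awsmetrics/v1/input"
          AccessKey: !Ref SysdigApiToken      # Sysdig Monitor API token, sent by Firehose with each request
        RequestConfiguration:
          ContentEncoding: NONE               # "Content encoding: Disabled"
        RetryOptions:
          DurationInSeconds: 60
        BufferingHints:
          SizeInMBs: 5
          IntervalInSeconds: 60
        S3BackupMode: FailedDataOnly          # back up only records Sysdig did not accept
        S3Configuration:
          BucketARN: !Ref BackupBucketArn
          RoleARN: !Ref FirehoseRoleArn
          CompressionFormat: GZIP
          BufferingHints:
            SizeInMBs: 5
            IntervalInSeconds: 60
        CloudWatchLoggingOptions:             # "Enable error logging"; the log group must already exist
          Enabled: true
          LogGroupName: /aws/kinesisfirehose/sysdig-metrics
          LogStreamName: HttpEndpointDelivery
  SysdigMetricStream:
    Type: AWS::CloudWatch::MetricStream
    Properties:
      Name: sysdig-metric-stream              # sample name; pick a meaningful one
      FirehoseArn: !GetAtt SysdigDeliveryStream.Arn
      RoleArn: !Ref MetricStreamRoleArn
      OutputFormat: opentelemetry0.7
      # no IncludeFilters/ExcludeFilters: streams all namespaces; add them to narrow the set
```

Deploy the stack once per region you want to stream from, which mirrors the per-region repetition the manual steps require.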
On Sysdig Monitor UI

Log in to Sysdig Monitor, and add a new account by using Role Delegation or Access Key. Ensure that you configure the IAM Policy while setting up CloudWatch Metric Streams.

Using CloudWatch API

  1. On the Cloud Metrics page, click Add Account.

  2. Click Start Installation. The New AWS Account screen is displayed.

  3. On the New AWS Account screen, select one of the methods:

    • Role Delegation: Specify the following:

      • Account ID: Your AWS account ID.
      • Role: The name you entered for MonitoringRoleName. This role will be used by Sysdig to monitor the status of the stream. The Parameters tab on the Stack details page shows the MonitoringRoleName. For more information, see Role Delegation.
    • Access Key: Specify the following:

      • Access Key ID: Your AWS access key ID.
      • Secret Access Key: The secret access key associated with your account.

    For more information, see Integrate AWS Account and CloudWatch Metrics.

  4. Click Confirm.