
Using keys

  1. Prerequisites: Have AWS credentials ready (an access key ID and secret access key) for an IAM principal that has read access to CloudWatch metrics and logs.
  2. Configuring DrDroid: In the DrDroid platform, navigate to Integrations > CloudWatch. Enter the AWS access key ID and secret access key, and specify the region in which your CloudWatch logs are stored.
  3. Testing the Integration: Test the integration from the same page to confirm that the credentials and region are correct before you rely on it.
Note: For security reasons, most teams create a dedicated IAM user for this integration, with only the permissions listed below attached, rather than reusing an existing user's keys.

Steps to create a new user:

Step 1: Create a new IAM user

In the IAM console of your AWS account, go to Users and create a new user.

Step 2: Attach the AWS managed policy CloudWatchReadOnlyAccess directly to the user.

You don’t need to add the user to any group.

Step 3: Once the user is created, open its “Security credentials” tab and create an access key.

Step 4: Select “Third-party service” (or “Application running on an AWS compute service”) as the use case when creating the key. The console will recommend a role instead of a long-lived key; the AssumeRole method below is that alternative if your team prefers it.

Step 5: Paste the access key ID and secret access key into the Integrations page. The secret is shown only once; if it is lost, create a new key and delete the old one instead of reusing a key from elsewhere.


Using AssumeRole

To connect using AssumeRole, we recommend setting up a call with our team, as the setup requires several exchanges of information.
  1. Share your AWS account number with the Doctor Droid team.
  2. Create a new role in your account with the following trust policy. {{Role_ARN}} is the complete ARN of the Doctor Droid principal and is shared by the Doctor Droid team; replace the whole placeholder with it, so that the Principal value is a full ARN beginning with arn:aws:iam:: and not that prefix added twice.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "{{Role_ARN}}"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    This trust policy lets only the named Doctor Droid principal assume the role. For a role assumed by a third party, it is good practice to also require an external ID (a Condition of StringEquals on sts:ExternalId) so the role cannot be used on another customer's behalf; ask the Doctor Droid team whether they support one before adding it.

  3. Attach the following policy to the role (shown as a CloudFormation-style inline policy; use the equivalent JSON document if you create it in the console or with the CLI):
    PolicyName: CloudWatchReadOnlyAccessPolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 'cloudwatch:Describe*'
            - 'cloudwatch:Get*'
            - 'cloudwatch:List*'
            - 'logs:Get*'
            - 'logs:Describe*'
            - 'logs:List*'
            - 'logs:StartQuery'
            - 'logs:StopQuery'
            - 'logs:GetQueryResults'
            - 'logs:FilterLogEvents'
          Resource: '*'

  4. Share the ARN of the role you created with the Doctor Droid team.
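The AssumeRole steps above as a script, added here as a worked example (it is not Doctor Droid's own tooling). It checks that the value shared by the Doctor Droid team is a complete IAM ARN (catching the common mistake of prefixing an ARN with arn:aws:iam:: a second time), builds the trust policy with an optional sts:ExternalId condition (an assumption: confirm with the Doctor Droid team that they support an external ID before using one), and writes the trust and permissions documents as JSON for the AWS CLI. The account ID, role name and external ID in the sample are constructed.

```python
"""Build the IAM role documents for the Doctor Droid AssumeRole connector.

Added example, not Doctor Droid's own tooling.  Assumes the value shared by
the Doctor Droid team is a complete IAM principal ARN and that an external ID
can be agreed with them (the condition is only added when one is given).
"""
import json
import re

# A complete IAM principal ARN: partition, 12-digit account, root/role/user path.
_PRINCIPAL_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(root|(role|user)/[\w+=,.@/-]+)$"
)

# Read-only actions from the page's CloudWatchReadOnlyAccessPolicy.
CLOUDWATCH_READ_ACTIONS = [
    "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
    "logs:Get*", "logs:Describe*", "logs:List*",
    "logs:StartQuery", "logs:StopQuery", "logs:GetQueryResults",
    "logs:FilterLogEvents",
]


def is_valid_principal_arn(value: str) -> bool:
    """True only for a full ARN; rejects 'arn:aws:iam::' + <full ARN> mistakes."""
    return _PRINCIPAL_ARN.match(value) is not None


def build_trust_policy(principal_arn: str, external_id: str = "") -> dict:
    """Trust policy letting exactly one external principal assume the role."""
    if not is_valid_principal_arn(principal_arn):
        raise ValueError(f"Principal must be a complete IAM ARN, got {principal_arn!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # Confused-deputy protection: the caller must also present this ID.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy() -> dict:
    """JSON equivalent of the YAML inline policy from the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(CLOUDWATCH_READ_ACTIONS),
            "Resource": "*",
        }],
    }


def write_policy_files(principal_arn: str, external_id: str = "") -> dict:
    """Write trust.json and permissions.json to the working directory."""
    docs = {
        "trust.json": build_trust_policy(principal_arn, external_id),
        "permissions.json": build_permissions_policy(),
    }
    for name, doc in docs.items():
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
    return docs


if __name__ == "__main__":
    # Constructed sample values; the real ARN comes from the Doctor Droid team.
    shared_arn = "arn:aws:iam::123456789012:role/DoctorDroidConnector"
    write_policy_files(shared_arn, external_id="agree-this-with-doctor-droid")
    # Then, in your own account (role name is the caller's choice):
    #   aws iam create-role --role-name DoctorDroidReadOnly \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name DoctorDroidReadOnly \
    #       --policy-name CloudWatchReadOnlyAccessPolicy \
    #       --policy-document file://permissions.json
    # and share the Arn from create-role's output with the Doctor Droid team.
```

The role ARN to share back is printed by create-role; it is your own role's ARN, not the Doctor Droid ARN you were given.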

Cost Exploration Reports

To generate cost exploration reports, attach the following customer managed policy to the IAM user (or role) whose credentials are configured for the connector. Every statement is read-only, but review it against your own environment before attaching: s3:GetObject and s3:ListBucket on Resource "*" allow reading every object in every bucket in the account, so scope that statement to the bucket that holds your Cost and Usage Report; logs:Get*, logs:FilterLogEvents and logs:StartLiveTail return log contents rather than metadata; ecr:BatchGetImage and ecr:GetDownloadUrlForLayer allow pulling image layers; iam:Get* and iam:List* expose the account's full IAM configuration; and the aws-portal:* actions belong to the retired coarse-grained billing permissions and are replaced by fine-grained billing and cost management actions, so check AWS's migration guidance for the equivalents your account needs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InfrastructureInventoryReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "eks:Describe*",
        "eks:List*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "rds:Describe*",
        "elasticache:Describe*",
        "fsx:Describe*",
        "kafka:Describe*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ObservabilityAndUsageReadOnly",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "cloudwatch:Describe*",
        "cloudwatch:GenerateQuery",
        "logs:Get*",
        "logs:List*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:StartLiveTail",
        "logs:StopLiveTail",
        "xray:Get*",
        "xray:List*",
        "xray:BatchGet*",
        "synthetics:Get*",
        "synthetics:List*",
        "synthetics:Describe*",
        "rum:Get*",
        "rum:List*",
        "rum:BatchGet*",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CostExplorerAndBillingReadOnly",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetUsageForecast",
        "ce:GetReservationUtilization",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:ListCostCategoryDefinitions",
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage",
        "aws-portal:ViewAccount"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CostAllocationTagsReadOnly",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OptimizationInsightsReadOnly",
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:Get*",
        "compute-optimizer:Describe*",
        "trustedadvisor:Get*",
        "trustedadvisor:Describe*",
        "trustedadvisor:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRReadOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:Describe*",
        "ecr:List*",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnly",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PerformanceInsightsReadOnly",
      "Effect": "Allow",
      "Action": [
        "pi:Get*",
        "pi:Describe*",
        "pi:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ServiceQuotasReadOnly",
      "Effect": "Allow",
      "Action": "servicequotas:GetServiceQuota",
      "Resource": "*"
    },
    {
      "Sid": "CURAndAthenaReadOnly",
      "Effect": "Allow",
      "Action": [
        "cur:DescribeReportDefinitions",
        "athena:Get*",
        "athena:List*",
        "glue:Get*",
        "glue:List*",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
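A pre-attachment audit of a policy like the one above, added here as a worked example (not Doctor Droid's code). It classifies each action as read-only metadata, data-read, retired (aws-portal) or mutating, flags data-read actions that sit on Resource "*", and shows how to move the s3 actions into a statement scoped to one bucket. The verb prefixes and the list of data-read actions are this example's own heuristics, not an AWS list; SAMPLE_POLICY is a trimmed copy of the page's policy plus one constructed statement containing a write action so the audit has something to catch, and the bucket name is constructed.

```python
"""Audit a connector IAM policy before attaching it.

Added example, not Doctor Droid's code.  The read-verb prefixes and the
"data-read" action list are this example's own heuristics, not an AWS list.
SAMPLE_POLICY is a trimmed copy of the page's policy plus one constructed
statement (ConstructedTypo) so the audit has a write action to catch.
"""
import copy
import fnmatch
import json

# Verb prefixes treated as read-only (heuristic).
READ_VERB_PREFIXES = ("Get", "List", "Describe", "BatchGet", "BatchCheck",
                      "Generate", "Filter", "Start", "Stop", "View")

# Read actions that return payload data (log lines, objects, image layers),
# not just configuration metadata.  Heuristic subset for this example.
DATA_READ_ACTIONS = (
    "s3:GetObject", "logs:GetLogEvents", "logs:FilterLogEvents",
    "logs:GetQueryResults", "logs:StartLiveTail",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
)

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObservabilityAndUsageReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:Get*", "logs:Get*", "logs:FilterLogEvents"]},
        {"Sid": "CostExplorerAndBillingReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "aws-portal:ViewBilling", "aws-portal:ViewUsage"]},
        {"Sid": "ECRReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ecr:GetAuthorizationToken", "ecr:Describe*", "ecr:BatchGetImage"]},
        {"Sid": "CURAndAthenaReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["cur:DescribeReportDefinitions", "athena:Get*", "s3:GetObject", "s3:ListBucket"]},
        # Constructed for this example: a write action that slipped in.
        {"Sid": "ConstructedTypo", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:PutObject"]},
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def classify_action(action: str) -> str:
    """'read', 'data-read', 'retired' (aws-portal) or 'mutating-or-unknown'."""
    service, _, verb = action.partition(":")
    if service == "aws-portal":
        return "retired"
    if "*" in (action, verb):
        return "mutating-or-unknown"
    # A wildcard such as logs:Get* silently covers logs:GetLogEvents.
    if any(fnmatch.fnmatchcase(data, action) for data in DATA_READ_ACTIONS):
        return "data-read"
    if verb.rstrip("*").startswith(READ_VERB_PREFIXES):
        return "read"
    return "mutating-or-unknown"


def audit_policy(policy: dict) -> dict:
    """Findings grouped by kind, each as a (Sid, action) pair."""
    findings = {"mutating": [], "retired": [], "data_read_on_any_resource": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            kind = classify_action(action)
            if kind == "mutating-or-unknown":
                findings["mutating"].append((sid, action))
            elif kind == "retired":
                findings["retired"].append((sid, action))
            elif kind == "data-read" and any_resource:
                findings["data_read_on_any_resource"].append((sid, action))
    return findings


def scope_s3_to_bucket(policy: dict, bucket: str) -> dict:
    """Copy of the policy with every s3:* action moved off Resource "*" into
    one statement limited to the given bucket; emptied statements are dropped."""
    out = copy.deepcopy(policy)
    moved, kept = [], []
    for stmt in out["Statement"]:
        actions = as_list(stmt.get("Action", []))
        if "*" in as_list(stmt.get("Resource", [])):
            s3 = [a for a in actions if a.startswith("s3:")]
            moved.extend(s3)
            actions = [a for a in actions if a not in s3]
        stmt["Action"] = actions
        if actions:
            kept.append(stmt)
    if moved:
        kept.append({"Sid": "CURBucketReadOnly", "Effect": "Allow",
                     "Action": sorted(set(moved)),
                     "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]})
    out["Statement"] = kept
    return out


if __name__ == "__main__":
    for kind, hits in audit_policy(SAMPLE_POLICY).items():
        print(f"{kind}: {hits}")
    print(json.dumps(scope_s3_to_bucket(SAMPLE_POLICY, "my-cur-bucket"), indent=2))
```

Scoping the bucket does not hide the constructed s3:PutObject: it is moved along with the other s3 actions and still reported as mutating, which is the point of running the audit again on the rewritten document.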