AWS Probe EC2 Factory Template Being Applied not getting ECS metrics

Document ID : KB000116786
Last Modified Date : 12/10/2018
Show Technical Document Details
Issue:
Made a copy of the EC2 Default template, modified  it and activated a few other services like ECS.  See that the new EC2 template is being applied, but the probe is not collecting any of the ECS data that was activated in the modified template.  Also, the aws Dashboards are no populating with CPU and Network data for EC2 instances even though all the metrics are turned on to collect the data.

Message seen in the aws.log when running the connection test are similar to the following:

EC2Discovery::EC2 DescribeInstance Caught Exception for Region: [ap-northeast-1]You are not authorized to perform this operation. (Service: AmazonEC2; ; Request ID: <request ID>)


Using AWS global user policies for user authentication in AWS.
Environment:
UIM 8.51
aws: 5.40
Cause:
Insufficient permissions defined in AWS for the user associated with the configured Access Key and Secret Access Key values
The aws probe through the 5.40 release uses
AWS Identity and Access Management (IAM) authentication.
 
Resolution:
Policies that may need to be enabled in AWS for the user associated with the configured Access Key Id in the aws probe configuration file for AWS Identity and Access Management (IAM) authentication:

The following policies should be checked:

- AmazonReadOnlyAccess ***
- AmazonDynamoDBReadOnlyAccess
- AmazonEC2ReadOnlyAccess
- AmazonElastiCacheReadOnlyAccess
- AmazonRDSReadOnlyAccess
- AmazonRoute53ReadOnlyAccess
- AmazonS3ReadOnlyAccess *** (Note: The probe requires the AmazonS3FullAccess *** policy to monitor S3 Write performance)
- AmazonSNSReadOnlyAccess
- AmazonSQSReadOnlyAccess

To monitor root account billing details, in addition to ReadOnly access for CloudWatch service the probe requires the following policies:

- AWSAccountUsageReportAccess ***
- AWSAccountActivityAccess ***

To monitor EC2 containers:

- AmazonEC2ContainerServiceFullAccess

If the following policies exist (the documentation may be a little bit lacking), these should also be checked:

- AmazonECSReadOnlyAccess
- AmazonLambdaReadOnlyAccess

Policies marked with *** are the only ones called for in the Installation Consideration section of the aws (Amazon Web Services Monitoring Release Notes