
Amazon Web Services (AWS)

Overview

Causely provides comprehensive native integration with Amazon Web Services (AWS) to help you identify and resolve infrastructure and service performance issues before they impact your users.

Instead of just monitoring symptoms, Causely analyzes real-time signals from your AWS infrastructure to surface the actual root causes of problems across your entire AWS ecosystem.

By setting up the AWS integration, you will be able to:

Supported AWS Services

Causely integrates with the following AWS services to provide comprehensive observability and root cause analysis:

  • Application Load Balancer (ALB)
  • Network Load Balancer (NLB)
  • Amazon ECS
  • AWS Lambda
  • Amazon RDS
  • Amazon MSK
  • Amazon EC2
  • Amazon EBS
  • AWS OpenSearch
Tip: For AWS RDS and AWS OpenSearch, also read the OpenSearch documentation, MySQL documentation and PostgreSQL documentation.

Setup Guide

Authentication Options

Causely supports two authentication methods for AWS integration. Choose the method that best fits your security requirements.

Option 1: IAM Role

IAM roles for service accounts in Amazon EKS enhance security by enabling least privilege access, isolating credentials between Pods, and improving auditability.

AWS security best practices promote the use of EKS Pod identity.

For more details, see the AWS documentation for EKS Pod Identity and for IAM Roles for Service Accounts.

1. Create an IAM role in the source account

Select Custom trust policy as the trusted entity type and paste the following trust policy, substituting your account ID, your region and your OIDC provider ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:causely:causely-mediator",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

2. Name the role

Enter a name for the role, for example: CauselyMediation

3. Register the OIDC provider in the target account

Run the following command to register the OIDC provider in the target account:

aws iam create-open-id-connect-provider \
  --url "https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" \
  --client-id-list "sts.amazonaws.com" \
  --thumbprint-list "AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT"

4. Create an IAM role in the target account

Select Custom trust policy as the trusted entity type and paste the following trust policy with your source account ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::222222222222:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:causely:causely-mediator",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

5. Name the target account role

Enter a name for the role, for example: CauselyAccess

6. Assign policies to the role

For comprehensive access (recommended):

For granular access, assign these specific policies:

7. Create Kubernetes secret

Create the following Kubernetes secret in the same namespace as the Causely mediator:

aws-secret.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: aws-secret
  namespace: causely
stringData:
  AWS_REGION: region-code
  AWS_ROLE_ARN: arn:aws:iam::222222222222:role/CauselyAccess

8. Update Causely mediator configuration

Update the Causely mediator with the following Helm values:

causely-values.yaml

mediator:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/CauselyMediation

scrapers:
  aws:
    enabled: true
    accounts:
      - arn: arn:aws:organizations::222222222222:account/o-pyxgi8opc5/123456789012
        secretName: aws-secret
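
A check for the trust policies pasted in steps 1 and 4, as an added example that is not part of the Causely documentation: it confirms that each `sts:AssumeRoleWithWebIdentity` statement pins both the `sub` and `aud` claims with `StringEquals`, so only the `causely-mediator` service account can assume the role. The function names and the two weakened sample policies are constructed for illustration, and the check goes slightly beyond the page by also flagging a wildcard `StringLike` match on `sub`.

```python
ISSUER = "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
SUBJECT = "system:serviceaccount:causely:causely-mediator"

def audit_trust_policy(policy, expected_sub, expected_aud="sts.amazonaws.com"):
    """Return findings for each web-identity statement; an empty list means OK."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for n, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not isinstance(federated, str) or ":oidc-provider/" not in federated:
            findings.append(f"statement {n}: principal is not a single OIDC provider ARN")
            continue
        # Condition keys are prefixed with the issuer taken from the provider ARN.
        issuer = federated.split(":oidc-provider/", 1)[1]
        conditions = stmt.get("Condition", {})
        equals = conditions.get("StringEquals", {})
        for claim, expected in (("sub", expected_sub), ("aud", expected_aud)):
            key = f"{issuer}:{claim}"
            loose = [op for op, body in conditions.items() if op != "StringEquals" and key in body]
            if key not in equals:
                detail = f"matched only by {loose[0]}" if loose else "not constrained"
                findings.append(f"statement {n}: {claim} {detail}")
            elif equals[key] != expected:
                findings.append(f"statement {n}: {claim} is {equals[key]!r}, expected {expected!r}")
    return findings

def make_policy(account_id, condition):
    """Build a trust policy shaped like the ones in steps 1 and 4 (constructed sample)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

# Constructed samples: the policy from step 1 and two weakened variants.
PAGE_POLICY = make_policy("111111111111", {"StringEquals": {
    f"{ISSUER}:sub": SUBJECT, f"{ISSUER}:aud": "sts.amazonaws.com"}})
NO_SUB = make_policy("111111111111", {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})
WILDCARD_SUB = make_policy("111111111111", {
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "system:serviceaccount:*:*"}})

if __name__ == "__main__":
    for name, pol in [("page", PAGE_POLICY), ("no-sub", NO_SUB), ("wildcard", WILDCARD_SUB)]:
        print(name, audit_trust_policy(pol, SUBJECT) or "OK")
```

To audit a deployed role, feed the function the `AssumeRolePolicyDocument` returned by `aws iam get-role`.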

Option 2: IAM User

For simpler setups or development environments, you can use IAM user credentials.

1. Create an IAM user

Create an IAM user with the following policies:

Or for more granular access, assign the following predefined policies to the user:

2. Create Kubernetes secret

Create the following Kubernetes secret in the same namespace as the Causely mediator:

aws-secret.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: aws-secret
  namespace: causely
stringData:
  AWS_REGION: region-code
  AWS_ACCESS_KEY_ID: YYY
  AWS_SECRET_ACCESS_KEY: ZZZ

3. Update Causely configuration

Update the Causely mediator with the following Helm values:

causely-values.yaml

scrapers:
  aws:
    enabled: true
    accounts:
      - arn: arn:aws:organizations::111111111111:account/o-pyxgi8opc5/123456789012
        secretName: aws-secret

Alternative: Enable Credentials Autodiscovery

Causely supports credentials autodiscovery for simplified management:

kubectl --namespace causely label secret aws-secret "causely.ai/scraper=AWS"

What Data is Collected

Causely collects comprehensive metadata and performance information from your AWS infrastructure. Among others, Causely collects the following data:

  • Application Load Balancer (ALB) / Network Load Balancer (NLB)
    • Load balancer entities with DNS names and ARNs
    • Request metrics including total requests, error rates (4xx, 5xx)
    • Performance metrics including response times and target health
    • Target group mappings to backend services
    • Connection error tracking and timeout analysis
    • Authentication metrics and configuration validation
    • Network endpoint mapping to Kubernetes services
    • External DNS hostname integration for custom domains
  • Amazon ECS
    • Cluster entities with service mappings and task definitions
    • Service performance including CPU and memory utilization
    • Task health and container metrics
    • Resource capacity and utilization tracking
    • Service-to-workload relationship mapping
    • Compute resource allocation and usage
  • AWS Lambda
    • Function entities with ARNs and configurations
    • Invocation metrics and error rates
    • Performance data including duration and memory usage
    • Function URL mappings and network endpoints
    • Compute resource tracking for serverless workloads
  • Amazon RDS
    • Database instance entities with connection details
    • Performance metrics including CPU, memory, and I/O utilization
    • Connection usage and capacity tracking
    • Database engine information and version details
    • Storage metrics including free space and IOPS utilization
    • Slow query identification and analysis
    • Network endpoints for database connectivity
  • Amazon MSK (Managed Streaming for Apache Kafka)
    • Cluster entities with broker information
    • Broker performance including CPU, memory, and storage usage
    • Network endpoints for Kafka connectivity
    • Storage metrics and capacity utilization
    • Cluster health and broker status tracking
  • Amazon EC2
    • Virtual machine entities with instance details
    • Resource utilization including CPU, memory, and network
    • Instance type information and capacity planning
    • Performance metrics from CloudWatch
    • Instance state and health monitoring
    • Storage relationships to EBS volumes
  • Amazon EBS
    • Volume entities with capacity and performance characteristics
    • I/O performance including IOPS and throughput metrics
    • Storage utilization and capacity tracking
    • Volume attachment relationships to EC2 instances
    • Performance optimization recommendations
  • CloudWatch Integration
    • Real-time metrics collection from all supported services
    • Historical data analysis for trend identification
    • Custom metric support for application-specific monitoring
    • Automatic correlation between infrastructure metrics and service health
    • Threshold monitoring and anomaly detection