Amazon Web Services (AWS)

Signals Provided

• Infrastructure Entities - Complete infrastructure topology including compute, storage, and networking resources
• Metrics - Performance metrics from applications and infrastructure
• Service Discovery - Automatic discovery of services, workloads, and infrastructure components
• Symptoms - Automatic symptom detection from metrics, traces, and external monitoring systems

Overview

Causely provides comprehensive native integration with Amazon Web Services (AWS) to help you identify and resolve infrastructure and service performance issues before they impact your users.

Instead of just monitoring symptoms, Causely analyzes real-time signals from your AWS infrastructure to surface the actual causes of problems across your entire AWS ecosystem.

By setting up the AWS integration, you will be able to:

• Identify causes for reliability issues originating from your AWS infrastructure and services, including:

  • Service Congestion and Service Malfunction
  • Application Load Balancer Misconfiguration issues
  • Authentication and Network Policy misconfigurations
  • Memory Pressure and CPU Congested issues
  • Disk Pressure and I/O congestion

• Observe AWS services as entities in the Topology Graph, including their relationships to Kubernetes services and dependencies

• Monitor performance metrics from CloudWatch with automatic correlation to service health and user impact

Supported AWS Services

Causely integrates with the following AWS services to provide comprehensive observability and causal inference:

• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic Container Service (ECS)
• Amazon ElastiCache
• Amazon Managed Streaming for Apache Kafka (MSK)
• Amazon OpenSearch Service
• Amazon Relational Database Service (RDS)
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Application Load Balancer (ALB)
• AWS Lambda
• Network Load Balancer (NLB)

Database-specific setup

For AWS RDS databases, see the database-specific documentation for detailed setup and configuration verification:

• PostgreSQL
• MySQL
• OpenSearch / Elasticsearch

Setup Guide

Authentication Options

Causely supports two authentication methods for AWS integration. Choose the method that best fits your security requirements.

Option 1: IAM Role

IAM roles for service accounts in Amazon EKS enhance security by enabling least privilege access, isolating credentials between Pods, and improving auditability.

AWS security best practices promote the use of EKS Pod identity.

For more details see the AWS documentation for EKS Pod Identity and the for IAM Roles for Service Accounts.

1. Create an IAM role in the source account

Select the Custom trust policy as trusted entity type and paste the following trust policy with your account id, your region and your OIDC provider id:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:causely:causely-mediator",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

2. Name the role

Enter a name for the role, for example: CauselyMediation

3. Register the OIDC provider in the target account

Run the following command to register the OIDC provider in the target account:

aws iam create-open-id-connect-provider \
    --url "https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" \
    --client-id-list "sts.amazonaws.com" \
    --thumbprint-list "AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT"

4. Create an IAM role in the target account

Select the Custom trust policy as trusted entity type and paste the following trust policy with your source account id:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::222222222222:assumed-role/CauselyMediation/CauselyMediatorSession"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

5. Name the target account role

Enter a name for the role, for example: CauselyAccess

6. Assign policies to the role

For comprehensive access (recommended):

• ReadOnlyAccess

For granular access, assign these specific policies:

• AmazonEC2ReadOnlyAccess
• AmazonECS_FullAccess
• AmazonElastiCache ReadOnlyAccess
• AmazonMSK ReadOnlyAccess
• AmazonRDS ReadOnlyAccess
• AmazonSNS ReadOnlyAccess
• AmazonSQS ReadOnlyAccess
• AWSLambda_ReadOnlyAccess
• AWSResourceGroupsReadOnlyAccess
• ElasticLoadBalancingReadOnly

7. Create Kubernetes secret

Create the following Kubernetes secret in the same namespace as the Causely mediator:

aws-secret.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: aws-secret
  namespace: causely
stringData:
  AWS_REGION: region-code
  AWS_ROLE_ARN: arn:aws:iam::222222222222:role/CauselyAccess

8. Update Causely mediator configuration

Update the Causely mediator with the following helm values

causely-values.yaml

mediator:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/CauselyMediation

scrapers:
  aws:
    enabled: true
    accounts:
      - arn: arn:aws:organizations::222222222222:account/o-pyxgi8opc5/123456789012
        secretName: aws-secret

Option 2: IAM User

For simpler setups or development environments, you can use IAM user credentials.

1. Create an IAM user

Create an IAM user with the following policies:

• ReadOnlyAccess

Or for more granular access, assign the following predefined policies to the user:

• AmazonEC2ReadOnlyAccess
• AmazonECS_FullAccess
• AmazonElastiCache ReadOnlyAccess
• AmazonMSK ReadOnlyAccess
• AmazonRDS ReadOnlyAccess
• AmazonSNS ReadOnlyAccess
• AmazonSQS ReadOnlyAccess
• AWSLambda_ReadOnlyAccess
• AWSResourceGroupsReadOnlyAccess
• ElasticLoadBalancingReadOnly

2. Create Kubernetes secret

Create the following Kubernetes secret in the same namespace as the Causely mediator:

aws-secret.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: aws-secret
  namespace: causely
stringData:
  AWS_REGION: region-code
  AWS_ACCESS_KEY_ID: YYY
  AWS_SECRET_ACCESS_KEY: ZZZ

3. Update Causely configuration

Update the Causely mediator with the following helm values

causely-values.yaml

scrapers:
  aws:
    enabled: true
    accounts:
      - arn: arn:aws:organizations::222222222222:account/o-pyxgi8opc5/123456789012
        secretName: aws-secret

Alternative: Enable Credentials Autodiscovery

Causely supports credentials autodiscovery for simplified management:

kubectl --namespace causely label secret aws-secret "causely.ai/scraper=AWS"

What Data is Collected

Causely collects comprehensive metadata and performance information from your AWS infrastructure. Among others, Causely collects the following data:

• Application Load Balancer (ALB) / Network Load Balancer (NLB)
  • Load balancer entities with DNS names and ARNs
  • Request metrics including total requests, error rates (4xx, 5xx)
  • Performance metrics including response times and target health
  • Target group mappings to backend services
  • Connection error tracking and timeout analysis
  • Authentication metrics and configuration validation
  • Network endpoint mapping to Kubernetes services
  • External DNS hostname integration for custom domains
• Amazon ECS
  • Cluster entities with service mappings and task definitions
  • Service performance including CPU and memory utilization
  • Task health and container metrics
  • Resource capacity and utilization tracking
  • Service-to-workload relationship mapping
  • Compute resource allocation and usage
• AWS Lambda
  • Function entities with ARNs and configurations
  • Invocation metrics and error rates
  • Performance data including duration and memory usage
  • Function URL mappings and network endpoints
  • Compute resource tracking for serverless workloads
• Amazon RDS
  • Database instance entities with connection details
  • Performance metrics including CPU, memory, and I/O utilization
  • Connection usage and capacity tracking
  • Database engine information and version details
  • Storage metrics including free space and IOPS utilization
  • Slow query identification and analysis
  • Network endpoints for database connectivity
• Amazon MSK (Managed Streaming Kafka)
  • Cluster entities with broker information
  • Broker performance including CPU, memory, and storage usage
  • Network endpoints for Kafka connectivity
  • Storage metrics and capacity utilization
  • Cluster health and broker status tracking
• Amazon ElastiCache
  • ElasticCache Compute, Network and Cache metrics including connection usage and cache hits
• Amazon SNS and SQS
  • SNS Topics and subscribed SQS queues
  • Number of messages available for retrieval from the queue
• Amazon EC2
  • Virtual machine entities with instance details
  • Resource utilization including CPU, memory, and network
  • Instance type information and capacity planning
  • Performance metrics from CloudWatch
  • Instance state and health monitoring
  • Storage relationships to EBS volumes
• Amazon EBS
  • Volume entities with capacity and performance characteristics
  • I/O performance including IOPS and throughput metrics
  • Storage utilization and capacity tracking
  • Volume attachment relationships to EC2 instances
  • Performance optimization recommendations
• CloudWatch Integration
  • Real-time metrics collection from all supported services
  • Historical data analysis for trend identification
  • Custom metric support for application-specific monitoring
  • Automatic correlation between infrastructure metrics and service health
  • Threshold monitoring and anomaly detection