AWS KMS Monitoring Extension

Use Case

Captures the number of seconds remaining until imported key material expires and displays them in the AppDynamics Metric Browser..This metric is valid only for CMKs whose origin is EXTERNAL and whose key material is or was set to expire.

Prerequisites

1. Before the extension is installed, the prerequisites mentioned here need to be met. Please do not proceed with the extension installation if the specified prerequisites are not met.
2. Please give the following permissions to the account being used to with the extension.

   cloudwatch:ListMetrics
   cloudwatch:GetMetricStatistics

3. In order to use this extension, you do need a Standalone JAVA Machine Agent or SIM Agent. For more details on downloading these products, please visit here.
4. The extension needs to be able to connect to AWS Cloudwatch in order to collect and send metrics. To do this, you will have to either establish a remote connection in between the extension and the product using access key and secret key, or have an agent running on EC2 instance, which you can use with instance profile.

Agent Compatibility:

Note : This extension is compatible with Machine Agent version 4.5.13 or later.

1. If you are seeing warning messages while starting the Machine Agent, update the http-client and http-core JARs in {MACHINE_AGENT_HOME}/monitorsLibs to httpclient-4.5.9 and httpcore-4.4.12 to make this warning go away.
2. To make this extension work on Machine Agent < 4.5.13:
   The http-client and http-core JARs in {MACHINE_AGENT_HOME}/monitorsLibs has to be manually be updated to httpclient-4.5.9 and httpcore-4.4.12.

Installation

1. Run mvn clean install from aws-kms-monitoring-extension
2. Copy and unzip KMSMonitor-<version>.zip from target directory into <machine_agent_dir>/monitors/
3. Edit the file config.yml located at <MachineAgent_Dir>/monitors/KMSMonitor The metricPrefix of the extension has to be configured as specified here. Please make sure that the right metricPrefix is chosen based on your machine agent deployment, otherwise this could lead to metrics not being visible in the controller.
4. Restart the Machine Agent. Please place the extension in the "monitors" directory of your Machine Agent installation directory. Do not place the extension in the "extensions" directory of your Machine Agent installation directory.

Configuration

In order to use the extension, you need to update the config.yml file that is present in the extension folder. The following is a step-by-step explanation of the configurable fields that are present in the config.yml file.

1. Edit the file config.yml located at <MachineAgent_Dir>/monitors/AWSKMSMonitor The metricPrefix of the extension has to be configured as specified here. Please make sure that the right metricPrefix is chosen based on your machine agent deployment, otherwise this could lead to metrics not being visible in the controller.

2. Provide accessKey(required) and secretKey(required) of your account(s), also provide displayAccountName(any name that represents your account) and regions(required). If you are running this extension inside an EC2 instance which has IAM profile configured then you don't have to configure accessKey and secretKey values, extension will use IAM profile to authenticate. You can provide multiple accounts and regions as below -

   accounts:
     - awsAccessKey: "XXXXXXXX1"
       awsSecretKey: "XXXXXXXXXX1"
       displayAccountName: "TestAccount_1"
       regions: ["us-east-1","us-west-1","us-west-2"]
     - awsAccessKey: "XXXXXXXX2"
       awsSecretKey: "XXXXXXXXXX2"
       displayAccountName: "TestAccount_2"
       regions: ["eu-central-1","eu-west-1"]

3. If you want to encrypt the awsAccessKey and awsSecretKey then follow the "Credentials Encryption" section and provide the encrypted values in awsAccessKey and awsSecretKey. Configure enableDecryption of credentialsDecryptionConfig to true and provide the encryption key in encryptionKey. For example,

   #Encryption key for Encrypted password.
   credentialsDecryptionConfig:
       enableDecryption: "true"
       encryptionKey: "XXXXXXXX"

4. To report metrics only from specific dimension values, configure the dimesion section. Dimensions for AWS KMS are KeyId

   dimensions:
     - name: "KeyId"
       displayName: "KeyId"
       values: [".*"]

   If .* is used, all dimension values are monitored and if empty, none are monitored.

5. Configure the metrics section.

   For configuring the metrics, the following properties can be used:

   Property	Default value	Possible values	Description
   alias	metric name	Any string	The substitute name to be used in the metric browser instead of metric name.
   statType	"ave"	"AVERAGE", "SUM", "MIN", "MAX"	AWS configured values as returned by API
   aggregationType	"AVERAGE"	"AVERAGE", "SUM", "OBSERVATION"	Aggregation qualifier
   timeRollUpType	"AVERAGE"	"AVERAGE", "SUM", "CURRENT"	Time roll-up qualifier
   clusterRollUpType	"INDIVIDUAL"	"INDIVIDUAL", "COLLECTIVE"	Cluster roll-up qualifier
   multiplier	1	Any number	Value with which the metric needs to be multiplied.
   convert	null	Any key value map	Set of key value pairs that indicates the value to which the metrics need to be transformed. eg: UP:0, DOWN:1
   delta	false	true, false	If enabled, gives the delta values of metrics instead of actual values.

   For example, 
     - name: "SecondsUntilKeyMaterialExpiration"
       alias: "SecondsUntilKeyMaterialExpiration"
       statType: "sum"      aggregationType: "AVERAGE"
       timeRollUpType: "AVERAGE"
       clusterRollUpType: "INDIVIDUAL"
       delta: false
       multiplier: 1

Config.yml

Note: Please avoid using tab (\t) when editing yaml files. You may want to validate the yaml file using a yaml validator.

AWS Credentials Encryption

Please visit this page to get detailed instructions on password encryption. The steps in this document will guide you through the whole process.

Metrics

Please refer to metrics available from this extension as given in the link below:

• KMS Metrics

Extensions Workbench

Workbench is an inbuilt feature provided with each extension in order to assist you to fine tune the extension setup before you actually deploy it on the controller. Please review the following document on How to use the Extensions WorkBench

Troubleshooting

Please look at the troubleshooting document and make sure that everything is followed correctly.

Support Tickets

If after going through the Troubleshooting Document you have not been able to get your extension working, please file a ticket and add the following information.

1. Stop the running machine agent.
2. Delete all existing logs under `/logs`.
3. Please enable debug logging by editing the file `/conf/logging/log4j.xml`. Change the level value of the following `` elements to debug.
4. Start the machine agent and please let it run for 10 mins. Then zip and upload all the logs in the directory `/logs/*`
5. Attach the zipped `/conf/*` directory here.
6. Attach the zipped `/monitors/ExtensionFolderYouAreHavingIssuesWith` directory here.

For any support related questions, you can also contact help@appdynamics.com.

Contributing

Always feel free to fork and contribute any changes directly via GitHub.

List of changes to this extension can be found here