AWS KMS Monitoring Extension

Use Case

Captures the number of seconds remaining until imported key material expires and displays them in the AppDynamics Metric Browser..This metric is valid only for CMKs whose origin is EXTERNAL and whose key material is or was set to expire.

This extension works only with the standalone machine agent.


Before the extension is installed, the prerequisites mentioned here need to be met. Please do not proceed with the extension installation if the specified prerequisites are not met.


  1. Download and unzip AWSKMSMonitor-<version>.zip into <machine_agent_dir>/monitors/
  2. Edit config.yaml file in AWSKMSMonitor/conf and provide the required configuration (see Configuration section)
  3. Restart the Machine Agent.


Note: Please avoid using tab (\t) when editing yaml files. You may want to validate the yaml file using a yaml validator.

Edit the file config.yml located at <MachineAgent_Dir>/monitors/

  1. The metricPrefix of the extension has to be configured as specified here. Please make sure that the right metricPrefix is chosen based on your machine agent deployment, otherwise this could lead to metrics not being visible in the controller.
  2. For other fields, please check the following table:

    accountsFields under this section can be repeated for multiple accounts config
    awsAccessKeyAWS Access Key
    awsSecretKeyAWS Secret Key
    displayAccountNameDisplay name used in metric path"AWSKMS"
    regionsRegions where AWS-KMS is registeredAllowed values:
    enableDecryptionIf set to "true", then all aws credentials provided (access key and secret key) will be decrypted - see AWS Credentials Encryption section
    decryptionKeyThe key used when encypting the credentials
    hostThe proxy host (must also specify port)
    portThe proxy port (must also specify host)
    usernameThe proxy username (optional)
    passwordThe proxy password (optional)
    metricTypesFields under this section can be repeated for multiple metric types override
    metricNameThe metric name"SecondsUntilKeyMaterialExpiration"
    statTypeThe statistic typeAllowed values:
    excludeMetricsMetrics to exclude - supports regex
    startTimeInMinsBeforeNowThe no of mins to deduct from current time for start time of query5
    endTimeInMinsBeforeNowThe no of mins to deduct from current time for end time of query.
    Note, this must be less than startTimeInMinsBeforeNow
    maxErrorRetrySizeThe max number of retry attempts for failed retryable requests1
    noOfAccountThreadsThe no of threads to process multiple accounts concurrently3
    noOfRegionThreadsPerAccountThe no of threads to process multiple regions per account concurrently3
    noOfMetricThreadsPerRegionThe no of threads to process multiple metrics per region concurrently3
    metricPrefixThe path prefix for viewing metrics in the metric browser."Custom Metrics|AWS KMS|"

Below is an example config for monitoring multiple accounts and regions:

  - awsAccessKey: "XXXXXXXX1"
    awsSecretKey: "XXXXXXXXXX1"
    displayAccountName: "TestAccount_1"
    regions: ["us-east-1","us-west-1","us-west-2"]

  - awsAccessKey: "XXXXXXXX2"
    awsSecretKey: "XXXXXXXXXX2"
    displayAccountName: "TestAccount_2"
    regions: ["eu-central-1","eu-west-1"]

    enableDecryption: "false"


      - metricName: "SecondsUntilKeyMaterialExpiration"
        statType: "max"
    excludeMetrics: []

      startTimeInMinsBeforeNow: 5
      endTimeInMinsBeforeNow: 0

    maxErrorRetrySize: 0

  noOfAccountThreads: 3
  noOfRegionThreadsPerAccount: 3
  noOfMetricThreadsPerRegion: 3

metricPrefix: "Custom Metrics|AWS KMS|"

AWS Credentials Encryption

To set an encrypted awsAccessKey and awsSecretKey in config.yaml, follow the steps below:

  1. Download the util jar to encrypt the AWS Credentials from here.
  2. Run command:

    java -cp appd-exts-commons-1.1.2.jar com.appdynamics.extensions.crypto.Encryptor EncryptionKey CredentialToEncrypt
    For example: 
    java -cp "appd-exts-commons-1.1.2.jar" com.appdynamics.extensions.crypto.Encryptor test myAwsAccessKey
    java -cp "appd-exts-commons-1.1.2.jar" com.appdynamics.extensions.crypto.Encryptor test myAwsSecretKey
  3. Set the decryptionKey field in config.yaml with the encryption key used, as well as the resulting encrypted awsAccessKey and awsSecretKey in their respective fields.


Please refer to AWS KMS Metrics for the available metrics from this extension.


Always feel free to fork and contribute any changes directly via GitHub.


Please look at the troubleshooting document and make sure that everything is followed correctly.


Agent Compatiblity3.7+
Last Update18 May 2017