AWS KMS Monitoring Extension

Use Case

Captures the number of seconds remaining until imported key material expires and displays them in the AppDynamics Metric Browser..This metric is valid only for CMKs whose origin is EXTERNAL and whose key material is or was set to expire.

This extension works only with the standalone machine agent.

Prerequisites

Before the extension is installed, the prerequisites mentioned here need to be met. Please do not proceed with the extension installation if the specified prerequisites are not met.

Installation

1. Download and unzip AWSKMSMonitor-<version>.zip into <machine_agent_dir>/monitors/
2. Edit config.yaml file in AWSKMSMonitor/conf and provide the required configuration (see Configuration section)
3. Restart the Machine Agent.

Configuration

Note: Please avoid using tab (\t) when editing yaml files. You may want to validate the yaml file using a yaml validator.

Edit the file config.yml located at <MachineAgent_Dir>/monitors/

1. The metricPrefix of the extension has to be configured as specified here. Please make sure that the right metricPrefix is chosen based on your machine agent deployment, otherwise this could lead to metrics not being visible in the controller.

2. For other fields, please check the following table:

   Section	Fields	Description	Example
   accounts		Fields under this section can be repeated for multiple accounts config
   	awsAccessKey	AWS Access Key
   	awsSecretKey	AWS Secret Key
   	displayAccountName	Display name used in metric path	"AWSKMS"
   	regions	Regions where AWS-KMS is registered	Allowed values: "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "eu-central-1", "eu-west-1", "us-east-1", "us-west-1", "us-west-2", "sa-east-1"
   credentialsDecryptionConfig	-----	-----	-----
   	enableDecryption	If set to "true", then all aws credentials provided (access key and secret key) will be decrypted - see AWS Credentials Encryption section
   	decryptionKey	The key used when encypting the credentials
   proxyConfig	-----	-----	-----
   	host	The proxy host (must also specify port)
   	port	The proxy port (must also specify host)
   	username	The proxy username (optional)
   	password	The proxy password (optional)
   metricsConfig	-----	-----	-----
   metricTypes		Fields under this section can be repeated for multiple metric types override
   	metricName	The metric name	"SecondsUntilKeyMaterialExpiration"
   	statType	The statistic type	Allowed values: "ave" "max" "min" "sum" "samplecount"
   	-----	-----	-----
   	excludeMetrics	Metrics to exclude - supports regex
   metricsTimeRange
   	startTimeInMinsBeforeNow	The no of mins to deduct from current time for start time of query	5
   	endTimeInMinsBeforeNow	The no of mins to deduct from current time for end time of query. Note, this must be less than startTimeInMinsBeforeNow	0
   	-----	-----	-----
   	maxErrorRetrySize	The max number of retry attempts for failed retryable requests	1
   concurrencyConfig
   	noOfAccountThreads	The no of threads to process multiple accounts concurrently	3
   	noOfRegionThreadsPerAccount	The no of threads to process multiple regions per account concurrently	3
   	noOfMetricThreadsPerRegion	The no of threads to process multiple metrics per region concurrently	3
   	-----	-----	-----
   	metricPrefix	The path prefix for viewing metrics in the metric browser.	"Custom Metrics|AWS KMS|"

Below is an example config for monitoring multiple accounts and regions:

accounts:
  - awsAccessKey: "XXXXXXXX1"
    awsSecretKey: "XXXXXXXXXX1"
    displayAccountName: "TestAccount_1"
    regions: ["us-east-1","us-west-1","us-west-2"]

  - awsAccessKey: "XXXXXXXX2"
    awsSecretKey: "XXXXXXXXXX2"
    displayAccountName: "TestAccount_2"
    regions: ["eu-central-1","eu-west-1"]

credentialsDecryptionConfig:
    enableDecryption: "false"
    decryptionKey:

proxyConfig:
    host: 
    port:
    username:
    password:    

metricsConfig:
    metricTypes:
      - metricName: "SecondsUntilKeyMaterialExpiration"
        statType: "max"
        
    excludeMetrics: []

    metricsTimeRange:
      startTimeInMinsBeforeNow: 5
      endTimeInMinsBeforeNow: 0

    maxErrorRetrySize: 0

concurrencyConfig:
  noOfAccountThreads: 3
  noOfRegionThreadsPerAccount: 3
  noOfMetricThreadsPerRegion: 3

metricPrefix: "Custom Metrics|AWS KMS|"

AWS Credentials Encryption

To set an encrypted awsAccessKey and awsSecretKey in config.yaml, follow the steps below:

1. Download the util jar to encrypt the AWS Credentials from here.

2. Run command:

   java -cp appd-exts-commons-1.1.2.jar com.appdynamics.extensions.crypto.Encryptor EncryptionKey CredentialToEncrypt
   
   For example: 
   java -cp "appd-exts-commons-1.1.2.jar" com.appdynamics.extensions.crypto.Encryptor test myAwsAccessKey
   
   java -cp "appd-exts-commons-1.1.2.jar" com.appdynamics.extensions.crypto.Encryptor test myAwsSecretKey
   

3. Set the decryptionKey field in config.yaml with the encryption key used, as well as the resulting encrypted awsAccessKey and awsSecretKey in their respective fields.

Metrics

Please refer to AWS KMS Metrics for the available metrics from this extension.

Contributing

Always feel free to fork and contribute any changes directly via GitHub.

Troubleshooting

Please look at the troubleshooting document and make sure that everything is followed correctly.

Compatibility