AWS Collection Module

Note: AWS Collection is currently in BETA.  Please contact your account manager or platformsupport@riscnetworks.com to request access.

Purpose and Requirements

The AWS collection module provides inventory and performance data collection for entities hosted in the Amazon Web Services cloud (currently limited to EC2 instances).  Data is requested by the RN150 appliance from the AWS API.  As such, access to the AWS API must be provided from the RN150.  An AWS access key and secret must be provided to the appliance and this credential must have the following permissions at a minimum:

IAM Minimum Policy Definition
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeElasticGpus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}

The "Resource" element may be restricted in order to limit the scope of access.  Instructions for creating a new IAM user account are available in the AWS documentation.  After creating the account, you can attach a policy directly to that account using the JSON above.
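The following is an added example, not code from RISC Networks or the RN150 appliance: a small offline audit that compares a candidate IAM policy against the minimum policy above, reporting required actions the candidate does not cover and Allow patterns that grant more than the minimum (wildcards such as "ec2:*" or extra concrete actions). The two candidate policies are constructed for illustration, and the evaluation deliberately ignores Deny, NotAction and Condition elements, which a real authorisation check must apply first.

```python
import fnmatch
import json

# The module's minimum IAM policy, as printed on this page.
MINIMUM_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                    "ec2:DescribeVolumes", "ec2:DescribeElasticGpus"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:GetMetricStatistics"],
         "Resource": "*"}
    ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allow_patterns(policy):
    """Collect the Action patterns from Allow statements.

    Simplification (this example only): Deny statements, NotAction and
    Condition blocks are not evaluated; a real authorisation check applies
    an explicit Deny before any Allow.
    """
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            patterns.update(_as_list(stmt.get("Action")))
    return patterns


# The concrete actions the appliance needs, derived from the minimum policy.
REQUIRED_ACTIONS = sorted(allow_patterns(MINIMUM_POLICY))


def _matches(action, pattern):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(candidate):
    """Compare a candidate policy against the module minimum.

    Returns (missing, beyond_minimum):
      missing        - required actions that no Allow pattern covers
      beyond_minimum - Allow patterns that grant anything outside the minimum
                       (wildcards such as "ec2:*", or extra concrete actions)
    """
    patterns = allow_patterns(candidate)
    missing = [a for a in REQUIRED_ACTIONS
               if not any(_matches(a, p) for p in patterns)]
    beyond = sorted(p for p in patterns
                    if "*" in p or "?" in p
                    or not any(_matches(p, req) for req in REQUIRED_ACTIONS))
    return missing, beyond


# Constructed sample: works, but grants far more than the module needs.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudwatch:GetMetricStatistics"],
         "Resource": "*"},
    ],
}

# Constructed sample: inventory of volumes would fail with this policy.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                    "ec2:DescribeElasticGpus", "cloudwatch:GetMetricStatistics"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("minimum", MINIMUM_POLICY),
                         ("overbroad", OVERBROAD_POLICY),
                         ("incomplete", INCOMPLETE_POLICY)]:
        missing, beyond = audit_policy(policy)
        print(f"{name}: missing={missing} beyond_minimum={beyond}")
```

Run the script against the policy you intend to attach to the collector's IAM user; an empty `missing` list means the appliance has what it needs, and an empty `beyond_minimum` list means the credential carries nothing more.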

Performance Polling

EC2 API calls (used for inventory data) are free, but there is a cost associated with the CloudWatch performance metric calls.  To reduce this cost, we pull performance data only once per day.

A separate API call must be made for each device, metric, and aggregation type being requested.

The metrics we collect are:

  • CPUUtilization
  • NetworkIn
  • NetworkOut
  • DiskReadBytes
  • DiskReadOps
  • NetworkPacketsIn
  • NetworkPacketsOut
  • DiskWriteBytes
  • DiskWriteOps

The aggregation types are:

  • Hourly
  • Daily
  • 95th percentile

This yields 27 API calls per device per day.  Assuming that nothing else is using the CloudWatch API, the free 1,000,000 monthly calls would suffice for just over 1,200 instances.  Beyond that, charges would be incurred (approximately $0.0081 per device per month based on $0.01/1000 calls).

Note: The 95th percentile metric is only available when detailed monitoring is enabled.

Per AWS documentation, with basic monitoring the metric interval is 5 minutes; with detailed monitoring it is 1 minute.  These intervals are assumed when converting absolute metrics to per-second units (e.g. network bytes in to KBps).  Because of this, the monitoring state is checked at the beginning of performance collection.  If the current state differs from the state recorded at the last collection, we update the stored state and do not collect performance data at this interval.  A problem can still arise if the state is changed and changed back within an interval.

For instance:

  • Device is set up for basic monitoring at the polling time of 00:00 on day 1
  • At 02:00 on day 1, the device is changed to detailed monitoring
  • At 20:00 on day 1, the device changes back to basic monitoring
  • At 00:00 on day 2, we go to poll again and see no change

This will cause some metrics to be incorrect during the hours of 02:00 - 20:00.  All metrics except CPUUtilization are affected.
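The conversion and the state check described above, walked through on the scenario in the list, as an added example that is not RISC Networks' code: it converts a per-interval total to a per-second rate using the interval assumed for the recorded monitoring state, applies the skip-on-change rule, and shows why a change that is reverted before the next poll slips through and mis-scales every absolute metric while leaving CPUUtilization untouched. It assumes each datapoint covers exactly one metric interval of the state in force when it was produced, and that 1 KB is 1024 bytes; the instance id is a placeholder.

```python
from dataclasses import dataclass

# Metric interval for each EC2 monitoring state, per the AWS documentation
# cited on this page: basic = 5 minutes, detailed = 1 minute.
PERIOD_SECONDS = {"basic": 300, "detailed": 60}

# Metrics reported as an absolute total per interval; these are divided by
# the interval length to get per-second units. CPUUtilization is a
# percentage and is left as-is, which is why it is unaffected by the scenario.
ABSOLUTE_METRICS = {
    "NetworkIn", "NetworkOut", "NetworkPacketsIn", "NetworkPacketsOut",
    "DiskReadBytes", "DiskWriteBytes", "DiskReadOps", "DiskWriteOps",
}


def to_per_second(metric, value, monitoring):
    """Convert one datapoint to per-second units using the assumed interval.

    Assumption (this example): the datapoint covers exactly one metric
    interval of the monitoring state passed in.
    """
    if metric not in ABSOLUTE_METRICS:
        return value
    return value / PERIOD_SECONDS[monitoring]


def bytes_to_kbps(metric, value, monitoring):
    """Bytes per interval -> KBps. Assumption: 1 KB = 1024 bytes."""
    return to_per_second(metric, value, monitoring) / 1024.0


@dataclass
class DeviceState:
    instance_id: str
    monitoring: str  # state recorded at the previous poll


def should_collect(state, current_monitoring):
    """The page's rule: if the monitoring state differs from the one seen at
    the last poll, record the new state and skip performance collection for
    this interval; otherwise collect."""
    if current_monitoring != state.monitoring:
        state.monitoring = current_monitoring
        return False
    return True


def rate_error(metric, value, actual_monitoring, assumed_monitoring):
    """Return (true_rate, computed_rate) for a datapoint really produced under
    actual_monitoring but converted as if under assumed_monitoring."""
    true_rate = to_per_second(metric, value, actual_monitoring)
    computed = to_per_second(metric, value, assumed_monitoring)
    return true_rate, computed


if __name__ == "__main__":
    # Constructed walk-through of the scenario on this page.
    dev = DeviceState("i-PLACEHOLDER", "basic")  # placeholder instance id

    # Day 1, 00:00: state unchanged since the last poll -> collect.
    print("day 1 collect:", should_collect(dev, "basic"))

    # 02:00 - 20:00: the instance runs with detailed monitoring. A NetworkIn
    # datapoint of 60000 bytes over a real 60 s interval is 1000 B/s, but the
    # poller still assumes 300 s and reports 200 B/s (5x too low).
    print("NetworkIn (true, computed):",
          rate_error("NetworkIn", 60000, "detailed", "basic"))
    print("CPUUtilization (true, computed):",
          rate_error("CPUUtilization", 42.0, "detailed", "basic"))

    # Day 2, 00:00: state is back to basic, so the check sees no change and
    # the mis-scaled samples from day 1 are accepted.
    print("day 2 collect:", should_collect(dev, "basic"))

    # Contrast: a change still in effect at poll time is caught and skipped.
    print("changed-state collect:", should_collect(dev, "detailed"),
          "-> stored state:", dev.monitoring)
```

The check compares only the two poll-time snapshots, so it has no visibility into what happened in between; detecting an intermediate flip would require a per-datapoint interval check or a configuration-change record, neither of which the once-per-day poll provides.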

Visibility as Assets

EC2 instances will appear in the list of virtual machines.  Their device type will be either 'AWS EC2' or, if we were also able to directly inventory the device, 'Virtual-AWS-other collection type' (e.g. 'Virtual-AWS-Generic Server' or 'Virtual-AWS-Windows Server').