Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/cloud/AWS/aws_http?at=release/7.0
AWS by HTTP
Overview
This template is designed for the effortless deployment of AWS monitoring by Zabbix via HTTP and doesn't require any external scripts.
Requirements
Zabbix version: 7.0 and higher.
Tested versions
This template has been tested on:
- AWS by HTTP
Configuration
Zabbix should be configured according to the instructions in the Templates out of the box section.
Setup
Before using the template, you need to create an IAM policy for the Zabbix role in your AWS account with the necessary permissions.
Add the following required permissions to your Zabbix IAM policy in order to collect metrics.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeRegions",
"rds:DescribeEvents",
"rds:DescribeDBInstances",
"ecs:DescribeClusters",
"ecs:ListServices",
"ecs:ListTasks",
"ecs:ListClusters",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetMetricsConfiguration",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"ec2:DescribeSecurityGroups",
"lambda:ListFunctions"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
For using assume role authorization, add the appropriate permissions to the role you are using:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::{Account}:user/{UserName}"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeRegions",
"rds:DescribeEvents",
"rds:DescribeDBInstances",
"ecs:DescribeClusters",
"ecs:ListServices",
"ecs:ListTasks",
"ecs:ListClusters",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetMetricsConfiguration",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"ec2:DescribeSecurityGroups",
"lambda:ListFunctions"
],
"Resource": "*"
}
]
}
Next, add a principal to the trust relationships of the role you are using:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{Account}:user/{UserName}"
},
"Action": "sts:AssumeRole"
}
]
}
If you are using role-based authorization, add the appropriate permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<<--account-id-->>:role/<<--role_name-->>"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeRegions",
"rds:DescribeEvents",
"rds:DescribeDBInstances",
"ecs:DescribeClusters",
"ecs:ListServices",
"ecs:ListTasks",
"ecs:ListClusters",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetMetricsConfiguration",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"ec2:DescribeSecurityGroups",
"lambda:ListFunctions"
],
"Resource": "*"
}
]
}
Next, add a principal to the trust relationships of the role you are using:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
Note, Using role-based authorization is only possible when you use a Zabbix server or proxy inside AWS.
To gather Request metrics, enable Requests metrics on your Amazon S3 buckets from the AWS console.
Set the macros: {$AWS.AUTH_TYPE}
. Possible values: access_key
, assume_role
, role_base
.
If you are using access key-based authorization, set the following macros: {$AWS.ACCESS.KEY.ID}
, {$AWS.SECRET.ACCESS.KEY}
.
If you are using access assume role authorization, set the following macros: {$AWS.ACCESS.KEY.ID}
, {$AWS.SECRET.ACCESS.KEY}
, {$AWS.STS.REGION}
, {$AWS.ASSUME.ROLE.ARN}
.
For more information about managing access keys, see official documentation.
Refer to the Macros section for a list of macros used for LLD filters.
Additional information about the metrics and used API methods:
- Full metrics list related to EBS
- Full metrics list related to EC2
- Full metrics list related to RDS
- Full metrics list related to Amazon Aurora
- Full metrics list related to S3
- Full metrics list related to ECS
- Full metrics list related to ELB ALB
- DescribeAlarms API method
- DescribeVolumes API method
- DescribeAlarms API method
- DescribeLoadBalancers API method
Macros used
Name | Description | Default |
---|---|---|
{$AWS.DATA.TIMEOUT} | A response timeout for an API. |
60s |
{$AWS.PROXY} | Sets HTTP proxy value. If this macro is empty then no proxy is used. |
|
{$AWS.ACCESS.KEY.ID} | Access key ID. |
|
{$AWS.SECRET.ACCESS.KEY} | Secret access key. |
|
{$AWS.AUTH_TYPE} | Authorization method. Possible values: |
access_key |
{$AWS.REQUEST.REGION} | Region used in GET request |
us-east-1 |
{$AWS.DESCRIBE.REGION} | Region used in POST request |
us-east-1 |
{$AWS.STS.REGION} | Region used in assume role request. |
us-east-1 |
{$AWS.ASSUME.ROLE.ARN} | ARN assume role; add when using the |
|
{$AWS.EC2.LLD.FILTER.NAME.MATCHES} | Filter of discoverable EC2 instances by namespace. |
.* |
{$AWS.EC2.LLD.FILTER.NAME.NOT_MATCHES} | Filter to exclude discovered EC2 instances by namespace. |
CHANGE_IF_NEEDED |
{$AWS.EC2.LLD.FILTER.REGION.MATCHES} | Filter of discoverable EC2 instances by region. |
.* |
{$AWS.EC2.LLD.FILTER.REGION.NOT_MATCHES} | Filter to exclude discovered EC2 instances by region. |
CHANGE_IF_NEEDED |
{$AWS.ECS.LLD.FILTER.NAME.MATCHES} | Filter of discoverable ECS clusters by name. |
.* |
{$AWS.ECS.LLD.FILTER.NAME.NOT_MATCHES} | Filter to exclude discovered ECS clusters by name. |
CHANGE_IF_NEEDED |
{$AWS.ECS.LLD.FILTER.STATUS.MATCHES} | Filter of discoverable ECS clusters by status. |
ACTIVE |
{$AWS.ECS.LLD.FILTER.STATUS.NOT_MATCHES} | Filter to exclude discovered ECS clusters by status. |
CHANGE_IF_NEEDED |
{$AWS.S3.LLD.FILTER.NAME.MATCHES} | Filter of discoverable S3 buckets by namespace. |
.* |
{$AWS.S3.LLD.FILTER.NAME.NOT_MATCHES} | Filter to exclude discovered S3 buckets by namespace. |
CHANGE_IF_NEEDED |
{$AWS.RDS.LLD.FILTER.NAME.MATCHES} | Filter of discoverable RDS instances by namespace. |
.* |
{$AWS.RDS.LLD.FILTER.NAME.NOT_MATCHES} | Filter to exclude discovered RDS instances by namespace. |
CHANGE_IF_NEEDED |
{$AWS.RDS.LLD.FILTER.REGION.MATCHES} | Filter of discoverable RDS instances by region. |
.* |
{$AWS.RDS.LLD.FILTER.REGION.NOT_MATCHES} | Filter to exclude discovered RDS instances by region. |
CHANGE_IF_NEEDED |
{$AWS.ECS.LLD.FILTER.REGION.MATCHES} | Filter of discoverable ECS clusters by region. |
.* |
{$AWS.ECS.LLD.FILTER.REGION.NOT_MATCHES} | Filter to exclude discovered ECS clusters by region. |
CHANGE_IF_NEEDED |
{$AWS.ELB.LLD.FILTER.NAME.MATCHES} | Filter of discoverable ELB load balancers by name. |
.* |
{$AWS.ELB.LLD.FILTER.NAME.NOT_MATCHES} | Filter to exclude discovered ELB load balancers by name. |
CHANGE_IF_NEEDED |
{$AWS.ELB.LLD.FILTER.REGION.MATCHES} | Filter of discoverable ELB load balancers by region. |
.* |
{$AWS.ELB.LLD.FILTER.REGION.NOT_MATCHES} | Filter to exclude discovered ELB load balancers by region. |
CHANGE_IF_NEEDED |
{$AWS.ELB.LLD.FILTER.STATE.MATCHES} | Filter of discoverable ELB load balancers by status. |
active |
{$AWS.ELB.LLD.FILTER.STATE.NOT_MATCHES} | Filter to exclude discovered ELB load balancer by status. |
CHANGE_IF_NEEDED |
{$AWS.LAMBDA.LLD.FILTER.REGION.MATCHES} | Filter of discoverable Lambda functions by region. |
.* |
{$AWS.LAMBDA.LLD.FILTER.REGION.NOT_MATCHES} | Filter to exclude discovered Lambda functions by region. |
CHANGE_IF_NEEDED |
{$AWS.LAMBDA.LLD.FILTER.RUNTIME.MATCHES} | Filter of discoverable Lambda functions by Runtime. |
.* |
{$AWS.LAMBDA.LLD.FILTER.RUNTIME.NOT_MATCHES} | Filter to exclude discovered Lambda functions by Runtime. |
CHANGE_IF_NEEDED |
{$AWS.LAMBDA.LLD.FILTER.NAME.MATCHES} | Filter of discoverable Lambda functions by name. |
.* |
{$AWS.LAMBDA.LLD.FILTER.NAME.NOT_MATCHES} | Filter to exclude discovered Lambda functions by name. |
CHANGE_IF_NEEDED |
LLD rule S3 buckets discovery
Name | Description | Type | Key and additional info |
---|---|---|---|
S3 buckets discovery | Get S3 bucket instances. |
Script | aws.s3.discovery |
LLD rule EC2 instances discovery
Name | Description | Type | Key and additional info |
---|---|---|---|
EC2 instances discovery | Get EC2 instances. |
Script | aws.ec2.discovery |
LLD rule RDS instances discovery
Name | Description | Type | Key and additional info |
---|---|---|---|
RDS instances discovery | Get RDS instances. |
Script | aws.rds.discovery |
LLD rule ECS clusters discovery
Name | Description | Type | Key and additional info |
---|---|---|---|
ECS clusters discovery | Get ECS clusters. |
Script | aws.ecs.discovery |
LLD rule ELB load balancers discovery
Name | Description | Type | Key and additional info |
---|---|---|---|
ELB load balancers discovery | Get ELB load balancers. |
Script | aws.elb.discovery |
LLD rule Lambda discovery
Name | Description | Type | Key and additional info |
---|---|---|---|
Lambda discovery | Get Lambda functions. |
Script | aws.lambda.discovery |
Feedback
Please report any issues with the template at https://support.zabbix.com
You can also provide feedback, discuss the template, or ask for help at ZABBIX forums