Increasing observability in your AWS Control Tower landing zone with Dynatrace

AWS recommends that customers adopt a multi-account strategy as a best practice to achieve higher isolation of resources and help meet security, regulatory, and compliance needs. Customers must address questions around tracking their operational cost, identifying security improvements, and ensuring reliability and performance efficiency. Full-stack observability offers the troubleshooting tools needed, regardless of where problems occur.

AWS Control Tower helps customers build a scalable, secure, well-architected, multi-account environment, referred to as a landing zone. Account Factory automates the provisioning of new accounts in your AWS environment. You can enable self-service for your teams to configure and provision new accounts by using AWS Service Catalog. After you have set up your landing zone, you need visibility into your multi-account environment.

Dynatrace is an AWS Partner Network (APN) Advanced Technology Partner focused on delivering AI-powered, automatic, and intelligent observability as a platform. It monitors your AWS accounts and is available in AWS Marketplace. In this blog post, Rob and I show you how to deploy, activate, and configure Dynatrace’s monitoring solution for AWS Control Tower. This solution automates the integration of Dynatrace with the AWS accounts that Account Factory vends and enrolls.

Solution overview

The Dynatrace integrated solution for AWS Control Tower provides a way to establish Dynatrace monitoring for multi-account AWS environments. This solution automates the configuration process when AWS managed accounts are created. By ingesting metrics published to Amazon CloudWatch (CloudWatch) for databases, networks, and compute services, Dynatrace provides a picture of your environment.

Dynatrace AWS monitoring requires an AWS monitoring policy and a role configured for each AWS account in Dynatrace. After the AWS account and role are configured in Dynatrace, Dynatrace makes calls to the Amazon CloudWatch API using this configuration to continuously ingest CloudWatch metrics into the Dynatrace platform. The solution is open source, and the code is available in Dynatrace’s GitHub repository. You must deploy Dynatrace’s AWS integrations in your AWS Control Tower management account in the home Region. Your home Region is the Region where you set up the AWS Control Tower landing zone.

This solution uses the following AWS services. Most of the resources are set up for you with the AWS CloudFormation stack.

The following diagram shows the process flow steps for new managed accounts.

  1. Invisible to the end user, when Account Factory creates a new AWS Control Tower managed account, a CreateManagedAccount AWS Control Tower lifecycle event is triggered.
  2. These lifecycle events are delivered to the Amazon EventBridge and Amazon CloudWatch Events services.
  3. The Lambda function handles the CreateManagedAccount event and does two things:
    • Creates an AWS CloudFormation StackSet instance that in turn creates the IAM role Dynatrace uses to monitor the new managed account.
    • Configures the AWS monitoring settings in Dynatrace using the Dynatrace API URL and token that are stored in AWS Secrets Manager.
  4. Dynatrace begins to ingest metrics published to AWS CloudWatch and makes these metrics available within the Dynatrace web user interface.
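To make the handler step concrete, here is an added example (not code from Dynatrace's repository) of the checks a CreateManagedAccount handler should run before it calls any AWS or Dynatrace API: it accepts only successful CreateManagedAccount events with a well-formed account ID, shows the trust policy the StackSet's role should carry so that only Dynatrace's account can assume it (and only with an external ID), and builds the two requests the Lambda would submit. Dynatrace's AWS account ID is a placeholder, the StackSet and role names are hypothetical, and the Dynatrace request field names are assumed rather than taken from the page.

```python
# Added example, not Dynatrace's code. Placeholders/assumptions: Dynatrace's
# AWS account ID, the StackSet and role names, and the Dynatrace body fields.
import re
from typing import Optional

DYNATRACE_ACCOUNT_ID = "111111111111"         # placeholder, not the real account
STACK_SET_NAME = "Dynatrace-Monitoring-Role"  # hypothetical StackSet name
ROLE_NAME = "DynatraceMonitoringRole"         # hypothetical role name


def extract_new_account(event: dict) -> Optional[str]:
    """Account ID of a SUCCEEDED CreateManagedAccount event, else None."""
    detail = event.get("detail") or {}
    if detail.get("eventName") != "CreateManagedAccount":
        return None  # ignore other lifecycle events (e.g. UpdateManagedAccount)
    status = (detail.get("serviceEventDetails") or {}).get(
        "createManagedAccountStatus") or {}
    if status.get("state") != "SUCCEEDED":
        return None  # a failed vend must not be onboarded
    account_id = str((status.get("account") or {}).get("accountId", ""))
    return account_id if re.fullmatch(r"\d{12}", account_id) else None


def trust_policy(external_id: str) -> dict:
    """Trust policy for the role the StackSet creates in each managed account:
    only Dynatrace's account, and only with the external ID (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DYNATRACE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def plan_onboarding(event: dict, home_region: str) -> Optional[dict]:
    """The boto3 create_stack_instances kwargs and the Dynatrace config body
    (assumed field names) for a valid event; None when the event is rejected."""
    account_id = extract_new_account(event)
    if account_id is None:
        return None
    return {
        "stack_instances": {"StackSetName": STACK_SET_NAME,
                            "Accounts": [account_id], "Regions": [home_region]},
        "dynatrace_config": {"label": f"aws-{account_id}", "authenticationData": {
            "type": "ROLE", "roleBasedAuthentication": {
                "accountId": account_id, "iamRole": ROLE_NAME}}}}


# Constructed sample event in the AWS Control Tower lifecycle-event shape
SAMPLE_EVENT = {"detail": {"eventName": "CreateManagedAccount",
    "serviceEventDetails": {"createManagedAccountStatus": {"state": "SUCCEEDED",
        "account": {"accountId": "123456789012", "accountName": "workload-a"}}}}}
```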

Prerequisites

You need the following prerequisites to implement Dynatrace’s integration with AWS Control Tower.

  • AWS Control Tower, fully deployed. For information about setting up an AWS Control Tower landing zone, see Getting Started with AWS Control Tower in the AWS Control Tower User Guide.
  • Administrator privileges in the AWS Control Tower management account.
  • An active Dynatrace SaaS account.

If you are new to Dynatrace and want to evaluate the platform, you can do so at no cost as a 15-day SaaS trial. Dynatrace licenses are available in AWS Marketplace. By procuring Dynatrace in AWS Marketplace, you gain consolidated billing from AWS. If you’re part of the AWS Enterprise Discount Program (EDP), you can also retire your spend commitment. To discuss pricing and terms that fit your specific technical and business needs, contact Dynatrace sales.

Setup overview

The deployment and configuration steps are done in the Dynatrace User Interface (UI) and the AWS CloudFormation console. The Dynatrace UI is available as soon as your SaaS tenant is provisioned. Use the Dynatrace UI to generate the API token used by the AWS Control Tower workflow and to view collected AWS metrics. Use the AWS CloudFormation console to deploy the solution and review creation status.

Here’s a summary of the setup process for the administrator.

  1. Create the Dynatrace API token – In the customer’s Dynatrace SaaS environment, the administrator creates an API token that is used as a parameter to the AWS CloudFormation template.
  2. Deploy the AWS CloudFormation template – On the AWS CloudFormation console, the administrator deploys an AWS CloudFormation template that creates resources for the Dynatrace solution, passing in the Dynatrace environment URL and API token.
  3. Validate the solution setup – After the administrator deploys the AWS CloudFormation template, the following resources are added to the AWS Control Tower management account.
    • A StackSet for creating the IAM role that Dynatrace uses to monitor managed accounts
    • An event rule for capturing the CreateManagedAccount AWS Control Tower event
    • A Lambda function that handles CreateManagedAccount events
    • A secret (in Secrets Manager) to store the Dynatrace API URL and token

Solution walkthrough

Step 1: Create the Dynatrace API token

Once you sign up for a trial or obtain an environment from Dynatrace sales, you will be provided with a URL to your Dynatrace SaaS environment. The Dynatrace SaaS URL has the following format: https://{your-environment-id}.live.dynatrace.com. Each Dynatrace SaaS environment is identified with a unique character string. This is referred to as your environment ID.

  1. In a browser window, open the URL of your environment ID. Log in to Dynatrace as a user with administrator access.
  2. In the navigation pane, choose Settings.
  3. Under Integration, choose Dynatrace API.
  4. On the Dynatrace API page, under My Dynatrace API Tokens, choose Generate Token. Enter a name for the token.
  5. For API v1, select Read configuration and Write configuration.
  6. Choose Generate.
  7. To save the token value for the next section, choose Copy.

Keep the Dynatrace UI open in your browser for the next section of this walkthrough, Using Dynatrace observability for new AWS managed accounts.

Step 2: Deploy the AWS CloudFormation template

A. Get the template and log in to the AWS CloudFormation console. To do that, do the following:

  • Download the AWS CloudFormation template from GitHub.
  • Open the AWS CloudFormation console and log in with the AWS Control Tower primary account as a user with administrator access.
  • On the navigation bar, choose the Region selector and select the Region where AWS Control Tower is enabled.

B. Start creating a stack by uploading the template.

  • In the navigation pane, choose Stacks.
  • On the Stacks page, choose Create Stack.
  • For Step 1: Specify template, for Prepare template, select Template is ready.
  • For Template source, select Upload a template file and choose the template that you downloaded.
  • Choose Next.

C. Configure the stack and create it. To do that, do the following:

  1. For Step 2: Specify stack details, specify values for the following parameters.
    • Stack name – Any name that follows your organization’s naming convention
    • DynatraceApiKey – The value of the API token that you generated in step 1
    • DynatraceUrl – The URL for the Dynatrace tenant endpoint that you received by email in step 1
  2. Choose Next.
  3. For Step 3: Configure stack options, accept the default values or optionally specify any option such as tags.
  4. Choose Next.
  5. For Step 4: Review, review the stack details.
  6. Choose Create stack.

Step 3: Validate the solution setup

On the Stacks summary page, verify that the stack was created successfully by looking for the CREATE_COMPLETE status.

Using Dynatrace observability for new AWS managed accounts

Now that you have integrated AWS Control Tower with Dynatrace, you can use the full-stack observability capabilities of Dynatrace. In this section, Rob and I show you how to use the prebuilt dashboards for AWS accounts.

AWS account summary

Prebuilt AWS dashboards are available in the Dynatrace UI. To see them, open your environment ID URL and in the navigation pane, choose AWS.

The Dynatrace AWS page gives you a high-level overview of the number of AWS services in your AWS account; it varies based on your AWS account configuration and the services that you’re running in your environment. The following image shows an example account summary page. In the middle of the diagram, it shows 627 EC2 instances in 17 Availability Zones and 14 Lambda functions. On the left, it shows five supporting services, 22 load balancers, and 488 S3 buckets. On the right, it shows four RDS instances, three DynamoDB tables, and 1,634 EBS volumes.

To see more details about an AWS service in your account, choose that service. For example, the EC2 summary page shows a summary of instance state, size, resource utilization, and whether they have the Dynatrace OneAgent deployed.

The following screenshot is an example page for a selected Region, us-east-1a. The top of the page shows a count of 188 instances by EC2 instance type, their service state of stopped or terminated, and whether they have the Dynatrace OneAgent installed for deep visibility. The right side shows a pie chart of the active and terminated instances over the past seven days.

Cleanup

Step 1: Remove Dynatrace AWS monitoring configuration

  1. In a browser window, open your environment ID URL and log in to Dynatrace as a user with administrator access.
  2. In the navigation pane, choose Settings.
  3. Under Cloud and virtualization, choose AWS.
  4. For each configured AWS account, choose the delete button, then choose Save changes.

Step 2: Remove Dynatrace API token

  1. In the navigation pane, choose Settings.
  2. Under Integration, choose Dynatrace API.
  3. On the Dynatrace API page, for the API token used in the AWS monitoring configuration, choose the delete button, then choose Save changes.

Step 3: Remove AWS CloudFormation stacks

  1. Open the AWS CloudFormation console and log in with the AWS Control Tower primary account as a user with administrator access.
  2. On the navigation bar, choose the Region selector and select the Region where AWS Control Tower is enabled.
  3. In the navigation pane, choose Stacks.
  4. Select each stack to be deleted, then choose Delete.
  5. Monitor the stack status until each stack shows that it was deleted.
  6. Open the StackSets section of the CloudFormation console and verify that each StackSet status shows that it was deleted.

Conclusion

In this blog post, Rob and I showed you how to gain full-stack observability across your multi-account AWS environment with Dynatrace’s integration with AWS Control Tower. We described the architecture and implementation of the integration solution. We showed examples of the prebuilt dashboards to gain visibility into AWS resources.

We showed you how to integrate Dynatrace into new AWS accounts consistently, with zero configuration or code changes, with proper configurations, and enforced by the AWS Control Tower policies. For more information, see Dynatrace in AWS Marketplace.

About the authors

James Ferguson is a Senior Solutions Architect at AWS and an AWS Control Tower ambassador. James has been involved in key leadership and technological advances from mobile to data applications and provides support to AWS customers daily.
Rob Jahn is a technical partner manager at Dynatrace supporting market research, shaping strategic technology partner roadmaps, and growing the day-to-day business relationships with key strategic technology partners such as AWS.