Amazon Managed Grafana FAQs

General

Amazon Managed Grafana is a fully managed multicloud, cross-project service with rich, interactive data visualizations to help customers analyze, monitor, and alarm on metrics, logs, and traces across multiple data sources. You can create interactive dashboards and share them with anyone in your organization with an automatically scaled, highly available, and enterprise-secure service. With Amazon Managed Grafana, you can manage user and team access to dashboards across AWS accounts, AWS regions, and data sources. Amazon Managed Grafana provides an intuitive resource discovery experience to help you easily onboard your AWS accounts across multiple regions and securely access AWS services such as Amazon CloudWatch, AWS X-Ray, Amazon Elasticsearch Service, Amazon Timestream, AWS IoT SiteWise, and Amazon Managed Service for Prometheus.

Grafana is an open source data visualization and operational dashboarding solution used by hundreds of thousands of organizations and millions of users. Grafana’s rich visualization library and broad support for multiple data sources make it simple for customers to query, visualize, and alert on a wide variety of operational data, including metrics, logs, and traces in a single console. Amazon Managed Grafana provides fully managed Grafana workspaces compatible with the open source project and developed in partnership with Grafana Labs, parent company of the open source project.

A workspace is a logically isolated Grafana server. Once you have created a workspace, you can integrate it with data sources and then query and visualize metrics from these data sources. You can create multiple workspaces per Region, per account, so that you can create isolated Grafana workspaces for monitoring your Prod and Dev workloads separately.

Amazon Managed Grafana integrates with AWS Organizations to discover the AWS accounts and resources in your Organizational Units. Using AWS CloudFormation StackSets, Amazon Managed Grafana will automatically create the IAM policies needed to grant read-only access to your AWS Services data for the accounts and Regions you choose. Using the Amazon Managed Grafana console, you can easily add or remove accounts, Organizational Units, and Regions that you want to add to each Grafana workspace.

Amazon Managed Grafana provides users access to open source Grafana features as well as enhanced features, such as single sign-on via SAML 2.0 and AWS Single Sign-On, audit logging, and team sync. If you need access to Enterprise data source plugins that are developed by Grafana Labs, then you will need to purchase a Grafana Enterprise license via AWS Marketplace. This is a one-click process and can be done via the Amazon Managed Grafana console.

In the Amazon Managed Grafana console, you can select the workspace you’d like to upgrade to Grafana Enterprise. You can optionally upgrade one or more workspaces; each upgraded workspace will have access to Enterprise plugins. This enables you to query and visualize data from AppDynamics, Atlassian Jira, Datadog, Dynatrace, GitLab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake.

Yes. You can use AWS CloudFormation templates to create, update, and delete your Amazon Managed Grafana workspaces, as well as manage or update workspace SAML authentication settings. To learn more about managing Amazon Managed Grafana workspaces and configuring workspace SAML authentication with CloudFormation, see the Amazon Managed Grafana resource type reference in the CloudFormation user guide. To create Amazon Managed Grafana workspaces using AWS CloudFormation, follow the reference templates.

Yes, Amazon Managed Grafana supports Terraform for dashboard management.

There are three user types in Grafana: Administrators, Editors, and Viewers. Administrators have add, edit, and delete permissions to manage data sources, users, teams, folders, and dashboards. Editors have view, add, edit, and delete permissions to dashboards and alerts. Viewers can view dashboards to which they have been granted access, but cannot add, edit, or delete data sources, dashboards, or alerts.

Amazon Managed Grafana provides native integrations for multiple AWS Services, including Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon OpenSearch Service, AWS IoT SiteWise, Amazon Timestream, and AWS X-Ray. Amazon Managed Grafana also supports installation of Grafana community plugins for other cloud providers, including Azure Monitor and Google Analytics, and self-managed data sources such as Graphite, InfluxDB, and more. You can browse all supported data source plugins directly from the Plugins Catalog within your workspace. Directly from the Amazon Managed Grafana console, you can optionally upgrade to paid third-party enterprise plugins made available with a Grafana Enterprise license purchase, which enables access to plugins for applications such as AppDynamics, Datadog, Dynatrace, and MongoDB. Click here to learn more about Plugins in Amazon Managed Grafana.

Teams provide a grouping mechanism to organize users in Amazon Managed Grafana. You can use teams to group individual users into entities that are granted access to shared resources such as dashboards, data sources, and alerts. Teams can also be mapped to your LDAP groups. With Team Sync enabled, you can keep team membership and user identities in sync with your Identity Provider's user directories such as Azure Active Directory, Microsoft Active Directory, CyberArk, Okta, OneLogin, and Ping Identity.

Grafana alerting is an opt-in Amazon Managed Grafana feature that allows you to visualize alerts from Prometheus Alertmanager data sources in a searchable alerting interface in your Grafana workspace.

In the Amazon Managed Grafana console, you can select the workspace where you’d like to enable Grafana Alerting to visualize your Prometheus Alertmanager alerts in your Grafana workspace.

Yes, Amazon Managed Grafana can connect to OpenSearch clusters, RDS Postgres databases, or self-managed data sources directly from your VPC without using public IPs or requiring traffic to traverse the Internet. To learn more, see the user guide for Connecting to Amazon VPC from Amazon Managed Grafana.

Currently, you can connect one Amazon Managed Grafana workspace to one VPC endpoint in the same region and same account. However, you can use Virtual Private Cloud peering or AWS Transit Gateway to connect the cross-region or cross-account VPCs, then select the VPC endpoint that’s in the same account and same region as your Amazon Managed Grafana workspace. In this way, data sources from different accounts or different regions can all be connected to a single Amazon Managed Grafana workspace. If Virtual Private Cloud peering is not an option for you, please share your use cases with your Account Manager, or email us directly at aws-grafana-feedback@amazon.com.

Yes, you can still connect to public data sources after you configure the VPC connection in your Amazon Managed Grafana workspace. Requests to public data sources must traverse your VPC. If your workspace was connected to data sources before you configured a VPC endpoint, ensure that the VPC is able to reach those previously connected data sources, as all traffic will now route through the VPC connection.

Yes. We provide AWS PrivateLink support between Amazon VPC and Amazon Managed Grafana. You can control access to the Amazon Managed Grafana service from the virtual private cloud (VPC) endpoints by attaching an IAM resource policy for Amazon VPC endpoints. Amazon Managed Grafana supports two different kinds of VPC endpoints. You can connect to the Amazon Managed Grafana service, providing access to the Amazon Managed Grafana APIs to manage workspaces. Or you can create a VPC endpoint to a specific workspace. For information about creating a VPC endpoint for your Grafana workspaces, see Interface VPC endpoints.

Not necessarily. You have granular security controls over the rollout of Amazon Managed Grafana workspaces by defining customer-managed prefix lists and VPC endpoints to help you restrict the inbound network traffic that can reach your Grafana workspaces. Amazon Managed Grafana supports two modes for user and host access of your Grafana workspace: open access and restricted access. The open access mode is the default access setting for Grafana workspaces when there are no VPC endpoints or managed prefix list restrictions to reach your Grafana workspace URL; however, users must still authenticate with the configured identity provider(s) in order to log in to the workspace. The restricted access mode enables you to specify the inbound network traffic that is allowed to reach your workspace. To restrict access, you can configure prefix lists to specify IP address ranges from which users and hosts can reach your Grafana workspace. You can also create interface VPC endpoints to allow AWS resources such as Amazon EC2 instances to access the Amazon Managed Grafana API to manage resources, or you can use a VPC endpoint as part of limiting network access to your Amazon Managed Grafana workspaces.
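One way to audit which workspaces are in open access mode versus restricted access mode, as an added example that is not AWS code. It assumes workspace records shaped like the DescribeWorkspace API response (`networkAccessControl` with `prefixListIds` and `vpceIds`); the sample records and the `restricted-empty` label are constructed for this illustration.

```python
# Added example. Field names follow the DescribeWorkspace response shape
# (e.g. boto3.client("grafana").describe_workspace(...)["workspace"]).
# All IDs below are constructed sample values.
SAMPLE_WORKSPACES = [
    {"id": "g-sample0001", "name": "prod",
     "authentication": {"providers": ["SAML"]},
     "networkAccessControl": {"prefixListIds": ["pl-sample0001"],
                              "vpceIds": ["vpce-sample0001"]}},
    {"id": "g-sample0002", "name": "dev",
     "authentication": {"providers": ["AWS_SSO"]}},
    {"id": "g-sample0003", "name": "staging",
     "authentication": {"providers": ["AWS_SSO"]},
     "networkAccessControl": {"prefixListIds": [], "vpceIds": []}},
]


def access_mode(workspace):
    """Return 'open', 'restricted', or 'restricted-empty' for one workspace."""
    nac = workspace.get("networkAccessControl")
    if nac is None:
        return "open"  # no prefix list or VPC endpoint restriction configured
    allowed = (nac.get("prefixListIds") or []) + (nac.get("vpceIds") or [])
    # Restriction configured but nothing listed: flagged separately so a
    # reviewer can confirm this is intended (a choice made by this example).
    return "restricted" if allowed else "restricted-empty"


def audit(workspaces):
    """Return (workspace id, mode, note) for every workspace needing review."""
    findings = []
    for ws in workspaces:
        mode = access_mode(ws)
        if mode == "open":
            idps = ", ".join(ws.get("authentication", {}).get("providers", []))
            note = f"any network can reach the URL; login via {idps or 'unknown IdP'} only"
        elif mode == "restricted-empty":
            note = "restriction set but no prefix list or VPC endpoint listed"
        else:
            continue
        findings.append((ws["id"], mode, note))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKSPACES):
        print(*finding, sep="  ")
```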

Yes, you can install up to 50 data source, app, or visualization panel plugins, out of all pre-built plugins listed in the Plugin catalog, in addition to the core plugins that are pre-installed in your workspace. You can also update the plugin to a version that works for you. Grafana community plugins that are not listed in the Plugin catalog, and custom-built plugins, cannot be installed in Amazon Managed Grafana.

Your Amazon Managed Grafana workspace includes a page that shows all of your installed plugins and a list of all plugins that are available to install in your workspace. You can access the plugin catalog here.

Pricing

You are billed monthly for the total number of active users that have logged in to each Grafana workspace, with a minimum of one Editor user license per workspace per month. There are two tiers of users: an Editor user price that can be assigned Administrator or Editor roles, and a Viewer user price that can be assigned a Viewer role. For detailed pricing information, please reference the Amazon Managed Grafana pricing page.

An “Active user” has logged in to an Amazon Managed Grafana workspace or made an API request at least once during a monthly billing cycle. Users who are provisioned with access to Grafana workspaces but have not used the service at least once in the monthly billing cycle will not be charged. If no users log into a workspace for a month, you will be billed for one minimum Editor user license per workspace per month.

Yes, you can create multiple workspaces. Users are billed per workspace per month. For example, if User A belongs to both Workspace 1 and Workspace 2, User A will be billed for using Workspace 1 and separately billed for using Workspace 2.

There are three types of API requests when working with an Amazon Managed Grafana workspace. The first type are Amazon Managed Grafana APIs that are used to create, edit, and delete workspaces. These do not incur charges. The second type are Grafana API keys, which are used to manage workspace resources such as dashboards, alerts, and data sources. These are billed per API user license, and can be granted Administrator, Editor, or Viewer permissions. If multiple API keys are associated with the same API user license, then the higher price will be applied to the API user license. Charges for Grafana API user licenses will appear on your AWS bill under the Amazon Managed Grafana section. The third type are Amazon Managed Grafana data queries made to other AWS Services and third-party ISVs that may charge fees for using their APIs. These API fees are charged by the respective AWS service or third-party ISV and not charged by Amazon Managed Grafana. For example, a dashboard in Amazon Managed Grafana that contains CloudWatch metrics will make requests to Amazon CloudWatch, and this will incur API fees on your CloudWatch bill.

You can optionally upgrade to Grafana Enterprise directly from the AWS Console, enabling you to access Enterprise plugins that connect to a wide variety of third-party ISVs, as well as access support and training directly from Grafana Labs. By upgrading to Grafana Enterprise, you can continue to use your existing Amazon Managed Grafana workspaces, and receive additional features in the upgraded workspace, all fully managed on Amazon Managed Grafana. If you decide to unsubscribe Grafana Enterprise from a workspace, this will disable Grafana Enterprise features for that workspace; however, you can continue to use the workspace and access Amazon Managed Grafana features.

You will receive one bill with your Amazon Managed Grafana usage, based on active Editor and active Viewer users per workspace per month. If you upgrade your Amazon Managed Grafana workspace(s) to Grafana Enterprise, you will see charges for Grafana Enterprise on your AWS Marketplace bill. Grafana Enterprise pricing is in addition to Amazon Managed Grafana's per Editor and per Viewer pricing.