In this lecture, I want to discuss how the AWS Data Provider for SAP is able to collect metrics and data from Amazon EC2 instances and Amazon CloudWatch.  As you’re probably aware, information like this is not freely available to any agent that needs it, and so of course the Data Provider agent will need to be given the appropriate and relevant permissions to read and retrieve this data.  This access is granted through the use of IAM Roles.  

If you are unfamiliar with IAM roles, then please see our existing course here for more information. During the creation of your role, which will be an AWS Service role type, with EC2 as the selected service, you can create a new permissions policy.  It’s these permissions that define what the AWS Data Provider for SAP can access within your environment.  AWS recommends using the following policy shown here: 

Let’s take a closer look at what is actually happening here. Firstly, we have two Statement IDs (SID): VisualEditor0 and VisualEditor1. Under the SID of VisualEditor0, we can see that it allows 3 actions to be performed on ANY resource, these being:

• EC2:DescribeInstances - This will allow a great deal of information to be returned to the Data Provider about EC2 instances, more information on this API can be found here.
• Cloudwatch:GetMetricStatistics - This allows the retrieval of statistics for specified metrics, and so the Data Provider will use this to pull metric data back from CloudWatch
• EC2:DescribeVolumes - Finally, this will enable the Data Provider to see information and data relating to your EBS volumes.

The 2nd SID, VisualEditor1 allows the API of s3:GetObject from a particular resource residing in Amazon S3.  You might be wondering what this resource is, and why it’s required as a part of the permissions policy. Well, as a part of the AWS Data Provider for SAP, there are some elements and components that you can customize within a configuration file known as config.properties, such as known EC2 types, or EBS volumes.  When a new EC2 instance type is released, or a new EBS volume type, it can be added to this config.properties file to make the Data Provider aware of its existence.  

When the Data Provider is running it generates a database by reading the available config.properties file, which can be read from a number of different sources, and it's read in a particular order. 

1. Firstly, it will try to read the config.properties file directly from the Data Provider application, via a JAR file
2. Next, it will try to read the config.properties file from the S3 resource location we see in policy, which is why we have this permission in the policy! This is a file that AWS manages and updates
3. And lastly, the file is read from default locations on Linux and Windows instances as shown here.

Once the permissions are granted, they can then be associated with your EC2 instance running the AWS Data Provider for SAP.