# Setup Metrics Collection

Memory Metrics in OneLens allows you to monitor memory usage across your AWS accounts. While the feature is **enabled by default in your OneLens tenant**, you’ll need to **perform a one-time setup in each AWS account** where you want to start collecting memory metrics.

## Steps to Connect an AWS Account

1. Log in to [OneLens UI](https://app-in.onelens.cloud/).
2. Navigate to **Integrations** from the left sidebar.
3. Under **Cloud Integration**, select **AWS** and click **View Details**.
4. Switch to the **Memory Metrics** tab.

   You'll see a list of AWS accounts along with their current connection status.

<figure><img src="/files/YCwS3izBeKYaNuRV6iaW" alt="" width="563"><figcaption></figcaption></figure>

5. Click **Connect** next to the account you want to set up.

   A dialog box appears with two setup options:

{% tabs %}
{% tab title="Ask Someone" %}
Use this when you want another team member to complete the setup.

* You’ll be prompted to **enter the user's email address** and optionally **add a comment** (e.g., “Please complete memory metrics setup for this account”).
* OneLens will send the setup instructions to the specified email.
  {% endtab %}

{% tab title="Connect Yourself" %}
Use this when you want to perform the setup directly.

* You’ll be guided through the exact setup steps based on your AWS environment.
  {% endtab %}
  {% endtabs %}

## Setup Options Based on Your AWS Environment

Depending on your AWS environment, you will need to follow one of the setup paths outlined below:

### 1. Master–Child Setup (AWS Organizations)

Use this method when you want to track memory metrics across an entire AWS Organization with one configuration step on the master account.

{% hint style="warning" %}

## Important

To begin, click **Connect** next to the **master account** in the Memory Metrics tab.
{% endhint %}

{% stepper %}
{% step %}
[**Setup Delegate Account**](#set-up-delegated-account-and-enable-change-manager)

Within your AWS Organization, assign a **delegate account** that will manage deployments across all child accounts using AWS Systems Manager and StackSets.

{% hint style="danger" %}

## **Important**

The **master/payer account cannot be used as a delegated account**. Ensure you create the delegated account from the master account, not as the master account itself.
{% endhint %}
{% endstep %}

{% step %}
[**Enable AWS Change Manager**](#set-up-delegated-account-and-enable-change-manager)

In the delegate account, activate AWS **Change Manager** to allow auditable and secure execution of automated deployments.
{% endstep %}

{% step %}
[**Deploy CloudFormation Template as a StackSet for Child Accounts**](#id-2.-deploy-childcft-as-a-stackset)

Use **StackSets** to roll out the same configuration to all child accounts (including the master account).

**Child CFT Link:**

{% code overflow="wrap" %}

```
https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-child.template.json
```

{% endcode %}
{% endstep %}

{% step %}
[**Deploy CloudFormation Template as a Stack**](#id-1.-deploy-master-cft-as-a-stack)

Deploy the provided CloudFormation Template (CFT) in the delegate account to configure required IAM roles and data collection setup.

**Master CFT Link:**

{% code overflow="wrap" %}

```url
https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-master.template.json
```

{% endcode %}
{% endstep %}
{% endstepper %}

{% hint style="info" %}

## Output of CFT Installation

* IAM roles required for SSM automation and data collection are created.

  Check [#permissions-required](#permissions-required "mention")
* Runbooks for enabling/disabling memory metrics are registered in AWS Change Manager.
* OneLens is now set to manage memory metrics automatically.
  {% endhint %}

### 2. Individual Account Setup

Use this if you prefer to configure memory metrics on a per-account basis or do not use AWS Organizations.

{% stepper %}
{% step %}
[**Enable AWS Change Manager**](#enable-change-manager)

Enable **AWS Change Manager** within the selected account to safely manage and track CloudFormation deployments.

{% hint style="warning" %}

## **Note**

For individual accounts, you can skip directly to **Step 6: Setup Change Manager** and continue the setup from there.
{% endhint %}
{% endstep %}

{% step %}
[**Deploy CloudFormation Template as a Stack**](#id-1.-deploy-master-cft-as-a-stack)

Deploy the provided master CloudFormation Template (CFT) to configure the account for memory metrics collection.

**Master CFT Link:**

{% code overflow="wrap" %}

```url
https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-master.template.json
```

{% endcode %}
{% endstep %}
{% endstepper %}

{% hint style="success" %}
Repeat these steps for each account you want to track independently.
{% endhint %}

## Set Up Delegated Account & Enable Change Manager

{% stepper %}
{% step %}

#### Locate Change Manager

* Open the AWS Console in your Master Account.
* Search for **`Change Manager`** and select **`Set up organization`**.\
  Note: If you have already set up your AWS Organization, you can skip to **step 6: Setup Change Manager**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/679ca7392df324ceeced7c82_Frame%2024.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Quick Setup

* On the **`Quick Setup`** page, click **`Create`** under Change Manager.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/679ca8482df324ceecedb069_Frame%201171275761.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Assign Delegated Account

* From your accounts list, choose one to act as the central account for executing changes.

{% hint style="warning" %}
Note: The Master/Payer account cannot be used.
{% endhint %}

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a1036fb3c9672bc691b813_Install%20Change%20Manager%20step%203.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Configure Permissions

* In the **Permissions to request and make changes** section, create a temporary permission set:

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a104980f53ee2286ffa823_Install%20Change%20Manager%20step%204.png" alt="" width="563"><figcaption></figcaption></figure>

Paste the following JSON Code in the editor.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:*",
      "Resource": "*"
    }
  ]
}
```

* Now locate CloudShell on the bottom left of the screen.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67bf11b55ba079cc1a6ee25e_Cloudshell.png" alt="" width="563"><figcaption></figcaption></figure>

* When CloudShell opens, run these commands.\
  Before running the commands, ensure that you specify the correct region where you want to deploy.

{% code overflow="wrap" %}

```sh
aws iam create-service-linked-role --aws-service-name ssm.amazonaws.com --region {region}
```

{% endcode %}

{% code overflow="wrap" %}

```sh
aws iam create-service-linked-role --aws-service-name changemanagement.ssm.amazonaws.com
```

{% endcode %}

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67bf0b92f2f7c20b646819a5_97860f4ce34ddba45578b5dc180adf22_Configure%20Permissions.png" alt="" width="563"><figcaption></figcaption></figure>

* If a command returns an error, first verify the region settings in both your environment and the command. If the region is correct, the error can be ignored.
  {% endstep %}

{% step %}

#### Finalize Setup

* Leave remaining fields blank (add tags if needed) and click **`Create`**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a10e21480f6f5bcb45f392_Install%20Change%20Manager%20step%205.png" alt="" width="563"><figcaption></figcaption></figure>

* Wait for deployment to complete.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a10e3683bfc19006953b14_Install%20Change%20Manager%20step%206.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Setup Change Manager

* Navigate to Change Manager and select **`Settings`**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a10ea6ed706ccd0a5bb12d_Install%20Change%20Manager%20step%207.png" alt="" width="563"><figcaption></figcaption></figure>

* In the settings page click **`Edit`**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a10e5f9bdec0ee2bc3cb6f_Install%20Change%20Manager%20step%208.png" alt="" width="563"><figcaption></figcaption></figure>

* On the edit page, make sure the Change Template review and approval permission is unchecked, then save the settings.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a1140963b58fcbd2cd4d40_Install%20Change%20Manager%20step%209.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Save Organization IDs

* Go to AWS Organizations, **copy your Organization ID and Root ID**, and save them for deploying the CloudFormation Template (CFT).

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a1172997f75ca68ee51029_Install%20Change%20Manager%20step%2010.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

## CloudFormation Templates Deployment

### **Permissions Required**

To enable seamless automation while deploying this CloudFormation Template (CFT), we will acquire the necessary permissions for the **Executor** and **Requestor** roles.

Please review the permissions below before proceeding with the deployment.

<details>

<summary>Executor Role Permissions</summary>

| Service               | Summary                                                                                                    |
| --------------------- | ---------------------------------------------------------------------------------------------------------- |
| IAM RoleManagement    | Pass the Onyx-Execution-Role                                                                               |
| SSM Parameters        | Get and put parameters under parameter/onyx/\*                                                             |
| EventBridge Rules     | Full access to EventBridge rules starting with Onyx-\*                                                     |
| EC2 Operations        | Read and write permissions for managing auto-scaling groups, EC2 instance profiles, IAM roles and policies |
| SSM Parameters        | Full access to all SSM operations                                                                          |
| SNS                   | Publish to SNS topics prefixed with Automation\* or onyx-\*                                                |
| S3 Bucket Access      | Read access to S3 buckets/objects matching \*-onyx-\*                                                      |
| SQS Queue Access      | Full access to Onyx-Orchestrator-Queue                                                                     |
| Scheduler Permissions | Full access to schedule group Onyx-Orchestrator-Schedule-Group                                             |
| Auto Scaling & EC2    | Describe and manage Auto Scaling groups and EC2 instance profiles                                          |
| IAM                   | Manage IAM roles and policies, attach policies, and pass roles                                             |
| Lambda                | Read and update Lambda functions and layers                                                                |
| Tagging               | Add and manage tags for resources                                                                          |

{% code title="JSON" fullWidth="false" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstanceStatus",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags",
        "ec2:AssociateIamInstanceProfile",
        "ec2:DescribeAddresses",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ssm:*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "tag:TagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": ["arn:aws:sns:*:*:onyx-*", "arn:aws:sns:*:*:Automation*"]
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:Automation*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:PutParameter"],
      "Resource": "arn:aws:ssm:*:*:parameter/onyx/*"
    },
    {
      "Effect": "Allow",
      "Action": "events:*",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:PutRolePolicy"],
      "Resource": [
        "arn:aws:iam::471112792234:policy/Onyx-*",
        "arn:aws:iam::471112792234:role/Onyx-*"
      ]
    }
  ]
}
```

{% endcode %}

</details>

<details>

<summary>Requestor Role Permissions</summary>

| Service          | Summary                                                                  |
| ---------------- | ------------------------------------------------------------------------ |
| ECR              | Get Image for Lambda Execution                                           |
| Organizations    | List accounts for parent                                                 |
| SSM (OpsItem)    | Get OpsItem, list OpsItem events                                         |
| SSM (Documents)  | Add tags, create, delete, get, and update documents prefixed with Onyx\* |
| EventBridge      | List tags for EventBridge rules prefixed with Onyx-                      |
| SSM (Automation) | Start change request execution for automations prefixed with Onyx\*      |
| SSM (Automation) | Add tags, get automation execution details                               |
| S3 Bucket Access | Get and list access for S3 buckets and objects matching \*-onyx-\*       |
| SQS Queue Access | Full access to Onyx-Orchestrator-Queue                                   |
| SNS              | Publish to SNS topics prefixed with onyx-\*                              |

{% code title="JSON" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "organizations:ListAccountsForParent",
        "ssm:GetOpsItem",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::*-onyx-*", "arn:aws:s3:::*-onyx-*/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:*:*:onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "scheduler:*",
      "Resource": [
        "arn:aws:scheduler:*:*:schedule-group/Onyx-Orchestrator-Schedule-Group",
        "arn:aws:scheduler:*:*:schedule/Onyx-Orchestrator-Schedule-Group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::471112792234:role/Onyx-Orchestrator-Role",
        "arn:aws:iam::471112792234:role/Onyx-Execution-Role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:GetDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:UpdateDocumentMetadata",
        "ssm:UpdateOpsItem"
      ],
      "Resource": "arn:aws:ssm:*:471112792234:document/Onyx*"
    },
    {
      "Effect": "Allow",
      "Action": "events:ListTagsForResource",
      "Resource": "arn:aws:events:*:*:rule/Onyx-*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartChangeRequestExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/Onyx*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:AddTagsToResource", "ssm:GetAutomationExecution"],
      "Resource": "arn:aws:ssm:*:*:automation-execution/*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/Onyx-Execution-Role*"
    }
  ]
}
```

{% endcode %}

</details>
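
The two policies above mix tightly scoped grants with `ssm:*` and IAM write actions on `"Resource": "*"`, so a quick pass that separates the broad statements from the scoped ones helps when reviewing them before deployment. The Python below is an added example, not part of the OneLens templates; `review_policy`, the finding codes and the shortened sample policy (built from statements shown above) are assumptions made for illustration.

```python
import json

# IAM actions that create or alter roles, policies and instance profiles.
# With Resource "*" they are not limited to the Onyx-* resources.
IAM_WRITE_ACTIONS = {
    "iam:createrole", "iam:attachrolepolicy", "iam:putrolepolicy",
    "iam:createpolicy", "iam:createinstanceprofile",
    "iam:addroletoinstanceprofile",
}
# Actions that hand a role to a service or switch into one.
ROLE_HANDOFF_ACTIONS = {"iam:passrole", "sts:assumerole"}

# Constructed sample: a shortened mix of statements taken from the Executor
# and Requestor policies on this page (not the full policies).
SAMPLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ssm:*", "iam:CreateRole",
                "iam:AttachRolePolicy", "iam:GetRole"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:ap-southeast-1:471112792234:Onyx-Orchestrator-Queue"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::471112792234:role/Onyx-Execution-Role"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::*:role/Onyx-Execution-Role*"}
  ]
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement_index, finding_code, action) for each broad Allow grant.

    Only the Action and Resource keys are examined; NotAction, NotResource
    and Condition blocks are outside the scope of this example.
    """
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        all_resources = "*" in resources
        for action in as_list(stmt.get("Action", [])):
            lowered = action.lower()
            if lowered == "*" or lowered.endswith(":*"):
                # Every operation of a service: note whether it is scoped.
                code = ("SERVICE_WILDCARD_ALL_RESOURCES" if all_resources
                        else "SERVICE_WILDCARD_SCOPED")
                findings.append((index, code, action))
            elif lowered in IAM_WRITE_ACTIONS and all_resources:
                findings.append((index, "IAM_WRITE_ALL_RESOURCES", action))
            elif lowered in ROLE_HANDOFF_ACTIONS and any("*" in r for r in resources):
                # A wildcard in the role ARN widens which roles can be used.
                findings.append((index, "ROLE_ARN_WILDCARD", action))
    return findings


if __name__ == "__main__":
    for index, code, action in review_policy(SAMPLE_POLICY):
        print(f"statement {index}: {code}: {action}")
```

Statements that come back as `SERVICE_WILDCARD_ALL_RESOURCES` or `IAM_WRITE_ALL_RESOURCES` are the ones to compare against the summary tables and your organization's permission boundaries before acknowledging role creation.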

### 1. Deploy Master CFT as a Stack

1. Log in to the Delegated Account chosen while setting up the Change Manager.
2. Navigate to CloudFormation and click **`Create Stack`**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a12d02b0cb4ed236462d87_Create%20Master%20stack%20step%201.png" alt="" width="563"><figcaption></figcaption></figure>

3. Choose **`Use an existing template`**.
4. Paste this URL in the template section.

   <pre class="language-url" data-overflow="wrap"><code class="lang-url">https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-master.template.json
   </code></pre>

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a12de380436f4779a57687_Create%20Master%20stack%20step%202.png" alt="" width="563"><figcaption></figcaption></figure>

5. Provide a stack name, keep the Environment as "**prod**", and set the Region to "**mum**" (change region to "us" if in the US region).
6. Enter your Organization ID (only if you have a master-child setup).

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a12e2c5589eeae7c2e3c50_Create%20Master%20stack%20step%203.png" alt="" width="563"><figcaption></figcaption></figure>

7. Add tags as needed, acknowledge role creation, and click "**Submit**".

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a12e872358ed1879ac7808_Create%20Master%20stack%20step%204.png" alt="" width="563"><figcaption></figcaption></figure>

8. Wait for deployment to complete.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a12f73ba368cd775e149c3_Create%20Master%20stack%20step%205.png" alt="" width="563"><figcaption></figcaption></figure>

### **2. Deploy Child CFT as a StackSet**

1. Log in to the Delegated Account.
2. Navigate to CloudFormation, select StackSets and click **`Create Stack`**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13d6ca2c4b2ed3dfd679c_Create%20Child%20Stack%20step%201.png" alt="" width="563"><figcaption></figcaption></figure>

3. Select "**Service-managed permissions**" as the Permission Model.
4. Paste this URL in the template section.

   <pre class="language-url" data-overflow="wrap"><code class="lang-url">https://prod-onyx-backend.s3.ap-south-1.amazonaws.com/onyx/aws/cft/onyx-child.template.json
   </code></pre>

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13d8bc22794ae4280bb65_Create%20Child%20Stack%20step%202.png" alt="" width="563"><figcaption></figcaption></figure>

5. Select a preferred stack name.
6. Enter the Delegated Account ID, keep the Environment as "**prod**", and set the Region to "**mum**" (change region to "us" if in the US region) for deploying the Child Stack.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13da34902191980bf7fe4_Create%20Child%20Stack%20step%203.png" alt="" width="563"><figcaption></figcaption></figure>

7. Add any desired tags and click **Next**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13f1bc22794ae42825bbb_Create%20Child%20Stack%20step%204.png" alt="" width="563"><figcaption></figcaption></figure>

8. Select **`Deploy new stacks`**.
9. Under Deployment targets, choose **`Deploy to organizational units`**.
10. Enter the root OU ID saved earlier.
11. For Account filter type, select **`Difference`** and input the Delegated Account ID in the Account numbers section.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13df3d3e1288b367148fd_Create%20Child%20Stack%20step%205.png" alt="" width="563"><figcaption></figcaption></figure>

12. Select a region where you want to deploy the child stack.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13f4f30f617979380209b_Create%20Child%20Stack%20step%206.png" alt="" width="563"><figcaption></figcaption></figure>

13. Define the maximum concurrent accounts linked in your organization. Select **Parallel** for region concurrency and click **Next**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13f667e4ccb7872b9b94d_Create%20Child%20Stack%20step%207.png" alt="" width="563"><figcaption></figcaption></figure>

14. Acknowledge IAM role creation and click **`Submit`**.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13f8b7bcd13d2a264a4f9_Create%20Child%20Stack%20step%208.png" alt="" width="563"><figcaption></figcaption></figure>

15. Allow deployment to complete.

<figure><img src="https://cdn.prod.website-files.com/654cc1953659fbce12c35b03/67a13f9b4d2b21ca87e40733_Create%20Child%20Stack%20step%209.png" alt="" width="563"><figcaption></figcaption></figure>

## Post-Setup

Once the setup is complete, the **connection status** in the **Memory Metrics** tab will update to **Connected** for the configured account.

From this point forward:

* **OneLens will automatically manage the enabling and disabling of memory metrics** in your account as needed.
* **Memory usage data will begin flowing automatically** into your OneLens dashboard without requiring any manual intervention.


