Step 1: Get set up
Before you get started, prepare by running through the steps in Setting up Amazon DevOps Guru (p. 6).
Step 2: Enable DevOps Guru
To configure Amazon DevOps Guru to use for the first time, you must choose how you want to set up DevOps Guru. You can either monitor applications across your organization or monitor applications in your current account.
You can either monitor your applications across your organization or enable DevOps Guru for exclusively the current account. The following procedures outline different ways to set up DevOps Guru based on your needs.
Monitor accounts across your organization
If you choose to monitor applications across your organization, log into your organization management account. You can optionally set up an organization member account as a delegated administrator. You can only have one delegated administrator at a time and can modify the administrator settings later.
Both the management account and the delegated administrator account that you set up have access to all insights across all accounts in your organization.
You can either add cross account support for your organization using the Console, or you can do so by using the AWS CLI.
Onboard with the DevOps Guru Console
You can use the Console to add support for accounts across your organization.
Use the Console to enable DevOps Guru to view aggregated insights
1. Open the Amazon DevOps Guru console at https://console.aws.amazon.com/devops-guru/.
2. Choose Monitor applications across your organizations as the setup type.
3. Choose which account you'd like to use as your delegated administrator. Then, choose Register delegated administrator. This provides access to a consolidated view for any account that has DevOps Guru enabled. The delegated administrator has a consolidated view of all DevOps Guru insights and metrics across your organization. You can enable other accounts with SSM quick setup or AWS CloudFormation stack sets. To learn more about quick setup, see Configure DevOps Guru with Quick Setup. To learn more about setting up with stack sets, see Working with stacks in the
Monitor your current account
AWS CloudFormation User Guide, and Step 2 – Determine coverage for DevOps Guru (p. 6). and Use AWS CloudFormation stacks to identify resources in your DevOps Guru applications (p. 34).
Onboard with the AWS CLI
You can use the AWS CLI to enable DevOps Guru to view aggregated insights. Run the following commands.
aws iam create-service-linked-role aws-service-name devops-guru.amazonaws.com --description "My service-linked role to support DevOps Guru"
aws organizations enable-aws-service-access --service-principal devops-guru.amazonaws.com aws organizations register-delegated-administrator --account-id >ACCOUNT_ID< --service-principal devops-guru.amazonaws.com
The following table describes the commands.
Command Description
create-service-linked-role Gives DevOps Guru permission to gather information about your organization. Don't proceed if this step is not successful.
enable-aws-service-access Onboards your organization to DevOps Guru.
register-delegated-administrator Gives access to the member account to view insights.
Monitor your current account
If you choose to monitor applications in your current AWS account, choose which AWS resources in your account and Region are covered or analyzed and specify one or two Amazon Simple Notification Service topics that are used to notify you when an insight is created. You can update these settings later as needed.
Enable DevOps Guru to monitor applications in your current AWS account
1. Open the Amazon DevOps Guru console at https://console.aws.amazon.com/devops-guru/.
2. Choose Monitor applications in the current AWS account as the setup type.
3. In DevOps Guru analysis coverage, choose one of the following.
• Analyze all AWS resources in the current AWS account: DevOps Guru analyzes all AWS resources in your account.
• Choose AWS resources to analyze later: You choose your analysis boundary later. For more information, see Determine coverage for DevOps Guru (p. 6) and Update your AWS analysis coverage in DevOps Guru (p. 39).
DevOps Guru can analyze any resource that is associated with the AWS account it supports. For more information about the supported services and resources, see Amazon DevOps Guru pricing.
4. You can add up to two topics. DevOps Guru uses the topic or topics to notify you about important DevOps Guru events, such as the creation of a new insight. If you don't specify a topic now, you can add one later by choosing Settings in the navigation pane.
Step 3: Specify your DevOps Guru resource coverage
a. In Specify an Amazon SNS topic, choose a topic to use.
b. To add an Amazon SNS topic, do one of the following.
• Choose Chose an existing SNS topic in your AWS account. Then, from Choose a topic in your AWS account, choose the topic you want to use.
• Choose Create a new SNS topic. Then, in Create a new topic, enter the name for your new topic.
• Choose Use an SNS topic ARN to specify an existing account. Then, in Enter an ARN for a topic, enter the topic ARN. The ARN is the topic's Amazon Resource Name. You can specify a topic in a different account. If you use a topic in another account, you must add a resource policy to the topic. For more information, see Permissions for cross account Amazon SNS topics (p. 70).
c. Choose Add SNS topic if you want to add a second topic.
d. Choose Save.
5. Choose Enable.
To configure Amazon DevOps Guru to use for the first time, you must choose which AWS resources in your account and Region is covered, or analyzed, and specify one or two Amazon Simple Notification Service topics that are used to notify you when an insight is created. You can update these settings later as needed.
Step 3: Specify your DevOps Guru resource coverage
If you chose to specify AWS resources later when you enabled DevOps Guru, you need to choose the AWS CloudFormation stacks in your AWS account that create the resources you want analyzed. An AWS CloudFormation stack is a collection of AWS resources that you manage as a single unit. You can use one or more stacks to include all the resources required to run your operational applications, then specify them so that they are analyzed by DevOps Guru. If you don't specify stacks, then DevOps Guru analyzes all the AWS resources in your account. For more information, see Working with stacks in the AWS CloudFormation User Guide, and Determine coverage for DevOps Guru (p. 6). and Use AWS CloudFormation stacks to identify resources in your DevOps Guru applications (p. 34).
NoteFor more information about supported services and resources, see Amazon DevOps Guru pricing.
Specify AWS CloudFormation stacks for DevOps Guru resource coverage
1. Open the Amazon DevOps Guru console at https://console.aws.amazon.com/devops-guru/.
2. Expand Settings in the navigation pane.
3. In Analyzed resources, choose Edit.
4. Choose one of the following coverage options.
• Choose All account resources if you want DevOps Guru to analyze all supported resources in your AWS account and Region. If you choose this option, your AWS account is your resource analysis coverage boundary. All resources in each stack in your account are grouped into their own application. Any remaining resources that are not in a stack are grouped into their own application.
• Choose CloudFormation stacks if you want DevOps Guru to analyze the resources that are in stacks you choose, then choose one of the following options.
Step 3: Specify your DevOps Guru resource coverage
• All resources – All resources that are in stacks in your account are analyzed. Resources in each stack are grouped into their own application. Any resources in your account that are not in a stack are not analyzed.
• Select stacks – Select the stacks that you want DevOps Guru to analyze. The resources in each stack you select are grouped into their own application. You can enter the name of a stack in Find stacks to quickly locate a specific stack. You can select up to 1,000 stacks.
For more information, see Use AWS CloudFormation stacks to identify resources in your DevOps Guru applications (p. 34).
• Choose Tags if you want DevOps Guru to analyze all resources that contain the tags you choose.
Choose a key, then choose one of the following options.
• All resources with this tag key – All resources with tags that have this key are analyzed and grouped into an application, regardless of the tag's value.
• Choose specific tag values – All resources that contain a tag with the key you chose and one of the values you select are analyzed. DevOps Guru groups your resources into applications by your tag's values.
The tag's key must begin with the prefix devops-guru-. This prefix isn't case-sensitive. For example, a valid key is DevOps-Guru-Production-Applications. For more information, see Use tags to identify resources in your DevOps Guru applications (p. 31).
• Choose None if you do not want DevOps Guru to analyze any resources. This option disables DevOps Guru so that you stop incurring charges from resource analyzation.
5. Choose Save.
Enable AWS services for DevOps Guru analysis
Amazon DevOps Guru can analyze the performance of any AWS resource that it supports. When it finds anomalous behavior, it generates an insight with details about the behavior and how to address it. For more information about the supported services and resources, see Amazon DevOps Guru pricing.
DevOps Guru uses Amazon CloudWatch metrics, AWS CloudTrail events, and more to help analyze resources. Most of the resources it supports generate the metrics required for DevOps Guru analysis automatically. However, a few AWS services require extra action to generate the required metrics. For some services, enabling these metrics provides additional analysis to existing DevOps Guru coverage.
For others, analysis is not possible until you enable these metrics. For more information, see Determine coverage for DevOps Guru (p. 6) and Update your AWS analysis coverage in DevOps Guru (p. 39).
Services that require action for DevOps Guru analysis
• Amazon Elastic Container Service – To generate additional metrics that improve DevOps Guru coverage of its resources, follow the steps in Setting up container insights on Amazon ECS. Doing this might incur Amazon CloudWatch charges.
• Amazon Elastic Kubernetes Service – To generate metrics for DevOps Guru to analyze, follow the steps in Setting up container insights on Amazon EKS and Kubernetes. DevOps Guru doesn't analyze any Amazon EKS resources until generation of these metrics is set up. Doing this might incur Amazon CloudWatch charges.
For more information, see Amazon CloudWatch pricing.
View insights
Working with insights in DevOps Guru
Amazon DevOps Guru generates an insight when it detects anomalous behavior in your operational applications. DevOps Guru analyzes the metrics, events, and more in the AWS resources you specified when you set up DevOps Guru. Each insight contains one or more recommendations for you to take to mitigate the issue. It also contains a list of the metrics and a list of the events that were used to identify the unusual behavior.
There are two insight types.
• Reactive insights have recommendations you can take to address issues that are happening now.
• Proactive insights have recommendations that address issues that DevOps Guru predicts will occur in the future.
Topics
• View DevOps Guru insights (p. 16)
• Understanding insights in the DevOps Guru console (p. 17)
• Understanding how anomalous behaviors are grouped into insights (p. 18)
• Understanding insight severities (p. 19)
View DevOps Guru insights
You can view your insights using the AWS Management Console.
View your DevOps Guru insights
1. Open the Amazon DevOps Guru console at https://console.aws.amazon.com/devops-guru/.
2. Open the navigation pane, then choose Insights.
3. On the Reactive tab, you can see a list of reactive insights. On the Proactive tab, you can see a list of proactive insights.
4. (Optional) Use one or more of the following filters to find the insights you are looking for.
• Choose the Reactive or Proactive tab, depending on the type of insight for which you are looking.
• Choose Filter insights, then choose an option to specify a filter. You can add a combination of status, severity, resource, and tag filters. Use an AWS tag filter to view insights generated by only resources with specific tags. To learn more, see Use tags to identify resources in your DevOps Guru applications (p. 31).
Note
DevOps Guru can analyze the following resources, but can't filter their insights using tags.
• Amazon API Gateway paths and routes
• Amazon DynamoDB streams
• Amazon EC2 Auto Scaling group instances
• AWS Elastic Beanstalk environments
Understanding insights in the DevOps Guru console
• Amazon Redshift nodes
• Choose or specify a time range to filter by insight creation time.
• 12h shows insights created in the past 12 hours.
• 1d shows insights created in the past day.
• 1w shows insights created in the past week.
• 1m shows insights created in the past month.
• Custom lets you specify another time range. The maximum time range you can use to filter insights is 180 days.
5. To view details about an insight, choose its name.
Understanding insights in the DevOps Guru console
Use the Amazon DevOps Guru console to view useful information in your insights to help you diagnose and address anomalous behavior. When DevOps Guru analyzes your resources and finds related Amazon CloudWatch metrics, AWS CloudTrail events, and operational data that indicate unusual behavior, it creates an insight that contains recommendations to address the issue and information about the related metrics and events. Use insight data with Best practices in DevOps Guru (p. 44) to address operational problems detected by DevOps Guru.
To view an insight, follow the steps in View insights (p. 16) to find one, then choose its name. The insight page contains the following details.
Insight overview
Use this section to get a high-level overview of the insight. You can see the status of the insight (Ongoing or Closed), how many AWS CloudFormation stacks are affected, when the insight started, ended, and was last updated, and the related operations item if there is one.
If an insight is grouped at the stack level, then you can choose the number of affected stacks to see their names. The anomalous behavior that created the insight occurred in resources created by the affected stacks. If an insight is grouped at the account level, then the number is zero or does not appear.
For more information, see Understanding how anomalous behaviors are grouped into insights (p. 18).
Insight name
The name of an insight depends on whether it is grouped at the stack level or the account level.
• Stack level insight names include the name of the stack that contains the resource with its anomalous behavior.
• Account level insight names do not include a stack name.
For more information, see Understanding how anomalous behaviors are grouped into insights (p. 18).
Aggregated metrics
Choose the Aggregated metrics tab to view metrics that are related to the insight. In the table, each row represents one metric. You can see which AWS CloudFormation stack created the resource that emitted the metric, the name of the resource, and its type. Not all metrics are associated with an AWS CloudFormation stack or have a name.
Understanding how anomalous behaviors are grouped into insights
When there are multiple resources anomalous at the same time, the timeline view aggregates the resources and presents their anomalous metrics in a single timeline for easy analysis. The red lines on a timeline indicate spans of time when a metric emitted unusual values. To zoom in, use your mouse to choose a specific time range. You can also use the magnifying glass icons to zoom in and out.
Choose a red line in the timeline to view detailed information. In the window that opens, you can:
• Choose View in CloudWatch to see how the metric looks in the CloudWatch console. For more information, see Statistics and Dimensions in the Amazon CloudWatch User Guide.
• Hover over the graph to view details about the anomalous metric data and when it occurred.
• Choose the box with the downward arrow to download a PNG image of the graph.
Graphed anomalies
Choose the Graphed anomalies tab to view detailed graphs for each of the insight's anomalies.
One tile appears for each anomaly with details about unusual behavior detected in related metrics.
You can investigate and look at an anomaly at the resource level and per statistic. The graphs are grouped by metric name. In each tile, you can choose a specific time range in the timeline to zoom.
You can also use the magnifying glass icons to zoom in and out, or choose a predefined duration in hours, days, or weeks (1H, 3H, 12H, 1D, 3D, 1W, or 2W).
Choose View all statistics and dimensions to see details about the anomaly. In the window that opens, you can:
• Choose View in CloudWatch to see how the metric looks in the CloudWatch console.
• Hover over the graph to view details about the anomalous metric data and when it occurred.
• Choose Statistics or Dimension to customize the graph's display. For more information, see Statistics and Dimensions in the Amazon CloudWatch User Guide.
Related events
In Related events, view AWS CloudTrail events that are related to your insight. Use these events to help understand, diagnose, and address the underlying cause of the anomalous behavior.
Recommendations
In Recommendations, you can view suggestions that might help you resolve the underlying problem. When DevOps Guru detects anomalous behavior, it attempts to create recommendations.
An insight might contain one, multiple, or zero recommendations.
Understanding how anomalous behaviors are grouped into insights
An insight is grouped at the stack level or the account level. If an insight is generated for a resource that is in an AWS CloudFormation stack, then it is a stack level insight. Otherwise, it is an account level insight.
How a stack is grouped can depend on how you configured your resource analysis coverage in Amazon DevOps Guru.
If your coverage is defined by AWS CloudFormation stacks
All resources contained in the stacks you choose are analyzed, and all detected insights are grouped at the stack level.
If your coverage is your current AWS account and Region
All resources in your account and Region are analyzed, and there are three possible grouping scenarios for detected insights.
Understanding insight severities
• An insight generated from a resource that is not part of a stack is grouped at the account level.
• An insight generated from a resource that is in one of the first 10,000 analyzed stacks is grouped at the stack level.
• An insight generated from a resource that is not in one of the first 10,000 analyzed stacks is grouped at the account level. For example, an insight generated for a resource in the 10,001st analyzed stack is grouped at the account level
For more information, see Determine coverage for DevOps Guru (p. 6).
Understanding insight severities
An insight can have one of three severities, high, medium, or low. An insight is created by Amazon DevOps Guru after it detects related anomalies and assigns each anomaly a severity. DevOps Guru assigns an anomaly a severity of high, medium, or low using domain knowledge and years of collective experience. An insight's severity is determined by the most severe anomaly that contributed to creating
An insight can have one of three severities, high, medium, or low. An insight is created by Amazon DevOps Guru after it detects related anomalies and assigns each anomaly a severity. DevOps Guru assigns an anomaly a severity of high, medium, or low using domain knowledge and years of collective experience. An insight's severity is determined by the most severe anomaly that contributed to creating