Monitor AWS GovCloud With Metricly

As many organizations migrate to the cloud, they need to adhere to strict information regulations on how their data is stored. Many use a segment of the AWS Cloud that is designated as secure for controlled and unclassified government data: GovCloud. In this article, we’ll look at the GovCloud service itself, and implementing a comprehensive strategy to monitor AWS GovCloud resources with Metricly.

What is AWS GovCloud?

AWS GovCloud (US) is a segment of Amazon Web Services cloud offerings that restrict physical and logical administrative access to U.S. citizens only. The region meets the requirements for U.S. International Traffic in Arms Regulations (ITAR), and allows users to move Controlled Unclassified Information (CUI) into the cloud. In addition to ITAR, GovCloud has also received certifications for:

  • Federal Risk and Authorization Management Program (FedRAMP)
  • Authorization to Operate (ATO) from the U.S. Department of Health and Human Services (HHS).
  • S. Department of Defense (DoD) security level 3-5 authorization

GovCloud provides agencies with opportunities to experiment with the cloud, and see what new and creative solutions they can develop. Examples of this have been shared by Tom Soderstrom from NASA’s Jet Propulsion Lab who has spoken at multiple RE:Invent conferences about how they have leveraged the power of the cloud to gather and process ever-increasing amounts of data to perform their critical missions.

How is GovCloud Different from Other AWS Regions?

Since we’re talking about monitoring in this article, it’s worth pointing out that a fundamental difference between the GovCloud region and other AWS regions is that the GovCloud region does not allow for CloudWatch API access through an IAM role. We’ll come back to this when we talk about enabling access to third-party monitoring solutions to stream metrics information from your GovCloud account.

Another key difference is that authentication for GovCloud accounts is maintained in an entirely different stack than that used by other regions.

Finally, the list of available services approved for use in GovCloud is an approved subset of those available in other regions. This list is updated as additional services are approved and made available in the region. A list of approved services can be viewed here.

What Security Precautions Do I Need to Take When Using It?

The security precautions you should take when using GovCloud are much the same as you should take when using any online service. It is important that you don’t share your credentials with anyone. Each user should have a unique account with permissions appropriate to the access they require to accomplish their responsibilities. Accounts should be regularly reviewed for compliance, and disabled when a user no longer requires access.

Developing a Plan to Monitor AWS GovCloud

Moving operations to the cloud can enable an organization to harness the power of more computing resources than would be available in a dedicated data center. While the benefit of handing off the maintenance and provisioning of infrastructure to an IAAS provider like AWS provides some peace of mind, this does not abdicate users from the responsibility to ensure that their applications are performing as expected, nor does it provide any guarantee that instances will always be available and healthy.

A comprehensive plan to monitor AWS GovCloud ensures that you and your organization will be kept apprised of changes within the cloud environment, and will be notified when outages or anomalies occur. The benefits of such a plan extend from more cost efficient use of resources to reduce your AWS bill, to more reliable data and performant processing of information.

Why Use Metricly?

With many third-party monitoring vendors to select from, let’s discuss why you should consider Metricly as a tool to collect, analyze and help you monitor your data.

Metricly is not only a comprehensive monitoring and analytics platform—They have also invested heavily in providing tools to leverage your data and provide you with dashboards, anomaly detection and policies designed to alert you to problems before they become critical.

All of those tools are available for you to use the instant you set up an account on their system and configure an agent to import your metrics. If you don’t already have an account, you can sign up for a 21-day free trial here.

With minimal effort, you’ll be able to access recommendations to optimize cost, performance, and reliability, and make decisions based on easy to understand and actionable data.

It’s worth noting that a monitoring service like Metricly will ingest only performance-related statistics from your GovCloud account. The actual data stored in the account is not accessed by the Metricly agents, and as such will remain securely within your AWS GovCloud account.

Enabling Access to the Right Data

As we talked about before, there are restrictions on how third-party services like Metricly can access your GovCloud. Let’s walk through how to enable read-only access to the performance metrics within your account for analysis by Metricly to monitor AWS GovCloud.

Begin by logging into your GovCloud account, and navigating to the IAM Dashboard. We’re going to create a new user for Metricly to use when retrieving performance data. Click on the link to view Users under IAM Resources.

Click on the Add user button, and then on the next screen, select an appropriate name, and check the box next to Programmatic access. Click on Next: Permission.

monitor AWS govcloud

Creating a User for Programmatic Access

On the next page, click on the option to Attach existing policies directly. Type ReadOnlyAccess into the Policy Type filter. Scroll down until you find the ReadOnlyAccess Policy, and check the box next to it. Click on Next: Review.

ReadOnlyAccess GovCloud

ReadOnlyAccess Filter

Finally, click on Create user, and select a name and description for your role.

The confirmation page should indicate that your user was successfully created and should give you both an Access key ID and an obfuscated Secret access key. Click on the show link to view the Secret access key.

NOTE: This secret access key needs to be kept private. This is also the only time you’ll be able to view it.

In a second tab, log in to your Metricly account, and navigate to the Integrations page. Click on the Amazon Web Services button to open that Integration page.

AWS Metricly Integration Card

AWS Metricly Integration Card

Check the box next to In GovCloud. This will limit the options for access below. Enter the Access Key ID and Secret Access Key for the user we just created. Finally, if you know which resources within GovCloud you’ll be using and monitoring, scroll down the list of types to include, and ensure the relevant services are checked.

Metricly integration to monitor AWS govcloud

Completing the AWS Integration

Finally, click on Save to complete the process. If you make a mistake this page or need to add or remove AWS services at a later time, you can update it later time.

Leveraging the Power of Metricly

For the best experience, you’ll want to install the Metricly agent on instances that you deploy into your GovCloud VPC. Metricly offers both a Linux and a Windows agent which is easily installed and can be scripted to be automatically applied to new instances using Chef, Ansible or Salt. The agent is configured to handle typical use cases, but can be further customized if required.

Once you have an Integration set up, you can follow the links from the Integration Setup page to view available metrics on the Metrics and Inventory pages. You can also navigate to the Dashboards page and view some of the preconfigured dashboards which are automatically provisioned when you include specific metrics types in your feed from the cloud. Preconfigured dashboards are created by research(operator)netuitive.com and can be copied and manipulated as needed to suit your needs.

Finally, Metricly provides a series of Policies which may be invoked if specific conditions are met. The beauty of these policies is that they are the result of years of extensive experience by experts in the world of monitoring. They use a series of algorithms to determine when the metrics for a service fall outside the range of values which is expected.

Each of the policies can be adjusted, and notifications added if you or your team would like to be notified if anomalies or catastrophic failures are encountered. Notifications can be set up to be sent via email, Slack, HipChat, SNS, and WebHook, among others. A notification can take the form of an actual notification to a real person, or you can use the WebHook option to invoke a call to an external service to automatically correct a specific situation.


Mike Mackrory is a Global citizen who has settled down in the Pacific Northwest – for now. By day he works as a Senior Engineer on a Quality Engineering team and by night he writes, consults on several web based projects and runs a marginally successful eBay sticker business. When he’s not tapping on the keys, he can be found hiking, fishing and exploring both the urban and the rural landscape with his kids. Always happy to help out another developer, he has a definite preference for helping those who bring gifts of gourmet donuts, craft beer and/or Single-malt Scotch.

Start monitoring performance, capacity, and cost with Metricly today – sign up for a free no-credit-card-required trial.