Configuring Cloud Instance Monitoring using Amazon Web Services
For Cloud Instance Monitoring to automate the retirement activities of certificates issued to your cloud instances, you must:
- create (or have already created) an Amazon AWS credential you can use for accessing your cloud service provider (see About Amazon credentials)
- specify which set of devices and certificates to monitor
- appropriately configure cleanup options
IMPORTANT In order to complete this task, you must have an AWS user account with access keys that have been generated and that has been granted the ec2:DescribeInstances permission.
For information on AWS access keys and policies, visit:
To configure Cloud Instance Monitoring
- From the Platform menu bar, click Policy Tree.
- (Conditional) If you have not already done so, create a new Amazon AWS credential.
  For more information about how to create an Amazon AWS credential, see About Amazon credentials.
- Right-click the policy folder and select Add > AWS EC2 Instance Monitor.
- Enter a name for the object (e.g. Terminated Instance Monitor) and, optionally, enter a Description.
- Select from the list of Region Endpoints the AWS regions in which you have Elastic Compute Cloud (EC2) instances that should be monitored.
  NOTE For information on AWS regions, visit: http://docs.aws.amazon.com/general/latest/gr/rande.html.
- In the Amazon Credential field, select an Amazon credential.
- Select one or more policy folders where this monitor should look for devices and certificates related to EC2 instances that have been terminated.
  All child items contained by the policy folder will be monitored.
  NOTE Although it won’t cause errors, it is highly recommended that no two AWS EC2 Instance Monitors target the same combination of AWS region(s) and policy folder(s). Such a configuration may produce unintended results because there is no concept of priority. The first monitor to work on the device will perform its actions, and those actions might differ from the actions of the other monitor.
- In Remove terminated cloud instances after, enter how many days devices or applications should remain disabled before they are automatically deleted.
  The default is 30 days.
- Choose what happens to certificates associated with terminated instances when their devices and applications are deleted. Certificates may be disabled, revoked, or both.
  The default is to disable the certificates.
- In Move terminated instance certificates to, specify where you want to move these certificates.
  TIP You may want to move them to keep them separate from certificates that are still actively being used. It will also make it easier for you to delete them later.
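The retirement workflow the steps above configure (a device whose instance is reported terminated is disabled, then deleted after the retention window with the chosen certificate action), modelled in Python as an added example that is not the platform's or AWS's own code. The DescribeInstances responses, the device inventory and its field names are constructed and hypothetical; the region filter, the 30-day default and the disable/revoke choice follow the settings described above.

```python
from datetime import date, timedelta
# Constructed DescribeInstances-style responses per region (API shape: Reservations -> Instances -> State.Name).
DESCRIBE_RESPONSES = {
    "us-east-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"}},
        {"InstanceId": "i-0bbb", "State": {"Name": "terminated"}},
    ]}]},
    "eu-west-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}},
    ]}]},
}
# Constructed inventory of devices under the monitored policy folders; field names are hypothetical.
DEVICES = [
    {"name": "web-01", "instance_id": "i-0aaa", "region": "us-east-1", "disabled_on": None},
    {"name": "web-02", "instance_id": "i-0bbb", "region": "us-east-1", "disabled_on": None},
    {"name": "db-01", "instance_id": "i-0ccc", "region": "eu-west-1", "disabled_on": None},
    {"name": "old-01", "instance_id": "i-0ddd", "region": "us-east-1", "disabled_on": date(2024, 1, 1)},
    {"name": "ap-01", "instance_id": "i-0eee", "region": "ap-south-1", "disabled_on": None},
]

def instance_states(responses):
    """Flatten DescribeInstances responses into {(region, instance_id): state}."""
    states = {}
    for region, resp in responses.items():
        for reservation in resp["Reservations"]:
            for inst in reservation["Instances"]:
                states[(region, inst["InstanceId"])] = inst["State"]["Name"]
    return states

def plan_retirement(devices, responses, regions, today, remove_after_days=30, cert_action="disable"):
    """Decide, per device, what the monitor should do on this run."""
    states = instance_states(responses)
    plan = {}
    for dev in devices:
        key = (dev["region"], dev["instance_id"])
        if dev["region"] not in regions:
            plan[dev["name"]] = "skip"  # region not selected in this monitor
        elif dev["disabled_on"] is not None:  # already retired: wait out the retention window
            expired = today - dev["disabled_on"] >= timedelta(days=remove_after_days)
            plan[dev["name"]] = f"delete device, {cert_action} certificate" if expired else "wait"
        elif states.get(key) == "terminated":
            plan[dev["name"]] = "disable"  # first sighting as terminated: disable and start the clock
        elif key not in states:
            plan[dev["name"]] = "review"  # absent from the listing; do not act on missing data alone
        else:
            plan[dev["name"]] = "keep"  # running or stopped is not terminated
    return plan

def example_plan():
    return plan_retirement(DEVICES, DESCRIBE_RESPONSES, {"us-east-1", "eu-west-1"}, date(2024, 2, 15), 30, "revoke")
```

Note that a stopped instance is left alone and a device whose instance is missing from the listing is flagged for review rather than retired, which is the behaviour you want when two monitors or a stale listing could otherwise disagree.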