Configuring Multi-Account Aggregation for Unified Monitoring

Prerequisites

• You have enabled trusted access to AOM on the Organizations console. For details, see Enabling or Disabling a Trusted Service.
• Cloud service metrics have been connected for multiple accounts in an organization.

Constraints

• A Prometheus instance for multi-account aggregation cannot aggregate Prometheus instances for multi-account virtual aggregation or other Prometheus instances for multi-account aggregation.
• The account access (retiring) function is intended for cloud service metrics and not for custom Prometheus metrics and self-built middleware metrics. You are advised to create a Prometheus instance for multi-account aggregation or create a Prometheus instance for multi-account virtual aggregation to aggregate metrics.
• A multi-account virtual aggregation instance can aggregate a maximum of five Prometheus instances.
• Only an organization administrator or an AOM (trusted service) delegated administrator can aggregate the Prometheus instances of other accounts in the organization.
• If the permissions of an AOM delegated administrator are canceled, the aggregated information about other accounts will be cleared from all multi-account virtual aggregation instances within a certain period.
• If an organization member account leaves the organization, the aggregated information about the account will be cleared from all multi-account virtual aggregation instances within a certain period.
• If a delegated administrator cannot aggregate accounts, grant the following permissions to the delegated administrator by referring to Assigning Permissions to an IAM User:
  • organizations:trustedServices:list
  • organizations:organizations:get
  • organizations:delegatedAdministrators:list
  • organizations:accounts:list
  • organizations:delegatedServices:list

Creating a Prometheus Instance for Multi-Account Aggregation

1. Log in to the AOM 2.0 console.
2. In the navigation pane on the left, choose Prometheus Monitoring > Instances. On the displayed page, click Add Prometheus Instance.
3. Set an instance name, enterprise project, and instance type.

   Table 1 Parameters for creating a Prometheus instance

   Parameter	Description
   Instance Name	Prometheus instance name. Enter a maximum of 100 characters and do not start or end with an underscore (_) or hyphen (-). Only letters, digits, underscores, and hyphens are allowed.
   Enterprise Project	Enterprise project to which the instance belongs. Select a project from the drop-down list. If the existing enterprise projects cannot meet your requirements, create one by referring to Creating an Enterprise Project.
   Instance Type	Type of the Prometheus instance. Select Prometheus for Multi-Account Aggregation.
   Tag	Click Add and enter a tag key and value to add a tag. Max.: 20 tags. A tag key can contain letters, digits, spaces, and special characters (_.:=+-@), but cannot start or end with a space or start with _sys_. A tag value can contain letters, digits, spaces, and special characters (_.:/=+-@).
   Description	Description of the Prometheus instance. Enter up to 1,024 characters.
   Aggregation Mode	Mode for aggregating Prometheus instances. Current account's Prometheus instances: Aggregates the Prometheus instances of the current account to the multi-account aggregation instance. Other accounts' Prometheus instances: Aggregates the Prometheus instances of other accounts in the same organization to the multi-account aggregation instance.
   Select Accounts to Aggregate	This parameter is available only when you set Aggregation Mode to Other accounts' Prometheus instances. NOTE: You do not need to set this parameter. After you select the instance to be aggregated, the corresponding account will be automatically entered here.
   Select Instances to Aggregate	In the Prometheus instance list, select the Prometheus instances to aggregate. You can search for Prometheus instances by name or keyword. If you set Aggregation Mode to Other accounts' Prometheus instances, you can also click an account in the account tree on the left to filter the Prometheus instances under that account.

4. Click OK.

Connecting Accounts

Only the organization administrator or delegated administrator can create Prometheus instances for multi-account aggregation and connect accounts. For details about how to set a delegated administrator, see Specifying, Viewing, or Removing a Delegated Administrator.

• Only after creating a Prometheus instance for multi-account aggregation and configuring account access can you go to the account access page. The account access function will be unavailable soon. Please use the new method to ingest metrics.
• If a delegated administrator cannot connect accounts, grant the following permissions to the delegated administrator by referring to Assigning Permissions to an IAM User:
  • organizations:trustedServices:list
  • organizations:organizations:get
  • organizations:delegatedAdministrators:list
  • organizations:accounts:list
  • organizations:delegatedServices:list
• AOM only supports connection to member accounts under an organizational unit (OU). When the relationship between the OU and member accounts changes, AOM will not automatically synchronize that information.

To connect accounts, do as follows:

1. Log in to the AOM 2.0 console.
2. On the Prometheus instance list page, click a Prometheus instance for multi-account aggregation.
3. On the Account Access page, manage member accounts, connect cloud services, configure data storage, and add supported metrics.
   • Managing member accounts: AOM supports account management. It allows you to incorporate cloud accounts into your organization for centralized management. There are three types of members in an organization: administrator, delegated administrator, and common user. Common users do not have the permission to monitor multi-account metrics on AOM.
     • To monitor the metrics of a member account, click the Member Account text box and enter an account keyword in the displayed search box. Related member accounts are automatically displayed. Then select your desired ones.
     • To stop monitoring the metrics of a member account, delete the account from the Member Account text box on the Account Access page.
   • Connecting cloud services: Select one or more cloud services from the drop-down list.
   • Data storage: Member accounts retain metric data after they are connected to a Prometheus instance for aggregation. By default, this function is disabled.
   • Adding metrics supported by cloud services: Click Add Metric to add metrics for connected cloud services.
   Figure 1 Account access page