AWS for Cloud Insights
Cloud Insights discovers your AWS infrastructure and correlates inventory, configuration changes, and traffic flows with Network & App Synthetics. Use it to see how your AWS environment affects real user experience.
This guide shows how to set up integrations in the AWS Management Console. For CLI steps, see Set up Cloud Insights with the AWS CLI. To learn more about Cloud Insights features, see Cloud Insights overview.
To use Cloud Insights with AWS, create two integrations for each AWS account:
- Inventory Monitoring — Start here. Discovers AWS assets, topology, and configuration changes. Required for Cloud Insights to show AWS data. 
- Flow Logs Monitoring — Optional. Adds visibility into traffic by ingesting VPC flow logs and Transit Gateway flow logs. Displays throughput and rejected traffic. 
For details, see:
For a hands-on walkthrough, see:
Prerequisites for AWS Integration with Cloud Insights
Before you set up the AWS integration, make sure you have:
- An active ThousandEyes organization 
- A ThousandEyes user with Organization Admin or Account Admin access 
- An active AWS account 
- AWS IAM permissions to create roles and policies. See AWS permissions for Cloud Insights. 
For additional permissions required by Flow Logs Monitoring, see AWS permissions for Cloud Insights.
AWS permissions for Cloud Insights Integration
When you create an Inventory Monitoring integration, ThousandEyes generates a permission policy for you. Review this template to see the read-only actions that Cloud Insights requires. For details, see Creating the Inventory Monitoring Integration.
For general IAM reference, see Actions defined by AWS Identity and Access Management (IAM).
If you also plan to set up Flow Logs Monitoring, make sure your AWS account includes the following permissions:
- VPC — enable and configure VPC flow logs. See VPC permissions. 
- Transit Gateway (TGW) — enable and configure TGW flow logs. See TGW permissions. 
- S3 — create S3 buckets for flow logs and configure event notifications to SNS. See S3 permissions. 
- SNS — create SNS topics, configure access policies, and allow ThousandEyes to subscribe. See SNS permissions. 
Cloud Insights Onboarding Constraints for AWS
ThousandEyes Cloud Insights currently supports onboarding up to 200 AWS accounts, with up to 17 regions per account (the AWS default). If you need to onboard more accounts or regions, contact the support team to open a ticket. For more information on contacting ThousandEyes support, see Contacting Support.
ThousandEyes Permissions for Cloud Insights
To set up integrations, use a ThousandEyes account with the Organization Admin or Account Admin role. For details about roles and permissions, see Role-based access control explained.
Overview of the Cloud Insights Integration Architecture
What Cloud Insights Collects From AWS
Cloud Insights works through two types of integrations, each capturing a different view of your AWS environment. To get the full picture, set up both for every account you monitor.
Inventory Monitoring collects inventory and configuration information from your AWS accounts over time. Cloud Insights uses this data to:
- Show your AWS network assets, including types and locations, in Cloud Insights > Inventory 
- Track configuration changes as events, visible in Inventory and Views 
- Display your cloud network topology in Network & App Synthetics > Views 
- Enrich flow log data with resource information (when Flow Logs Monitoring is also enabled) 
For more information, see Create the AWS Inventory Monitoring Integration.
Flow Logs Monitoring tracks real traffic flows in your AWS network. Cloud Insights uses this data to:
- Display inbound and outbound throughput for each entity in Views 
- Highlight rejected traffic in Cloud Insights > Views 
For more information, see Creating the AWS Flow Logs Monitoring integration.
How Cloud Insights Manages AWS Integrations
In ThousandEyes, each organization is divided into account groups. Cloud Insights integrations belong to the account group where you create them. Integrations are not shared across groups.
Within an account group, you can connect one or more AWS accounts. Each AWS account may span multiple regions. Cloud Insights treats each unique account + region pair as an AWS location (for example: 351945360856, us-west-1). Flow logs are fetched per location.
The diagram below shows an example:
- Account Group 1 monitors two AWS accounts, with one account spanning two regions. 
- Account Group 2 monitors one AWS account in a single region. 
- Account Group 3 monitors one AWS account spanning two regions. 

Each monitored AWS account requires its own integration.
- For Inventory Monitoring, create one integration per AWS account in an account group. Each integration needs a separate IAM role. 
- For Flow Logs Monitoring, create one integration per AWS account that stores flow logs. 
How Cloud Insights AWS Inventory and Flow Logs Monitoring Work Together
Inventory Monitoring gives ThousandEyes access to the AWS accounts you want to observe. These accounts may include VPCs or Transit Gateways that generate flow logs. Flow logs are published to S3 buckets, either in the same account or in a different one. Event notifications from these buckets are sent to SNS topics, and ThousandEyes subscribes to those topics to know when new log files are available.
Flow Logs Monitoring integrations then retrieve the log files from the buckets. Traffic is surfaced only for the accounts you’ve set up through Inventory Monitoring. Other traffic is filtered out or marked as external.
To learn more about how Flow Logs Monitoring works, see AWS Flow Logs Monitoring.
Create the AWS Inventory Monitoring Integration for Cloud Insights
Setting up the AWS Inventory Monitoring integration in ThousandEyes involves three main tasks:
- Create an IAM Role for ThousandEyes in AWS — gives ThousandEyes read-only access to your AWS account. 
- Look Up the Role ARN in AWS — provides the identifier needed to connect the role with ThousandEyes. 
- Create a New Integration in ThousandEyes — links your AWS account to ThousandEyes using the IAM role. 
Create an IAM role for ThousandEyes in AWS
The IAM role gives ThousandEyes read-only access to your AWS account. Setting it up involves two parts:
- A permission policy that defines the read-only actions Cloud Insights may perform (see Create the Permission Policy in AWS). 
- A trust policy that allows ThousandEyes to assume the role (see Create the Trust Policy in AWS). 
ThousandEyes generates both policies for you, so you can copy them directly into AWS.
The steps below use the AWS Management Console. For CLI instructions, see Set up Inventory Monitoring with the AWS CLI.
Create the Permission Policy in AWS
Follow these steps to create the permission policy in the AWS Management Console. For the most up-to-date guidance, see Creating IAM policies (AWS documentation).
- Sign in to the AWS Management Console and open the IAM console. 
- In the navigation pane, choose Policies, then choose Create policy. 
- In Policy editor, select JSON. 
- Paste the permission policy JSON generated by ThousandEyes. 
  - For an example, see AWS Permission Policy for Console. 
- Resolve any validation warnings or errors, then choose Next until you reach the Review and create page. 
- On the Review and create page, enter a Policy name and an optional Description. 
- Review the permissions granted by the policy. 
- Choose Create policy to save your new policy. 
AWS Permission Policy for Console
This example shows the permission policy ThousandEyes generates to allow read-only access to your AWS resources.
To get the latest policy text:
- In ThousandEyes, go to Manage > Integrations. 
- Click + New Integration. 
- In the Add New Integration panel, select Amazon Web Services. 
- Under IAM Role, expand Permission Policy and copy the text. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTECloudInsightsApiGatewayReadAccess",
            "Effect": "Allow",
            "Action": [
                "apigateway:Get"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsCloudFrontReadAccess",
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsDirectConnectReadAccess",
            "Effect": "Allow",
            "Action": [
                "directconnect:describeDirectConnectGateways",
                "directconnect:describeVirtualInterfaces",
                "directconnect:describeDirectConnectGatewayAssociations",
                "directconnect:describeDirectConnectGatewayAttachments",
                "directconnect:DescribeConnections",
                "directconnect:DescribeLags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCloudInsightsEc2ReadAccess",
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "autoscaling:DescribeAutoScalingGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeInstances",
                "ec2:DescribeNatGateways",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeManagedPrefixLists",
                "ec2:GetManagedPrefixListEntries",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpnConnections",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetHealth"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsEcsEksReadAccess",
            "Effect": "Allow",
            "Action": [
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "eks:DescribeNodeGroup",
                "eks:ListNodeGroups",
                "eks:ListClusters",
                "eks:DescribeCluster"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsGlobalAcceleratorReadAccess",
            "Effect": "Allow",
            "Action": [
                "globalaccelerator:ListAccelerators",
                "globalaccelerator:ListListeners",
                "globalaccelerator:ListEndpointGroups",
                "globalaccelerator:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsCloudTrailReadAccess",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsS3ReadAccess",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:ListAllMyBuckets",
                "s3express:ListAllMyDirectoryBuckets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowTECloudInsightsNetworkFirewallReadAccess",
            "Action": [
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "network-firewall:ListFirewallPolicies",
                "network-firewall:DescribeFirewallPolicy",
                "network-firewall:ListRuleGroups",
                "network-firewall:DescribeRuleGroup"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Create the Trust Policy in AWS
The trust policy allows ThousandEyes to assume the IAM role with the permissions you created in Create the Permission Policy in AWS.
Follow these steps in the AWS Management Console. For the most up-to-date guidance, see Creating a role with a custom trust policy (AWS documentation).
- Sign in to the AWS Management Console and open the IAM console. 
- In the navigation pane, choose Roles, then choose Create role. 
- Select Custom trust policy as the role type. 
- In Custom trust policy, paste the trust policy JSON generated by ThousandEyes. 
  - For a reference example, see AWS Trust Policy for Console. 
- Resolve any validation warnings or errors, then choose Next. 
- Enter a unique Role name. 
  - Role names are case-insensitive, must be unique in your account, and cannot be changed after creation. 
- Review the role, then choose Create role. 
AWS Trust Policy for Console
This example shows the trust policy ThousandEyes generates. It allows the ThousandEyes integrations user to assume the role, and only when the request carries the sts:ExternalId value shown in the Condition block.
To get the latest policy text:
- In ThousandEyes, go to Manage > Integrations. 
- Click + New Integration. 
- In the Add New Integration panel, select Amazon Web Services. 
- Under IAM Role, expand Trust Policy and copy the text. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::874690651150:user/thousandeyes-integrations-user"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "75fbb467732cb3fe17ce05a3ef106c1c3ae2de3f"
                }
            }
        }
    ]
}
Look Up the Role ARN in AWS
You’ll need the role’s Amazon Resource Name (ARN) to complete the integration in ThousandEyes.
- In the AWS Management Console, open the IAM service. 
- In the navigation pane, choose Roles. 
- Find the role you created, then select it. 
- In the Summary box at the top, copy the ARN (for example: arn:aws:iam::123456789098:role/ThousandEyesInventoryRole). 
  - Use the copy icon next to the ARN for accuracy. 
Create the integration in ThousandEyes
The AWS Inventory Monitoring integration gives ThousandEyes secure, read-only access to your AWS account.
Before you start, make sure you’ve:
- Created the IAM role in AWS 
- Copied the role ARN (see Look up the role ARN in AWS) 
To create the integration:
- In ThousandEyes, go to Manage > Integrations. 
- Click + New Integration in the top-right corner. 
- In the Add New Integration panel, select Amazon Web Services. 
- Enter a unique name for your integration. 
  - Duplicate names are not allowed. 
- From ThousandEyes Supported Services, select Inventory Monitoring. 
- Paste the IAM role ARN into Account Resource Name (ARN). 
- Click Test to validate the trust policy between AWS and ThousandEyes. 
  - Note: The Test function only validates the trust relationship. It does not check the permission policy. 
- If the test succeeds, click Save. 
  - If it fails, see Troubleshooting AWS Integration for Cloud Insights. 
- After saving, the integration appears in the list with a status of Pending. The status changes to Connected once service discovery is complete. 
See Checking your integrations are working for details on integration states.
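Because the Test button checks only the trust relationship, a practitioner will want to confirm two things before pasting the generated policies: that every action in the permission policy is read-only, and that the trust policy keeps the sts:ExternalId condition that ties the role to one ThousandEyes integration. The following Python, added here and not ThousandEyes or AWS code, performs both checks; the embedded permission policy is a constructed abridgement of the example above, and the account ID and external ID are the values shown on this page, not live ones.

```python
import json

# Action verbs that only read state. Matched case-insensitively because the
# generated policy mixes "Describe..." and "describe..." spellings.
READ_ONLY_VERBS = ("get", "list", "describe", "lookup", "search")

# Abridged copy of the page's permission policy (constructed for this example).
PERMISSION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowTECloudInsightsApiGatewayReadAccess", "Effect": "Allow",
     "Action": ["apigateway:Get"], "Resource": "*"},
    {"Sid": "AllowTECloudInsightsDirectConnectReadAccess", "Effect": "Allow",
     "Action": ["directconnect:describeDirectConnectGateways",
                "directconnect:DescribeConnections"], "Resource": "*"},
    {"Sid": "AllowCloudInsightsEc2ReadAccess", "Effect": "Allow",
     "Action": ["ec2:DescribeVpcs", "ec2:SearchTransitGatewayRoutes",
                "cloudtrail:LookupEvents", "s3:ListAllMyBuckets"],
     "Resource": "*"}
  ]
}
""")

# The page's trust policy; the IDs are the ones shown there, not live values.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::874690651150:user/thousandeyes-integrations-user"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "75fbb467732cb3fe17ce05a3ef106c1c3ae2de3f"}}}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list for Action and Principal."""
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Return every allowed action that is a wildcard or whose verb does not
    start with a read-only prefix, so a reviewer can inspect them before
    attaching the policy. An empty list means the policy is read-only."""
    offenders = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if "*" in action or not verb.lower().startswith(READ_ONLY_VERBS):
                offenders.append(action)
    return offenders


def trust_policy_issues(policy, expected_external_id):
    """Flag AssumeRole grants that name a wildcard or non-IAM principal, or
    that lack the sts:ExternalId condition matching the generated value."""
    issues = []
    for stmt in policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        for p in aws_principals:
            if p == "*" or not p.startswith("arn:aws:iam::"):
                issues.append(f"over-broad principal: {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != expected_external_id:
            issues.append("sts:ExternalId condition missing or does not match")
    return issues


if __name__ == "__main__":
    print("non-read-only actions:", non_read_only_actions(PERMISSION_POLICY))
    print("trust policy issues:", trust_policy_issues(
        TRUST_POLICY, "75fbb467732cb3fe17ce05a3ef106c1c3ae2de3f"))
```

Run it against the full policy text copied from the ThousandEyes UI (load it with json.loads in place of the abridged copy); any action it lists, or any trust issue it reports, is worth a question to support before the role is created.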
Creating the AWS Flow Logs Monitoring Integration for Cloud Insights
AWS Flow Logs Monitoring Overview
Flow Logs Monitoring works alongside Inventory Monitoring to add traffic visibility. Once your AWS accounts are connected through Inventory Monitoring, Flow Logs Monitoring ingests VPC and Transit Gateway flow logs by following two steps:
- Receive notifications — Your flow logs are stored in an S3 bucket. Event notifications from that bucket are published to an SNS topic in the same region. ThousandEyes subscribes to the topic to learn when new log files are available. 
- Retrieve log files — Using an IAM role that you create, ThousandEyes downloads the log files from your S3 bucket for processing. 
To complete this process, each Flow Logs Monitoring integration needs:
- An SNS topic for each region you want to monitor (in the same account as the bucket) 
- An IAM role with read-only access to the S3 buckets containing your flow logs 

To create the AWS Flow Logs Monitoring integration:
Create an S3 Bucket in AWS
You’ll need at least one S3 bucket in each region where you want to collect flow logs.
There are two common ways to organize buckets for ThousandEyes flow logs integration:
- Buckets in each monitored account — Each monitored AWS account publishes flow logs to an S3 bucket in the same account and region. 
  - Minimizes cross-region data transfer fees 
  - Requires one Flow Logs Monitoring integration per account 
- Centralized buckets — All monitored AWS accounts publish flow logs to S3 buckets in a single, central account that hosts a bucket in each region. 
  - Reduces the number of Flow Logs Monitoring integrations: ThousandEyes only needs one for the central account 
  - Requires a central account with permissions to receive logs from other accounts 
Follow these steps to create a bucket in the AWS Management Console. For the most up-to-date instructions, see Creating a bucket (AWS documentation).
- Sign in to the AWS Management Console and open the Amazon S3 console. 
- Choose Create bucket. 
- On the Create bucket page, either: 
  - Accept the default settings, or 
  - Customize the settings as described in the AWS bucket creation guide. 
- Choose Create bucket to finish. 
Configure VPCs to Publish Flow Logs in AWS
Use the VPC console to send VPC flow logs to your S3 bucket.
- Open the Amazon VPC console. 
- For each VPC you want to monitor in this region, configure the following Flow log settings: 
  - Filter → All (to include both accepted and rejected traffic) 
  - Maximum aggregation interval → 1 minute or 10 minutes, depending on how detailed you want your data. 1 minute produces more detailed data but creates more records. 
  - Destination → Send to an Amazon S3 bucket 
  - S3 bucket ARN → the ARN of the bucket you created earlier 
  - Log file format → Text 
  - Log record format → Custom. Include these mandatory fields: <account-id> <action> <bytes> <dstaddr> <dstport> <end> <flow-direction> <interface-id> <log-status> <packets> <protocol> <srcaddr> <srcport> <start> <tcp-flags> <traffic-path> <version>. You can include any other standard attributes as needed. 
For instructions on publishing flow logs from Transit Gateways, see Configure Transit Gateways to publish flow logs in AWS.
For more background on flow logs, see AWS VPC Flow Logs documentation.
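The mandatory custom fields above are what make the throughput and rejected-traffic views possible. The following Python, added here and not ThousandEyes code, parses a constructed flow log file in that custom format and summarises it per interface the way those views do; it assumes the layout AWS writes to S3 for text-format logs (a header line naming the fields, then space-separated records with "-" for fields that do not apply), and every account ID, ENI ID and address in the sample is made up.

```python
from collections import defaultdict

# Constructed sample in the S3 text layout: a header line naming the fields,
# then space-separated records with "-" where a field does not apply.
SAMPLE_LOG = """\
account-id action bytes dstaddr dstport end flow-direction interface-id log-status packets protocol srcaddr srcport start tcp-flags traffic-path version
123456789012 ACCEPT 52000 10.0.1.25 443 1700000060 ingress eni-0a1b2c3d4e5f60718 OK 40 6 198.51.100.7 51234 1700000000 19 - 5
123456789012 REJECT 1200 10.0.1.25 22 1700000060 ingress eni-0a1b2c3d4e5f60718 OK 20 6 203.0.113.9 40022 1700000000 2 - 5
123456789012 ACCEPT 9000 198.51.100.7 51234 1700000060 egress eni-0a1b2c3d4e5f60718 OK 30 6 10.0.1.25 443 1700000000 18 2 5
- - - - - 1700000060 - eni-0f9e8d7c6b5a43210 NODATA - - - - 1700000000 - - 5
"""

# The fields the page marks as mandatory for the custom record format.
MANDATORY_FIELDS = {
    "account-id", "action", "bytes", "dstaddr", "dstport", "end",
    "flow-direction", "interface-id", "log-status", "packets", "protocol",
    "srcaddr", "srcport", "start", "tcp-flags", "traffic-path", "version",
}
INT_FIELDS = {"bytes", "dstport", "end", "packets", "protocol", "srcport",
              "start", "tcp-flags", "traffic-path", "version"}


def parse_flow_log(text):
    """Return one dict per record; numeric fields become ints and '-' becomes
    None. Raise ValueError if the header lacks a mandatory field or a record
    has the wrong number of fields (a sign the format was changed mid-stream)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    missing = MANDATORY_FIELDS - set(header)
    if missing:
        raise ValueError(f"header lacks mandatory fields: {sorted(missing)}")
    records = []
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(header):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = {}
        for name, raw in zip(header, values):
            if raw == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(raw)
            else:
                rec[name] = raw
        records.append(rec)
    return records


def summarize(records):
    """Per interface: ingress and egress bits per second over each record's
    aggregation window, rejected flow count and bytes, and how many windows
    reported SKIPDATA (records lost by the capture). NODATA windows carry
    no traffic and are skipped."""
    summary = defaultdict(lambda: {"ingress_bps": 0.0, "egress_bps": 0.0,
                                   "rejected_flows": 0, "rejected_bytes": 0,
                                   "skipped_windows": 0})
    for rec in records:
        entry = summary[rec["interface-id"]]
        if rec["log-status"] != "OK":
            if rec["log-status"] == "SKIPDATA":
                entry["skipped_windows"] += 1
            continue
        window = max(rec["end"] - rec["start"], 1)  # seconds
        bps = rec["bytes"] * 8 / window
        direction = "ingress_bps" if rec["flow-direction"] == "ingress" else "egress_bps"
        entry[direction] += bps
        if rec["action"] == "REJECT":
            entry["rejected_flows"] += 1
            entry["rejected_bytes"] += rec["bytes"]
    return dict(summary)


if __name__ == "__main__":
    for eni, stats in summarize(parse_flow_log(SAMPLE_LOG)).items():
        print(eni, stats)
```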
Configure Transit Gateways to Publish Flow Logs in AWS
You can also publish Transit Gateway (TGW) flow logs to the same S3 bucket you use for VPC flow logs.
- In the VPC console, open Transit Gateways. 
- Under Flow log settings, configure the following: 
  - Log file format → Text 
  - Destination → Send to an Amazon S3 bucket 
  - S3 bucket ARN → the ARN of the S3 bucket you created earlier 
  - Log record format → include at least all fields from the Default format 
For more information, see AWS Transit Gateway Flow Logs documentation.
Create an SNS topic in AWS
You’ll need an SNS topic in each region where you’re collecting flow logs. ThousandEyes uses these topics to receive notifications when new flow log files are available.
- In the SNS console, create a new topic. 
  - Choose Standard for Type. 
  - For step-by-step instructions, see Creating an Amazon SNS topic (AWS documentation). 
- In the S3 console, configure event notifications for each flow log bucket in the region to send to this SNS topic. 
  - Follow the steps in Enabling Amazon SNS notifications using the Amazon S3 console. 
  - Under Event types, choose All object create events (s3:ObjectCreated:*). 
  - Under Destination, select SNS topic, then enter or select the topic ARN you just created. 
- Update the SNS topic access policy to allow the S3 bucket to publish notifications to the topic. For more details, see Grant Destinations Permissions to S3. 
  - You’ll also update this policy later in Update the SNS Topic Access Policy. 
Create the ThousandEyes IAM role for S3 bucket access in AWS
This IAM role gives ThousandEyes read access to your S3 buckets that store flow logs.
Use the Trust and Permissions policies generated in the ThousandEyes UI to configure the role.
- In AWS, create a new IAM role. 
  - For AWS instructions, see Creating IAM roles (AWS documentation). 
- In the Permissions policy, replace the placeholder <LIST-OF-FLOW-LOG-S3-ARNS> with the ARNs of your flow log buckets. 
  - Include both of the following ARNs for each bucket: arn:aws:s3:::<BUCKET-NAME> and arn:aws:s3:::<BUCKET-NAME>/* 
- In the Trust policy, paste the version generated by ThousandEyes. This allows ThousandEyes to assume the role securely. 
Update the SNS Topic Access Policy
After creating the IAM role, update each SNS topic’s access policy to allow ThousandEyes to subscribe and receive flow log notifications. For the Access Policy generated by ThousandEyes, see the section AWS SNS Access Policy for Console.
To update the access policy of each topic in AWS:
- In the SNS console, locate the topics you created in Create an SNS topic in AWS. 
- Choose a topic, then select Edit > Access policy > Advanced. 
- Paste the Access Policy generated by ThousandEyes into the JSON editor. For more information, see the section AWS SNS Access Policy for Console. 
- In the policy JSON, replace the following placeholders: 
  - <TOPIC-ARN>: the ARN of your SNS topic 
  - <FLOW-LOG-BUCKET-ACCOUNT-ID>: the AWS account ID for your flow log bucket 
  - <FLOW-LOG-BUCKET-S3-ARN>: the ARN of your flow log bucket 
This policy allows S3 event notifications to be sent to your SNS topic and grants ThousandEyes permission to subscribe to it.
AWS SNS Access Policy for Console
This example shows the access policy ThousandEyes generates for your SNS topics. It lets the ThousandEyes integrations user subscribe to the topic and lets S3 publish event notifications to it; the aws:SourceAccount and aws:SourceArn conditions restrict publishing to your own flow log bucket.
To get the latest policy text:
- In ThousandEyes, go to Manage > Integrations. 
- Click + New Integration. 
- In the Add New Integration panel, select Amazon Web Services. 
- Under SNS Topics, expand Access Policy and copy the text. 
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowTECloudInsightsSubscribe",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::874690651150:user/thousandeyes-integrations-user"
            },
            "Action": "SNS:Subscribe",
            "Resource": "<TOPIC-ARN>"
        },
        {
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "<TOPIC-ARN>",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<FLOW-LOG-BUCKET-ACCOUNT-ID>"
                },
                "ArnLike": {
                    "aws:SourceArn": "<FLOW-LOG-BUCKET-S3-ARN>"
                }
            }
        }
    ]
}
Create the Flow Logs Monitoring Integration in ThousandEyes
Before you start, make sure you’ve:
- Created the IAM role in AWS 
- Copied the role ARN (see Look up the Role ARN in AWS) 
To create the integration:
- In ThousandEyes, go to Manage > Integrations. 
- Click + New Integration in the top-right corner. 
- In the Add New Integration panel, select Amazon Web Services. 
- Enter a unique name for your integration. 
  - Duplicate names are not allowed. 
- From ThousandEyes Supported Services, select Flow Logs Monitoring. 
- Paste the IAM role ARN into Account Resource Name (ARN). 
- Under SNS Topics, add the SNS topic ARNs. 
  - Click + Add SNS Topic ARN to add more. Use the minus icon to remove one. 
- Click Test to validate the trust policy between AWS and ThousandEyes. 
  - Note: The Test function only validates the trust relationship. It does not check the permission policy or SNS subscriptions. 
- If the test succeeds, click Save. 
  - If it fails, see Troubleshooting AWS Integration for Cloud Insights. 
- After saving, the integration appears with a status of Pending. Once ThousandEyes validates subscriptions and begins processing logs, the status changes to Connected (or Partially Connected if some topics or files fail). 
Verify Your AWS Cloud Insights Integrations
After you save an integration, ThousandEyes begins monitoring the AWS resources defined in its policy.
- To check the status, go to Manage > Integrations. 
- To review detailed logs, go to Cloud Insights > Settings > Integration Logs. 
When you first save, the integration status shows as Pending. This state usually updates within 5–10 minutes (inventory and flow logs are polled every five minutes). Refresh the page to see the latest status.
- Connected — Monitoring is working. 
- Failed — An issue prevents monitoring. Click the integration to view error details. In most cases, adjust permissions and click Save to retry. 
- Pending — Temporary state until ThousandEyes validates the connection. 
Flow log errors appear once flow log files are received. Any issues are shown on the integration screen and in Integration Logs.
For more information about status meanings and next steps, see the separate troubleshooting guide: Troubleshooting AWS for Cloud Insights.
Additional resources
- View and manage Cloud Insights data - Cloud Insights 
- Manage integrations - Integrations 
- Review integration logs in Cloud Insights settings - Cloud Insights Settings: Integration Logs 