Integrations with other systems - Amazon CloudWatch

Integrations with other systems

Note

The Amazon Q Developer operational investigations feature is in preview release and is subject to change. It is currently available only in the US East (N. Virginia) Region.

Integration with AWS Systems Manager Automation

Amazon Q Developer operational investigations is integrated with Automation, a capability of AWS Systems Manager. You don't need to configure integration, but you might need to update AWS Identity and Access Management (IAM) permissions so you can use Automation runbooks.

What is AWS Systems Manager?

Systems Manager helps you centrally view, manage, and operate managed nodes at scale in AWS, on-premises, and multicloud environments. In Systems Manager, a managed node is any machine configured for use with Systems Manager. For information, see the AWS Systems Manager User Guide.

What is Systems Manager Automation?

Automation performs common maintenance, deployment, troubleshooting, and remediation tasks through the use of runbooks. Each runbook defines a number of steps for performing tasks. Each step is associated with a particular action. The action determines the inputs, behavior, and outputs of the step. For descriptions of the nearly two dozen actions that are supported for runbooks, see the Systems Manager Automation actions reference in the AWS Systems Manager User Guide.

Automation provides over 400 AWS managed runbooks. For details about each runbook, including a step-by-step description of the actions performed when executed, see the Systems Manager Automation runbook reference. Customers can also design their own runbooks to address specific scenarios in their environments. For information, see Creating your own runbooks in the AWS Systems Manager User Guide.

For information about working with runbooks in an investigation, see Reviewing and executing suggested runbook remediations for Amazon Q Developer operational investigations.

Integration with third-party chat systems

By integrating Amazon Q Developer operational investigations with AWS Chatbot, you can have updates from investigations sent to third-party chat services, including Slack and Microsoft Teams. The integration is facilitated by Amazon Simple Notification Service.

To integrate with AWS Chatbot, you must complete three steps. We recommend completing the steps in the following order.

  • Create an Amazon SNS topic and add an access policy to it

  • Configure in the AWS Chatbot console

  • Configure in the CloudWatch console

Create and configure the Amazon SNS topic

Create an Amazon SNS topic in US East (N. Virginia) to use for the integration. For more information, see Creating an Amazon Simple Notification Service topic.

To enable Amazon Q Developer operational investigations to send notifications, you must add the following access policy to the Amazon SNS topic:

{
  "Sid": "AIOPS-CHATBOT-PUBLISH",
  "Effect": "Allow",
  "Principal": {
    "Service": "aiops.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "SNS-TOPIC-ARN",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "account-Id"
    }
  }
}
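The statement above goes into the topic's existing access policy and should stay as narrow as written: one action, one topic, and the `aws:SourceAccount` condition that keeps the service principal from publishing on behalf of another account. The following is an added example, not code from AWS: it merges the statement into a policy document and audits the result offline. The function names, topic ARN, account ID and the `OwnerOnly` statement are constructed for illustration.

```python
import copy

SID = "AIOPS-CHATBOT-PUBLISH"      # Sid used in the page's statement
SERVICE = "aiops.amazonaws.com"    # service principal from the page

def as_list(value):
    return value if isinstance(value, list) else [value]

def merge_statement(policy, topic_arn, account_id):
    """Return a copy of the topic policy with the page's statement added,
    replacing any earlier statement that carries the same Sid."""
    merged = copy.deepcopy(policy)
    kept = [s for s in as_list(merged.get("Statement", [])) if s.get("Sid") != SID]
    kept.append({
        "Sid": SID, "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    })
    merged["Statement"] = kept
    return merged

def audit(policy, topic_arn, account_id):
    """List deviations from the page's statement in any Allow that names SERVICE.
    Condition keys are matched with the exact spelling used on the page."""
    findings, seen = [], False
    for s in as_list(policy.get("Statement", [])):
        principal = s.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if s.get("Effect") != "Allow" or SERVICE not in services:
            continue
        seen = True
        sid = s.get("Sid", "<no Sid>")
        if as_list(s.get("Action")) != ["sns:Publish"]:
            findings.append(f"{sid}: Action is not exactly sns:Publish")
        if as_list(s.get("Resource")) != [topic_arn]:
            findings.append(f"{sid}: Resource is not this topic's ARN")
        pinned = s.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if as_list(pinned) != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
    return findings if seen else [f"no Allow statement for {SERVICE}"]

# Constructed sample values, not taken from a real account.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:investigation-updates"
ACCOUNT_ID = "111122223333"
EXISTING = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["sns:Publish", "sns:Subscribe"], "Resource": TOPIC_ARN}]}

if __name__ == "__main__":
    print(audit(merge_statement(EXISTING, TOPIC_ARN, ACCOUNT_ID), TOPIC_ARN, ACCOUNT_ID))
```

The merged document is what you would store as the topic's `Policy` attribute; running `audit` against the policy read back from the topic catches a later edit that drops the condition or widens the action.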

Configure AWS Chatbot

To configure Chatbot for communication with a third-party chat service, follow the instructions in one of the following links:

Then, to support using AI assistant actions within chat channels, you must provide the Chatbot role with appropriate permissions. When you create a new IAM channel role for the channel, select the Notifications and Amazon Q operations assistant permissions policy templates.

Attach the AIOpsOperatorAccess managed IAM policy to the guardrail policies in AWS Chatbot. This grants permissions to AWS Chatbot to interact with Amazon Q Developer operational investigations and perform required actions on your behalf.

In the channel configuration, you must also subscribe to the Amazon SNS topic that you created in the previous step.

Amazon SNS

You must use the CloudWatch console to configure Amazon Q Developer operational investigations to integrate with Amazon SNS. You can do this while you create the investigation group in your account, or later.

For information about completing the step while you create the investigation group, see Step 9b at Set up operational investigations.

If you have already created an investigation group and want to add chat integration, follow these steps.

To add chat integration to an existing investigation group
  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. Choose AI operations, Configuration.

  3. Choose the Third-party integrations tab.

  4. In the Chat integration section, do the following:

    • If you have already integrated AWS Chatbot with a third-party chat system, you can choose Select SNS topic to choose the Amazon SNS topic to use to send updates about investigations. This Amazon SNS topic will relay those updates to the chat client.

    • If you want to integrate AWS Chatbot with a third-party chat system, choose Configure new chat client. For more information about setting up this configuration, see Getting started with AWS Chatbot.

AWS IAM Identity Center

Before you create an Amazon Q Developer operational investigations application in IAM Identity Center, make sure you complete the following prerequisites:

  • Enable an organization-level IAM Identity Center instance in your management account and connect the identity source in IAM Identity Center. Amazon Q Developer operational investigations doesn't support account-level IAM Identity Center instances.

    Note

    To minimize latency, we recommend that you use an IAM Identity Center instance created in the same Region as your Amazon Q Developer operational investigations application. However, you can also use an IAM Identity Center instance created in an AWS Region not yet supported by Amazon Q Developer operational investigations. For more information, see AWS IAM Identity Center.

  • Enable the identity-aware session on your IAM Identity Center instance.

AWS IAM Identity Center

Amazon Q Developer operational investigations can integrate with IAM Identity Center in any commercial Region where IAM Identity Center is available, including opt-in Regions. This integration works even if the Region isn't directly supported by Amazon Q Developer operational investigations. You have the flexibility to use an IAM Identity Center instance configured in a Region different from where Amazon Q Developer operational investigations is available.

When your IAM Identity Center instance is in a different Region than Amazon Q Developer operational investigations, you enable Amazon Q to make inter-Region calls to access information from your IAM Identity Center instance, such as user and application attributes. This capability allows Amazon Q Developer operational investigations to support IAM Identity Center-enabled applications regardless of regional differences. In this setup, your Amazon Q Developer operational investigations application will have access to user and application information from an IAM Identity Center instance deployed in another Region.

If your IAM Identity Center instance is in a different Region than your Amazon Q Developer operational investigations application, you might experience higher latency when using Amazon Q Developer operational investigations. This is caused by the increased overhead of making inter-Region calls. The increase in latency will be proportional to the distance between the two Regions.