

# Monitoring OS metrics with Enhanced Monitoring
<a name="USER_Monitoring.OS"></a>

With Enhanced Monitoring, you can monitor the operating system of your DB instance in real time. When you want to see how different processes or threads use the CPU, Enhanced Monitoring metrics are useful.

**Topics**
+ [Overview of Enhanced Monitoring](#USER_Monitoring.OS.overview)
+ [Setting up and enabling Enhanced Monitoring](USER_Monitoring.OS.Enabling.md)
+ [Viewing OS metrics in the RDS console](USER_Monitoring.OS.Viewing.md)
+ [Viewing OS metrics using CloudWatch Logs](USER_Monitoring.OS.CloudWatchLogs.md)

## Overview of Enhanced Monitoring
<a name="USER_Monitoring.OS.overview"></a>

Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view all the system metrics and process information for your RDS DB instances on the console. You can manage which metrics you want to monitor for each instance and customize the dashboard according to your requirements. For descriptions of the Enhanced Monitoring metrics, see [OS metrics in Enhanced Monitoring](USER_Monitoring-Available-OS-Metrics.md).

RDS delivers the metrics from Enhanced Monitoring into your Amazon CloudWatch Logs account. You can create metrics filters in CloudWatch from CloudWatch Logs and display the graphs on the CloudWatch dashboard. You can consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice. For more information, see [Enhanced Monitoring](https://aws.amazon.com/rds/faqs/#Enhanced_Monitoring) in the Amazon RDS FAQs.

**Topics**
+ [Enhanced Monitoring availability](#USER_Monitoring.OS.Availability)
+ [Differences between CloudWatch and Enhanced Monitoring metrics](#USER_Monitoring.OS.CloudWatchComparison)
+ [Retention of Enhanced Monitoring metrics](#USER_Monitoring.OS.retention)
+ [Cost of Enhanced Monitoring](#USER_Monitoring.OS.cost)

### Enhanced Monitoring availability
<a name="USER_Monitoring.OS.Availability"></a>

Enhanced Monitoring is available for the following database engines:
+ Db2
+ MariaDB
+ Microsoft SQL Server
+ MySQL
+ Oracle
+ PostgreSQL

### Differences between CloudWatch and Enhanced Monitoring metrics
<a name="USER_Monitoring.OS.CloudWatchComparison"></a>

A *hypervisor* creates and runs virtual machines (VMs). Using a hypervisor, an instance can support multiple guest VMs by virtually sharing memory and CPU. CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance. In contrast, Enhanced Monitoring gathers its metrics from an agent on the DB instance.

You might find differences between the CloudWatch and Enhanced Monitoring measurements, because the hypervisor layer performs a small amount of work. The differences can be greater if your DB instances use smaller instance classes. In this scenario, more virtual machines (VMs) are probably managed by the hypervisor layer on a single physical instance.

For descriptions of the Enhanced Monitoring metrics, see [OS metrics in Enhanced Monitoring](USER_Monitoring-Available-OS-Metrics.md). For more information about CloudWatch metrics, see the *[Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html)*.

### Retention of Enhanced Monitoring metrics
<a name="USER_Monitoring.OS.retention"></a>

By default, Enhanced Monitoring metrics are stored for 30 days in the CloudWatch Logs. This retention period is different from typical CloudWatch metrics.

To modify the amount of time the metrics are stored in the CloudWatch Logs, change the retention for the `RDSOSMetrics` log group in the CloudWatch console. For more information, see [Change log data retention in CloudWatch logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention) in the *Amazon CloudWatch Logs User Guide*.

### Cost of Enhanced Monitoring
<a name="USER_Monitoring.OS.cost"></a>

Enhanced Monitoring metrics are stored in the CloudWatch Logs instead of in CloudWatch metrics. The cost of Enhanced Monitoring depends on the following factors:
+ You are charged for Enhanced Monitoring only if you exceed the amount of data transfer and storage provided by Amazon CloudWatch Logs. Charges are based on CloudWatch Logs data transfer and storage rates.
+ The amount of information transferred for an RDS instance is directly proportional to the defined granularity for the Enhanced Monitoring feature. A smaller monitoring interval results in more frequent reporting of OS metrics and increases your monitoring cost. To manage costs, set different granularities for different instances in your accounts.
+ Usage costs for Enhanced Monitoring are applied for each DB instance that Enhanced Monitoring is enabled for. Monitoring a large number of DB instances is more expensive than monitoring only a few.
+ DB instances that support a more compute-intensive workload have more OS process activity to report and higher costs for Enhanced Monitoring.

For more information about pricing, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

# Setting up and enabling Enhanced Monitoring
<a name="USER_Monitoring.OS.Enabling"></a>

To use Enhanced Monitoring, you must create an IAM role, and then enable Enhanced Monitoring.

**Topics**
+ [Creating an IAM role for Enhanced Monitoring](#USER_Monitoring.OS.Enabling.Prerequisites)
+ [Turning Enhanced Monitoring on and off](#USER_Monitoring.OS.Enabling.Procedure)
+ [Protecting against the confused deputy problem](#USER_Monitoring.OS.confused-deputy)

## Creating an IAM role for Enhanced Monitoring
<a name="USER_Monitoring.OS.Enabling.Prerequisites"></a>

Enhanced Monitoring requires permission to act on your behalf to send OS metric information to CloudWatch Logs. You grant Enhanced Monitoring permissions using an AWS Identity and Access Management (IAM) role. You can either create this role when you enable Enhanced Monitoring or create it beforehand.

**Topics**
+ [Creating the IAM role when you enable Enhanced Monitoring](#USER_Monitoring.OS.Enabling.Prerequisites.creating-role-automatically)
+ [Creating the IAM role before you enable Enhanced Monitoring](#USER_Monitoring.OS.Enabling.Prerequisites.creating-role-manually)

### Creating the IAM role when you enable Enhanced Monitoring
<a name="USER_Monitoring.OS.Enabling.Prerequisites.creating-role-automatically"></a>

When you enable Enhanced Monitoring in the RDS console, Amazon RDS can create the required IAM role for you. The role is named `rds-monitoring-role`. RDS uses this role for the specified DB instance, read replica, or Multi-AZ DB cluster.

**To create the IAM role when enabling Enhanced Monitoring**

1. Follow the steps in [Turning Enhanced Monitoring on and off](#USER_Monitoring.OS.Enabling.Procedure).

1. Set **Monitoring Role** to **Default** in the step where you choose a role.

### Creating the IAM role before you enable Enhanced Monitoring
<a name="USER_Monitoring.OS.Enabling.Prerequisites.creating-role-manually"></a>

You can create the required role before you enable Enhanced Monitoring. When you enable Enhanced Monitoring, specify your new role's name. You must create this required role if you enable Enhanced Monitoring using the AWS CLI or the RDS API.

The user that enables Enhanced Monitoring must be granted the `PassRole` permission. For more information, see Example 2 in [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*.<a name="USER_Monitoring.OS.IAMRole"></a>

**To create an IAM role for Amazon RDS enhanced monitoring**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home) at [https://console.aws.amazon.com](https://console.aws.amazon.com/).

1. In the navigation pane, choose **Roles**.

1. Choose **Create role**.

1. Choose the **AWS service** tab, and then choose **RDS** from the list of services.

1. Choose **RDS - Enhanced Monitoring**, and then choose **Next**.

1. Ensure that the **Permissions policies** shows **AmazonRDSEnhancedMonitoringRole**, and then choose **Next**.

1. For **Role name**, enter a name for your role. For example, enter **emaccess**.

   The trusted entity for your role is the AWS service **monitoring.rds.amazonaws.com**.

1. Choose **Create role**.

## Turning Enhanced Monitoring on and off
<a name="USER_Monitoring.OS.Enabling.Procedure"></a>

You can manage Enhanced Monitoring using the AWS Management Console, AWS CLI, or RDS API. You can set different granularities for metric collection on each DB instance. 

### Console
<a name="USER_Monitoring.OS.Enabling.Procedure.Console"></a>

You can turn on Enhanced Monitoring when you create a DB instance, Multi-AZ DB cluster, or read replica, or when you modify a DB instance or Multi-AZ DB cluster. If you modify a DB instance to turn on Enhanced Monitoring, you don't need to reboot your DB instance for the change to take effect. 

You can turn on Enhanced Monitoring in the RDS console when you do one of the following actions in the **Databases** page: 
+ **Create a DB instance or Multi-AZ DB cluster** – Choose **Create database**.
+ **Create a read replica** – Choose **Actions**, then **Create read replica**.
+ **Modify a DB instance or Multi-AZ DB cluster** – Choose **Modify**.

**To turn Enhanced Monitoring on or off in the RDS console**

1. Scroll to **Additional configuration**.

1. In **Monitoring**, choose **Enable Enhanced Monitoring** for your DB instance or read replica. Deselect the option to disable Enhanced Monitoring. 

1. Set the **Monitoring Role** property to the IAM role that you created to permit Amazon RDS to communicate with Amazon CloudWatch Logs for you, or choose **Default** to have RDS create a role for you named `rds-monitoring-role`.

1. Set the **Granularity** property to the interval, in seconds, between points when metrics are collected for your DB instance or read replica. The **Granularity** property can be set to one of the following values: `1`, `5`, `10`, `15`, `30`, or `60`.

   The fastest that the RDS console refreshes is every 5 seconds. If you set the granularity to 1 second in the RDS console, you still see updated metrics only every 5 seconds. You can retrieve 1-second metric updates by using CloudWatch Logs.

### AWS CLI
<a name="USER_Monitoring.OS.Enabling.Procedure.CLI"></a>

To turn on Enhanced Monitoring using the AWS CLI, in the following commands, set the `--monitoring-interval` option to a value other than `0` and set the `--monitoring-role-arn` option to the role you created in [Creating an IAM role for Enhanced Monitoring](#USER_Monitoring.OS.Enabling.Prerequisites).
+ [create-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)
+ [create-db-instance-read-replica](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance-read-replica.html)
+ [modify-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-instance.html)
+ [create-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-cluster.html) (Multi-AZ DB cluster)
+ [modify-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-cluster.html) (Multi-AZ DB cluster)

The `--monitoring-interval` option specifies the interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values for the option are `0`, `1`, `5`, `10`, `15`, `30`, and `60`.

To turn off Enhanced Monitoring using the AWS CLI, set the `--monitoring-interval` option to `0` in these commands.

**Example**  
The following example turns on Enhanced Monitoring for a DB instance:  
For Linux, macOS, or Unix:  

```
aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --monitoring-interval 30 \
    --monitoring-role-arn arn:aws:iam::123456789012:role/emaccess
```
For Windows:  

```
aws rds modify-db-instance ^
    --db-instance-identifier mydbinstance ^
    --monitoring-interval 30 ^
    --monitoring-role-arn arn:aws:iam::123456789012:role/emaccess
```

**Example**  
The following example turns on Enhanced Monitoring for a Multi-AZ DB cluster:  
For Linux, macOS, or Unix:  

```
aws rds modify-db-cluster \
    --db-cluster-identifier mydbcluster \
    --monitoring-interval 30 \
    --monitoring-role-arn arn:aws:iam::123456789012:role/emaccess
```
For Windows:  

```
aws rds modify-db-cluster ^
    --db-cluster-identifier mydbcluster ^
    --monitoring-interval 30 ^
    --monitoring-role-arn arn:aws:iam::123456789012:role/emaccess
```

### RDS API
<a name="USER_Monitoring.OS.Enabling.Procedure.API"></a>

To turn on Enhanced Monitoring using the RDS API, set the `MonitoringInterval` parameter to a value other than `0` and set the `MonitoringRoleArn` parameter to the role you created in [Creating an IAM role for Enhanced Monitoring](#USER_Monitoring.OS.Enabling.Prerequisites). Set these parameters in the following actions:
+ [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html)
+ [CreateDBInstanceReadReplica](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstanceReadReplica.html)
+ [ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)
+ [CreateDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html) (Multi-AZ DB cluster)
+ [ModifyDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html) (Multi-AZ DB cluster)

The `MonitoringInterval` parameter specifies the interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are `0`, `1`, `5`, `10`, `15`, `30`, and `60`.

To turn off Enhanced Monitoring using the RDS API, set `MonitoringInterval` to `0`.

## Protecting against the confused deputy problem
<a name="USER_Monitoring.OS.confused-deputy"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. For more information, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).

To limit the permissions to the resource that Amazon RDS can give another service, we recommend using the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in a trust policy for your Enhanced Monitoring role. If you use both global condition context keys, they must use the same account ID.

The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. For Amazon RDS, set `aws:SourceArn` to `arn:aws:rds:Region:my-account-id:db:dbname`.

The following example uses the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in a trust policy to prevent the confused deputy problem.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "monitoring.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": "arn:aws:rds:Region:123456789012:db:dbname"
        },
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
```
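A check for the guidance in this section, written as an added example (it is not AWS code): it audits a role's trust policy for the `monitoring.rds.amazonaws.com` principal and reports missing, mismatched, or wildcarded `aws:SourceArn` and `aws:SourceAccount` conditions. The function names, the sample policies, and the `us-east-1` Region are constructed for illustration, and the check assumes DB instance ARNs in the `db:` form shown above.

```python
import json
import re

SERVICE = "monitoring.rds.amazonaws.com"
# Operators that positively restrict the caller; negated forms are ignored here.
POSITIVE_OPS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}
# Assumption: only DB instance ARNs (arn:...:rds:Region:account:db:name) are expected.
DB_ARN = re.compile(r"^arn:[^:]+:rds:([^:]+):([^:]+):db:(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _values(condition, key):
    """Values bound to a condition key (key names are case-insensitive in IAM)."""
    out = []
    for op, block in condition.items():
        if op in POSITIVE_OPS:
            for k, v in block.items():
                if k.lower() == key.lower():
                    out.extend(_as_list(v))
    return out


def audit_trust_policy(policy_json, account_id):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for n, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue  # not a statement that trusts Enhanced Monitoring
        cond = stmt.get("Condition", {})
        arns = _values(cond, "aws:SourceArn")
        accounts = _values(cond, "aws:SourceAccount")
        if not arns and not accounts:
            findings.append(f"statement {n}: no aws:SourceArn or aws:SourceAccount condition")
        for acct in accounts:
            if acct != account_id:
                findings.append(f"statement {n}: aws:SourceAccount {acct!r} is not {account_id}")
        for arn in arns:
            m = DB_ARN.match(arn)
            if not m:
                findings.append(f"statement {n}: aws:SourceArn {arn!r} is not an RDS DB instance ARN")
                continue
            region, arn_acct, name = m.groups()
            if arn_acct != account_id:
                findings.append(f"statement {n}: aws:SourceArn account {arn_acct!r} is not {account_id}")
            if any(c in region + name for c in "*?"):
                findings.append(f"statement {n}: aws:SourceArn {arn!r} uses wildcards, not a full ARN")
    return findings


def sample_policy(condition):
    """Build a constructed trust policy document for the demonstrations below."""
    stmt = {"Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed samples: a scoped policy, one with no condition, one with mismatched accounts.
GOOD = sample_policy({
    "StringLike": {"aws:SourceArn": "arn:aws:rds:us-east-1:123456789012:db:mydbinstance"},
    "StringEquals": {"aws:SourceAccount": "123456789012"}})
UNSCOPED = sample_policy(None)
MISMATCHED = sample_policy({
    "StringLike": {"aws:SourceArn": "arn:aws:rds:us-east-1:123456789012:db:mydbinstance"},
    "StringEquals": {"aws:SourceAccount": "111122223333"}})

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("UNSCOPED", UNSCOPED), ("MISMATCHED", MISMATCHED)):
        print(label, audit_trust_policy(doc, "123456789012") or "ok")
```
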


# Viewing OS metrics in the RDS console
<a name="USER_Monitoring.OS.Viewing"></a>

You can view OS metrics reported by Enhanced Monitoring in the RDS console by choosing **Enhanced monitoring** for **Monitoring**.

The following example shows the Enhanced Monitoring page. For descriptions of the Enhanced Monitoring metrics, see [OS metrics in Enhanced Monitoring](USER_Monitoring-Available-OS-Metrics.md).

![\[Dashboard view\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/metrics1.png)


Some DB instances use more than one disk for the DB instance's data storage volume. On those DB instances, the **Physical Devices** graphs show metrics for each one of the disks. For example, the following graph shows metrics for four disks.

![\[Graph with multiple disks\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/enhanced-monitoring-multiple-disks.png)


**Note**  
Currently, **Physical Devices** graphs are not available for Microsoft SQL Server DB instances.

When you are viewing aggregated **File system** graphs, the **rdsdbdata\*** device relates to the `rdsfilesys/rdsdbdata*` file system, where all database files and logs are stored. The **rootfilesys** device relates to the `/` file system (also known as root), where files related to the operating system are stored. When using additional storage volumes, view the `rdsdbdata2`, `rdsdbdata3`, and `rdsdbdata4` volume metrics for volume-specific information.

When you are viewing aggregated **Disk I/O** graphs, the **rdsdbdata** device relates to the primary `/rdsdbdata` storage volume. When using additional storage volumes, view the `rdsdbdata2`, `rdsdbdata3`, and `rdsdbdata4` volume metrics for volume-specific information. The **filesystem** device relates to the `/` file system (also known as root), where files related to the operating system are stored.

The **rdsdev** device name is deprecated. The **rdsdev** device only relates to the primary `/rdsdbdata` storage volume and does not include metrics from additional storage volumes.

![\[Graph showing file system usage\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/enhanced-monitoring-filesystem.png)


If the DB instance is a Multi-AZ deployment, you can view the OS metrics for the primary DB instance and its Multi-AZ standby replica. In the **Enhanced monitoring** view, choose **primary** to view the OS metrics for the primary DB instance, or choose **secondary** to view the OS metrics for the standby replica.

![\[Primary and secondary choice for Enhanced Monitoring\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/enhanced-monitoring-primary-secondary.png)


For more information about Multi-AZ deployments, see [Configuring and managing a Multi-AZ deployment for Amazon RDS](Concepts.MultiAZ.md).

**Note**  
Currently, viewing OS metrics for a Multi-AZ standby replica is not supported for MariaDB DB instances.

If you want to see details for the processes running on your DB instance, choose **OS process list** for **Monitoring**.

The **Process List** view is shown following.

![\[Process list view\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/metrics2.png)


The Enhanced Monitoring metrics shown in the **Process list** view are organized as follows:
+ **RDS child processes** – Shows a summary of the RDS processes that support the DB instance, for example `mysqld` for MySQL DB instances. Process threads appear nested beneath the parent process. Process threads show CPU utilization only, because the other metrics are the same for all threads of the process. The console displays a maximum of 100 processes and threads. The results are a combination of the top CPU consuming and memory consuming processes and threads. If there are more than 50 processes and more than 50 threads, the console displays the top 50 consumers in each category. This display helps you identify which processes are having the greatest impact on performance.
+ **RDS processes** – Shows a summary of the resources used by the RDS management agent, diagnostics monitoring processes, and other AWS processes that are required to support RDS DB instances.
+ **OS processes** – Shows a summary of the kernel and system processes, which generally have minimal impact on performance.

The items listed for each process are:
+ **VIRT** – Displays the virtual size of the process.
+ **RES** – Displays the actual physical memory being used by the process.
+ **CPU%** – Displays the percentage of the total CPU bandwidth being used by the process.
+ **MEM%** – Displays the percentage of the total memory being used by the process.

The monitoring data that is shown in the RDS console is retrieved from Amazon CloudWatch Logs. You can also retrieve the metrics for a DB instance as a log stream from CloudWatch Logs. For more information, see [Viewing OS metrics using CloudWatch Logs](USER_Monitoring.OS.CloudWatchLogs.md).

Enhanced Monitoring metrics are not returned during the following: 
+ A failover of the DB instance.
+ Changing the instance class of the DB instance (scale compute).

Enhanced Monitoring metrics are returned during a reboot of a DB instance because only the database engine is rebooted. Metrics for the operating system are still reported.

# Viewing OS metrics using CloudWatch Logs
<a name="USER_Monitoring.OS.CloudWatchLogs"></a>

After you have enabled Enhanced Monitoring for your DB instance or Multi-AZ DB cluster, you can view the metrics for it using CloudWatch Logs, with each log stream representing a single DB instance or DB cluster being monitored. The log stream identifier is the resource identifier (`DbiResourceId`) for the DB instance or DB cluster.

**To view Enhanced Monitoring log data**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. If necessary, choose the AWS Region that your DB instance or Multi-AZ DB cluster is in. For more information, see [Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/index.html?rande.html) in the *Amazon Web Services General Reference*.

1. Choose **Logs** in the navigation pane.

1. Choose **RDSOSMetrics** from the list of log groups.

   In a Multi-AZ DB instance deployment, log files with `-secondary` appended to the name are for the Multi-AZ standby replica.

   ![\[Multi-AZ standby replica log file\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/enhanced-monitoring-cloudwatch-secondary.png)

1. Choose the log stream that you want to view from the list of log streams.
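For consuming the same data outside the console, the following added example (not AWS code) parses one Enhanced Monitoring log event, nests threads under their process as the **Process list** view does, and ranks the top CPU and memory consumers. It also maps a log stream name to the primary instance or the `-secondary` standby. The JSON field names (`processList`, `id`, `tgid`, `cpuUsedPc`, `memoryUsedPc`) are assumed from the OS metrics reference linked above rather than shown on this page; the event, the `host-agent` process name, and the resource ID are constructed.

```python
import json

SECONDARY_SUFFIX = "-secondary"

# Constructed sample of one RDSOSMetrics log event message.
SAMPLE_MESSAGE = json.dumps({
    "instanceID": "mydbinstance",
    "processList": [
        {"id": 4210, "tgid": 4201, "name": "mysqld", "cpuUsedPc": 7.25, "memoryUsedPc": 41.0},
        {"id": 4201, "tgid": 4201, "name": "mysqld", "cpuUsedPc": 12.5, "memoryUsedPc": 41.0},
        {"id": 310, "tgid": 310, "name": "host-agent", "cpuUsedPc": 0.5, "memoryUsedPc": 45.0},
        {"id": 2, "tgid": 2, "name": "kthreadd", "cpuUsedPc": 0.0, "memoryUsedPc": 0.0},
    ],
})
SAMPLE_EVENT = json.loads(SAMPLE_MESSAGE)


def stream_role(log_stream_name):
    """Split a log stream name into (resource_id, 'primary' or 'secondary')."""
    if log_stream_name.endswith(SECONDARY_SUFFIX):
        return log_stream_name[: -len(SECONDARY_SUFFIX)], "secondary"
    return log_stream_name, "primary"


def nest_threads(event):
    """Return {process id: entry}, with each thread's CPU listed under its process."""
    processes, threads = {}, []
    for entry in event.get("processList", []):
        # An entry whose id equals its thread group id is the process itself.
        if entry["id"] == entry.get("tgid", entry["id"]):
            processes[entry["id"]] = {**entry, "threads": []}
        else:
            threads.append(entry)
    # Second pass, so a thread listed before its process is still attached.
    for thread in threads:
        parent = processes.get(thread["tgid"])
        if parent is not None:
            parent["threads"].append({"id": thread["id"], "cpuUsedPc": thread["cpuUsedPc"]})
    return processes


def top_consumers(event, limit=50):
    """Union of the top `limit` processes by CPU and by memory, CPU ranking first."""
    procs = list(nest_threads(event).values())
    by_cpu = sorted(procs, key=lambda p: p["cpuUsedPc"], reverse=True)[:limit]
    by_mem = sorted(procs, key=lambda p: p["memoryUsedPc"], reverse=True)[:limit]
    seen, ranked = set(), []
    for proc in by_cpu + by_mem:
        if proc["id"] not in seen:
            seen.add(proc["id"])
            ranked.append(proc)
    return ranked


if __name__ == "__main__":
    print(stream_role("db-EXAMPLERESOURCEID-secondary"))
    for proc in top_consumers(SAMPLE_EVENT, limit=1):
        print(proc["name"], proc["cpuUsedPc"], proc["memoryUsedPc"], proc["threads"])
```
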