Viewing resources analyzed by DevOps Guru - Amazon DevOps Guru

Viewing resources analyzed by DevOps Guru

DevOps Guru provides a list of resource names and their application boundaries under analysis using the ListMonitoredResources action. This information is collected from Amazon CloudWatch, AWS CloudTrail, and other AWS services using the DevOps Guru service-linked role.

Note that even if a user does not have explicit permission to access the APIs for another service such as AWS Lambda or Amazon RDS, DevOps Guru still provides a list of resources from that service as long as the ListMonitoredResources action is allowed.

Updating your AWS analysis coverage in DevOps Guru

You can update which AWS resources in your account DevOps Guru analyzes. The resources that are analyzed make up your DevOps Guru coverage boundary. When you specify your boundary, your resources are grouped into applications. You have four boundary coverage options.

  • Choose to have DevOps Guru analyze all supported resources in your account. All resources in your account that are in a stack are grouped into an application. If you have multiple stacks in your account, then the resources in each stack make up their own application. If any resources in your account are not in a stack, they are grouped into their own application.

  • Specify resources by choosing AWS CloudFormation stacks that define those resources. If you do this, DevOps Guru analyzes every resource specified in the stacks you choose. If a resource in your account is not defined by a stack you choose, it is not analyzed. For more information, see Working with stacks in the AWS CloudFormation User Guide and Determine coverage for DevOps Guru.

  • Specify resources by using AWS tags. DevOps Guru either analyzes all the resources in your account and Region or all the resources that contain the tag key that you choose. Resources are grouped based on selected tag values. For more information, see Using tags to identify resources in your DevOps Guru applications.

  • Specify to have no resources analyzed so that you stop incurring charges from resource analysis.

    Note

    If you update your coverage to stop analyzing resources, you might continue to incur minor charges if you review existing insights generated by DevOps Guru in the past. These charges are associated with API calls used to retrieve and display insight information. For more information, see Amazon DevOps Guru pricing.

DevOps Guru supports all resources that are associated with supported services. For more information about the supported services and resources, see Amazon DevOps Guru pricing.

To manage your DevOps Guru analysis coverage
  1. Open the Amazon DevOps Guru console at https://console.aws.amazon.com/devops-guru/.

  2. Expand Analyzed resources in the navigation pane.

  3. Choose Edit.

  4. Choose one of the following coverage options.

    • Choose All account resources if you want DevOps Guru to analyze all supported resources in your AWS account and Region. If you choose this option, your AWS account is your resource analysis coverage boundary. All resources in each stack in your account are grouped into their own application. Any remaining resources that are not in a stack are grouped into their own application.

    • Choose CloudFormation stacks if you want DevOps Guru to analyze the resources that are in stacks you choose, then choose one of the following options.

      • All resources – All resources that are in stacks in your account are analyzed. Resources in each stack are grouped into their own application. Any resources in your account that are not in a stack are not analyzed.

      • Select stacks – Select the stacks that you want DevOps Guru to analyze. The resources in each stack you select are grouped into their own application. You can enter the name of a stack in Find stacks to quickly locate a specific stack. You can select up to 1,000 stacks.

      For more information, see Using AWS CloudFormation stacks to identify resources in your DevOps Guru applications.

    • Choose Tags if you want DevOps Guru to analyze all resources that contain the tags you choose. Choose a key, then choose one of the following options.

      • All account resources – Analyze all AWS resources in the current Region and account. Resources with the selected tag key are grouped by tag value, if any exist. Resources without this tag key are grouped and analyzed separately.

      • Choose specific tag values – All resources that contain a tag with the key you chose are analyzed. DevOps Guru groups your resources into applications by your tag's values.

      The tag's key must begin with the prefix devops-guru-. This prefix isn't case-sensitive. For example, a valid key is DevOps-Guru-Production-Applications. For more information, see Using tags to identify resources in your DevOps Guru applications.

    • Choose None if you do not want DevOps Guru to analyze any resources. This option disables DevOps Guru so that you stop incurring charges from resource analysis.

  5. Choose Save.

Removing analyzed resource view for users

Even if a user does not have explicit permission to access the APIs for another service such as Lambda or Amazon RDS, DevOps Guru still provides a list of resources from that service as long as the ListMonitoredResources action is allowed. To change this behavior, you can update your AWS IAM policy to deny this action.

    {
        "Sid": "DenyListMonitoredResources",
        "Effect": "Deny",
        "Action": [
            "devops-guru:ListMonitoredResources"
        ],
        "Resource": "*"
    }
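To find which principals can still list analyzed resources, check their identity policies for anything that matches ListMonitoredResources, including wildcards such as devops-guru:List*. The following is an added example, not AWS code: it evaluates constructed sample policy documents offline and assumes the Resource element can be ignored, that a Deny with a Condition does not reliably block the action, and that an Allow with a Condition still counts as exposure.

```python
import re

ACTION = "devops-guru:ListMonitoredResources"

def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(patterns, action):
    """IAM action patterns are case-insensitive with '*' and '?' wildcards."""
    for p in patterns:
        rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False

def _applies(stmt, action):
    """NotAction matches every action except the listed ones."""
    if "NotAction" in stmt:
        return not _covers(_as_list(stmt["NotAction"]), action)
    return _covers(_as_list(stmt.get("Action")), action)

def exposure(policies, action=ACTION):
    """Return 'denied', 'allowed' or 'implicit-deny' for a principal's policies."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _applies(stmt, action):
                continue
            if stmt.get("Effect") == "Deny" and "Condition" not in stmt:
                return "denied"   # unconditional explicit deny overrides any allow
            if stmt.get("Effect") == "Allow":
                allowed = True    # conditional allows are counted as exposure
    return "allowed" if allowed else "implicit-deny"

# Constructed sample policies (not from the page).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["devops-guru:List*", "devops-guru:Describe*"], "Resource": "*"}]}
DENY_VIEW = {"Version": "2012-10-17", "Statement": {
    "Sid": "DenyListMonitoredResources", "Effect": "Deny",
    "Action": ["devops-guru:ListMonitoredResources"], "Resource": "*"}}
LAMBDA_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:GetFunction", "Resource": "*"}]}

if __name__ == "__main__":
    for name, docs in [("read-only", [READ_ONLY]), ("read-only + deny", [READ_ONLY, DENY_VIEW]),
                       ("lambda only", [LAMBDA_ONLY])]:
        print(name, "->", exposure(docs))
```

The read-only policy grants no Lambda or Amazon RDS permissions, yet it evaluates as allowed because devops-guru:List* covers the action; attaching the deny statement changes the result to denied.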