Amazon Managed Grafana FAQs
General
What is Amazon Managed Grafana?
Amazon Managed Grafana is a fully managed multicloud, cross-project service with rich, interactive data visualizations to help customers analyze, monitor, and alarm on metrics, logs, and traces across multiple data sources. You can create interactive dashboards and share them with anyone in your organization with an automatically scaled, highly available, and enterprise-secure service. With Amazon Managed Grafana, you can manage user and team access to dashboards across AWS accounts, AWS regions, and data sources. Amazon Managed Grafana provides an intuitive resource discovery experience to help you easily onboard your AWS accounts across multiple regions and securely access AWS services such as Amazon CloudWatch, AWS X-Ray, Amazon Elasticsearch Service, Amazon Timestream, AWS IoT SiteWise, and Amazon Managed Service for Prometheus.
What is Grafana?
Grafana is an open source data visualization and operational dashboarding solution used by hundreds of thousands of organizations and millions of users. Grafana’s rich visualization library and broad support for multiple data sources makes it simple for customers to query, visualize, and alert on a wide variety of operational data, including metrics, logs, and traces in a single console. Amazon Managed Grafana provides fully managed Grafana workspaces compatible with the open source project and developed in partnership with Grafana Labs, parent company of the open source project.
What is an Amazon Managed Grafana Workspace?
A workspace is a logically isolated Grafana server. Once you have created a workspace, you can integrate it with data sources and then query and visualize metrics from these data sources. You can create multiple workspaces per Region, per account, so that you can create isolated Grafana workspaces for monitoring your Prod and Dev workloads separately.
How do I enable multi-account, multi-Region access to my AWS data sources?
Amazon Managed Grafana integrates with AWS Organizations to discover the AWS accounts and resources in your Organizational Units. Using AWS CloudFormation StackSets, Amazon Managed Grafana will automatically create the IAM policies needed to grant read-only access to your AWS Services data for the accounts and Regions you choose. Using the Amazon Managed Grafana console, you can easily add or remove accounts, Organizational Units, and Regions that you want to add to each Grafana workspace.
When do I need Enterprise Plugins license?
Amazon Managed Grafana ships with core plugins to connect to commonly used data sources including Amazon Managed Service for Prometheus, Amazon CloudWatch, and also supports installation of Grafana community plugins for other cloud providers, including Azure Monitor and Google Analytics, and self-managed data sources such as Graphite, InfluxDB, and more. If you need access to Enterprise data source plugins including AppDynamics, Atlassian Jira, Datadog, Dynatrace, Gitlab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake; you can upgrade your Amazon Managed workspace with Amazon Managed Grafana Enterprise plugins.
How do I upgrade my workspace to enable Enterprise plugins?
In the Amazon Managed Grafana console, you can select the workspace you’d like to upgrade to Grafana Enterprise. You can optionally upgrade one or more workspaces; each upgraded workspace will have access to Enterprise plugins. This enables you to query and visualize data from AppDynamics, Atlassian Jira, Datadog, Dynatrace, Gitlab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake.
Is there CloudFormation support for creating Amazon Managed Grafana Workspaces?
Yes. You can use AWS CloudFormation templates to create, update, and delete your Amazon Managed Grafana workspaces, as well as manage or update workspace SAML authentication settings. To learn more about manage Amazon Managed Grafana workspaces and configuring workspace SAML authentication with CloudFormation, see the Amazon Managed Grafana resource type reference in the CloudFormation user guide. To create Amazon Managed Grafana workspaces using AWS CloudFormation, follow the reference templates.
Is there Terraform support for creating, editing, and deleting dashboards for Amazon Managed Grafana Workspaces?
Yes, Amazon Managed Grafana supports Terraform for dashboard management.
What are the types of Grafana users?
There are three user types in Grafana: Administrators, Editors, and Viewers. Administrators have add, edit, and delete permissions to manage data sources, users, teams, folders, and dashboards. Editors have view, add, edit, and delete permissions to dashboards and alerts. Viewers can view dashboards to which they have been granted access, but cannot add, edit, or delete data sources, dashboards, or alerts.
Which Grafana data source plugins are supported?
Amazon Managed Grafana provides native integrations for multiple AWS Services, including Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon OpenSearch Service, AWS IoT SiteWise, Amazon Timestream, and AWS X-Ray. Amazon Managed Grafana also supports installation of Grafana community plugins for other cloud providers, including Azure Monitor and Google Analytics, and self-managed data sources such as Graphite, InfluxDB, and more. You can browse all supported data sources plugins directly from the Plugins Catalog within your workspace. Additionally, with Amazon Managed Grafana Enterprise plugins, you can access Enterprise data source plugins including AppDynamics, Atlassian Jira, Datadog, Dynatrace, Gitlab, Honeycomb, MongoDB, New Relic, Oracle Database, Salesforce, SAP HANA, ServiceNow, VMware Tanzu Observability by Wavefront, and Snowflake. Click here to learn more about Plugins in Amazon Managed Grafana.
What are teams in Amazon Managed Grafana and why should I use them?
Teams provide a grouping mechanism to organize users in Amazon Managed Grafana. You can use teams to group individual users into entities that are granted access to shared resources such as dashboards, data sources, and alerts. Teams can also be mapped to your LDAP groups. With Team Sync enabled, you can keep team membership and user identities in sync with your Identity Provider's user directories such as Azure Active Directory, Microsoft Active Directory, CyberArk, Okta, OneLogin, and Ping Identity.
What is Grafana alerting?
Grafana alerting is an opt-in Amazon Managed Grafana feature that allows you to visualize alerts from Prometheus Alertmanager data sources in a searchable alerting interface in your Grafana workspace.
How do I use the Grafana alerting experience?
In the Amazon Managed Grafana console, you can select the workspace where you’d like to enable Grafana Alerting to visualize your Prometheus Alertmanager alerts in your Grafana workspace.
Can I connect my Amazon Managed Grafana workspace to OpenSearch clusters, RDS Postgres databases, or self-managed data sources?
Yes, Amazon Managed Grafana can connect to OpenSearch clusters, RDS Postgres databases, or self-managed data sources directly from your VPC without using public IPs or requiring traffic to traverse the Internet. To learn more, see user guide for Connecting to Amazon VPC from Amazon Managed Grafana.
Can I connect multiple Virtual Private Cloud (VPC) endpoints, or VPCs from a different region and different accounts to a single Amazon Managed Grafana workspace?
Currently, you can connect one Amazon Managed Grafana workspace to one VPC endpoint in the same region and same account. However, you can use Virtual Private Cloud peering or AWS Transit Gateway to connect the cross-region or cross-account VPCs, then connect the select the VPC endpoint that’s in the same account and same region as your Amazon Managed Grafana workspace. In this way, data sources from different accounts or different region can all be connected to a single Amazon Managed Grafana workspace. If Virtual Private Clouds peering is not an option for you, please share your use cases with your Account Manager, or email us directly at aws-grafana-feedback@amazon.com.
When my Amazon Managed Grafana workspace is connected to a Virtual Private Cloud (VPC), will I still be able to connect to other public data sources?
Yes, you can still connect to public data source after you configure the VPC connection in Amazon Managed Grafana workspace. Requests to public data sources must traverse your VPC. If your workspace was previously connected to data sources prior to configuring a VPC endpoint, ensure that the VPC is able to reach the previously connected data sources as all traffic will now route through the VPC connection.
Do you support PrivateLink?
Yes. We provide AWS PrivateLink support between Amazon VPC and Amazon Managed Grafana. You can control access to the Amazon Managed Grafana service from the virtual private cloud (VPC) endpoints by attaching an IAM resource policy for Amazon VPC endpoints. Amazon Managed Grafana supports two different kinds of VPC endpoints. You can connect to the Amazon Managed Grafana service, providing access to the Amazon Managed Grafana APIs to manage workspaces. Or you can create a VPC endpoint to a specific workspace. For information about creating a VPC endpoint for your Grafana workspaces, see Interface VPC endpoints.
Is my Amazon Managed Grafana workspace URL publicly reachable?
Not necessarily. You have granular security controls over the rollout of Amazon Managed Grafana workspaces by defining customer-managed prefix lists and VPC endpoints to help you restrict the inbound network traffic that can reach your Grafana workspaces. Amazon Managed Grafana supports two modes for user and host access of your Grafana workspace: open access and restricted access. The open access mode is the default access setting for Grafana workspaces when there are no VPC endpoints or managed prefix list restrictions to reach your Grafana workspace URL; however, users must still authenticate with the configured identity provider(s) in order to log in to the workspace. The restricted access mode enables you to specify the inbound network traffic that is allowed to reach your workspace. To restrict access, you can configure prefix lists to specify IP address ranges from which users and hosts can reach your Grafana workspace. You can also create an interface VPC endpoints to allow AWS resources such as Amazon EC2 instances to access the Amazon Managed Grafana API to manage resources, or you can use a VPC endpoint as part of limiting network access to your Amazon Managed Grafana workspaces.
Can I install new plugins in my workspace? Can I update plugin versions?
Yes, you can install up to 50 data source, app, or visualization panel plugins, out of all pre-built plugins listed in the Plugin catalog, in addition to the core plugins that are pre-installed in your workspace. You can also update the plugin to a version that works for you. Grafana community plugins, not listed in the Plugin catalog or custom built plugins can not be installed in Amazon Managed Grafana.
What is the Plugin Catalog?
Your Amazon Managed Grafana workspace includes a page that shows all of your installed plugins and a list of all plugins that are available to install in your workspace. You can access the plugin catalog here.
How do I interact with Grafana HTTP APIs?
Amazon Managed Grafana supports API keys and Service accounts, to interact with Grafana HTTP APIs. Service accounts, introduced with Grafana version 9, replace API keys as the primary way to authenticate applications that interact with Grafana using Service Account Tokens. A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafana’s HTTP API. You can list, create and delete API keys and Service accounts from your Amazon Managed Grafana workspace or using Amazon Managed Grafana configuration APIs.
API keys are on their deprecation path and may be fully removed in upcoming major Grafana releases.
Pricing
How is Amazon Managed Grafana priced?
You are billed monthly for the total number of active users that have logged in to each Grafana workspace, with a minimum of one Editor user license per workspace per month. There are two tiers of users: an Editor user price that can be assigned Administrator or Editor roles, and a Viewer user price that can be assigned a Viewer role. If you upgrade your workspace with Amazon Managed Grafana Enterprise Plugins, you will be charged an additional fee per active user per month. For detailed pricing information, please reference the Amazon Managed Grafana pricing page.
What is an active user?
An “Active user” has logged in to an Amazon Managed Grafana workspace or made an API request at least once during a monthly billing cycle. Users who are provisioned with access to Grafana workspaces but have not used the service at least once in the monthly billing cycle will not be charged. If no users log into a workspace for a month, you will be billed for one minimum Editor user license per workpsace per month.
Can I create multiple workspaces?
Yes, you can create multiple workspaces. Users are billed per workspace per month. For example, if User A belongs to both Workspace 1 and Workspace 2, User A will be billed for using Workspace 1 and separately billed for using Workspace 2.
Will I be charged for API requests?
There are three types of API requests when working with an Amazon Managed Grafana workspace. The first type are Amazon Managed Grafana APIs that are used to create, edit, and delete workspaces. These do not incur charges. The second type are Grafana HTTP API requests that are used to manage workspace resources such as dashboards, alerts, and data sources. These are billed per API user license - API key or Service accounts, and can be granted Administrator, Editor, or Viewer permissions. Charges for Grafana API user licenses will appear on your AWS bill under the Amazon Managed Grafana section. The third type are Amazon Managed Grafana data queries made to other AWS Services and third-party ISVs that may charge fees for using their APIs. These API fees are charged by the respective AWS service or third-party ISV and not charged by Amazon Managed Grafana. For example, a dashboard in Amazon Managed Grafana that contains CloudWatch metrics will make requests to Amazon CloudWatch, and this will incur API fees on your CloudWatch bill.
How will I be billed for Amazon Managed Grafana Enterprise Plugins?
You will receive one bill with your Amazon Managed Grafana usage, based on active Editor, active Viewer and active Enterprise Plugins users per workspace per month. You will only see charges for Enterprise Plugins user, If you upgrade your Amazon Managed Grafana workspace(s) with Enterprise Plugins. Enterpise Plugins pricing is in addition to Amazon Managed Grafana's per Editor and per Viewer pricing.
Versions and Updates
Which Grafana versions does Amazon Managed Grafana support?
See the Amazon Managed Grafana documentation for currently supported Grafana versions. Amazon Managed Grafana will continue to add support for additional Grafana versions in the future.
Can I update my Amazon Managed Grafana workspace to a new version?
Yes. Amazon Managed Grafana supports in place update to a new Grafana version. You can update your Amazon Managed Grafana workspace to a new version from the AWS Console, SDK, or CLI. Check out the Amazon Managed Grafana user guide and Amazon Managed Grafana API Reference for detailed documentation.
Why would I want manual control over Grafana version updates?
New versions of Grafana introduce breaking changes, which may impact your visualizations or automation workflows. Manual control over Grafana workspace versioning lets you validate your Grafana experience against new versions of Grafana before upgrading production workspaces.