

AWS Systems Manager Incident Manager is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [AWS Systems Manager Incident Manager availability change](https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-manager-availability-change.html). 

# Product and service integrations with Incident Manager
<a name="integration"></a>

Incident Manager, a tool in AWS Systems Manager, integrates with the following products, services, and tools.

## Integration with AWS services
<a name="integrations-aws"></a>

Incident Manager integrates with the AWS services and tools described in the following table.


| Service or tool | Description |
| --- |--- |
| AWS CDK |  The AWS CDK is a development framework for using code to define your cloud infrastructure and using CloudFormation for provisioning. The AWS CDK supports multiple programming languages including TypeScript, JavaScript, Python, Java, and C#/.Net. For information about using the AWS CDK with Incident Manager, see the following sections in the *AWS CDK API Reference*: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html)  | 
| Amazon Q Developer in chat applications |  [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/) enables DevOps and software development teams to use messaging program chat rooms to monitor and respond to operational events in their AWS Cloud. Using Amazon Q Developer in chat applications with Incident Manager, you can create *chat channels* that responders can use to monitor and respond to incidents. Amazon Q Developer in chat applications supports Slack chat rooms, Microsoft Teams channels, and Amazon Chime chat rooms as chat channels.  As part of creating a chat channel, you also create a *topic* in Amazon Simple Notification Service (Amazon SNS). [Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/) is a managed service that provides message delivery from publishers to subscribers. In incident response plans, when you associate a chat channel you have created with the plan, you also choose one or more topics that you associated with the chat channel. These SNS topics are used to send notifications about an incident to the incident responders. For more information, see [Creating and integrating chat channels for responders in Incident Manager](chat.md).  | 
| CloudFormation |  CloudFormation is a service that you can use to create a template with all the resources you need for your application, and then configure and provision the resources for you. It will also configure all the dependencies, so you can focus more on your application and less on managing resources.  For information about using CloudFormation with Incident Manager, see the following topics in the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html)  | 
| Amazon CloudWatch |  [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/) monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. You can configure CloudWatch alarms to create incidents in Incident Manager. CloudWatch works with Systems Manager and Incident Manager to create an incident from a response plan template when an alarm goes into alarm state.  For more information, see [Creating incidents automatically with CloudWatch alarms](incident-creation.md#incident-tracking-auto-alarms).  | 
| Amazon Chime | [Amazon Chime](https://docs.aws.amazon.com/chime/latest/ug/) is an online workplace that combines meetings, chat, and business calls. You can meet, chat, and place business calls inside and outside your organization using Amazon Chime. You can integrate an Amazon Chime room into your Incident Manager operations by creating a chat channel for Amazon Chime in [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/), and then adding that channel to a response plan. For more information, see [Creating and integrating chat channels for responders in Incident Manager](chat.md). | 
| Amazon EventBridge |  [EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/) is a serverless service that uses events to connect application components, making it easier for you to build scalable event-driven applications.  You can configure EventBridge rules to watch for event patterns in your AWS resources and create an incident in Incident Manager when an event matches a pattern that you have defined. Your rules can monitor for event patterns in dozens of AWS services and third-party applications and services. For more information, see [Creating incidents automatically with EventBridge events](incident-creation.md#incident-tracking-auto-eventbridge).  | 
| AWS Secrets Manager |  [Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/) helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. When you integrate Incident Manager with the PagerDuty service, you create a secret in Secrets Manager that contains your PagerDuty credentials.  For more information, see [Storing PagerDuty access credentials in an AWS Secrets Manager secret](integrations-pagerduty-secret.md).  | 
|  **AWS Systems Manager**  |  [Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) is an operations hub that you can use to view and control your application infrastructure and a secure end-to-end management solution for cloud environments. The following Systems Manager tools integrate directly with Incident Manager: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html)  | 
| AWS Trusted Advisor |  [Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) is a tool available to AWS customers with a Basic or Developer support plan. Trusted Advisor inspects your AWS environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. For Incident Manager, Trusted Advisor checks that a replication set’s configuration uses more than one AWS Region to support Regional failover and response.  | 

## Integration with other products and services
<a name="integrations-other"></a>

You can integrate or use Incident Manager with the third-party services described in the following table. 


| Product or service | Description |
| --- |--- |
|  **Jira Cloud**  |  Using the AWS Service Management Connector, you can integrate Incident Manager with **[Jira Cloud](https://www.atlassian.com/enterprise/cloud)** (Atlassian), a third-party cloud-based workflow platform. After you configure integration with Jira Cloud, when you create a new incident in Incident Manager, the integration creates the incident in Jira Cloud as well. If you update an incident in Incident Manager, it makes these updates to the corresponding incident in Jira Cloud. If you resolve an incident in either Incident Manager or Jira Cloud, the integration resolves the incident in both services based on which preferences you configure. For more information, see [Integrating AWS Systems Manager Incident Manager (Jira Cloud)](https://docs.aws.amazon.com/smc/latest/ag/jsmcloud-im.html) in the *AWS Service Management Connector Administrator Guide*.  | 
| Jira Service Management |  Using the AWS Service Management Connector, you can integrate Incident Manager with **[Jira Service Management](https://www.atlassian.com/software/jira/service-management)**, a third-party cloud-based workflow platform. After you configure integration with Jira Service Management, when you create a new incident in Incident Manager, the integration creates the incident in Jira Service Management as well. If you update an incident in Incident Manager, it makes these updates to the corresponding incident in Jira Service Management. If you resolve an incident in either Incident Manager or Jira Service Management, the integration resolves the incident in both services based on which preferences you configure. For more information, see [Configuring Jira Service Management](https://docs.aws.amazon.com/smc/latest/ag/jsd-integration-configure-jsd.html) in the *AWS Service Management Connector Administrator Guide*.  | 
|  **Microsoft Teams**    |  [Microsoft Teams](https://www.microsoft.com/en-us/microsoft-teams/group-chat-software) provides collaborative cloud-based tools for team messaging, audio and video conferencing, and file sharing. You can integrate a Microsoft Teams channel into your Incident Manager operations by creating a chat channel for Microsoft Teams in [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/), and then adding that channel to a response plan. For more information, see [Creating and integrating chat channels for responders in Incident Manager](chat.md).  | 
| PagerDuty |   [PagerDuty](https://www.pagerduty.com) is an incident response tool that supports paging workflows and escalation policies. When you integrate Incident Manager with PagerDuty, you can add a PagerDuty service to your response plan. After that, a corresponding incident is created in PagerDuty whenever an incident is created in Incident Manager. The incident in PagerDuty uses the paging workflow and escalation policies that you defined there in addition to those in Incident Manager. PagerDuty attaches timeline events from Incident Manager as notes on your incident. To integrate Incident Manager with PagerDuty, you must first create a secret in AWS Secrets Manager that contains your PagerDuty credentials.  For information about adding a PagerDuty REST API Key and other required details to a secret in AWS Secrets Manager, see [Storing PagerDuty access credentials in an AWS Secrets Manager secret](integrations-pagerduty-secret.md).  For information about adding a PagerDuty service from your PagerDuty account to a response plan in Incident Manager, see the steps for [Integrate a PagerDuty service into the response plan](response-plans.md#anchor-pagerduty) in the topic [Creating a response plan](response-plans.md#response-plans-create).  | 
| ServiceNow |  Using the AWS Service Management Connector, you can integrate Incident Manager with **[ServiceNow](https://www.servicenow.com/)**, a third-party cloud-based workflow platform. After you configure integration with ServiceNow, when you create a new incident in Incident Manager, the integration creates the incident in ServiceNow as well. If you update an incident in Incident Manager, it makes these updates to the corresponding incident in ServiceNow. If you resolve an incident in either Incident Manager or ServiceNow, the integration resolves the incident in both services based on which preferences you configure. For more information, see [Integrating AWS Systems Manager Incident Manager in ServiceNow](https://docs.aws.amazon.com/smc/latest/ag/sn-im.html) in the *AWS Service Management Connector Administrator Guide*.  | 
| Slack |  [Slack](https://www.slack.com) provides collaborative cloud-based tools for team messaging, audio and video conferencing, and file sharing. You can integrate a Slack channel into your Incident Manager operations by creating a chat channel for Slack in [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/), and then adding that channel to a response plan. For more information, see [Creating and integrating chat channels for responders in Incident Manager](chat.md).  | 
| Terraform |  HashiCorp [Terraform](https://registry.terraform.io/) is an open-source *infrastructure as code* (IaC) software tool that provides a command line interface (CLI) workflow to manage various cloud services. For Incident Manager, you can use Terraform to manage or provision the following: **SSM Incident Manager Contacts resources** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html) **SSM Contacts data sources** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html) **SSM Incident Manager resources** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html) **SSM Incident Manager data sources** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/incident-manager/latest/userguide/integration.html)  | 

# Storing PagerDuty access credentials in an AWS Secrets Manager secret
<a name="integrations-pagerduty-secret"></a>

After you turn on integration with PagerDuty for a response plan, Incident Manager works with PagerDuty in the following ways:
+ Incident Manager creates a corresponding incident in PagerDuty when you create a new incident in Incident Manager.
+ The paging workflow and escalation policies you created in PagerDuty are used in the PagerDuty environment. However, Incident Manager doesn't import your PagerDuty configuration.
+ Incident Manager publishes timeline events as notes to the incident in PagerDuty, up to a maximum of 2,000 notes.
+ You can choose to automatically resolve PagerDuty incidents when you resolve the related incident in Incident Manager. 

To integrate Incident Manager with PagerDuty, you must first create a secret in AWS Secrets Manager that contains your PagerDuty credentials. These allow Incident Manager to communicate with your PagerDuty service. You can then include a PagerDuty service in response plans that you create in Incident Manager.

The secret you create in Secrets Manager must contain, in the proper JSON format, the following:
+ An API key from your PagerDuty account. You can use either a General Access REST API Key or a User Token REST API Key.
+ A valid user email address from your PagerDuty subdomain.
+ The PagerDuty service region where you deployed your subdomain. 
**Note**  
All services in a PagerDuty subdomain are deployed to the same service region.

**Prerequisites**  
Before creating the secret in Secrets Manager, ensure that you meet the following requirements.

**KMS key**  
You must encrypt the secret you create with a *customer managed key* that you have created in AWS Key Management Service (AWS KMS). You specify this key when you create the secret that stores your PagerDuty credentials.  
Secrets Manager provides the option of encrypting the secret with an AWS managed key, but this encryption mode is not supported.
The customer managed key must meet the following requirements:  
+ **Key type**: Choose **Symmetric**.
+  **Key usage**: Choose **Encrypt and decrypt**.
+ **Regionality**: If you want to replicate your response plan to multiple AWS Regions, ensure that you select **Multi-Region key**.

   
**Key policy**  
The user that is configuring the response plan must have permission for `kms:GenerateDataKey` and `kms:Decrypt` in the key's resource-based policy. The `ssm-incidents.amazonaws.com` service principal must also have permission for `kms:GenerateDataKey` and `kms:Decrypt` in the key's resource-based policy.
The following policy demonstrates these permissions. Replace each *user input placeholder* with your own information.    

```
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM user permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow creator of response plan to use the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "IAM_ARN_of_principal_creating_response_plan"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow Incident Manager to use the key",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm-incidents.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}
```
For information about creating a new customer managed key, see [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*. For more information about AWS KMS keys, see [AWS KMS concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).  
If an existing customer managed key meets all the previous requirements, you can edit its policy to add these permissions. For information about updating the policy in a customer managed key, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the *AWS Key Management Service Developer Guide*.  
You can specify a condition key to limit access even further. For example, the following policy statement allows access through Secrets Manager in the US East (Ohio) Region (us-east-2) only:  

```
{
    "Sid": "Enable IM Permissions",
    "Effect": "Allow",
    "Principal": {
        "Service": "ssm-incidents.amazonaws.com"
    },
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com"
        }
    }
}
```

**`GetSecretValue` permission**  
The IAM identity (user, role, or group) that creates the response plan must have the IAM permission `secretsmanager:GetSecretValue`. 

**To store PagerDuty access credentials in an AWS Secrets Manager secret**

1. Follow the steps through Step 3a in [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*.

1. For Step 3b, for **Key/value pairs**, do the following:
   + Choose the **Plaintext** tab.
   + Replace the default contents of the box with the following JSON structure:

     ```
     {
         "pagerDutyToken": "pagerduty-token",
         "pagerDutyServiceRegion": "pagerduty-region",
         "pagerDutyFromEmail": "pagerduty-email"
     }
     ```
   + In the JSON sample you pasted, replace the *placeholder values* as follows:
     + *pagerduty-token*: The value of a General Access REST API Key or a User Token REST API Key from your PagerDuty account.

       For related information, see [API Access Keys](https://support.pagerduty.com/docs/api-access-keys) in the *PagerDuty Knowledge Base*.
     + *pagerduty-region*: The service region of the PagerDuty data center that hosts your PagerDuty subdomain.

       For related information, see [Service Regions](https://support.pagerduty.com/docs/service-regions) in the *PagerDuty Knowledge Base*.
     + *pagerduty-email*: The valid email address for a user that belongs to your PagerDuty subdomain.

       For related information, see [Manage Users](https://support.pagerduty.com/docs/users) in the *PagerDuty Knowledge Base*.

     The following example shows a completed JSON secret containing the required PagerDuty credentials:

     ```
     {
         "pagerDutyToken": "y_NbAkKc66ryYEXAMPLE",
         "pagerDutyServiceRegion": "US",
         "pagerDutyFromEmail": "JohnDoe@example.com"
     }
     ```

1. On Step 3c, for **Encryption key**, choose a customer managed key you created that meets the requirements listed under the previous **Prerequisites** section.

1. On Step 4c, for **Resource permissions**, do the following:
   + Expand **Resource permissions**.
   + Choose **Edit permissions**.
   + Replace the default contents of the policy box with the following JSON structure:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "Service": "ssm-incidents.amazonaws.com"
                 },
                 "Action": "secretsmanager:GetSecretValue",
                 "Resource": "*"
             }
         ]
     }
     ```
   + Choose **Save**.

1. On Step 4d, for **Replicate secret**, do the following if you replicated your response plan to more than one AWS Region:
   + Expand **Replicate secret**.
   + For **AWS Region**, select the Region to which you replicated your response plan.
   + For **Encryption key**, choose a customer managed key you created in, or replicated to, this Region that meets the requirements listed under the **Prerequisites** section. 
   + For each additional AWS Region, choose **Add Region** and select the Region name and customer managed key.

1. Complete the remaining steps in [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*. 
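
The following pre-deployment check is an added example, not part of the AWS documentation. It audits a KMS key policy and a secret payload against the prerequisites and JSON structure described above; the function names, the sample policy, and the role ARN are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "ssm-incidents.amazonaws.com"
KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")
# Secret field -> template value from the procedure that must be replaced.
SECRET_FIELDS = {
    "pagerDutyToken": "pagerduty-token",
    "pagerDutyServiceRegion": "pagerduty-region",
    "pagerDutyFromEmail": "pagerduty-email",
}

def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _allows(stmt, kind, principal, action):
    """True if this Allow statement names `principal` and covers `action`."""
    who = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(who, dict):
        return False
    # Action names are case-insensitive and may end in a wildcard.
    return principal in _as_list(who.get(kind)) and any(
        fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))

def audit_key_policy(policy, creator_arn):
    """Findings for a KMS key policy checked against the prerequisites."""
    stmts = _as_list(policy.get("Statement"))
    findings = [
        f"{principal} lacks {action}"
        for kind, principal in (("AWS", creator_arn), ("Service", SERVICE))
        for action in KMS_ACTIONS
        if not any(_allows(s, kind, principal, action) for s in stmts)
    ]
    for s in stmts:
        via = s.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if _allows(s, "Service", SERVICE, "kms:Decrypt") and not via:
            findings.append(f"hardening: {s.get('Sid', '?')} has no kms:ViaService condition")
    return findings

def audit_secret(secret_string):
    """Findings for the JSON payload stored in the secret."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        return ["secret is not valid JSON"]
    if not isinstance(data, dict):
        return ["secret must be a JSON object"]
    return [
        f"{field} is missing, empty, or still the template value"
        for field, template in SECRET_FIELDS.items()
        if not isinstance(data.get(field), str) or data[field].strip() in ("", template)
    ]

# Constructed sample input: the creator grant omits kms:GenerateDataKey.
CREATOR = "arn:aws:iam::111122223333:role/ExampleResponsePlanAdmin"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Creator", "Effect": "Allow", "Principal": {"AWS": CREATOR},
     "Action": "kms:Decrypt", "Resource": "*"},
    {"Sid": "IM", "Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}
SAMPLE_SECRET = '{"pagerDutyToken": "y_NbAkKc66ryYEXAMPLE", "pagerDutyServiceRegion": "pagerduty-region"}'
```

Calling `audit_key_policy(SAMPLE_POLICY, CREATOR)` and `audit_secret(SAMPLE_SECRET)` returns the list of gaps to close before you attach the PagerDuty service to a response plan; an empty list means the input meets the stated requirements.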

For information about how to add a PagerDuty service to an Incident Manager incident workflow, see [Integrate a PagerDuty service into the response plan](response-plans.md#anchor-pagerduty) in the topic [Creating a response plan](response-plans.md#response-plans-create).

**Related information**

[How to Automate Incident Response with PagerDuty and AWS Systems Manager Incident Manager](https://aws.amazon.com/blogs/mt/how-to-automate-incident-response-with-pagerduty-and-aws-systems-manager-incident-manager/) (AWS Cloud Operations and Migrations Blog)

[Secret encryption in AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html) in the *AWS Secrets Manager User Guide*