
Customer Onboarding Guide

Connect your AWS infrastructure to ConvOps in about 5 minutes. No code changes required.

  1. Deploy CloudFormation: IAM Role + SNS Topic. ~2 min.
  2. Tag Your Resources: Mark what ConvOps can act on. ~1 min.
  3. Connect CloudWatch: Point alarms at the SNS topic. ~1 min.
  4. Onboard with Us: Email Role ARN — we handle the rest.

No Lambda functions. No code changes. No agents in your account.
ConvOps only needs two resources:
  • An IAM Role — so ConvOps can read metrics and take approved actions
  • An SNS Topic — so CloudWatch alarms can notify ConvOps

What You'll Deploy

Resource | Type | Purpose
ConvOpsAccessRole | IAM Role | Allows ConvOps to read your metrics and take approved actions on tagged resources
ConvOpsAlertTopic | SNS Topic | Receives CloudWatch alarms and forwards them securely to ConvOps

That's it — no changes to existing resources, no code, no agents.

Step 1 — Deploy the CloudFormation Template

This creates the IAM Role and SNS Topic ConvOps needs.

Before you deploy, replace these two values:
  • YOUR_CUSTOMER_EXTERNAL_ID — provided by ConvOps during onboarding
  • YOUR_CONVOPS_API_KEY — provided by ConvOps during onboarding

The CloudFormation Template

AWSTemplateFormatVersion: '2010-09-09'
Description: ConvOps Infrastructure Setup — IAM Role + Alert Topic

Parameters:
  CustomerExternalId:
    Type: String
    Description: Unique external ID provided by ConvOps (keep this secret)
    Default: YOUR_CUSTOMER_EXTERNAL_ID

  ConvOpsApiKey:
    Type: String
    Description: Your ConvOps API key (provided during onboarding)
    Default: YOUR_CONVOPS_API_KEY
    NoEcho: true

Resources:

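  # SNS Topic: receives CloudWatch alarms and forwards to ConvOps
  ConvOpsAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: ConvOpsAlerts

  # HTTPS subscription as its own resource: the inline Subscription list on
  # AWS::SNS::Topic accepts only Protocol and Endpoint, not DeliveryPolicy
  ConvOpsAlertSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref ConvOpsAlertTopic
      Protocol: https
      Endpoint: https://api.convops.io/v1/ingest
      DeliveryPolicy:
        healthyRetryPolicy:
          numRetries: 3
          minDelayTarget: 20
          maxDelayTarget: 20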

  ConvOpsAlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ConvOpsAlertTopic
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudwatch.amazonaws.com
            Action: sns:Publish
            Resource: !Ref ConvOpsAlertTopic

  # IAM Role: allows ConvOps to read and take approved actions
  ConvOpsAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ConvOpsAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::009001720832:role/convops-executor
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref CustomerExternalId
      Policies:
        - PolicyName: ConvOpsReadPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudwatch:GetMetricData
                  - cloudwatch:GetMetricStatistics
                  - cloudwatch:DescribeAlarms
                  - logs:FilterLogEvents
                  - logs:GetLogEvents
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                  - ec2:DescribeInstances
                  - ecs:DescribeTasks
                  - ecs:DescribeServices
                  - ecs:ListTasks
                  - ecs:ListServices
                  - rds:DescribeDBInstances
                  - rds:DescribeEvents
                  - lambda:ListFunctions
                  - lambda:GetFunctionConfiguration
                Resource: "*"

        - PolicyName: ConvOpsActionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ecs:UpdateService
                Resource: "*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/ConvOpsManaged: "true"
              - Effect: Allow
                Action: ec2:RebootInstances
                Resource: "*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/ConvOpsManaged: "true"
              - Effect: Allow
                Action: rds:RebootDBInstance
                Resource: "*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/ConvOpsManaged: "true"
              - Effect: Allow
                Action: ssm:SendCommand
                Resource:
                  - !Sub "arn:aws:ssm:*:*:document/AWS-RestartService"
                  - !Sub "arn:aws:ssm:*:*:document/AWS-RunShellScript"
                  - !Sub "arn:aws:ec2:*:${AWS::AccountId}:instance/*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/ConvOpsManaged: "true"

Outputs:
  RoleArn:
    Description: Share this with ConvOps during onboarding
    Value: !GetAtt ConvOpsAccessRole.Arn
  SNSTopicArn:
    Description: Use this as your CloudWatch alarm action
    Value: !Ref ConvOpsAlertTopic

Deploy via AWS CLI

aws cloudformation deploy \
  --template-file customer-convops-setup.yaml \
  --stack-name convops-setup \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    CustomerExternalId=YOUR_CUSTOMER_EXTERNAL_ID \
    ConvOpsApiKey=YOUR_CONVOPS_API_KEY

Or via AWS Console

  1. Go to CloudFormation → Create Stack → Upload template file
  2. Paste your CustomerExternalId and ConvOpsApiKey when prompted
  3. Check I acknowledge that AWS CloudFormation might create IAM resources with custom names
  4. Click Create Stack and wait ~60 seconds

After deployment, open the stack's Outputs tab. Copy the RoleArn and SNSTopicArn — you'll need them in Steps 3 and 4.

Step 2 — Tag Resources You Want ConvOps to Manage

ConvOps uses tags to determine what it can act on. Investigation (reading metrics and logs) works on all resources — but actions like restarts and reboots are restricted to tagged resources only.

Tag Key | Tag Value
ConvOpsManaged | true

Resources without this tag: ConvOps can investigate but cannot take any action. This is by design — you control exactly what's actionable.

Tag an ECS service

aws ecs tag-resource \
  --resource-arn arn:aws:ecs:eu-central-1:YOUR_ACCOUNT:service/my-cluster/my-service \
  --tags key=ConvOpsManaged,value=true

Tag an EC2 instance

aws ec2 create-tags \
  --resources i-0abc123def456 \
  --tags Key=ConvOpsManaged,Value=true

Tag an RDS instance

aws rds add-tags-to-resource \
  --resource-name arn:aws:rds:eu-central-1:YOUR_ACCOUNT:db:my-db \
  --tags Key=ConvOpsManaged,Value=true

Step 3 — Connect Your CloudWatch Alarms

Add the ConvOpsAlerts SNS topic as an action on any alarm you want ConvOps to monitor.

Via AWS CLI

# Get your SNS Topic ARN from the CloudFormation stack outputs
SNS_ARN=$(aws cloudformation describe-stacks \
  --stack-name convops-setup \
  --query "Stacks[0].Outputs[?OutputKey=='SNSTopicArn'].OutputValue" \
  --output text)

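# Add ConvOps as an alarm action. put-metric-alarm overwrites the alarm's whole
# configuration, so restate every existing setting (including any --dimensions)
aws cloudwatch put-metric-alarm \
  --alarm-name "prod-api-cpu-high" \
  --alarm-actions "$SNS_ARN" \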
  --metric-name CPUUtilization \
  --namespace AWS/ECS \
  --statistic Average \
  --period 300 \
  --threshold 85 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2

Via AWS Console

  1. Go to CloudWatch → Alarms
  2. Select an alarm → click Edit
  3. Under Notification, click Add notification
  4. Select In alarm state → SNS topic → choose ConvOpsAlerts
  5. Click Update alarm

Confirm the SNS subscription: Go to SNS → Subscriptions in the console. The HTTPS subscription should show Confirmed. If it shows Pending, email nitesh@convops.io with your Topic ARN.

Step 4 — Complete Onboarding with ConvOps

Onboarding is currently handled directly with the ConvOps team — no self-serve signup yet.

  1. Email nitesh@convops.io to start onboarding — we'll send you your ExternalId and API key
  2. Deploy the CloudFormation template from Step 1 using those values
  3. Reply with the IAM Role ARN from your stack outputs — we'll confirm the SNS subscription on our end
  4. Send us your WhatsApp number — we'll register it to receive alerts
  5. We'll trigger a test alert together to confirm end-to-end delivery

Having trouble? Email nitesh@convops.io with your CloudFormation stack name and we'll help you debug within a few hours.

What ConvOps Can and Cannot Do

ConvOps CAN

  • Read CloudWatch metrics and alarms (all resources)
  • Read CloudWatch Logs (all log groups)
  • Describe EC2, ECS, RDS, Lambda resources
  • Restart ECS services (tagged only)
  • Reboot EC2 instances (tagged only)
  • Reboot RDS instances (tagged only)
  • Run specific SSM documents (tagged only)

ConvOps CANNOT

  • Terminate or delete any resource
  • Modify security groups, VPCs, or IAM policies
  • Access S3, Secrets Manager, or any secrets
  • Take any action without your WhatsApp confirmation
  • Act on resources without the ConvOpsManaged: true tag
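
To review the CAN and CANNOT lists against the policy statements themselves before deploying, the following added example (not part of the ConvOps template or tooling) audits a list of Allow statements. The FORBIDDEN patterns, the read-verb heuristic, the function names and the 111122223333 account ID are assumptions of this example.

```python
from fnmatch import fnmatchcase

TAG_KEY = "aws:ResourceTag/ConvOpsManaged"
READ_VERBS = ("Get", "Describe", "List", "Filter")
# This example's own encoding of the CANNOT list (assumption, not ConvOps' definition).
FORBIDDEN = ("s3:*", "secretsmanager:*", "iam:*", "*:Delete*", "*:Terminate*",
             "ec2:*SecurityGroup*", "ec2:*Vpc*")
TAGGED = {"StringEquals": {TAG_KEY: "true"}}

# Statements transcribed from the template on this page (read list abridged,
# placeholder account ID substituted for ${AWS::AccountId}).
PAGE_POLICY = [
    {"Action": ["cloudwatch:GetMetricData", "logs:FilterLogEvents",
                "ec2:DescribeInstances", "lambda:ListFunctions"], "Resource": "*"},
    {"Action": "ecs:UpdateService", "Resource": "*", "Condition": TAGGED},
    {"Action": "ec2:RebootInstances", "Resource": "*", "Condition": TAGGED},
    {"Action": "rds:RebootDBInstance", "Resource": "*", "Condition": TAGGED},
    {"Action": "ssm:SendCommand", "Condition": TAGGED,
     "Resource": ["arn:aws:ssm:*:*:document/AWS-RestartService",
                  "arn:aws:ssm:*:*:document/AWS-RunShellScript",
                  "arn:aws:ec2:*:111122223333:instance/*"]},
]
# Constructed drift: a hypothetical later revision that adds an untagged terminate.
DRIFTED = PAGE_POLICY + [{"Action": ["ec2:TerminateInstances"], "Resource": "*"}]

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(statements):
    """Return (kind, detail) findings for a list of Allow statements."""
    findings = []
    for st in statements:
        gated = st.get("Condition", {}).get("StringEquals", {}).get(TAG_KEY) == "true"
        for action in as_list(st["Action"]):
            verb = action.split(":", 1)[1]
            if any(fnmatchcase(action, p) for p in FORBIDDEN):
                findings.append(("forbidden", action))
            if not verb.startswith(READ_VERBS) and not gated:
                findings.append(("untagged-write", action))
            if action == "ssm:SendCommand":
                # AWS-RunShellScript runs whatever commands the caller supplies.
                findings += [("arbitrary-command", r) for r in as_list(st["Resource"])
                             if r.endswith("document/AWS-RunShellScript")]
    return findings
```

On the page's statements the only finding is the AWS-RunShellScript document, which is worth weighing when deciding which instances receive the ConvOpsManaged tag.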

Security Notes

  • ExternalId: Your unique ExternalId prevents other AWS accounts from assuming your ConvOps role (confused deputy protection). Treat it like a password — keep it secret.
  • Revoke access instantly: Delete the ConvOpsAccessRole IAM role at any time. ConvOps immediately and permanently loses all access to your account.
  • Confirmation gate: Every action (restart, reboot, scale) requires an explicit "YES" reply on WhatsApp before execution. Nothing happens automatically.
  • Data handling: ConvOps never stores your logs or metrics. They're fetched on-demand, used for analysis, then discarded. Operational metadata (alarm names, action history) is retained for 90 days.
  • Session tokens only: No long-lived credentials stored. All cross-account operations use STS session tokens with a 15-minute TTL.
  • Audit trail: Every action is logged with timestamp, phone number, and outcome. Full log available on request.
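
Because the template's CustomerExternalId parameter has a placeholder Default, a stack deployed without overriding it ends up with a publicly known ExternalId. The following added example (not ConvOps code) checks a role's trust policy for that case and for an unexpected principal; the function names, sample ExternalId and the 111122223333 account ID are constructed for illustration.

```python
import json

EXPECTED_PRINCIPAL = "arn:aws:iam::009001720832:role/convops-executor"  # from the template

def trust(principal, external_id=None):
    """Build a constructed sample trust policy for the checks below."""
    st = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        st["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [st]}

# Constructed samples: a correct deployment, one deployed with the template's
# Default left in place, and one opened to a whole (placeholder) account.
GOOD = trust(EXPECTED_PRINCIPAL, "constructed-example-external-id")
PLACEHOLDER = trust(EXPECTED_PRINCIPAL, "YOUR_CUSTOMER_EXTERNAL_ID")
OPEN = trust("arn:aws:iam::111122223333:root")

def check_trust(doc):
    """Return a list of problems in an AssumeRolePolicyDocument (dict or JSON string)."""
    doc = json.loads(doc) if isinstance(doc, str) else doc
    statements = doc["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    problems = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p != EXPECTED_PRINCIPAL:
                problems.append(f"unexpected principal: {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("no sts:ExternalId condition")
        elif str(ext).startswith("YOUR_"):
            problems.append(f"placeholder ExternalId deployed: {ext}")
    return problems
```

The input is the document returned by `aws iam get-role --role-name ConvOpsAccessRole --query Role.AssumeRolePolicyDocument`.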

Troubleshooting

Not receiving alerts?

Check the following:

  • SNS subscription shows Confirmed (not Pending) in SNS → Subscriptions console
  • CloudWatch alarm has the SNS topic set as the alarm action (not just the OK action)
  • The alarm is actually in ALARM state — test by lowering the threshold temporarily

Action failed with permission denied?

Check the following:

  • The target resource has the ConvOpsManaged: true tag applied
  • The tag key and value match exactly (case-sensitive)
  • The resource is in the same account as the deployed IAM role

CloudFormation deploy failed?

Ensure your deploying IAM user/role has these permissions:

  • cloudformation:*
  • iam:CreateRole, iam:PutRolePolicy, iam:AttachRolePolicy
  • sns:CreateTopic, sns:SetTopicAttributes

Also ensure you included the --capabilities CAPABILITY_NAMED_IAM flag.

SNS subscription stuck on Pending?

ConvOps needs to confirm the HTTPS subscription from our side. Email nitesh@convops.io with your SNS Topic ARN and we'll confirm it manually within a few hours.

Need Help?

We'll walk you through setup on a 15-minute call.

Email Us

nitesh@convops.io · Usually responds within a few hours