Create IAM roles and users for use with CloudWatch agent
Access to AWS resources requires permissions. You create an IAM role, an IAM user, or both to grant permissions that the CloudWatch agent needs to write metrics to CloudWatch. If you're going to use the agent on Amazon EC2 instances, you must create an IAM role. If you're going to use the agent on on-premises servers, you must create an IAM user.
Note
We recently modified the following procedures to use the CloudWatchAgentServerPolicy and CloudWatchAgentAdminPolicy managed policies created by Amazon, instead of requiring customers to create these policies themselves. For writing configuration files to and downloading them from Parameter Store, the policies created by Amazon allow only parameter names that start with AmazonCloudWatch-. If your CloudWatch agent configuration file is stored under a name that doesn't start with AmazonCloudWatch-, these policies can't be used to write the file to Parameter Store or download it from Parameter Store.
If you're going to run the CloudWatch agent on Amazon EC2 instances, use the following steps to create the necessary IAM role. This role provides permissions for reading information from the instance and writing it to CloudWatch.
To create the IAM role necessary to run the CloudWatch agent on EC2 instances
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane on the left, choose Roles and then Create role.
3. Make sure that AWS service is selected under Trusted entity type.
4. For Use case, choose EC2 under Common use cases.
5. Choose Next.
6. In the list of policies, select the check box next to CloudWatchAgentServerPolicy. If necessary, use the search box to find the policy.
   (Optional) If the agent is sending traces to X-Ray, you also need to give the role the AWSXRayDaemonWriteAccess policy. To do so, find that policy in the list and select the check box next to it.
7. Choose Next.
8. In Role name, enter a name for the role, such as CloudWatchAgentServerRole. Optionally give it a description. Then choose Create role. The role is now created.
9. (Optional) If the agent is going to send logs to CloudWatch Logs and you want the agent to be able to set retention policies for these log groups, you need to add the logs:PutRetentionPolicy permission to the role. For more information, see Allowing the CloudWatch agent to set log retention policy.
If you're going to run the CloudWatch agent on on-premises servers, use the following steps to create the necessary IAM user.
Warning
This scenario requires IAM users with programmatic access and long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed. Access keys can be updated if necessary. For more information, see Updating access keys in the IAM User Guide.
To create the IAM user necessary for the CloudWatch agent to run on on-premises servers
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane on the left, choose Users and then Add users.
3. Enter the user name for the new user.
4. Select Access key - Programmatic access and choose Next: Permissions.
5. Choose Attach existing policies directly.
6. In the list of policies, select the check box next to CloudWatchAgentServerPolicy. If necessary, use the search box to find the policy.
   (Optional) If the agent is going to send traces to X-Ray, you also need to give the user the AWSXRayDaemonWriteAccess policy. To do so, find that policy in the list and select the check box next to it.
7. Choose Next: Tags.
8. Optionally create tags for the new IAM user, and then choose Next: Review.
9. Confirm that the correct policy is listed, and choose Create user.
10. Next to the name of the new user, choose Show. Copy the access key and secret key to a file so that you can use them when installing the agent; the secret key is shown only once and can't be retrieved later, so protect that file like any other long-term credential. Choose Close.
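The same two procedures as an AWS CLI script, added here as an example rather than taken from the AWS documentation. It assumes AWS CLI v2 with credentials permitted to create IAM roles, users and instance profiles; the role name is the page's suggested CloudWatchAgentServerRole, while the user name cwagent-onprem and the WITH_XRAY switch are assumptions for illustration. It also carries the Parameter Store name check from the note above, and it creates the instance profile explicitly, which the console does for you silently but the CLI does not.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS page: CLI equivalent of the console steps
# for the EC2 role and the on-premises user. Assumes AWS CLI v2 is installed and
# configured with IAM administrative permissions.
set -eu

ROLE_NAME="${ROLE_NAME:-CloudWatchAgentServerRole}"   # name suggested on the page
USER_NAME="${USER_NAME:-cwagent-onprem}"              # assumed name for the on-premises user
SERVER_POLICY_ARN="arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
XRAY_POLICY_ARN="arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"

# Trust policy: only the EC2 service may assume the role. This is what the
# console's "AWS service / EC2" use case generates.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# The Amazon-managed policies only permit Parameter Store reads and writes for
# parameter names beginning with AmazonCloudWatch-. Returns 0 if a config name
# is usable with those policies, 1 otherwise.
parameter_name_ok() {
  case "$1" in
    AmazonCloudWatch-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Managed policy ARNs to attach, one per line. X-Ray is optional (WITH_XRAY=1).
managed_policies() {
  printf '%s\n' "$SERVER_POLICY_ARN"
  [ "${WITH_XRAY:-0}" = 1 ] && printf '%s\n' "$XRAY_POLICY_ARN"
  return 0
}

# EC2: create the role, attach the policies, and wrap it in an instance profile
# so it can be assigned to an instance.
create_agent_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  managed_policies | while read -r arn; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  done
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# On-premises: IAM user with a long-term access key. create-access-key prints
# the secret exactly once; capture it into the agent's credential file and
# delete the user when the server is decommissioned.
create_agent_user() {
  aws iam create-user --user-name "$USER_NAME"
  managed_policies | while read -r arn; do
    aws iam attach-user-policy --user-name "$USER_NAME" --policy-arn "$arn"
  done
  aws iam create-access-key --user-name "$USER_NAME"
}

case "${1:-}" in
  role) create_agent_role ;;
  user) create_agent_user ;;
  *)    ec2_trust_policy ;;   # dry run: just print the trust policy
esac
```

Run it as `./cwagent-iam.sh role` on an administrative workstation for the EC2 case, or `./cwagent-iam.sh user` for on-premises servers; with no argument it only prints the trust policy so you can review it first. Before storing the agent configuration in Parameter Store, `parameter_name_ok AmazonCloudWatch-linux` confirms the name will work with the managed policies.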
Allowing the CloudWatch agent to set log retention policy
You can configure the CloudWatch agent to set the retention policy for log groups that it sends log events to. If you do this, you must grant the logs:PutRetentionPolicy permission to the IAM role or user that the agent uses. The agent uses an IAM role to run on Amazon EC2 instances, and uses an IAM user for on-premises servers.
To grant the CloudWatch agent's IAM role permission to set log retention policies
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left navigation pane, choose Roles.
3. In the search box, type the beginning of the name of the CloudWatch agent's IAM role. You chose this name when you created the role. It might be named CloudWatchAgentServerRole. When you see the role, choose the name of the role.
4. In the Permissions tab, choose Add permissions, Create inline policy.
5. Choose the JSON tab and copy the following policy into the box, replacing the default JSON in the box:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "logs:PutRetentionPolicy",
         "Resource": "*"
       }
     ]
   }

6. Choose Review policy.
7. For Name, enter CloudWatchAgentPutLogsRetention or something similar, and choose Create policy.
To grant the CloudWatch agent's IAM user permission to set log retention policies
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left navigation pane, choose Users.
3. In the search box, type the beginning of the name of the CloudWatch agent's IAM user. You chose this name when you created the user. When you see the user, choose the name of the user.
4. In the Permissions tab, choose Add inline policy.
5. Choose the JSON tab and copy the following policy into the box, replacing the default JSON in the box:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "logs:PutRetentionPolicy",
         "Resource": "*"
       }
     ]
   }

6. Choose Review policy.
7. For Name, enter CloudWatchAgentPutLogsRetention or something similar, and choose Create policy.
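The inline policy above grants logs:PutRetentionPolicy on every log group in the account ("Resource": "*"). The following script, an added example rather than AWS's own, builds the same policy scoped to the log groups the agent actually writes to, and attaches it to either the EC2 role or the on-premises user with put-role-policy or put-user-policy. The policy name is the one suggested above; the region, account ID and log group names are placeholders you supply, and the function refuses to emit a wildcard when no log groups are given.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS page: logs:PutRetentionPolicy scoped to
# named log groups instead of "*", attached with the AWS CLI.
set -eu

POLICY_NAME="CloudWatchAgentPutLogsRetention"   # name suggested on the page

# Log group ARN: arn:<partition>:logs:<region>:<account>:log-group:<name>:*
# (the ":*" suffix is the form describe-log-groups returns).
log_group_arn() {
  printf 'arn:%s:logs:%s:%s:log-group:%s:*' "${PARTITION:-aws}" "$1" "$2" "$3"
}

# Emit the inline policy document.
# Usage: retention_policy REGION ACCOUNT LOG_GROUP [LOG_GROUP...]
retention_policy() {
  local region="$1" account="$2"; shift 2
  [ "$#" -gt 0 ] || { echo "retention_policy: at least one log group required" >&2; return 1; }
  local resources="" sep="" name
  for name in "$@"; do
    resources="${resources}${sep}\"$(log_group_arn "$region" "$account" "$name")\""
    sep=", "
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:PutRetentionPolicy",
      "Resource": [${resources}]
    }
  ]
}
EOF
}

# EC2: attach to the agent's role.
# Usage: grant_role_retention ROLE_NAME REGION ACCOUNT LOG_GROUP...
grant_role_retention() {
  local role="$1"; shift
  aws iam put-role-policy --role-name "$role" --policy-name "$POLICY_NAME" \
    --policy-document "$(retention_policy "$@")"
}

# On-premises: attach to the agent's user.
# Usage: grant_user_retention USER_NAME REGION ACCOUNT LOG_GROUP...
grant_user_retention() {
  local user="$1"; shift
  aws iam put-user-policy --user-name "$user" --policy-name "$POLICY_NAME" \
    --policy-document "$(retention_policy "$@")"
}

# Dry run when executed directly: print the document for two constructed
# log groups. Region and account ID are placeholders, not real values.
if [ "${1:-print}" = print ]; then
  retention_policy us-east-1 123456789012 /cwagent/syslog /cwagent/auth
fi
```

For example, `grant_role_retention CloudWatchAgentServerRole us-east-1 123456789012 /cwagent/syslog /cwagent/auth` replaces the console steps above for the role; the log group names must match the log_group_name values in the agent configuration, because the agent will fail to set retention on any group the policy doesn't list.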