Supported data sources for CloudWatch

CloudWatch collects and processes telemetry data from a wide range of sources to provide unified observability and security insights. Data sources fall into four categories: AWS native services, third-party platforms, custom sources, and CloudWatch Metrics (OTel).

You can automate the enablement of AWS data sources using telemetry configuration. For more information, see Telemetry discovery and enablement.

AWS service data sources

CloudWatch provides native integration with 90+ AWS services for automatic data collection. When an AWS service source is selected, CloudWatch pipelines intercepts logs ingested into CloudWatch Logs for processing. To get started, enable logging for the supported AWS services using the service's console, then select the data source and data type in the CloudWatch pipelines creation wizard.

The following table highlights key AWS service data sources. For the complete list of 90+ supported services, see Supported AWS services for data sources.

Key AWS service data sources
AWS service | Data type | Description
Amazon VPC | Flow Logs | Network traffic metadata for Amazon VPCs, subnets, and network interfaces
Amazon EKS | Control Plane Logs | Kubernetes API server, audit, authenticator, controller manager, and scheduler logs
AWS WAF | Web ACL Logs | Web request inspection logs including rule match details and actions taken
Amazon Route 53 | Resolver Query Logs | DNS query logs for Amazon VPC resources routed through Route 53 Resolver
CloudTrail | Management and Data Events | API activity and resource-level operations across AWS services
Amazon EC2 | Detailed Metrics | Instance-level performance metrics at 1-minute granularity
AWS Security Hub CSPM | Findings | Cloud security posture management findings from AWS and third-party providers
Amazon Bedrock AgentCore | Runtime, Browser, CodeInterpreter, Gateway, Memory | Agent runtime execution, browser interaction, code execution, gateway, and memory operation logs
Amazon CloudFront | Distribution Logs | CDN access logs for content delivery distributions
Network Load Balancer | Access Logs | Network Load Balancer connection and TLS negotiation logs
Amazon RDS | Aurora MySQL and Aurora PostgreSQL Logs | Audit, error, general, slow query, IAM DB authentication error, proxy, and enhanced monitoring logs

For more information about CloudWatch Logs data sources, see Data source discovery and management.

Third-party data sources

CloudWatch extends monitoring capabilities beyond AWS with direct integrations for 34 third-party security, identity, and endpoint platforms. These integrations consolidate security events, audit logs, and telemetry data from external sources into CloudWatch Logs for unified analysis.

The following table lists the supported direct third-party integrations:

Direct third-party integrations
Source | Integration pattern | Category
Akamai DataStream 2 | S3 Delivery | CDN and edge security
Check Point NGFW | S3 Delivery | Network security
Cisco Duo | API | Identity and access management
Cisco Meraki | API | Network security
Cisco Umbrella | S3 Delivery | DNS and network security
CrowdStrike Falcon | S3 Delivery | Endpoint security
Drupal Core | API | Content management
Entrust IDaaS | API | Identity and access management
F5 BIG-IP | S3 Delivery | Network security
GitHub | API | Source code and audit logs
GitLab | API | DevSecOps and source code
HashiCorp Vault | S3 Delivery | Secrets management
Jamf Protect | S3 Delivery | Endpoint security
Microsoft Entra ID | API | Identity and access management
Microsoft Office 365 | API | Productivity and audit logs
Microsoft Windows Event Logs | API | Operating system events
Netskope | API | Network security and CASB
Okta Auth0 | API | Identity and access management
Okta SSO | API | Identity and access management
OneLogin Identity | API | Identity and access management
Palo Alto Networks NGFW | API | Network security
Palo Alto Prisma Cloud | API | Cloud security
PingIdentity PingAccess | S3 Delivery | Access management
PingIdentity PingFederate | S3 Delivery | Identity federation
PingIdentity PingOne | API | Identity and access management
Proofpoint TAP | API | Email security
Slack Audit Log | API | Collaboration and audit logs
SentinelOne | S3 Delivery | Endpoint security
ServiceNow CMDB | API | IT service management
Tanium Endpoint Management | S3 Delivery | Endpoint security and management
Tenable Vulnerability Management | API | Vulnerability management
Wiz CNAPP | API | Cloud security
Zeek | S3 Delivery | Network security monitoring
Zscaler ZIA/ZPA | S3 Delivery | Network security

For detailed setup procedures, prerequisites, and configuration steps for each integration, see Third-party data sources integration.

Additional third-party sources through Security Hub CSPM

Beyond the 34 direct integrations, 49+ additional third-party sources are available through AWS Security Hub CSPM integration. Security Hub CSPM partner providers that send findings to Security Hub are automatically available as data sources. For the full list of supported partners, see the Security Hub CSPM partner providers documentation.

Additional third-party sources through Security Hub

AWS Security Hub (distinct from Security Hub CSPM) provides its own set of third-party integrations. Integrations that send findings to Security Hub are automatically available as data sources. For the full list of supported integrations, see the Security Hub third-party integrations documentation.

Custom data sources

For logs that are not covered by AWS service or third-party integrations, CloudWatch pipelines can process custom logs stored in CloudWatch Logs or Amazon S3 buckets. Custom sources accommodate unique organizational requirements:

  • Application-specific logs – Custom application telemetry from Amazon EC2 instances with specialized logging formats

  • File-based ingestion – Amazon S3-based log files from legacy systems or batch processing workflows

  • Serverless integration – Lambda function logs and custom serverless application telemetry

For more details, see Custom log data from CloudWatch Logs or an Amazon S3 bucket.

CloudWatch Metrics (OTel) source

The CloudWatch Metrics (OTel) source processes OpenTelemetry (OTel) metrics on the OTLP ingestion path based on selection criteria. This source enables you to transform metrics data through CloudWatch pipelines before the metrics are persisted in CloudWatch Metrics.

The following metric types are supported:

  • Custom OTel metrics – Metrics that your applications emit through OpenTelemetry instrumentation and send to the OTLP endpoint

  • AWS vended OTel metrics – Metrics that AWS services emit via OTLP

Note

The CloudWatch Metrics (OTel) source only supports metrics ingested through the OTLP endpoint. Metrics sent through other ingestion paths, such as the PutMetricData API, are not processed by this source.

You define which metrics to process by configuring metrics pipeline selection criteria. Selection criteria let you target specific metrics based on OTel attributes such as resource attributes, metric name, and datapoint attributes. For more information, see CloudWatch Metrics (OTel).

For information about sending OTel metrics to CloudWatch, see Using OpenTelemetry with CloudWatch.