Monitoring your container instances - Amazon Elastic Container Service

Monitoring your container instances

You can configure your container instances to send log information to CloudWatch Logs. This allows you to view different logs from your container instances in one convenient location. This topic helps you get started using CloudWatch Logs on your container instances that were launched with the Amazon ECS-optimized Amazon Linux AMI.

For information about sending container logs from your tasks to CloudWatch Logs, see Using the awslogs log driver. For more information about CloudWatch Logs, see Monitoring Log Files in the Amazon CloudWatch User Guide.

CloudWatch Logs IAM Policy

Before your container instances can send log data to CloudWatch Logs, you must create an IAM policy to allow your container instances to use the CloudWatch Logs APIs, and then you must attach that policy to ecsInstanceRole.

To create the ECS-CloudWatchLogs IAM policy
  1. Open the IAM console at

  2. In the navigation pane, choose Policies.

  3. Choose Create policy, JSON.

  4. Enter the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }

  5. Choose Review policy.

  6. On the Review policy page, enter ECS-CloudWatchLogs for the Name and choose Create policy.

To attach the ECS-CloudWatchLogs policy to ecsInstanceRole
  1. Open the IAM console at

  2. In the navigation pane, choose Roles.

  3. Choose ecsInstanceRole. If the role does not exist, follow the procedures in Amazon ECS container instance IAM role to create the role.

  4. In the navigation pane, choose Policies.

  5. Choose ECS-CloudWatchLogs.

  6. Choose Policy actions, Attach.

  7. To narrow the available policies to attach, for Filter, type ecsInstance.

  8. Select the ecsInstance role and choose Attach policy.

Installing and configuring the CloudWatch agent

After you have added the ECS-CloudWatchLogs policy to your ecsInstanceRole, you can install the CloudWatch agent on your container instances.

For more information, see Download and configure the CloudWatch agent using the command line in the Amazon CloudWatch User Guide.

Viewing CloudWatch Logs

After you have given your container instance role the proper permissions to send logs to CloudWatch Logs, and you have configured and started the agent, your container instance should be sending its log data to CloudWatch Logs. For information about how to view the logs, see View log data sent to CloudWatch Logs in the Amazon CloudWatch Logs User Guide.


New instance launches may take a few minutes to send data to CloudWatch Logs.