CloudWatch Logs IAM Policy Installing and configuring the CloudWatch agent Viewing CloudWatch Logs

Monitoring your container instances

You can configure your container instances to send log information to CloudWatch Logs. This allows you to view different logs from your container instances in one convenient location. This topic helps you get started using CloudWatch Logs on your container instances that were launched with the Amazon ECS-optimized Amazon Linux AMI.

For information about sending container logs from your tasks to CloudWatch Logs, see Using the awslogs log driver. For more information about CloudWatch Logs, see Monitoring Log Files in the Amazon CloudWatch User Guide.

Topics

CloudWatch Logs IAM Policy
Installing and configuring the CloudWatch agent
Viewing CloudWatch Logs

CloudWatch Logs IAM Policy

Before your container instances can send log data to CloudWatch Logs, you must create an IAM policy to allow your container instances to use the CloudWatch Logs APIs, and then you must attach that policy to ecsInstanceRole.

To create the `ECS-CloudWatchLogs` IAM policy

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Policies.
Choose Create policy, JSON.

Enter the following policy:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Choose Review policy.
On the Review policy page, enter ECS-CloudWatchLogs for the Name and choose Create policy.

To attach the `ECS-CloudWatchLogs` policy to `ecsInstanceRole`

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Roles.
Choose ecsInstanceRole. If the role does not exist, follow the procedures in Amazon ECS container instance IAM role to create the role.
In the navigation pane, choose Policies.
Choose ECS-CloudWatchLogs.
Choose Policy actions, Attach.
To narrow the available policies to attach, for Filter, type ecsInstance.
Select the ecsInstance role and choose Attach policy.

Installing and configuring the CloudWatch agent

After you have added the ECS-CloudWatchLogs policy to your ecsInstanceRole, you can install the CloudWatch agent on your container instances.

For more information, see Download and configure the CloudWatch agent using the command line in the Amazon CloudWatch User Guide.

Viewing CloudWatch Logs

After you have given your container instance role the proper permissions to send logs to CloudWatch Logs, and you have configured and started the agent, your container instance should be sending its log data to CloudWatch Logs. For information about how to view the logs, see View log data sent to CloudWatch Logs in the Amazon CloudWatch Logs User Guide.

Note

New instance launches may take a few minutes to send data to CloudWatch Logs.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Updating the AWS Systems Manager Agent and Amazon ECS container agent

Container instance draining