- IAM Roles for the Instance to run with AmazonSSMFullAccess
- AWS Systems Manager, with the AmazonEC2RoleforSSM policy attached to your user
- Install or Update the SSM Agent
- AWS CloudWatch Agent
- Your AWS Instance must have internet access or direct access to CloudWatch so the data can be pushed to CloudWatch
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane on the left, choose Roles, Create role.
For Choose the service that will use this role, choose EC2 (Allows EC2 instances to call AWS services on your behalf). Choose Next: Permissions.
In the list of policies, select the check box next to CloudWatchAgentServerPolicy. Use the search box to find the policy, if necessary.
If you will use SSM to install or configure the CloudWatch agent, select the check box next to AmazonEC2RoleforSSM. Use the search box to find the policy, if necessary. This policy is not necessary if you will start and configure the agent only through the command line.
Choose Next: Review.
Confirm that CloudWatchAgentServerPolicy and optionally AmazonEC2RoleforSSM appear next to Policies. In Role name, type a name for the role, such as CloudWatchAgentServerRole. Optionally give it a description, and choose Create role.
The role is now created.
The following procedure creates the IAM role that can also write to Parameter Store. You need to use this role if you are going to store the agent configuration file in Parameter Store so that other servers can use it.
To create the IAM role necessary for an administrator to save an agent configuration file to Systems Manager Parameter Store
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane on the left, choose Roles, Create role.
For Choose the service that will use this role, choose EC2 (Allows EC2 instances to call AWS services on your behalf). Choose Next: Permissions.
In the list of policies, select the check box next to CloudWatchAgentAdminPolicy. Use the search box to find the policy, if necessary.
If you will use SSM to install or configure the CloudWatch agent, select the check box next to AmazonEC2RoleforSSM. Use the search box to find the policy, if necessary. This policy is not necessary if you will start and configure the agent only through the command line.
Choose Next: Review.
Confirm that CloudWatchAgentAdminPolicy and optionally AmazonEC2RoleforSSM appear next to Policies. In Role name, type a name for the role, such as CloudWatchAgentAdminRole. Optionally give it a description, and choose Create role.
The role is now created.
Installing CloudWatch Agent on your Linux Instances
- Navigate to your EC2 section
- In the navigation pane, choose Run Command.
- In the Command document list, choose AWS-ConfigureAWSPackage
- In the Targets area, choose the instance or multiple instances on which to install the CloudWatch agent. If you do not see a specific instance, it might not be configured for Run Command.
- In the Action list, choose Install.
- In the Name field, type AmazonCloudWatchAgent.
- Leave Version set to latest to install the latest version of the agent.
- Choose Run.
- Optionally, in the Targets and outputs areas, select the button next to an instance name and choose View output. Systems Manager should show that the agent was successfully installed.
- In the navigation pane, choose Run Command.
- Click Run Command once the page has loaded.
- In the Command document list, choose AmazonCloudWatch-ManageAgent
- In the Targets area, choose the instance or multiple instances on which you want to deploy the CloudWatch configuration.
- Under Action select configure
- Under Mode leave it as ec2
- Change the Optional Configuration Source to ssm
- Under Optional Configuration Location, enter the exact name of the parameter you created in the Parameter Store (previous section). In this example, the parameter is called CloudWatchLinux.
- Optional Restart should be set to Yes (This will restart the CloudWatch agent, not the instance)
- Now click on Run
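
The two Run Command procedures above (install with AWS-ConfigureAWSPackage, then configure with AmazonCloudWatch-ManageAgent) can also be driven from the AWS CLI. The script below is an added example, not part of the original page. It assumes AWS CLI v2 and credentials allowed to call ssm:SendCommand and ssm:GetCommandInvocation; the function names are hypothetical. It validates the instance ID and the Parameter Store name before they are placed into the command parameters.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes AWS CLI v2 and
# credentials permitted to call ssm:SendCommand and ssm:GetCommandInvocation.

# Parameters for AWS-ConfigureAWSPackage: Action=Install, Name, Version=latest.
install_params() {
    printf '%s' '{"action":["Install"],"name":["AmazonCloudWatchAgent"],"version":["latest"]}'
}

# Parameters for AmazonCloudWatch-ManageAgent. $1 = Parameter Store name.
configure_params() {
    # Allow only the characters SSM accepts in parameter names, so the value
    # cannot close the JSON string and inject extra document parameters.
    case "$1" in
        ''|*[!A-Za-z0-9_./-]*) echo "invalid parameter name" >&2; return 1 ;;
    esac
    printf '{"action":["configure"],"mode":["ec2"],"optionalConfigurationSource":["ssm"],"optionalConfigurationLocation":["%s"],"optionalRestart":["yes"]}' "$1"
}

# Accept only IDs of the form i-<hex>.
valid_instance_id() {
    case "$1" in
        i-|i-*[!0-9a-f]*) return 1 ;;
        i-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one document on one instance and print its final status.
# $1 = document name, $2 = instance ID, $3 = JSON parameters.
run_document() {
    valid_instance_id "$2" || { echo "invalid instance ID" >&2; return 1; }
    cmd_id=$(aws ssm send-command --document-name "$1" --instance-ids "$2" \
        --parameters "$3" --query 'Command.CommandId' --output text) || return 1
    # The waiter returns non-zero if the command fails or times out.
    aws ssm wait command-executed --command-id "$cmd_id" --instance-id "$2"
    rc=$?
    aws ssm get-command-invocation --command-id "$cmd_id" --instance-id "$2" \
        --query 'Status' --output text
    return "$rc"
}

# Install the agent, then apply the configuration stored in Parameter Store.
# Usage: deploy_agent <instance-id> <parameter-name>
deploy_agent() {
    cfg=$(configure_params "$2") || return 1
    run_document AWS-ConfigureAWSPackage "$1" "$(install_params)" &&
        run_document AmazonCloudWatch-ManageAgent "$1" "$cfg"
}
```

For the parameter used on this page, the call would be `deploy_agent <instance-id> CloudWatchLinux`.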