1
votes

Is it currently possible to set up a whole CloudWatch stack, including the CloudWatch agent, via CloudFormation? I can't find proper documentation and am asking myself if it's even possible.

2
What exactly do you want to do? You can create Alarms and assign them with CloudFormation: docs.aws.amazon.com/awscloudtrail/latest/userguide/… – ghovat
Actually I need the CloudWatch agent to generate logfiles. The agent I can already install, but I have problems creating policies for the CloudWatch service and attaching them to roles and the EC2 instances. – RedXIII

2 Answers

2
votes

Yes, these types are available in CloudFormation:

  • AWS::CloudWatch::Alarm
  • AWS::CloudWatch::Dashboard

Additionally, detailed monitoring can be set in other resource types (for example AWS::EC2::Instance).

Installing the CloudWatch Logs agent would be done by configuring it in the AMI or installing it as an action in the user data script.

0
votes

The following CloudFormation Resource creates a policy that will allow instances with this policy attached to their role to ship logs to CloudWatch:

    "CloudWatchLogsPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:CreateLogGroup",
                            "logs:CreateLogStream",
                            "logs:PutLogEvents",
                            "logs:DescribeLogStreams"
                        ],
                        "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:my-log-group:*"
                    }
                ]
            },
            "PolicyName": "CWLogPolicy",
            "Roles": [{ "Ref": "IAMRole" }]
        },
        "DependsOn": ["IAMRole"]
    }

You will need to update the Resource ARN to match your region, account id and log group name. The "Roles" and "DependsOn" assume there is an IAM role declared called "IAMRole" in the current stack.

When attaching a Role you have to use an AWS::IAM::InstanceProfile to create the link between the AWS::IAM::Role and the instance (or Auto Scaling group in my case).
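Putting the two answers together, here is a complete template as an added example (not code from either answer or from AWS): it wires the AWS::IAM::Role, the scoped AWS::IAM::Policy, the AWS::IAM::InstanceProfile and an AWS::EC2::Instance whose user data installs and starts the unified CloudWatch agent, and it adds the AWS::CloudWatch::Alarm type from the first answer to catch the agent going silent. Assumptions: an Amazon Linux 2 AMI resolved through the public SSM parameter (its yum repository carries the amazon-cloudwatch-agent package), the log group name /example/ec2/secure, the file /var/log/secure as the shipped log, and the logical IDs used below. The log group ARN is built from pseudo-parameters, so nothing needs to be edited per region or account, and the policy grants access to that one log group only rather than to `arn:aws:logs:*:*:*`.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: role, scoped log policy, instance profile, agent bootstrap and a silence alarm (assumed names throughout)",
  "Parameters": {
    "ImageId": {
      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
      "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
      "Description": "Assumption: Amazon Linux 2, whose yum repo provides amazon-cloudwatch-agent"
    }
  },
  "Resources": {
    "AppLogGroup": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": { "LogGroupName": "/example/ec2/secure", "RetentionInDays": 90 }
    },
    "IAMRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }
          ]
        }
      }
    },
    "CloudWatchLogsPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CWLogPolicy",
        "Roles": [ { "Ref": "IAMRole" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ],
              "Resource": { "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${AppLogGroup}:*" }
            }
          ]
        }
      }
    },
    "InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [ { "Ref": "IAMRole" } ] }
    },
    "LogShipper": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "ImageId" },
        "InstanceType": "t3.micro",
        "IamInstanceProfile": { "Ref": "InstanceProfile" },
        "Monitoring": true,
        "UserData": { "Fn::Base64": { "Fn::Join": [ "\n", [
          "#!/bin/bash -xe",
          "yum install -y amazon-cloudwatch-agent",
          "cat > /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json <<'EOF'",
          { "Fn::Sub": "{\"logs\":{\"logs_collected\":{\"files\":{\"collect_list\":[{\"file_path\":\"/var/log/secure\",\"log_group_name\":\"${AppLogGroup}\",\"log_stream_name\":\"{instance_id}\"}]}}}}" },
          "EOF",
          "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json",
          ""
        ] ] } }
      }
    },
    "LogSilenceAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
        "AlarmDescription": "No log events reached the group for 15 minutes: agent stopped, misconfigured or tampered with",
        "Namespace": "AWS/Logs",
        "MetricName": "IncomingLogEvents",
        "Dimensions": [ { "Name": "LogGroupName", "Value": { "Ref": "AppLogGroup" } } ],
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 3,
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching"
      }
    }
  }
}
```

Two points a reviewer would check on a template like this. First, the policy is attached to the role, the role to the instance profile, and only the instance profile name (`Ref` of AWS::IAM::InstanceProfile) is set on the instance; putting the role name in `IamInstanceProfile` directly fails at stack creation. Second, because the log group is created by the template and the policy is scoped to its ARN, the instance cannot write anywhere else even if the agent configuration on the box is changed; the alarm with `TreatMissingData: breaching` then turns a silenced or disabled agent into a visible signal instead of a quiet gap in the audit trail.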