What you’ll get: ewake can query your CloudWatch logs and metrics to investigate AWS workload issues, correlating log events with alerts and deployments without requiring you to switch between dashboards.

Prerequisites

  • An AWS account with CloudWatch logs
  • IAM permissions to create roles and policies
  • Access to your ewake dashboard to retrieve your External ID

Configuration

The CloudWatch integration uses cross-account IAM role assumption with an External ID. This is the standard AWS security pattern for granting a third party read access to your account without sharing credentials.

Step 1: Generate your External ID

Before creating the IAM role, generate a unique External ID; you’ll need it in the next step. Use any of these methods:
  • Online UUID generator: uuidgenerator.net
  • macOS / Linux: uuidgen
  • PowerShell: [guid]::NewGuid()
Keep this External ID secret and store it securely. It acts as a shared secret between you and ewake, preventing the “confused deputy” security issue.

Step 2: Create an IAM role in AWS

In the AWS IAM Console, go to Roles → Create role → select Custom trust policy. Paste the following trust policy, replacing YOUR-UNIQUE-EXTERNAL-ID with the ID generated in Step 1:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::058264427976:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR-UNIQUE-EXTERNAL-ID"
        }
      }
    }
  ]
}

Step 3: Name the role

The role name must be ewake-CloudWatch or start with ewake-CloudWatch (e.g. ewake-CloudWatch-Production).
Ewake will not be able to access the role if the name does not match this pattern.

Step 4: Attach a permissions policy

Choose one of the following options:

Option A, AWS Managed Policy (recommended)

Attach the AWS managed policy: CloudWatchLogsReadOnlyAccess

Option B, Custom policy (least privilege)

Create a custom policy with minimal permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Step 5: Copy the Role ARN

Review the configuration and click Create role. On the role summary page, copy the Role ARN. It follows this format:
arn:aws:iam::123456789012:role/ewake-CloudWatch

Step 6: Connect in ewake

In your ewake dashboard, go to Integrations → CloudWatch → click Configure.

Field          Value
IAM Role ARN   The ARN copied in Step 5
External ID    The ID generated in Step 1
AWS Region     The region where your CloudWatch logs are located

Click Test Configuration to verify the setup, then click Save.
CloudWatch is connected. Ewake can now query your AWS logs and metrics.
If you hit an issue, contact support@ewake.ai with your AWS Account ID, Role ARN, and the exact error message.
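
A local check of the Step 2 trust policy and the Step 3 role name, useful before clicking Test Configuration. This is an added example, not code from ewake or AWS: it flags a missing or unedited External ID condition, a principal other than the ewake account, and a role name outside the required prefix. The function names and the sample UUID are this example's own.

```python
import json

# Values taken from this page; the function and constant names are this example's own.
EWAKE_PRINCIPAL = "arn:aws:iam::058264427976:root"
PLACEHOLDER = "YOUR-UNIQUE-EXTERNAL-ID"
ROLE_PREFIX = "ewake-CloudWatch"

def _as_list(value):
    # IAM lets Statement, Action and condition values be a single item or a list.
    return value if isinstance(value, list) else [value]

def audit_role(role_name, trust_policy_json):
    """Return findings for a role; an empty list means it matches this page."""
    findings = []
    if not role_name.startswith(ROLE_PREFIX):
        findings.append("role name does not start with " + ROLE_PREFIX)
    statements = _as_list(json.loads(trust_policy_json).get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if _as_list(aws) != [EWAKE_PRINCIPAL]:
            findings.append("principal is not exactly the ewake account")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no StringEquals sts:ExternalId condition")
        elif PLACEHOLDER in _as_list(ext):
            findings.append("External ID placeholder was not replaced")
    return findings

def make_policy(principal, condition):
    # Builds constructed sample documents in the shape of the Step 2 policy.
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

# Constructed samples: the UUID below is made up for this example.
GOOD = make_policy(EWAKE_PRINCIPAL, {"StringEquals": {"sts:ExternalId": "3f1c9a52-7b64-4e0d-9c1e-2a6d8b5f4e10"}})
NO_EXTERNAL_ID = make_policy(EWAKE_PRINCIPAL, None)
UNEDITED = make_policy(EWAKE_PRINCIPAL, {"StringEquals": {"sts:ExternalId": PLACEHOLDER}})

if __name__ == "__main__":
    for name, doc in [("ewake-CloudWatch-Production", GOOD), ("ewake-CloudWatch", NO_EXTERNAL_ID), ("cw-reader", UNEDITED)]:
        print(name, audit_role(name, doc) or "OK")
```

A trust policy without the sts:ExternalId condition lets any caller in the trusted account assume the role, which is the confused deputy case the External ID exists to prevent.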