# CloudWatch

> Connect Amazon CloudWatch to give ewake access to your AWS logs and metrics via a secure cross-account IAM role.

<Info>
  **What you'll get:** ewake can query your CloudWatch logs and metrics to investigate AWS workload issues, correlating log events with alerts and deployments without requiring you to switch between dashboards.
</Info>

***

## Prerequisites

* An AWS account with CloudWatch logs
* IAM permissions to create roles and policies
* Access to your ewake dashboard to retrieve your External ID

***

## Configuration

The CloudWatch integration uses **cross-account IAM role assumption** with an External ID. This is the standard AWS security pattern for granting a third party read access to your account without sharing credentials.

<Steps>
  <Step title="Generate your External ID">
    Before creating the IAM role, generate a unique External ID; you will need it in the next step.

    Use any of these methods:

    * Online UUID generator: [uuidgenerator.net](https://www.uuidgenerator.net/)
    * macOS / Linux: `uuidgen`
    * PowerShell: `[guid]::NewGuid()`

    <Note>
      Keep this External ID secret and store it securely. It acts as a shared secret between you and ewake, preventing the "confused deputy" security issue.
    </Note>
  </Step>

  <Step title="Create an IAM role in AWS">
    In the [AWS IAM Console](https://console.aws.amazon.com/iam/), go to **Roles** → **Create role** → select **Custom trust policy**.

    Paste the following trust policy, replacing `YOUR-UNIQUE-EXTERNAL-ID` with the ID generated in Step 1:

    ```json theme={null}
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::058264427976:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "YOUR-UNIQUE-EXTERNAL-ID"
            }
          }
        }
      ]
    }
    ```
  </Step>

  <Step title="Name the role">
    The role name **must** be `ewake-CloudWatch` or start with `ewake-CloudWatch` (e.g. `ewake-CloudWatch-Production`).

    <Warning>
      Ewake will not be able to access the role if the name does not match this pattern.
    </Warning>
  </Step>

  <Step title="Attach a permissions policy">
    Choose one of the following options:

    **Option A: AWS managed policy (recommended)**

    Attach the AWS managed policy: `CloudWatchLogsReadOnlyAccess`

    **Option B: Custom policy (least privilege)**

    Create a custom policy with minimal permissions:

    ```json theme={null}
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:GetLogEvents",
            "logs:FilterLogEvents"
          ],
          "Resource": "*"
        }
      ]
    }
    ```
  </Step>

  <Step title="Copy the Role ARN">
    Review the configuration and click **Create role**.

    On the role summary page, copy the **Role ARN**; it follows this format:

    ```
    arn:aws:iam::123456789012:role/ewake-CloudWatch
    ```
  </Step>

  <Step title="Connect in ewake">
    In your ewake dashboard, go to **Integrations** → **CloudWatch** → click **Configure**.

    <img src="https://mintcdn.com/ewakeai/M1QmRrA-jDM2VkcE/images/integrations/observability/cloudwatch/connect-modal.png?fit=max&auto=format&n=M1QmRrA-jDM2VkcE&q=85&s=fab9e2d1f086a3d8548b9efbfb1b921c" alt="Connect to CloudWatch modal in ewake" style={{ maxHeight: "320px", objectFit: "cover", objectPosition: "top", borderRadius: "8px" }} width="940" height="346" data-path="images/integrations/observability/cloudwatch/connect-modal.png" />

    | Field            | Value                                             |
    | ---------------- | ------------------------------------------------- |
    | **IAM Role ARN** | The ARN copied in Step 5                          |
    | **External ID**  | The ID generated in Step 1                        |
    | **AWS Region**   | The region where your CloudWatch logs are located |

    Click **Test Configuration** to verify the setup, then click **Save**.

    <Check>
      CloudWatch is connected. Ewake can now query your AWS logs and metrics.
    </Check>
  </Step>
</Steps>
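
As an added check before pasting the documents into the IAM console (example code written for this page, not part of ewake's documentation or tooling), the following Python lints a trust policy and a permissions policy against the requirements above: the ewake principal, a replaced `sts:ExternalId` condition, only the four read-only log actions from Option B, and the `ewake-CloudWatch` role-name prefix. `SAMPLE_TRUST` is a constructed copy of the trust policy from Step 2 with the placeholder deliberately left in.

```python
EWAKE_PRINCIPAL = "arn:aws:iam::058264427976:root"   # principal from the trust policy above
PLACEHOLDER_ID = "YOUR-UNIQUE-EXTERNAL-ID"             # must be replaced by your own ID
ALLOWED_ACTIONS = {                                    # Option B least-privilege actions
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
    "logs:GetLogEvents", "logs:FilterLogEvents",
}
ROLE_PREFIX = "ewake-CloudWatch"

# Constructed sample: the page's trust policy with the placeholder not yet replaced.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EWAKE_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER_ID}},
    }],
}

def _as_list(value):
    """IAM lets Statement, Action and Principal.AWS be a scalar or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_trust_policy(doc):
    """Return problems with the trust policy; an empty list means it matches the page."""
    problems = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal  # "*" is a string
        problems += [f"unexpected principal {p!r}" for p in _as_list(aws) if p != EWAKE_PRINCIPAL]
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("missing sts:ExternalId condition (confused deputy)")
        elif ext_id == PLACEHOLDER_ID:
            problems.append("External ID placeholder was not replaced")
    return problems

def check_permissions_policy(doc):
    """Return every allowed action beyond the four read-only CloudWatch Logs actions."""
    return [f"{a!r} exceeds read-only log access"
            for stmt in _as_list(doc.get("Statement")) if stmt.get("Effect") == "Allow"
            for a in _as_list(stmt.get("Action")) if a not in ALLOWED_ACTIONS]

def check_role_name(name):
    """The role must be named ewake-CloudWatch or start with that prefix."""
    return name.startswith(ROLE_PREFIX)
```

Run the checks on the JSON you are about to paste (for example `check_trust_policy(json.load(open("trust.json")))`); any non-empty list names what to fix before you click **Create role**.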

If you hit an issue, contact [support@ewake.ai](/support) with your AWS Account ID, Role ARN, and the exact error message.
