
Configure CloudWatch metrics

When you configure CloudWatch metrics, you can configure automatically or manually in the AWS Management Console. With automatic configuration, you can use either CloudFormation or Terraform. Choose the one that fits your setup. Both options automate the process and let you keep track of the resources created.

The connection and configuration process for CloudFormation and Terraform includes these major processes:

  • Connecting to your AWS account
  • Configuring the connection between Grafana Cloud and your AWS account
  • Choosing the service to monitor and configuring its settings
  1. Navigate to your Grafana Cloud portal.
  2. In your Grafana Cloud stack, expand Infrastructure in the main menu.
  3. Click AWS, then click Add your AWS services.
  1. At the Configuration page, find and click the CloudWatch metrics tile.

  2. At the CloudWatch metrics page, click Add new scrape job. The Create new scrape job configuration page appears.

  3. Perform subsequent steps to configure:

Configure automatically with CloudFormation

Complete the following process to configure with CloudFormation.

Create a new AWS role

Create an AWS role so that Grafana can then assume a role that has access only to your CloudWatch data, with no need to share access and secret keys.

  1. At the Create new scrape job configuration page, select Automatically to create a new role in the AWS IAM console.
  2. Click Use CloudFormation.
  3. Click Launch stack.
  4. Follow the steps to create the IAM role in AWS CloudFormation.
  5. Return to the CloudWatch metrics Create new scrape job page.

Connect to AWS account

  1. At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
    Give your scrape job a unique name that contains only alphanumeric characters, dashes, and underscores.
  2. In the ARN box, paste the ARN you copied from the AWS IAM role you created.
  3. From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
  4. Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.

    Note

    Including tags increases the total number of active series, which can impact your Grafana Cloud costs.
  5. Click Configure AWS Account to ensure the connection is working.

Choose services

  1. Choose the services you want to scrape. You can search in the search box or browse in the list of services.
  2. Optionally, enter a custom namespace in the Namespace name box and click Add.

Configure service settings

For each service and namespace you have chosen to scrape, select which metrics you want to collect. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics.

  1. Click Edit Metrics next to the service or namespace to open the edit view.
  2. Select or deselect metrics.
  3. For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric.
  4. Select the scrape interval.
  5. Optionally, you can add a tag that exists on the AWS resource for this metric by entering the exact tag name in the AWS tag format.
  6. For a custom namespace, click Edit Metrics, and add metrics and statistics.
  7. After editing the service or namespace, click Save service settings.
  8. Click Create scrape job to begin collecting metrics.

Explore your AWS service data

  1. Click Install dashboards and alerts to install prebuilt dashboards and alerts.
  2. Click View dashboards to explore out-of-the-box dashboards.

Configure automatically with Terraform

Complete the following process to configure with Terraform.

Before you begin

Click Details in the Prometheus card of the Grafana Cloud Portal to find:

  • The username / instance ID for your Grafana Cloud Prometheus
  • The Terraform snippet you need to provision the IAM role

Input variables

The input variables for the IAM role are:

  • external_id: The username / instance ID for your Grafana Cloud Prometheus. AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.
  • iam_role_name: A customizable name of the IAM role used by Grafana for the CloudWatch integration. The default value is GrafanaCloudWatchIntegration.

Output variable

The output variable is role_arn, which is the IAM role ARN you need to use when you create the scrape job.

Create a new AWS role

Create an AWS role so that Grafana can then assume a role that has access only to your CloudWatch data, with no need to share access and secret keys.

  1. At the Create new scrape job configuration page, select Automatically to create a new role in the AWS IAM console.

  2. Click Use Terraform.

  3. Configure the AWS CLI.

  4. Copy this snippet into your Terraform file.

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 3.0"
        }
      }
    }
    locals {
      grafana_account_id = "008923505280"
    }
    variable "external_id" {
      type        = string
      description = "This is your Grafana Cloud identifier and is used for security purposes."
      validation {
        condition     = length(var.external_id) > 0
        error_message = "ExternalID is required."
      }
    }
    variable "iam_role_name" {
      type        = string
      default     = "GrafanaLabsCloudWatchIntegration"
      description = "Customize the name of the IAM role used by Grafana for the CloudWatch integration."
    }
    data "aws_iam_policy_document" "trust_grafana" {
      statement {
        effect = "Allow"
        principals {
          type        = "AWS"
          identifiers = ["arn:aws:iam::${local.grafana_account_id}:root"]
        }
        actions = ["sts:AssumeRole"]
        condition {
          test     = "StringEquals"
          variable = "sts:ExternalId"
          values   = [var.external_id]
        }
      }
    }
    resource "aws_iam_role" "grafana_labs_cloudwatch_integration" {
      name        = var.iam_role_name
      description = "Role used by Grafana CloudWatch integration."
      # Allow Grafana Labs' AWS account to assume this role.
      assume_role_policy = data.aws_iam_policy_document.trust_grafana.json
    
      # This policy allows the role to discover metrics via tags and export them.
      inline_policy {
        name = var.iam_role_name
        policy = jsonencode({
          Version = "2012-10-17"
          Statement = [
            {
              Effect = "Allow"
              Action = [
                "tag:GetResources",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "apigateway:GET",
                "aps:ListWorkspaces",
                "autoscaling:DescribeAutoScalingGroups",
                "dms:DescribeReplicationInstances",
                "dms:DescribeReplicationTasks",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeSpotFleetRequests",
                "shield:ListProtections",
                "storagegateway:ListGateways",
                "storagegateway:ListTagsForResource"
              ]
              Resource = "*"
            }
          ]
        })
      }
    }
    output "role_arn" {
      value       = aws_iam_role.grafana_labs_cloudwatch_integration.arn
      description = "The ARN for the role created, copy this into Grafana Cloud installation."
    }
  5. Run the terraform apply command, and either set variables directly in the CLI or create a tfvars file, as follows:

    • To set the variables directly in the CLI, use the following example:

      terraform apply \
        -var="external_id=<your external ID>" \
        -var="iam_role_name=GrafanaCloudWatchIntegration"

    • To create a tfvars file (.tfvars), add the following text:

      external_id   = "<your external ID>"
      iam_role_name = "GrafanaCloudWatchIntegration"

      Run the following command:

      terraform apply -var-file="<your-tfvars-file>.tfvars"
  6. After the terraform apply command finishes creating the IAM role, it outputs your role_arn. For example:

    role_arn = "arn:aws:iam::<yourAWSAccountID>:role/<iam_role_name>"
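
The trust policy in the snippet above limits sts:AssumeRole to the Grafana AWS account and requires a matching sts:ExternalId. The following added example (not part of the Grafana documentation) checks a role's trust policy document for both properties; the function name, the sample documents and the external ID 1234567 are constructed for illustration.

```python
import json

GRAFANA_ACCOUNT_ID = "008923505280"  # local.grafana_account_id in the snippet above

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_external_id, account_id=GRAFANA_ACCOUNT_ID):
    """Return findings for a role trust policy; an empty list means it matches
    the shape of data.aws_iam_policy_document.trust_grafana."""
    findings = []
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # "*" trusts every AWS account
            findings.append(f"statement {n}: wildcard principal")
            principal = {}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS" or value not in trusted:
                    findings.append(f"statement {n}: unexpected principal {kind}={value}")
        # IAM condition keys are case-insensitive, so compare them lowercased.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        external_ids = _as_list(equals.get("sts:externalid", []))
        if not external_ids:
            findings.append(f"statement {n}: no StringEquals condition on sts:ExternalId")
        elif external_ids != [expected_external_id]:
            findings.append(f"statement {n}: sts:ExternalId is not the expected value")
    return findings

# Constructed sample documents; "1234567" stands in for your external ID.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::008923505280:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "1234567"}}}]}""")
NO_EXTERNAL_ID = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::008923505280:root"}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID)):
        print(name, audit_trust_policy(doc, "1234567") or "ok")
```

To check a deployed role, pass in the document returned by `aws iam get-role --role-name <iam_role_name> --query Role.AssumeRolePolicyDocument`.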

Connect to AWS account

  1. At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
    Give your scrape job a unique name, containing only alphanumeric characters, dashes, and underscores.
  2. In the ARN box, paste the role_arn Terraform output.
  3. From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
  4. Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.

    Note

    Including tags increases the total number of active series, which can impact your Grafana Cloud costs.
  5. Click Configure AWS Account to ensure the connection is working.

Choose services

  1. Choose the services you want to scrape. You can search in the search box or browse in the list of services.
  2. Optionally, enter a custom namespace in the Namespace name box and click Add.

Configure service settings

For each service and namespace you have chosen to scrape, select which metrics you want to collect. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics.

  1. Click Edit Metrics next to the service or namespace to open the edit view.
  2. Select or deselect metrics.
  3. For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric.
  4. Select the scrape interval.
  5. Optionally, add a tag to the service by entering the exact tag in the AWS tag format.
  6. For a custom namespace, click Edit Metrics, and add metrics and statistics.
  7. After editing the service or namespace, click Save service settings.
  8. Click Create scrape job to begin collecting metrics.

Explore your AWS service data

  1. Click Install dashboards and alerts to install prebuilt dashboards and alerts.
  2. Click View dashboards to explore out-of-the-box dashboards.

Configure manually in the AWS Management Console

Creating the role in the AWS IAM console requires many more steps. It is recommended that you use CloudFormation or Terraform instead.

Before you begin

Make sure you have:

  • Username / Instance ID for your Grafana Cloud Prometheus. You can find this by clicking on Details in the Prometheus card of the Grafana Cloud Portal.
  • External ID: AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.

Create a new AWS role

Create an AWS role so that Grafana can then assume a role that has access only to your CloudWatch data, with no need to share access and secret keys.

  1. At the Create new scrape job configuration page, select Manually to create a new role in the AWS IAM console.
  2. Click Open AWS IAM Console to open the IAM console.
  3. In Roles, click Create role.
  4. Select AWS Account for Trusted entity type.
  5. Select Another AWS account.
  6. In Account ID, enter the Grafana AWS account ID shown on the Create new scrape job configuration page.
  7. Select Require external ID, and enter the Username / Instance ID for your Grafana Cloud Prometheus as shown on the Create new scrape job page.
  8. Click Next: Permissions, then Create policy.
  9. At the Grafana Cloud Create new scrape job page under the Grant permissions to Grafana Cloud section, copy and paste the JSON into the policy text box in the AWS IAM console. This replaces the existing code.

Connect to AWS account

  1. At the Create new scrape job page in the Scrape job name box, enter the name of your scrape job.
    Give your scrape job a unique name, containing only alphanumeric characters, dashes, and underscores.
  2. Paste the ARN from your AWS IAM role in the ARN box.
  3. From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
  4. Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
  5. Click Configure AWS Account to ensure the connection is working.

Choose services

  1. Choose the services you want to scrape. You can search in the search box or browse in the list of services.
  2. Optionally, enter a custom namespace in the Namespace name box and click Add.

Configure service settings

For each service and namespace you have chosen to scrape, select which metrics you want to collect. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics.

  1. Click Edit Metrics next to the service or namespace to open the edit view.
  2. Select or deselect metrics.
  3. For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric.
  4. Select the scrape interval.
  5. Optionally, add a tag to the service by entering the exact tag in the AWS tag format.
  6. For a custom namespace, click Edit Metrics, and add metrics and statistics.
  7. After editing the service or namespace, click Save service settings.
  8. Click Create scrape job to begin collecting metrics.

Explore your AWS service data

  1. Click Install dashboards and alerts to install prebuilt dashboards and alerts.
  2. Click View dashboards to explore out-of-the-box dashboards.

Add, edit or delete a scrape job

To add a scrape job, on the Your scrape jobs page, click Add new scrape job.

To edit a scrape job:

  1. At the Your scrape jobs page, open the edit view by one of these methods:

    • Click the name of the scrape job.
    • Click the three-dot menu icon next to the scrape job, and select Edit.
  2. In the Edit scrape job view, make your changes.

  3. Click Save scrape job.


To delete a scrape job, at the Your scrape jobs page, you can either:

  • Click the name of the scrape job to open the Edit scrape job page, click Delete next to the job, then click Delete to confirm.
  • Click the three-dot menu icon next to the scrape job, select Delete, then click Delete to confirm.