--- title: "Configure CloudWatch metrics scrape | Grafana Cloud documentation" description: "Configuration steps for CloudWatch metrics scrape jobs" --- # Configure CloudWatch metrics scrape jobs You can configure CloudWatch metrics scrape jobs with Terraform or using a combination of the Cloud Provider UI, and CloudFormation or the AWS IAM console. The connection and configuration process for CloudWatch metrics scrape jobs includes the following tasks: - Navigate to Cloud provider AWS configuration - Create an AWS IAM role - Connect to AWS account - Create a scrape job > Note > > For AWS to ingest metrics from CloudWatch into Grafana Cloud, you must set at least one [tag](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) on a resource in AWS. ## Navigate to Cloud provider AWS configuration 1. Open your [Grafana Cloud portal](/docs/grafana-cloud/account-management/cloud-portal/). 2. Expand **Observability > Cloud Provider** in the main menu of your Grafana Cloud stack. 3. Select **AWS > Add your AWS services** if you haven’t added any AWS services yet. If you have added a service, click the **Configuration** tab. ## Create an AWS IAM role To configure CloudWatch metrics scrape jobs, you must create an AWS IAM role to grant Grafana Cloud Access to read your CloudWatch metrics and associated resource metadata. You can choose to configure the AWS role either automatically or manually in the AWS Management Console. With automatic configuration, you can use either CloudFormation or Terraform. Choose the one that fits with your setup. ### Automatically with CloudFormation The IAM role establishes a secure trust relationship between your AWS account and Grafana Cloud, allowing metric collection without sharing long-term credentials or compromising security. To create an AWS IAM role for Grafana Cloud, complete the following steps: 1. From the **Configuration** tab, click the **AWS accounts** tile. 2. At the AWS Accounts page, click **Add new account** to open the **Create new account** page. 3. For **Create a new AWS role**, leave the **Automatically** and **Use CloudFormation** tiles selected. 4. Click **Launch stack**, opening a CloudFormation template in your AWS account in a new tab. The AWS account that you are logged into at the time of clicking the button is the account that opens. To use a different account, log out of the current account and into the account you want to use. 5. Select the **I acknowlege that AWS CloudFormation might create IAM resources with custom names** checkbox. 6. Click **Create stack**. 7. Copy the `RoleARN` in the **Outputs** tab of the stack to use in a later step. 8. Return to the **Create new account** page in Grafana Cloud when you have finished in AWS. ### Automatically with Terraform Create an AWS IAM role so that Grafana can then assume a role that has access *only* to your CloudWatch data, with no need to share access and secret keys. The input variables for the IAM role are: - `external_id`: The username / instance ID for your Grafana Cloud Prometheus. AWS uses an [external ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html#external-id-purpose) to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud. Click **Details** in the Prometheus card of the Grafana Cloud Portal or use the [`grafana_cloud_stack` data source](https://registry.terraform.io/providers/grafana/grafana/latest/docs/data-sources/cloud_stack) to find this information. - `iam_role_name`: A customizable name of the IAM role used by Grafana for the CloudWatch integration. The default value is `GrafanaCloudWatchIntegration`. The output variable is `role_arn`, which is the AWS Identity and Access Management (IAM) role Amazon Resource Name (ARN) you need to use when you create the scrape job. To create a new AWS role in Grafana Cloud using the AWS Command Line Interface (CLI): 1. [Configure authentication for the AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration). 2. Copy the following code snippet into your Terraform file: terraform ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```terraform terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } locals { grafana_account_id = "008923505280" } variable "external_id" { type = string description = "This is your Grafana Cloud identifier and is used for security purposes." validation { condition = length(var.external_id) > 0 error_message = "ExternalID is required." } } variable "iam_role_name" { type = string default = "GrafanaLabsCloudWatchIntegration" description = "Customize the name of the IAM role used by Grafana for the CloudWatch integration." } data "aws_iam_policy_document" "trust_grafana" { statement { effect = "Allow" principals { type = "AWS" identifiers = ["arn:aws:iam::${local.grafana_account_id}:root"] } actions = ["sts:AssumeRole"] condition { test = "StringEquals" variable = "sts:ExternalId" values = [var.external_id] } } } resource "aws_iam_role" "grafana_labs_cloudwatch_integration" { name = var.iam_role_name description = "Role used by Grafana CloudWatch integration." # Allow Grafana Labs' AWS account to assume this role. assume_role_policy = data.aws_iam_policy_document.trust_grafana.json } resource "aws_iam_role_policy" "grafana_labs_cloudwatch_integration" { name = "GrafanaLabsCloudWatchIntegrationPolicy" role = aws_iam_role.grafana_labs_cloudwatch_integration.id # This policy allows the role to discover metrics via tags and export them. policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = [ "tag:GetResources", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "apigateway:GET", "aps:ListWorkspaces", "autoscaling:DescribeAutoScalingGroups", "dms:DescribeReplicationInstances", "dms:DescribeReplicationTasks", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeSpotFleetRequests", "shield:ListProtections", "storagegateway:ListGateways", "storagegateway:ListTagsForResource" ] Resource = "*" } ] }) } // Allow some time for IAM (global) changes to propagate resource "time_sleep" "wait_10_seconds" { depends_on = [ aws_iam_role.grafana_labs_cloudwatch_integration, aws_iam_role_policy.grafana_labs_cloudwatch_integration ] create_duration = "10s" } output "role_arn" { depends_on = [ time_sleep.wait_10_seconds ] value = aws_iam_role.grafana_labs_cloudwatch_integration.arn description = "The ARN for the role created, copy this into Grafana Cloud installation." } ``` 3. Run the `terraform apply` command, and either set variables directly in the CLI or create a `tfvars` file. - To set the variables directly in the CLI, use the following example command: `terraform apply -var="external_id=" -var="iam_role_name=GrafanaCloudWatchIntegration"` - To create a `tfvars` file (terraform.tfvars), add the following text to the Terraform file: terraform ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```terraform external_id="" iam_role_name="GrafanaCloudWatchIntegration" ``` Then run the following command: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash terraform apply ``` 4. After the Terraform apply command has finished creating the IAM Role, it outputs your `role_arn`, as in the following example: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash role_arn = "arn:aws:iam:::role/" ``` ### Manually with the AWS IAM console Creating the AWS IAM role manually is a lengthy, tedious, error-prone process. We recommend using CloudFormation or Terraform to configure your IAM role to enable scraping CloudWatch metrics. 1. From the **Configuration** tab, click the **AWS accounts** tile. 2. At the **AWS accounts** page, click **Add new account** to open the **Create new account** page. 3. For **Create a new AWS role**, select **Manually > Open AWS IAM Console**. Continue the following steps in the AWS IAM Console in a separate browser tab. Leave the Grafana Cloud browser tab open to find information needed for subsequent steps. 1. Click **Roles > Create role** in the AWS IAM Console. 2. Select **AWS Account > Another AWS account**. 3. For **Account ID**, enter the Grafana AWS Account ID found on the **Create new account** configuration page in Grafana Cloud. 4. Select **Require external ID**, and enter the Grafana Cloud/External ID found on the **Create new account** page in Grafana Cloud. 5. Click **Next > Next**. 6. Enter a Role name for this role and click **Create role > View role**. 7. Click **Add Permissions > Create inline policy** and select **JSON** on the policy editor toggle. 8. Delete the existing JSON and replace it with the JSON policy configuration found on the **Create new account** page in Grafana Cloud and click **Next**. 9. Enter a Policy name and click **Create policy**. Copy the ARN for your new role to use when you connect to AWS account in Grafana Cloud. ### Enable `account_alias` label in collected metrics Amazon CloudWatch Metrics supports pulling the AWS Account alias, as an additional label, `account_alias`, into all collected metrics. If the configured IAM role doesn’t have enough permissions to fetch the account alias, it isn’t added. To enable the collection and addition of the `account_alias` label in all collected metrics, add the `iam:ListAccountAliases` permission to the IAM Policy used by Grafana. You can check if the `account_alias` label is present by running the following query: promql ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```promql group({__name__=~"aws.+"}) by (account_alias) ``` ## Connect to AWS account After you have created the AWS IAM role, you need to connect your AWS account with your Grafana Cloud instance so Grafana Cloud can scrape metrics. You can connect your AWS account with Grafana Cloud either in the UI or using Terraform. ### Connect to AWS account in UI If you aren’t using Terraform to configure your scrape job, you can connect your AWS account in the UI using the following steps: 1. Enter the name of your account on the AWS Accounts **Create new account** page in Grafana Cloud, for the **Account name(optional)** box. Give your account a unique name that contains only alphanumeric characters, dashes, and underscores. 2. In the **ARN** box, paste the ARN you copied from the AWS IAM role you created. 3. Select the regions where you have services you want to monitor from the **AWS Regions** drop-down menu. 4. Click **Add account** to ensure the connection is working and to save your new account. 5. Click **Create a scrape job** to continue creating your configuration. The **Create new scrape job** configuration page opens with the preselected account. ### Connect to AWS account using Terraform If you are using Terraform to configure your CloudWatch metrics scrape job, you need to connect to AWS account by completing the tasks: - Create a Grafana Cloud access policy - Obtain the regional Cloud Provider API endpoint - Set up the Grafana Cloud Terraform Provider #### Create a Grafana Cloud access policy To create an access policy token: 1. Follow the [Create an access policy for a stack](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/create-access-policies/#create-an-access-policy-for-a-stack) instructions. 2. In step 6, add the following scopes: - `integration-management:read` - `integration-management:write` - `stacks:read` 3. After creating the policy, click **Add token** and generate a token. 4. Give your token an appropriate name and select an Expiration date. We recommend you select a specific expiration date and **do not** set the **Expiration date** to **No expiry**, as this can create a security vulnerability. 5. Store this token securely—you’ll use it to configure the Grafana Terraform provider. #### Obtain the regional Cloud Provider API endpoint The Grafana Terraform provider needs your stack’s Grafana Cloud Provider API URL to manage your AWS resources on Grafana Cloud. To complete these steps, you need to have [`cURL`](https://curl.se/download.html) and [`jq`](https://jqlang.github.io/jq/) installed. To get the regional Cloud Provider API endpoint: 1. Copy and use the following command to return a list of all your Grafana Cloud stacks, along with their respective Cloud Provider API hostnames: shell ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```shell curl -sH "Authorization: Bearer @@@GRAFANA_CLOUD_ACCESS_POLICY_TOKEN@@@" "https://grafana.com/api/instances" | \ jq '[.items[]|{stackName: .slug, clusterName:.clusterSlug, cloudProviderAPIURL: "https://cloud-provider-api-\(.clusterSlug).grafana.net"}]' ``` 2. Find your stack in the output and note the `cloudProviderAPIURL` as in the following example: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json [ { "stackName": "my-stack", "clusterName": "prod-us-central-0", "cloudProviderAPIURL": "https://cloud-provider-api-prod-us-central-0.grafana.net" } ] ``` > Note > > If this endpoint does not work, your Grafana Cloud Provider API endpoint may be using the new URL format. For more information on Grafana Cloud URLs, refer to [Determine Grafana Cloud URLs based on region](/docs/grafana-cloud/security-and-account-management/region-url-formats/). #### Set up the Grafana Terraform Provider Set up the Grafana Terraform provider with either of these methods: - Terraform commands - Environmental variables ##### Configure the Grafana Terraform Provider 1. Include the provider as a dependency in your Terraform configuration, as in the following example: terraform ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```terraform terraform { required_providers { grafana = { source = "grafana/grafana" version = ">= 3.13.1" # minimum required version that includes Cloud Provider support } } } ``` 2. Configure AWS support for the Grafana Terraform provider with the following snippet, which uses the access token and cloud provider API URL obtained in the previous steps. ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none provider "grafana" { // ... cloud_provider_url = cloud_provider_access_token = } ``` ##### Environment variables When running Terraform commands, set the cloud provider URL and access token in an empty Grafana provider block with environment variables, such as `GRAFANA_CLOUD_PROVIDER_ACCESS_TOKEN` and `GRAFANA_CLOUD_PROVIDER_URL`. ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none provider "grafana" {} ``` ## Create a scrape job After you have added an AWS account to Grafana Cloud, you can create a CloudWatch metrics scrape job to scrape metrics from that AWS account. You can create a CloudWatch metrics scrape job with Grafana Cloud either in the UI or using Terraform. ### Create a scrape job in the UI To get to the **Create new scrape job** configuration page, either click **Create a scrape job** after [connecting your AWS account](#connect-to-aws-account), or follow the steps to [Navigate to Cloud provider AWS configuration](#navigate-to-cloud-provider-aws-configuration), and click **CloudWatch metrics scrape > Add new scrape job**. 1. Select an AWS account. Either use the dropdown or click **add a new one** to add a different AWS account. 2. Enter a name for your scrape job. Give your scrape job a unique name that contains only alphanumeric characters, dashes, and underscores. 3. **Include your AWS resource tags** is selected by default. This option adds all of your AWS tags to the `aws__info` metrics included in this job. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information. For more information on tags and how Cloud Provider Observability uses them, refer to [Tags](_index.md#tags). 4. Optionally, add static labels for easier filtering and grouping. These labels are added to all metrics exported by this scrape job. 5. Choose the services you want to scrape. You can search in the search box or browse in the list of services. 6. Optionally, enter a [custom namespace](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace) in the **Namespace name** box and click **Add**. 7. Click **Edit Metrics** next to the service or namespace if you want to customize the metrics that are collected for that service or namespace. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics. 1. Select or deselect metrics in the Edit dialog box. 2. For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric. 3. Select the scrape interval. 4. Add AWS tags you want to include. This option adds certain tags to service metrics in addition to the tags added to all `aws__info` metrics added earlier. To pull metrics from Amazon CloudWatch into Grafana Cloud, you must have tagged resources in AWS. Optionally, you can narrow the metrics you pull by adding the tag you have placed on a metric in AWS, using the exact [AWS tag format](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html). For more information on tags and how Cloud Provider Observability uses them, refer to [Tags](_index.md#tags). 5. Click **Save service settings**. 8. Click **Create scrape job** to begin collecting metrics or click **Export as terraform** to export the scrape settings in Terraform format. ### Create a scrape job using Terraform #### Grafana Terraform provider resources You can define the following resources and data sources with the Grafana Terraform provider: Expand table | Resource name | Documentation reference | Description | |----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `grafana_cloud_provider_aws_account` | [Doc](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/cloud_provider_aws_account) | Represents an AWS IAM role that authorizes Grafana Cloud to pull Amazon CloudWatch metrics for a set of regions. Usually, there’s one of these resources per configured AWS account. | | `grafana_cloud_provider_aws_cloudwatch_scrape_job` | [Doc](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/cloud_provider_aws_cloudwatch_scrape_job) | Represents a Grafana AWS scrape job. This configures Grafana to fetch a list of metrics/statistics for one or many AWS services, and for a given `grafana_cloud_provider_aws_account`. | #### Scrape job example Terraform The following example is for obtaining Amazon Elastic Compute Cloud (EC2) and Amazon Relational Database Service (RDS) metrics. Replace the values with your values. terraform ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```terraform variable "access_token" { type = string sensitive = true } variable "cloud_provider_url" { type = string description = "The Grafana Cloud Provider API URL from the previous step" } variable "role_arn" { type = string description = "The AWS role ARN output from the previous step" } variable "stack_slug" { type = string description = "The Grafana Cloud Stack name" } terraform { required_providers { grafana = { source = "grafana/grafana" version = ">= 3.13.1" } } } provider "grafana" { # this token is used for calling the grafana.com API, and easily fetching the Grafana instance Stack ID cloud_access_policy_token = var.access_token cloud_provider_url = var.cloud_provider_url cloud_provider_access_token = var.access_token } data "grafana_cloud_stack" "thestack" { slug = var.stack_slug } resource "grafana_cloud_provider_aws_account" "myaccount" { stack_id = data.grafana_cloud_stack.thestack.id role_arn = var.role_arn regions = [ "us-east-1", "us-east-2", ] } resource "grafana_cloud_provider_aws_cloudwatch_scrape_job" "myaccount-ec2" { stack_id = data.grafana_cloud_stack.thestack.id name = "tf-managed-scrape-job" aws_account_resource_id = grafana_cloud_provider_aws_account.myaccount.resource_id service { name = "AWS/EC2" metric { name = "CPUUtilization" statistics = ["Average"] } metric { name = "StatusCheckFailed" statistics = ["Maximum"] } scrape_interval_seconds = 300 tags_to_add_to_metrics = ["eks:cluster-name"] } service { name = "AWS/RDS" metric { name = "CPUUtilization" statistics = ["Average", "Maximum"] } scrape_interval_seconds = 300 tags_to_add_to_metrics = ["name"] } custom_namespace { name = "MyApp" metric { name = "MyMetric" statistics = ["Maximum", "Sum"] } scrape_interval_seconds = 300 } } ``` #### Export Terraform for existing scrape jobs If you already have a scrape job in Cloud provider observability, you can export the Terraform configuration for that scrape job. To export the Terraform configuration for existing scrape jobs in Grafana Cloud: 1. Open your [Grafana Cloud portal](/docs/grafana-cloud/account-management/cloud-portal/). 2. Expand **Observability > Cloud Provider** in the main menu of your Grafana Cloud stack. 3. Click the **Configuration** tab. 4. Click **CloudWatch metrics scrape**. 5. Select the checkbox next to the scrape job you want the Terraform configuration for. 6. Click **Export as terraform**. 7. Click **Copy to clipboard** and save the Terraform in a file. #### Export Terraform for new scrape jobs If you don’t already have a scrape job, but you want a quicker way to collect a default set of metrics, you can use the Cloud provider observability UI to select the services with multiple configurable default metrics and export the configuration as Terraform. To use the Cloud provider observability UI to configure your scrape job: 1. Open your [Grafana Cloud portal](/docs/grafana-cloud/account-management/cloud-portal/). 2. Expand **Observability > Cloud Provider** in the main menu of your Grafana Cloud stack. 3. Click the **Configuration** tab. 4. Click **CloudWatch metrics scrape**. 5. Click **Add new scrape job**. ## Explore your AWS service data On the Cloud provider AWS Configuration tab, click **Install dashboards and alerts** to install the following prebuilt dashboards and alerts: - [Prebuilt dashboards](/docs/grafana-cloud/monitor-infrastructure/monitor-cloud-provider/aws/cloudwatch-metrics/metric-dashboards/) - [Preconfigured alerts](/docs/grafana-cloud/monitor-infrastructure/monitor-cloud-provider/aws/cloudwatch-metrics/cw-alerts/) ## Add, edit, or delete a scrape job To add a scrape job, on the **Your scrape jobs** page, click **Add new scrape job**. To edit a scrape job: 1. Click the **Configuration** tab, then click the **CloudWatch metrics scrape** tile. 2. At the **Your scrape jobs** page, open the edit view by one of these methods: - Click the name of the scrape job. - Click the three-dot icon next to the scrape job, and select **Edit**. 3. In the **Edit scrape job** view, make your changes. 4. Click **Save scrape job**. To delete a scrape job, at the **Your scrape jobs** page, you can either: - Click the three-dot menu icon next to the scrape job, select **Delete**, then click **Delete** to confirm. - Click the name of the scrape job to open the **Edit scrape job** page, click **Delete scrape job**, then click **Delete** to confirm. ## Troubleshoot scrape jobs This section includes common errors encountered while configuring CloudWatch metric scrape jobs and tools you can use to troubleshoot. ### Verify AWS IAM permissions The most common cause of missing data is insufficient IAM permissions. Your IAM role must have the following minimum permissions: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json { "Version": "2012-10-17", "Statement": [ { "Action": [ "tag:GetResources", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "apigateway:GET", "aps:ListWorkspaces", "autoscaling:DescribeAutoScalingGroups", "dms:DescribeReplicationInstances", "dms:DescribeReplicationTasks", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeSpotFleetRequests", "shield:ListProtections", "storagegateway:ListGateways", "storagegateway:ListTagsForResource" ], "Effect": "Allow", "Resource": "*" } ] } ``` To verify your IAM role permissions: 1. In the AWS console, navigate to **IAM > Roles**. 2. Select the role you’re using for the integration. 3. In the **Permissions** tab, verify the required actions are present by clicking the plus sign next to the Policy name to open the permissions JSON. #### Verify trust relationship configuration Your IAM role must trust Grafana Cloud’s AWS account. The trust relationship should look like the following example JSON: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "YOUR_EXTERNAL_ID" } } } ] } ``` The `YOUR_ACCOUNT_ID` and `YOUR_EXTERNAL_ID` values are provided on the **Create new account** page in Grafana Cloud. To verify your IAM role trust relationship: 1. In the AWS console, navigate to **IAM > Roles**. 2. Select the role you’re using for the integration. 3. Click on the **Trust relationships** tab. In the Trusted entities JSON, the number that is part of the ARN should match your Grafana Cloud Account, and the External ID should match your External ID. These numbers can be found on the **Create new account** page in Cloud Provider AWS. To get to the Create new account page in Grafana Cloud: 1. Open your [Grafana Cloud portal](/docs/grafana-cloud/account-management/cloud-portal/). 2. Expand **Observability > Cloud Provider** in the main menu of your Grafana Cloud stack. 3. Click **AWS**. 4. Click the **Configuration** tab. 5. Click **AWS accounts**. 6. Click **Add new account**. 7. Select the **Manually** tile. #### Test IAM permissions To test your IAM configuration: 1. Use the AWS CLI with your role to verify permissions work: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash aws sts assume-role --role-arn YOUR_ROLE_ARN --role-session-name test-session --external-id YOUR_EXTERNAL_ID ``` 2. Test metric access with the assumed role: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash aws cloudwatch list-metrics --namespace AWS/EC2 ``` 3. Verify resource discovery works: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash aws resourcegroupstaggingapi get-resources --resource-type-filters ec2:instance ``` If any of these commands fail, review your IAM policy and trust relationship configuration. ### Check resource tagging The YACE exporter only exports metrics for resources that have tags. If your AWS resources aren’t tagged, they won’t appear in your metrics. To verify resource tagging: 1. In the AWS console, navigate to the service you’re monitoring (for example, EC2, RDS, or ELB). 2. Select a resource you expect to see metrics for. 3. In the **Tags** tab, verify at least one tag is present. 4. If no tags exist, add at least one tag to the resource. Common tag patterns that work well with monitoring: - `Environment: production` - `Team: backend` - `Application: webapp` ### Validate scrape job configuration Review your scrape job configuration for common issues: **Region configuration**: Ensure you’re scraping the correct AWS regions where your resources exist. **Service selection**: Verify you’ve enabled the correct AWS services in your scrape job configuration. **Metric selection**: Check that you’ve selected the specific metrics you want to collect. Some services have hundreds of available metrics. ### Check scrape job status After you have created your CloudWatch metric scrape job, you can check that data is successfully getting sent from your Amazon account to Grafana Cloud. To verify data is getting sent to Grafana Cloud: 1. In Grafana Cloud, select **Observability > Cloud provider > AWS** in the main menu. 2. Click the **Services** tab. 3. Find your scrape job listed in the **Job name** column. If data is getting sent to Grafana Cloud, the Service’s status is “Sending data”. 4. Hover your mouse over the status to see the date data was last sent from your specific scrape job. ### Common error messages **“Access Denied” errors**: Your IAM role lacks required permissions. Review the IAM policy and trust relationship. **“Invalid parameter” errors**: Check your scrape job configuration for typos in region names, service names, or metric names. **“Throttling” errors**: You’re exceeding CloudWatch API limits. Reduce scrape frequency or scope. **“No data points” errors**: The metric exists but has no data for the requested time period. Verify the resource is active and generating metrics.