---
title: "Configure CloudWatch | Grafana Plugins documentation"
description: "This document provides configuration instructions for the CloudWatch data source."
---

# Configure the Amazon CloudWatch data source

This document provides instructions for configuring the Amazon CloudWatch data source and explains available configuration options. For general information on adding and managing data sources, refer to [Data source management](/docs/grafana/latest/administration/data-source-management/).

## Before you begin

- You must have the `Organization administrator` role to configure the CloudWatch data source. Organization administrators can also [configure the data source via YAML](#provision-the-data-source) with the Grafana provisioning system.
- Grafana comes with a built-in CloudWatch data source plugin, so you do not need to install a plugin.
- Familiarize yourself with your CloudWatch security configuration and gather any necessary security certificates, client certificates, and client keys.

## Add the CloudWatch data source

Complete the following steps to set up a new CloudWatch data source:

1. Click **Connections** in the left-side menu.
2. Click **Add new connection**.
3. Type `CloudWatch` in the search bar.
4. Select the **CloudWatch data source**.
5. Click **Add new data source** in the upper right.

Grafana takes you to the **Settings** tab, where you will set up your CloudWatch configuration.

## Configure the data source in the UI

The following are configuration options for the CloudWatch data source.


| **Setting** | **Description**                                                                                                                            |
|-------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| **Name**    | The data source name. Sets the name you use to refer to the data source in panels and queries.                                             |
| **Default** | Toggle to select as the default name in dashboard panels. When you go to a dashboard panel, this will be the default selected data source. |

Grafana plugin requests to AWS are made on behalf of an AWS Identity and Access Management (IAM) role or IAM user. The IAM user or IAM role must have the associated policies to perform certain API actions.

For authentication options and configuration details, refer to [AWS authentication](/docs/plugins/grafana-cloudwatch-datasource/latest/aws-authentication/).


| Setting            | Description                                                                                                                                                                                                                  |
|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Authentication** | Specify which AWS credentials chain to use. A Grafana plugin’s requests to AWS are made on behalf of an IAM role or IAM user. The IAM user or IAM role must have the necessary policies to perform the required API actions. |

**Access & secret key:**

You must use both an access key ID and a secret access key to authenticate.


| Setting               | Description                  |
|-----------------------|------------------------------|
| **Access Key ID**     | Enter your key ID.           |
| **Secret Access Key** | Enter the secret access key. |

**Assume Role**:


| Setting             | Description                                                                                                                                          |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Assume Role ARN** | *Optional.* Specify the ARN of an IAM role to assume. This ensures the selected authentication method is used to assume the role, not used directly. |
| **External ID**     | If you’re assuming a role in another AWS account that requires an external ID, specify it here.                                                      |

**Additional Settings:**


| Setting                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Endpoint**                     | *Optional*. Specify a custom endpoint for the AWS service.                                                                                                                                                                                                                                                                                                                                                                                                     |
| **Default Region**               | Specify the AWS region. Example: If the region is US West (Oregon), use `us-west-2`.                                                                                                                                                                                                                                                                                                                                                                           |
| **Namespaces of Custom Metrics** | Add one or more custom metric namespaces, separated by commas (for example, `Namespace1,Namespace2`). Grafana can’t automatically load custom namespaces using the [CloudWatch GetMetricData API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html). To make custom metrics available in the query editor, manually specify the namespaces in the `Namespaces of Custom Metrics` field in the data source configuration. |

**CloudWatch Logs**:


| Setting                  | Description                                                                                                                                                                                                                                                                                                                   |
|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Query timeout result** | Grafana polls CloudWatch Logs every second until AWS returns a `Done` status or the timeout is reached. An error is returned if the timeout is exceeded. For alerting, the timeout defined in the Grafana config file takes precedence. Enter a valid duration string, such as `30m`, `30s` or `200ms`. The default is `30m`. |
| **Default Log Groups**   | *Optional*. Specify the default log groups for CloudWatch Logs queries.                                                                                                                                                                                                                                                       |

**Application Signals trace link:**


| Setting         | Description                                                                            |
|-----------------|----------------------------------------------------------------------------------------|
| **Data source** | Select the Application Signals (previously X-Ray) data source from the drop-down menu. |

Grafana automatically creates a link to a trace in the Application Signals data source if logs contain the `@xrayTraceId` field. To use this feature, you must already have an Application Signals data source configured. For details, see the [Application Signals data source docs](/docs/plugins/grafana-x-ray-datasource/). To view the link to Application Signals, select the log row in either the Explore view or the dashboard [Logs panel](/docs/grafana/latest/panels-visualizations/visualizations/logs/) to open the log details section.

To log the `@xrayTraceId`, refer to the [AWS Application Signals documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Monitoring-Sections.html). To provide the field to Grafana, your log queries must also contain the `@xrayTraceId` field, for example by using the query `fields @message, @xrayTraceId`.

**Private data source connect** - *Only for Grafana Cloud users.*


| Setting                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Private data source connect** | Establishes a private, secured connection between a Grafana Cloud stack and data sources within a private network. Use the drop-down to locate the PDC URL. For setup instructions, refer to [Private data source connect (PDC)](/docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/) and [Configure PDC](/docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/configure-pdc/#configure-grafana-private-data-source-connect-pdc). Click **Manage private data source connect** to open your PDC connection page and view your configuration details. |

After configuring your Amazon CloudWatch data source options, click **Save & test** at the bottom to test the connection. You should see a confirmation dialog box that says:

![CloudWatch configuration success message](/media/docs/cloudwatch/cloudwatch-config-success-message.png)

> Note
> 
> To troubleshoot issues while setting up the CloudWatch data source, check the `/var/log/grafana/grafana.log` file.

### IAM policy examples

To read CloudWatch metrics and EC2 tags, instances, regions, and alarms, you must grant Grafana permissions via IAM. You can attach these permissions to the IAM role or IAM user you configured in [AWS authentication](/docs/plugins/grafana-cloudwatch-datasource/latest/aws-authentication/).

**Metrics-only permissions:**


```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourceMetricsFromPerformanceInsights",
      "Effect": "Allow",
      "Action": "pi:GetResourceMetrics",
      "Resource": "*"
    }
  ]
}
```

**Logs-only permissions:**


```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingLogsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:GetLogGroupFields",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}
```

**Metrics and logs permissions:**


```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourceMetricsFromPerformanceInsights",
      "Effect": "Allow",
      "Action": "pi:GetResourceMetrics",
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingLogsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:GetLogGroupFields",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}
```

#### Cross-account observability permissions


```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["oam:ListSinks", "oam:ListAttachedLinks"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

> Note
> 
> Cross-account observability lets you retrieve metrics and logs across different accounts in a single region, but you can’t query EC2 Instance Attributes across accounts because those come from the EC2 API and not the CloudWatch API.

For more information on configuring authentication, refer to [Configure AWS authentication](/docs/grafana/latest/datasources/aws-cloudwatch/aws-authentication/).
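A least-privilege check for the IAM role or user Grafana uses, written against the action lists in the policy examples above. This is an added example, not part of the Grafana documentation or plugin; `audit_policy`, the profile names, and the sample policy are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Read-only action sets copied from the policy examples on this page.
METRICS = {
    "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory",
    "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData", "cloudwatch:GetInsightRuleReport",
    "pi:GetResourceMetrics",
}
LOGS = {
    "logs:DescribeLogGroups", "logs:GetLogGroupFields", "logs:StartQuery",
    "logs:StopQuery", "logs:GetQueryResults", "logs:GetLogEvents",
}
SHARED = {"ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions",
          "tag:GetResources"}
CROSS_ACCOUNT = {"oam:ListSinks", "oam:ListAttachedLinks"}
# Hypothetical profile names, one per policy example above.
PROFILES = {"metrics": METRICS | SHARED, "logs": LOGS | SHARED,
            "metrics+logs": METRICS | LOGS | SHARED}

def _as_list(value):
    # IAM allows "Action" to be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy, profile, cross_account=False):
    """Return (excess, missing) for an identity policy versus a page profile.

    Only Action/NotAction are inspected; Resource and Condition are not.
    """
    expected = PROFILES[profile] | (CROSS_ACCOUNT if cross_account else set())
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    excess, granted = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:  # allows everything except the listed actions
            excess.add("NotAction in " + stmt.get("Sid", "<no Sid>"))
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive; * and ? are wildcards.
            matched = {a for a in expected
                       if fnmatchcase(a.lower(), pattern.lower())}
            granted |= matched
            if not matched or "*" in pattern or "?" in pattern:
                excess.add(pattern)  # unknown action, or wider than the page's list
    return sorted(excess), sorted(expected - granted)

# Constructed sample: a logs policy that drifted beyond the page's example.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Logs", "Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    {"Sid": "Ec2", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeTags", "ec2:DescribeInstances",
                "ec2:DescribeRegions", "cloudwatch:PutMetricData"]},
]}

if __name__ == "__main__":
    excess, missing = audit_policy(SAMPLE_POLICY, "logs")
    print("grants beyond the page's policy:", excess)
    print("actions the data source needs but lacks:", missing)
```
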

### Configure the data source with grafana.ini

The Grafana [configuration file](/docs/grafana/latest/setup-grafana/configure-grafana/#aws) includes an `AWS` section where you can configure data source options:


| Configuration option      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `allowed_auth_providers`  | Specifies which authentication providers are allowed for the CloudWatch data source. The following providers are enabled by default in open-source Grafana: `default` (AWS SDK default), `keys` (Access and secret key), `credentials` (Credentials file), `ec2_IAM_role` (EC2 IAM role).                                                                                                                                                       |
| `assume_role_enabled`     | Allows you to disable `assume role (ARN)` in the CloudWatch data source. The assume role (ARN) is enabled by default in open-source Grafana.                                                                                                                                                                                                                                                                                                    |
| `list_metrics_page_limit` | Sets the limit of List Metrics API pages. When a custom namespace is specified in the query editor, the [List Metrics API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html) populates the *Metrics* field and *Dimension* fields. The API is paginated and returns up to 500 results per page, and the data source also limits the number of pages to 500 by default. This setting customizes that limit. |

### Provision the data source

You can define and configure the data source in YAML files as part of the Grafana provisioning system. For more information about provisioning and available configuration options, refer to [Provision Grafana](/docs/grafana/latest/administration/provisioning/#data-sources).

**Using AWS SDK (default)**:


```yaml
apiVersion: 1
datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: default
      defaultRegion: eu-west-2
```

**Using credentials’ profile name (non-default)**:


```yaml
apiVersion: 1

datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: credentials
      defaultRegion: eu-west-2
      customMetricsNamespaces: 'CWAgent,CustomNameSpace'
      profile: secondary
```

**Using `accessKey` and `secretKey`** :


```yaml
apiVersion: 1

datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: keys
      defaultRegion: eu-west-2
    secureJsonData:
      accessKey: '<your access key>'
      secretKey: '<your secret key>'
```

**Using AWS SDK Default and ARN of IAM Role to Assume:**


```yaml
apiVersion: 1
datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: default
      # ARN of the IAM role to assume (replace the placeholder role name)
      assumeRoleArn: 'arn:aws:iam::123456789012:role/<your role name>'
      defaultRegion: eu-west-2
```
