Cloudwatch and Cloudformation AWS

Question

is it currently possible to set up a whole cloudwatch stack including the cloudwatch agent via cloudformation ? I cant find a proper documentation and asking myself if its even possible.

Answer 1

The following CloudFormation Resource creates a policy that will allow instances with this policy attached to their role to ship logs to CloudWatch:

    "CloudWatchLogsPolicy": {
        "Type" : "AWS::IAM::Policy",
        "Properties" : { 
            "PolicyDocument" : {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:CreateLogGroup",
                            "logs:CreateLogStream",
                            "logs:PutLogEvents",
                            "logs:DescribeLogStreams"
                        ],
                        "Resource": arn:aws:logs:eu-west-1:123456789012:log-group:my-log-group:*
                    }
                ]
                }
            ,
            "PolicyName" : "CWLogPolicy",
            "Roles": [{ "Ref": "IAMRole"}]
        },
        "DependsOn": ["IAMRole"]
    }

You will need to update the Resource ARN to match your region, account id and log group name. The "Roles" and "DependsOn" assume there is an IAM role declared called "IAMRole" in the current stack.

When attaching a Role you have to use an AWS::IAM::InstanceProfile to create the link between the AWS::IAM::Role and the instance (or Autoscale group in my case).

Answer 2

Yes these types are available in CloudFormation

• AWS::CloudWatch::Alarm
• AWS::CloudWatch::Dashboard

Additionally, detailed monitoring can be set in other resource types (for example AWS::EC2::Instance)

Installing the Cloudwatch log agent would be done by configuring it in the AMI or installing as an action in the user data script