Cloudwatch

In this article , We will learn to Use Cloudwatch metrics with Grafana and setup Dashboard for monitoring AWS services.

As Grafana comes with built-in support for Cloudwatch , We can add cloudwatch as a Data source in Grafana and then we can build dashboard and make use of AWS services metrics collected by Cloudwatch.

Installing Grafana

First We need to have Grafana installed. If you havn’t installed Grafana yet , Check this article

Once you have grafana UP and running , We can move to the next step.

Method 1 : Integrating Cloudwatch with Grafana using IAM Role

Create IAM user with Cloudwatch Access

In this step , We need to create an IAM user with Cloudwatch Read-only access.

And also the user should require AWS Credentials (ACCESS_KEY & SECRET_ACCESS_KEY).

To create an IAM user , Login to IAM Console.

In the navigation pane , Choose Users , Click Add user

Provide a name for the IAM user.

Cloudwatch

For AWS access type , Choose Programmatic access type.

Cloudwatch

and then Click Next: permissions

Under Set permissions , Select Attach existing policies directly

Cloudwatch

and search for CloudwatchRead , Choose CloudwatchReadOnlyAccess policy.

Cloudwatch

and then click Next: Tags

You can optionally add tags to the IAM user.

Click Next: Review

Review the settings and choose Create user.

You should get the Successful user creation message along with the User security Credentials.

You can download the security credentials as .csv file to your system.

Make a note of Access Key ID and Secret access key , We will be using it shortly.

Creating IAM policy

First we need to create an IAM policy with cloudwatch read access.

To create an IAM policy , In the navigation pane , Choose Policies

Click Create Policy and choose JSON , Remove the existing policy and then add the below policy.

{
"Version": "2012-10-17",
"Statement": [
   {
     "Sid": "AllowReadingMetricsFromCloudWatch",
     "Effect": "Allow",
     "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
     ],
     "Resource": "*" 
   },
   { "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
     "Effect": "Allow", 
     "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
     "Resource": "*"
   }
 ]
}

and click Review policy , provide a name for the IAM policy and click Create policy

Creating IAM Role

Next We need to create an IAM Role and attach the IAM policy with it.

Click Roles and then choose Create role , For AWS Service , Choose EC2 and click Next: permissions

Cloudwatch

Search for the policy that you have created and select it.

Click Next: Tags , Provide a name for the IAM Role and then click Create role.

Cloudwatch

After the role is created , Click the Role and there you will find a Role ARN as shown below.

arn:aws:iam::00000000000:role/role_name

Copy the Role ARN and the click Trust relationships , Click Edit trust relationship , Under Principal after Service , Add the Role ARN as shown below.

"AWS": "arn:aws:iam::00000000000:role/role_name"

Finally It should look similar to this.

Cloudwatch

And click Update Trust Policy

Attaching IAM Role with Grafana Instance

Now we need to attach the IAM role which we have created in the previous step with the Grafana EC2 Instance.

Login to EC2 Console , Choose Instances , Select the Grafana EC2 Instance.

under Actions , Hover to Instance settings and then click Attach/Replace IAM Role

Cloudwatch

Choose the IAM Role which you have created and Click Apply

Method 2 : Integrating Cloudwatch with Grafana using Credentials

This method should be used only if you are not running Grafana in AWS EC2 instance.

Configure Credentials

Login to the Grafana server , and then create a folder .aws and then within the folder create credentials file

mkdir .aws
touch credentials

And the add the AWS security credentials as shown below.

[default]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY
region = AWS_REGION

Replace ACCESS_KEY_ID AND SECRET_ACCESS_KEY with the actual values which we have generated before.

And also replace the AWS_REGION. For example : ap-southeast-1 : Singapore.

And Set the file permission as shown below.

chmod 600 credentials

Integrating Cloudwatch with Grafana

As said earlier , Cloudwatch can be integrated with Grafana in two methods.

  • Using Role ARN
  • Using Security Credentials

Method 1 : Integrating using IAM Role ARN

Login to Grafana Console , In the navigation , Hover to Settings icon and click Data Sources

Click Add data source

Cloudwatch

and then choose Cloudwatch

Cloudwatch

Under Cloudwatch details , For Auth Provider , Choose ARN

For Assume Role ARN , Paste the Role ARN of the IAM role and then choose the Default Region.

Click Save & Test.You should get a message as shown below.

Cloudwatch

We have successfully integrated Cloudwatch with Grafana using IAM Role.

Method 2 : Integrating using Security Credentials

Login to Grafana Console , In the navigation , Hover to Settings icon and click Data Sources

Click Add data source

This image has an empty alt attribute; its file name is Screenshot-from-2020-07-27-21-14-44.png

and then choose Cloudwatch

This image has an empty alt attribute; its file name is Screenshot-from-2020-07-27-21-15-28.png

Under Cloudwatch details , For Auth Provider , Choose Credentials file

Credentials profile name be default.

Choose the Default AWS region and then click Save & Test.

You should get the below response.

This image has an empty alt attribute; its file name is Screenshot-from-2020-07-27-21-18-04.png

We have integrated Cloudwatch with Grafana using Security Credentials.

Creating Dashboards

Lets go ahead and setup first dashboard.

Hover to + icon and click Dashboard , Click Choose Visualization , Select Graph

Click Query icon , Under Query , Choose Cloudwatch

The dashboard settings will look as shown below.

Cloudwatch

We have to add Metric and Dimensions

Click default and choose the AWS region.

Click select namespace and Choose the AWS service you want to monitor.

Click select metric , Choose the type of metric you want to monitor for the AWS service you have chosen.

For Stats , Choose Minimum

It should look something as shown below.

Cloudwatch

And For Dimensions , Choose EngineName = mysql

Cloudwatch

For this tutorial , I have created dashboard for RDS.Likewise we can create dashboard for other AWS services as well and we can setup alerting for the same.

Thanks for reading this article.

Hope you found it helpful.Please do check out my other articles.