Tdd Apps

# Configure AWS Cloudwatch for Log Forwarders

Jul 1, 2016 2 minute read

AWS CloudWatch is a monitoring service to collect logs. It can be configured to accept multiple log sources. As with other AWS services Cloudwatch has detailed security and access control support. These are the steps I take to configure any log forwarder to Cloudwatch.

This guide will produce an Access Key Id and a Secret Access Key.

Configure an Access Policy

Policies are the backbone of AWS security. It is a good practice to write them as restrictive as possible. 1

1- Open the IAM Policies section
2- Select Create Policy Create Policy
3- Select Create Your Own Policy
4- Name it CloudWatchLogSender
5- Add the following text to the Policy Document section

    "Version": "2016-07-02",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [

What is this?: A policy that only Allows the actions CreateLogGroup, CreateLogStream, DescribeLogGroups, DescribeLogStreams, and PutLogEvents on any resource.

Create an AWS User

Having a specialized user just to forward logs can significantly limit the impact of any attack on the account. 2

1- Open the User Management Module
2- Create a new user named CloudWatchLogSender.
Make sure to save these security credentials because this is the last time you’ll see them
User Created
3- Open the CloudWatchLogSender user details page
4- Click the Attach Policy button in the Permissions tab
Attach Policy
5- Attach the CloudWatchLogSender policy

Your user summary should look like this
User Summary


We have created the necessary security provisions to forward logs to AWS Cloudwatch from any source. Moreover, we have credentials that can be used by any forwarder compatible with Cloudwatch.

  1. More Info on AWS policies

  2. Restrictive access controls limit the risk of somebody using your account to mine Bitcoins or some other crazy thing. 

Never miss a post. Subscribe to our newsletter