Sumo Logic

Grant Access to Read CloudWatch Metrics

Before configuring an AWS CloudWatch Source, you'll need to grant Sumo permissions to list available metrics and get metric datapoints.

To grant Amazon CloudWatch permissions

  1. Sign in to the AWS Management Console.
  2. On the Amazon Web Services page, click IAM.
  3. Click Users.
  4. Click Add user.
  5. Enter the user name (such as SumoLogicMetrics), check the Programmatic access box, and click Next: Permissions.
  6. Assuming that you do not already have a group, click Create group.
  7. Enter a name for the group, for example SumoGroup, and click Create Group.
  8. Click Next: Review.
  9. Click Create User.
  10. The user is created. Click Show if desired to view the Secret Access Key for the new user. Then click Download Credentials to download a .csv file with this information. You'll provide the credentials to Sumo Logic.
  11. Click Close.
  12. On the Users page, click the user you just created.
  13. Click Add Inline Policy.
  14. Under Set Permissions, choose Custom Policy, then click Select.
  15. For Policy Name, enter "sumo-cloudwatch" or something similar, so your organization is aware of why this policy was created. Then, enter the JSON parameters for the policy. (See the “Policy JSON” section in this topic to copy and paste a recommended policy.) Click Validate Policy.
  16. The page updates and indicates whether your policy is valid.
  17. Click Apply Policy. The Summary page appears.

Policy JSON

We recommend using the following JSON to create a policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

All of the Action parameters that are shown are required. 
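
Before handing the user's keys to Sumo Logic, it is worth confirming that the inline policy grants the three required actions and nothing broader. The following is an added example, not Sumo Logic or AWS code: audit_policy is a hypothetical helper, and the second policy is a constructed sample.

```python
import json
from fnmatch import fnmatchcase

# The three actions the recommended policy above lists as required.
REQUIRED_ACTIONS = ("cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                    "ec2:DescribeInstances")

def _as_list(value):
    """IAM accepts either a single string or a list for Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json):
    """Compare a policy's Allow/Action grants with REQUIRED_ACTIONS.

    Deny and NotAction statements are not evaluated (assumption: the policy
    under review is a simple allow-list like the one on this page).
    """
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement object is legal
        stmts = [stmts]
    allowed = []
    for stmt in stmts:
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action")))
    # IAM action names are case-insensitive, so compare in lower case.
    patterns = [a.lower() for a in allowed]
    required = [r.lower() for r in REQUIRED_ACTIONS]
    missing = [r for r in REQUIRED_ACTIONS
               if not any(fnmatchcase(r.lower(), p) for p in patterns)]
    wildcards = sorted(a for a in allowed if "*" in a or "?" in a)
    extra = sorted(a for a in allowed
                   if a not in wildcards and a.lower() not in required)
    return {"missing": missing, "extra": extra, "wildcards": wildcards}

# The policy recommended on this page.
RECOMMENDED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Action": list(REQUIRED_ACTIONS),
                   "Effect": "Allow", "Resource": "*"}]})

# Constructed sample: over-broad on CloudWatch, unrelated S3 grant, no EC2.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Resource": "*",
                  "Action": ["cloudwatch:*", "s3:GetObject"]}})

if __name__ == "__main__":
    for name, doc in (("recommended", RECOMMENDED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc))
```

An empty result in all three lists means the policy matches the recommended one; anything under "extra" or "wildcards" is permission the CloudWatch Source does not need.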

Managing Access Keys

When configuring a CloudWatch Source, you'll need to provide the Access Key ID and Secret Access Key (tokens) for this user to Sumo Logic. Security, token, and access settings are handled through Amazon Web Services Identity & Access Management.

For instructions on using Identity & Access Management, and to learn about the options available to your organization, see AWS Identity and Access Management (IAM).