# CloudWatch

This guide provides step-by-step instructions for integrating your Amazon Web Services (AWS) CloudWatch logs with slaOS. This integration allows slaOS to collect metrics, logs, and other critical data necessary to monitor your AWS environment effectively.

{% hint style="info" %}
The [app.rated.co](https://app.rated.co) interface guides you step-by-step, all the way through to a successful Cloudwatch integration!  
{% endhint %}

## Prerequisites

Before you begin, ensure you have the following:

* An active AWS account with administrative access
* Access to AWS Identity and Access Management (IAM)
* Your slaOS account credentials

## Integration Steps

### Step 1: Creating an AWS IAM Policy

To enable slaOS to access your CloudWatch logs, you need to create an AWS IAM policy with the necessary permissions.

1. **Log into AWS Management Console:** Navigate to the IAM service.
2. **Create a New Policy:** Use the JSON editor and paste the following policy document:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "LogAccess",
         "Effect": "Allow",
         "Action": [
           "logs:FilterLogEvents",
           "logs:DescribeLogGroups"
         ],
         "Resource": "arn:aws:logs:*:*:*"
       }
     ]
   }
   ```
3. **Name the Policy:** Assign a name such as `RatedSLIQueryAccessPolicy`.
4. **Review and Create:** Complete the policy creation process.

### Step 2: Creating an AWS IAM User

Next, create an IAM user to associate with the slaOS integration.

1. **Navigate to IAM Users:** In the IAM console, click on "Users" in the left sidebar, then select "Add user."
2. **Configure User Details:**
   * Choose a username (e.g., `RatedIntegrationUser`).
   * Select "Access key - Programmatic access" for the AWS access type.
3. **Attach the Policy:**
   * On the permissions page, select "Attach existing policies directly."
   * Search for and select the `RatedSLIQueryAccessPolicy` created earlier.
4. **Finalize User Creation:** Review and create the user.

### Step 3: Generating and Managing Access Keys

Once the user is created, generate the access keys necessary for slaOS to access your logs.

1. **Download the Access Keys:** On the "Success" page, download the CSV file containing the access key ID and secret access key.
2. **Missed Download?** If you missed this step, you can generate a new secret access key for the IAM user later via the IAM console.

### Step 4: Submitting keys to slaOS

After generating your AWS access keys, the next step is to add these credentials to slaOS for verification:

{% tabs %}
{% tab title="slaOS dashboard" %}

1. During the onboarding process in the slaOS user interface, you'll be prompted to enter your AWS credentials.
2. Input your AWS Access Key ID and Secret Access Key in the designated fields.

<figure><img src="/files/K48lCFp7wocK78hkgQlC" alt="" width="375"><figcaption><p>slaOS integrations workflow for Cloudwatch</p></figcaption></figure>

3. The slaOS system will automatically verify your credentials to ensure they have the necessary permissions.
4. Depending on your integration needs, slaOS will verify access to logs, metrics, or both.
   {% endtab %}

{% tab title="Self-hosted" %}
If you're using a self-hosted version of slaOS, you'll need to manually add your AWS credentials to the configuration file:

1. Locate your slaOS configuration YAML file.
2. Add the following section to your YAML file, replacing the placeholder values with your actual AWS credentials:

```yaml
cloudwatch:
  region: us-east-1
  aws_access_key_id: AKIA6XXXXXXXXXX
  aws_secret_access_key: 5/XXXXXXXXXXXXXXXXXXXXXXXX
```

{% hint style="info" %}
For more detailed information about CloudWatch configuration in self-hosted environments, refer to the [self-hosted page](/onboarding-your-data/self-hosting.md) in our documentation. Alternatively, you can find example templates in our [GitHub repository](https://github.com/rated-network/rated-log-indexer).
{% endhint %}
{% endtab %}
{% endtabs %}

### Step 5: Selecting Log Groups and Streams

For slaOS to effectively query and parse your logs, it is essential to define the correct scopes. Scopes determine which parts of your log data will be accessible to slaOS, including the following:

* **Log Groups:** Specify the CloudWatch log groups that should be included.
* **Log Streams:** Define the log streams within each group that contain relevant data. It is not mandatory to specify this.

### Step 6: Using CloudWatch Filter Patterns (*Optional*)

When setting up your CloudWatch logs for slaOS, you may want to use CloudWatch's native `filter_pattern` tool to filter logs. This tool allows you to specify which logs should be included based on your defined patterns.

{% embed url="<https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html>" %}

{% hint style="danger" %}
slaOS does not verify the validity of the `filter_pattern` you provide. You are fully responsible for ensuring that your `filter_pattern` is correctly configured according to CloudWatch's native log filtering rules. Incorrect patterns may lead to missed log data or improper parsing.
{% endhint %}

## Frequently Asked Questions (FAQ)

### Can I restrict access to specific log groups or regions?

**Yes:** You can modify the `Resource` field in the IAM policy. For example:

* To restrict access to a specific region: `"arn:aws:logs:us-west-2:*:*"`
* To restrict access to specific log groups: `"arn:aws:logs:*:*:log-group:/aws/lambda/my-function:*"`

### What happens if I need to rotate my AWS access keys?

Generate new access keys in the AWS IAM console and update them in your slaOS integration settings. Ensure you delete the old keys after confirming the new ones work.

### How often does slaOS collect data from CloudWatch?

slaOS collects data in near real-time, typically with a delay of a few minutes depending on CloudWatch's own latency.

### Is it safe to use the `ingestion_key` in logs?

The `ingestion_key` is not an API key or bearer token and does not provide access to other slaOS functionalities. While it has limited access, it's important to understand its security implications:

{% tabs %}
{% tab title="slaOS-managed" %}
**Don't Worry:** If you're using the slaOS-managed cloud version, security measures are already in place to protect your `ingestion_key`. You don't need to handle these concerns directly.

slaOS manages:

* Built-in rate limiting and anomaly detection
* Isolation of your environment
* Key rotation as needed

You rarely need to handle or log the `ingestion_key` directly, further reducing any risk.
{% endtab %}

{% tab title="Self-hosted" %}
For Self-Hosted slaOS Users:

1. **Potential Risks:**
   * Unauthorized data injection
   * Resource consumption from large data volumes
2. **Security Recommendations:**
   * Treat as a secret; mask or remove from logs
   * Implement rate limiting
   * Monitor ingestion patterns for anomalies

If you suspect your data is being tampered with, you can contact slaOS support to refresh your keys.
{% endtab %}
{% endtabs %}

***

For any additional questions or issues, please contact the slaOS support team on Slack.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.rated.co/onboarding-your-data/integrations/cloudwatch.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.