Overview
Connect CloudWatch to give TierZero access to your AWS logs, metrics, and alarms. TierZero queries CloudWatch during investigations to analyze log patterns, metric trends, and alarm states.
Prerequisites
- An AWS integration configured with IAM role assumption
- CloudWatch log groups and metrics in your AWS account
Setup Instructions
Step 1: Configure AWS Integration
If you haven't already, set up the AWS integration first. CloudWatch access is provided through the AWS IAM role.
Step 2: Navigate to Integration Settings
- Go to Settings → Integrations
- Click Connect next to CloudWatch
- Select the AWS region(s) where your CloudWatch data resides
Step 3: Verify Access
TierZero will validate that it can access CloudWatch using the configured IAM role.
Required IAM Permissions
If you used the Terraform setup for AWS, CloudWatch and Logs permissions are already included in the monitoring-observability-readonly inline policy.
If you attached managed policies manually, ensure CloudWatchReadOnlyAccess is attached to the role. At a minimum, the role needs:
What TierZero Accesses
- Log groups and log streams: Query and filter log events
- Metrics: Query metric data and timeseries
- Alarms: View alarm configurations and state
Integration Resources
After connecting CloudWatch, TierZero uses these resource catalogs:
- log_groups.json: List of CloudWatch log groups and their fields
- metrics.json: List of CloudWatch metrics to monitor
Security
- Access is provided through IAM role assumption, so no long-lived credentials are needed
- Read-only access only
- Revoke by updating the IAM role's permissions or trust policy
Troubleshooting
"Access Denied" on Log Queries
- Verify the IAM role includes logs:GetLogEvents and logs:FilterLogEvents
- Check that the role has access to the specific log groups being queried
- Ensure the correct AWS region is selected
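The following is an added example, not TierZero's own tooling, that covers both the Required IAM Permissions section and the "Access Denied" troubleshooting steps above. It statically checks an IAM policy document before the role is used: it reports required read actions the policy does not grant, flags statements that would make the role more than read-only (write verbs or a service-wide wildcard), and tests whether a specific log group ARN is covered by the policy's Resource scoping, which is the usual cause of an Access Denied on one log group when others work. The page names only logs:GetLogEvents and logs:FilterLogEvents; the other entries in REQUIRED_ACTIONS are real CloudWatch and Logs read actions but are this example's assumption of a reasonable minimum, and the sample policies, account id, and log group ARNs are constructed placeholders.

```python
"""Static read-only checks for the IAM policy attached to the CloudWatch role.

Added example, not TierZero's code. Condition, NotAction and NotResource are
not evaluated; use the IAM policy simulator for an authoritative answer.
"""
import fnmatch
import json

# Read actions the role needs. logs:GetLogEvents and logs:FilterLogEvents come
# from the page; the rest are this example's assumed minimum for a read-only role.
REQUIRED_ACTIONS = (
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
    "cloudwatch:ListMetrics",
    "cloudwatch:GetMetricData",
    "cloudwatch:DescribeAlarms",
)

# Verb prefixes that mutate state; a read-only role must not grant them.
WRITE_VERBS = ("Put", "Delete", "Create", "Update", "Set", "Enable", "Disable",
               "Tag", "Untag", "Associate", "Disassociate")


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'), case-insensitive for actions."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def grants_write(action_pattern):
    """True if an Action pattern could grant a mutating call.

    '*' and 'service:*' count as write-capable: they cover every verb in the
    service, which is exactly what a read-only role is meant to avoid.
    """
    if action_pattern == "*" or action_pattern.endswith(":*"):
        return True
    _, _, verb = action_pattern.partition(":")
    return verb.startswith(WRITE_VERBS)


def check_policy(policy_json):
    """Return {'missing': [...], 'write_grants': [...]} for a policy document."""
    policy = json.loads(policy_json)
    allows = [a for s in _statements(policy, "Allow") for a in _as_list(s.get("Action"))]
    denies = [a for s in _statements(policy, "Deny") for a in _as_list(s.get("Action"))]
    missing = [
        action for action in REQUIRED_ACTIONS
        if not any(_matches(p, action) for p in allows)
        or any(_matches(p, action) for p in denies)  # an explicit Deny always wins
    ]
    write_grants = sorted({p for p in allows if grants_write(p)})
    return {"missing": missing, "write_grants": write_grants}


def covers(policy_json, action, resource_arn):
    """True if some Allow statement matches both the action and the resource ARN.

    This is the check behind "the role has access to the specific log groups":
    a statement scoped to one log group's ARN grants nothing on another group,
    or on the same group name in a different region, even though the action
    itself is allowed.
    """
    policy = json.loads(policy_json)
    for stmt in _statements(policy, "Allow"):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))) and \
           any(_matches(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            return True
    return False


# Constructed samples (placeholder account id and log group names). CloudWatch
# Logs reports log group ARNs with a trailing ':*', so the ARNs keep that form.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*"
OTHER_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/payments:*"

MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
})

# Grants GetLogEvents but not FilterLogEvents, and only on one log group:
# filter-based queries fail, and so does any query against another group.
TOO_NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents",
                   "cloudwatch:GetMetricData", "cloudwatch:DescribeAlarms"],
        "Resource": LOG_GROUP_ARN,
    }],
})

# 'logs:*' also covers PutLogEvents and DeleteLogGroup: no longer read-only.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["logs:*", "cloudwatch:Describe*"], "Resource": "*"}],
})

if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL_POLICY), ("too-narrow", TOO_NARROW_POLICY),
                      ("overbroad", OVERBROAD_POLICY)):
        print(name, check_policy(doc))
    print("orders covered:", covers(TOO_NARROW_POLICY, "logs:GetLogEvents", LOG_GROUP_ARN))
    print("payments covered:", covers(TOO_NARROW_POLICY, "logs:GetLogEvents", OTHER_GROUP_ARN))
```

Run it against the policy document attached to the role (for example the output of `aws iam get-role-policy`) before connecting the integration; an empty `missing` list with an empty `write_grants` list is the read-only shape the Security section describes, and a `False` from `covers` for a log group that TierZero queries explains the Access Denied without touching the account.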