Overview

Connect CloudWatch to give TierZero access to your AWS logs, metrics, and alarms. TierZero queries CloudWatch during investigations to analyze log patterns, metric trends, and alarm states.

Prerequisites

  • An AWS integration configured with IAM role assumption
  • CloudWatch log groups and metrics in your AWS account

Setup Instructions

Step 1: Configure AWS Integration

If you haven’t already, set up the AWS integration first. CloudWatch access is provided through the AWS IAM role.

Step 2: Navigate to Integration Settings

  1. Go to Settings → Integrations
  2. Click Connect next to CloudWatch
  3. Select the AWS region(s) where your CloudWatch data resides

Step 3: Verify Access

TierZero will validate that it can access CloudWatch using the configured IAM role.

Required IAM Permissions

The IAM role must include these CloudWatch permissions:
{
  "Effect": "Allow",
  "Action": [
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "cloudwatch:GetMetricData",
    "cloudwatch:ListMetrics",
    "cloudwatch:DescribeAlarms"
  ],
  "Resource": "*"
}

What TierZero Accesses

  • Log groups and log streams: Query and filter log events
  • Metrics: Query metric data and timeseries
  • Alarms: View alarm configurations and state

Integration Resources

After connecting CloudWatch, configure Integration Resources:
  • log_groups.json: List of CloudWatch log groups and their fields
  • metrics.json: List of CloudWatch metrics to monitor

Security

  • Access is provided through IAM role assumption, so no long-lived credentials are needed
  • Read-only access only
  • Revoke by updating the IAM role’s permissions or trust policy

Troubleshooting

"Access Denied" on Log Queries

  • Verify the IAM role includes logs:GetLogEvents and logs:FilterLogEvents
  • Check that the role has access to the specific log groups being queried
  • Ensure the correct AWS region is selected
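The following script is an added example, not part of the TierZero documentation or product, for checking an IAM policy document offline before attaching it to the integration role. It covers the Required IAM Permissions, Security (read-only) and Troubleshooting points above: it reports required actions that no Allow statement grants, allowed logs:/cloudwatch: actions that fall outside a simple read-only verb allow-list (an assumption of this script, not an AWS classification), and actions granted with Resource "*" so you can decide whether to scope log access to specific log groups. The sample policies, including the log group ARN and account id, are constructed placeholders.

```python
import fnmatch
import json
from typing import Any, Dict, List

# Actions the page lists as required for the CloudWatch integration.
REQUIRED_ACTIONS = (
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "cloudwatch:GetMetricData",
    "cloudwatch:ListMetrics",
    "cloudwatch:DescribeAlarms",
)

# Assumption: for these two services, actions whose name starts with one of
# these verbs are treated as read-only. A wildcard name such as "*" in
# "logs:*" does not match, so it is reported as a potential write grant.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Filter")
WATCHED_SERVICES = ("logs", "cloudwatch")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_cloudwatch_policy(policy: Dict[str, Any]) -> Dict[str, List[str]]:
    """Inspect an IAM policy document and report three things:
    missing        - required actions that no Allow statement grants
    not_read_only  - allowed logs:/cloudwatch: actions outside the read-only prefixes
    wildcard_scope - allowed logs:/cloudwatch: actions granted with Resource "*"
    """
    allowed: List[str] = []
    not_read_only: List[str] = []
    wildcard_scope: List[str] = []

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never satisfy a requirement; skipped here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            service, _, name = action.partition(":")
            if service not in WATCHED_SERVICES and service != "*":
                continue  # unrelated service; out of scope for this check
            allowed.append(action)
            if not name.startswith(READ_ONLY_PREFIXES):
                not_read_only.append(action)
            if "*" in resources:
                wildcard_scope.append(action)

    # A required action is satisfied if any allowed pattern (e.g. "logs:*") matches it.
    missing = [
        req for req in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(req, pattern) for pattern in allowed)
    ]
    return {
        "missing": missing,
        "not_read_only": sorted(set(not_read_only)),
        "wildcard_scope": sorted(set(wildcard_scope)),
    }


# Constructed sample policies (only the action list comes from the page).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}

OVERBROAD_POLICY = {  # grants writes: "logs:*" and cloudwatch:PutMetricData
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
                    "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricData"],
         "Resource": "*"},
    ],
}

SCOPED_POLICY = {  # log reads scoped to one placeholder log group; FilterLogEvents omitted
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/example/app:*"},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "cloudwatch:GetMetricData",
                    "cloudwatch:ListMetrics", "cloudwatch:DescribeAlarms"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, pol in (("page", PAGE_POLICY), ("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, json.dumps(check_cloudwatch_policy(pol), indent=2))
```

Run it against the policy attached to the integration role before enabling the integration. An empty "missing" list rules out the permission cause of an "Access Denied" on log queries, a non-empty "not_read_only" list means the role grants more than the read-only access the Security section describes, and the "wildcard_scope" list shows which log actions you could narrow to specific log group ARNs if your environment requires it.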