AWS CloudWatch Logs

AWS CloudWatch Logs captures log data from AWS services and applications. Connecting it to OpsTower gives your agents the ability to query log groups, search for patterns, and investigate issues across your AWS infrastructure.

Once connected, agents can:

  • Query logs — search and filter CloudWatch log data using CloudWatch Logs Insights syntax.
  • List log groups — discover available log groups in your AWS account and region.

Agents construct CloudWatch Logs Insights queries automatically based on your natural language questions — you do not need to write query syntax yourself.

To set up this connection, you will need:

  1. AWS Access Key ID — the access key for an IAM user with CloudWatch Logs read permissions.
  2. AWS Secret Access Key — the corresponding secret key.
  3. Region — the AWS region where your logs are stored.
  4. Default Log Group (optional) — a log group to scope all queries to.

How to Create IAM Credentials for OpsTower

  1. Go to the AWS Console and navigate to IAM (Identity and Access Management).
  2. In the left sidebar, click Users, then click Create user.
  3. Enter a username (e.g., “opstower-readonly”) and click Next.
  4. On the permissions page, select Attach policies directly.
  5. Search for and attach one of the following:
    • The managed policy CloudWatchLogsReadOnlyAccess (recommended for simplicity), or
    • A custom policy with the minimum required permissions:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:StartQuery",
              "logs:GetQueryResults",
              "logs:DescribeLogGroups"
            ],
            "Resource": "*"
          }
        ]
      }
  6. Click Next, review the user details, and click Create user.
  7. Click on the newly created user to open their details.
  8. Go to the Security credentials tab.
  9. Under Access keys, click Create access key.
  10. Select Third-party service as the use case and confirm.
  11. Copy both the Access Key ID and the Secret Access Key immediately — the secret key will not be shown again.
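As an added example (not OpsTower's or AWS's own code), the following Python checks a policy document for the three actions listed above, flags an Allow on Resource "*" so you can decide whether to narrow it to specific log-group ARNs, and exercises the same StartQuery / GetQueryResults flow the agent uses so you can confirm the new key works before saving the connection. It assumes boto3 is installed and that the AWS credentials come from the environment; the function names are chosen here and are not part of the product.

```python
import fnmatch
import time
# The three actions named in the minimum custom policy above.
REQUIRED_ACTIONS = ("logs:StartQuery", "logs:GetQueryResults", "logs:DescribeLogGroups")


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def missing_actions(policy):
    """Return the required actions the policy does not grant. An action is granted
    only if an Allow statement matches it (literally or via a wildcard such as
    logs:*; matching is case-insensitive) and no Deny statement matches it."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]


def has_unscoped_allow(policy):
    """True if any Allow statement uses Resource "*", as the policy above does;
    prefer explicit log-group ARNs where your account layout allows it."""
    return any(stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
               for stmt in _as_list(policy.get("Statement")))


def run_insights_query(log_group, query, region, minutes=60, timeout=120):
    """Run one Logs Insights query with the StartQuery -> GetQueryResults flow the
    minimum policy permits. Assumes boto3 is installed and AWS credentials come
    from the environment; returns the result rows."""
    import boto3  # imported here so the policy checks above work without boto3
    logs = boto3.client("logs", region_name=region)
    now = int(time.time())
    query_id = logs.start_query(logGroupName=log_group, queryString=query,
                                startTime=now - minutes * 60, endTime=now)["queryId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] in ("Complete", "Failed", "Cancelled", "Timeout"):
            return resp["results"]
        time.sleep(1)  # poll; rows arrive once status is Complete
    # logs:StopQuery is not in the minimum policy, so leave the query to expire.
    raise TimeoutError(f"query {query_id} still running after {timeout}s")
```

A typical smoke test is `run_insights_query("/aws/lambda/my-function", "fields @timestamp, @message | limit 5", "us-east-1")`; an AccessDeniedException here means the attached policy is missing one of the three actions.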

Region

Enter the AWS region where your CloudWatch Logs are stored. This determines which regional endpoint OpsTower queries.

Common regions include:

  • us-east-1 (N. Virginia)
  • us-west-2 (Oregon)
  • eu-west-1 (Ireland)
  • eu-central-1 (Frankfurt)
  • ap-southeast-1 (Singapore)

If your application runs in multiple regions, create a separate connection for each region.

Default Log Group

You can specify a default log group to scope all queries to a specific source. This is useful if you want an agent focused on a particular service.

Examples:

  • /aws/lambda/my-function — scope to a specific Lambda function.
  • /aws/ecs/my-service — scope to an ECS service.
  • /aws/apigateway/my-api — scope to an API Gateway.

If you leave this field blank, agents can query across all log groups in the region. They will use the list log groups tool to discover available groups and target their queries accordingly.

Adding the Connection

  1. In OpsTower, navigate to Connections in the sidebar.
  2. Click Add Connection and select AWS CloudWatch Logs.
  3. Enter your AWS Access Key ID and AWS Secret Access Key.
  4. Enter the Region where your logs are stored.
  5. Optionally enter a Default Log Group to scope queries.
  6. Save the connection.

Once the connection shows a green status indicator, you can enable it on any Debugger agent to start querying your CloudWatch logs.