🖥️ Unified CloudWatch Agent
The Unified CloudWatch Agent is software you install on EC2 instances or on-premises servers to collect additional system-level metrics and log files, then send them to CloudWatch.
🔑 Covers: What the Agent Collects · EC2 vs On-Prem · IAM Credentials for On-Prem · ConfigurationWhy Do We Need the CloudWatch Agent?
CloudWatch automatically collects basic EC2 metrics: CPU utilization, disk I/O, network I/O. But it does NOT collect:
- Memory utilization (RAM usage)
- Disk space used/free
- Process-level metrics
- Log files from the OS or applications
- Any data from on-premises servers (not AWS at all)
To get these, you install the Unified CloudWatch Agent on the server. The agent runs as a service and continuously collects these metrics/logs, then sends them to CloudWatch.
Answer: Install and configure the Unified CloudWatch Agent on the EC2 instances. These metrics are NOT available from CloudWatch without the agent.
What the Agent Collects
📊 Additional Metrics
- Memory utilization (%)
- Memory used/available (bytes)
- Disk space used/free (per partition)
- Disk I/O per disk
- Number of running processes
- CPU per core/state
- Network packets/sec
- Swap space usage
📝 Log Files
- Any log file on the server (specify path in config)
- Windows Event Logs
- Linux syslog, auth.log
- Application log files (Apache, Nginx, custom)
- All logs sent to CloudWatch Logs (to a log group you specify)
On-Premises — The Crucial IAM Difference
This is the most tested aspect of the CloudWatch Agent. The setup is different for EC2 vs on-premises.
🖥️ CloudWatch Agent on EC2
- EC2 instance has an instance profile (IAM role)
- The agent uses the IAM role automatically via the EC2 metadata service
- No credentials stored on the server
- Just attach a role with CloudWatch permissions to the EC2 instance
- Policy needed:
CloudWatchAgentServerPolicy
🏢 CloudWatch Agent on On-Premises Servers
- On-prem servers are NOT on AWS — no metadata service!
- Cannot use IAM roles
- Must create an IAM user with programmatic access
- Store IAM user's Access Key ID and Secret Access Key on the server
- Agent uses these credentials to authenticate to CloudWatch
- OR use AWS SSM Agent with hybrid activations (more secure)
✅ IAM User with access key credentials → CORRECT
❌ IAM Role → WRONG (IAM roles work via AWS metadata service, which on-prem servers don't have access to)
This exact scenario (Ubuntu on-prem server needing CloudWatch monitoring) appears in exam practice questions with "IAM role" as a wrong answer trap.
⚙️ Agent Configuration File
The agent is configured with a JSON file that specifies what to collect:
💡 Using SSM Parameter Store for Config Distribution
Instead of storing the config file on each server manually, store it in AWS Systems Manager Parameter Store. The agent can fetch its config from SSM automatically. This makes it easy to update config for hundreds of servers at once.