Rocketgraph can pull logs and metrics directly from AWS CloudWatch. You create a read-only IAM user or role in your AWS account, then add the credentials in Rocketgraph.
Prerequisites
- An AWS account with CloudWatch logs and/or metrics you want to query
- Permission to create IAM users or roles in your AWS account
- A Rocketgraph account — sign up here
1. Create a read-only IAM policy
In the AWS IAM console, create a new policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
Name the policy RocketgraphReadOnly or similar.
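To confirm that the policy attached to the datasource user still grants only the actions listed above (for example after someone edits it later), you can audit the exported policy JSON. This is an added example, not Rocketgraph's code; `audit_policy`, `EXPECTED_ACTIONS` and the drifted sample policy are names and data constructed for illustration.

```python
import json

# Actions copied from the policy on this page; IAM matches action names case-insensitively.
EXPECTED_ACTIONS = {a.lower() for a in (
    "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents",
    "logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery",
    "logs:GetQueryResults", "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
)}

def _as_list(value):
    # IAM accepts a single string or object where a list is otherwise expected.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return (severity, message) findings; a "violation" grants more than the set above."""
    findings = []
    policy = json.loads(policy_text)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only remove access
        if "NotAction" in stmt:
            findings.append(("violation", f"statement {idx}: Allow with NotAction grants every action not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(("violation", f"statement {idx}: wildcard action {action!r}"))
            elif action.lower() not in EXPECTED_ACTIONS:
                findings.append(("violation", f"statement {idx}: unexpected action {action!r}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(("note", f'statement {idx}: Resource "*" covers every log group and metric in the account'))
    return findings

# Constructed sample: the page's policy after someone widened it.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:GetLogEvents", "logs:*", "logs:DeleteLogGroup"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for severity, message in audit_policy(DRIFTED_POLICY):
        print(f"{severity}: {message}")
```

The policy exactly as written on this page produces a single `note` about `"Resource": "*"` and no violations.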
2. Create an IAM user and attach the policy
- Go to IAM → Users → Create user
- Give the user a name (e.g. rocketgraph-datasource)
- Select Attach policies directly and attach the policy you created above
- Once created, go to the user’s Security credentials tab
- Under Access keys, click Create access key → choose Third-party service
- Copy the Access Key ID and Secret Access Key — you will need these in the next step
Store the secret access key securely. You will not be able to view it again after closing the dialog.
3. Add CloudWatch as a datasource in Rocketgraph
- Log in to Rocketgraph
- Navigate to the Datasources tab
- Click Add datasource and select AWS CloudWatch
- Enter your:
  - AWS Region (e.g. us-east-1)
  - Access Key ID
  - Secret Access Key
- Click Save — Rocketgraph will verify the connection
Once connected, your CloudWatch log groups and metrics will be available for querying, alerting, and AI analysis in Rocketgraph.