AWS CloudWatch
Connect AWS CloudWatch Logs to SigSentry using IAM credentials
The CloudWatch adapter uses CloudWatch Logs Insights to query log groups during analyses. You'll need an IAM principal with read access to the log groups you care about, plus the AWS region they live in.
Prerequisites
| Need | Notes |
|---|---|
| AWS account with CloudWatch Logs | Logs already flowing in |
| IAM credentials | Access Key ID + Secret Access Key, optionally a session token |
| Region | The AWS region where the log groups live |
| Log group names | At least one; the dashboard can autocomplete from your account |
IAM policy
Create an IAM user (or, better, an IAM role that SigSentry assumes with temporary STS credentials, entered via the Session Token field below) with this least-privilege policy. Replace <region> and <account-id> with your values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:StartQuery",
        "logs:GetQueryResults",
        "logs:StopQuery"
      ],
      "Resource": "arn:aws:logs:<region>:<account-id>:log-group:*"
    }
  ]
}
```

DescribeLogGroups is what powers the dashboard's log-group autocomplete. StartQuery / GetQueryResults / StopQuery are the Insights query lifecycle. Nothing in the policy lets SigSentry write to, delete or reconfigure log groups, and no action outside the logs: namespace is required; if a wizard or template offers logs:* or a managed full-access policy, don't use it.

For tighter scoping, replace :log-group:* with the specific ARNs of the log groups SigSentry should access, for example arn:aws:logs:<region>:<account-id>:log-group:/aws/lambda/checkout-api:*. Keep the trailing :* so the grant also covers the log streams inside that group. Not every logs: action is resource-scoped; if IAM rejects a tightened policy, or Test connection fails with AccessDeniedException on GetQueryResults even though StartQuery succeeded, check the CloudWatch Logs table in the IAM Service Authorization Reference and move the actions that accept no resource type into a separate statement with "Resource": "*".
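The scoping described above, as an added example that is not SigSentry's code: build_policy produces the policy document for a list of log group names (falling back to the account-wide :log-group:* form when no names are given), and lint_policy flags grants the adapter does not need, such as wildcard actions, write/delete actions, non-logs actions and resources not pinned to an account. The function names, the WRITE_ACTIONS set and the sample policies are assumptions constructed for this page.

```python
"""
Build the scoped CloudWatch Logs read policy for a set of log groups, and lint
a policy document for privileges the adapter does not need.

Added illustration, not SigSentry code. The function names, the WRITE_ACTIONS
set and the sample policies are assumptions constructed for this page.
"""
from __future__ import annotations

import json
from typing import Iterable

# The four actions the adapter uses (from the policy above).
REQUIRED_ACTIONS = (
    "logs:DescribeLogGroups",
    "logs:StartQuery",
    "logs:GetQueryResults",
    "logs:StopQuery",
)

# Assumed set of mutating actions a read-only query principal should never hold.
WRITE_ACTIONS = {
    "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DeleteLogGroup",
    "logs:DeleteLogStream", "logs:PutRetentionPolicy", "logs:PutResourcePolicy",
    "logs:DeleteResourcePolicy", "logs:PutSubscriptionFilter",
}


def log_group_arn(region: str, account_id: str, name: str) -> str:
    """ARN for one log group; the trailing ':*' also covers its log streams."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{name}:*"


def build_policy(region: str, account_id: str, log_groups: Iterable[str]) -> dict:
    """Policy scoped to the named groups, or to all groups in the account/region if none given."""
    names = list(log_groups)
    resources = ([log_group_arn(region, account_id, n) for n in names]
                 if names else [f"arn:aws:logs:{region}:{account_id}:log-group:*"])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            "Resource": resources,
        }],
    }


def _as_list(value) -> list:
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return findings about over-broad grants; an empty list means none were detected."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.startswith("logs:"):
                findings.append(f"statement {i}: {action!r} is outside the logs: namespace")
            elif action in WRITE_ACTIONS:
                findings.append(f"statement {i}: {action!r} mutates logs; not needed for read-only queries")
        for resource in _as_list(stmt.get("Resource", [])):
            parts = resource.split(":")  # arn:aws:logs:<region>:<account-id>:log-group:<name>[:*]
            if resource == "*" or len(parts) < 6 or parts[2] != "logs":
                findings.append(f"statement {i}: resource {resource!r} is not a CloudWatch Logs ARN")
            elif parts[4] in ("", "*"):
                findings.append(f"statement {i}: resource {resource!r} is not pinned to one account")
    return findings


if __name__ == "__main__":
    scoped = build_policy("us-east-1", "123456789012",
                          ["/aws/lambda/checkout-api", "/aws/lambda/billing-worker"])
    print(json.dumps(scoped, indent=2))
    print("findings:", lint_policy(scoped))
    # Constructed over-broad policy for contrast.
    loose = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}
    print("findings:", lint_policy(loose))
```

Run the lint over the policy you paste into the console, not only the one this script generates. If an action has to live in a statement with "Resource": "*", expect the lint to report it; review that statement by hand rather than loosening the check.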
Setup walkthrough
Create an IAM user with the policy above
In the AWS console, IAM → Users → Create user. Attach an inline policy with the JSON from the previous section and nothing else: this user exists only for SigSentry. After creation, go to Security credentials → Create access key and save the Access Key ID and Secret Access Key; the secret is shown only once, so put it straight into your secrets store rather than a chat or ticket. Treat the key as a long-lived credential: rotate it on your normal schedule and delete it when the log source is removed. If your environment can issue temporary credentials from an assumed role instead, use those together with the Session Token field below.
In SigSentry, add the log source
Navigate to Project → Log Sources → Add log source. Pick AWS CloudWatch as the type and give it a descriptive name like prod-cloudwatch.
Enter credentials
| Field | Value |
|---|---|
| Access Key ID | AKIA... from IAM (temporary STS keys start with ASIA and need a Session Token) |
| Secret Access Key | The secret you saved |
| Region | The region where your log groups live, e.g. us-east-1 |
| Session Token | Optional — for STS / assumed-role temporary credentials |
Add log groups
Paste log group names into the Log groups textarea, one per line. Or click Load log groups to fetch them from your account using the credentials you just provided — the dashboard autocompletes a dropdown.
```
/aws/lambda/checkout-api
/aws/lambda/billing-worker
/aws/ecs/api-gateway
```
Test the connection
Click Test connection. SigSentry will query a small recent window of logs across the configured groups and show you a few sample lines plus a "Connected" indicator. If you don't see logs, widen the test window or confirm the groups have recent activity.
Save
Click Save. The source is now active and will be queried during the next analysis on this project.
What you'll see in results
Each CloudWatch log line shown in an analysis includes:
- Timestamp
- Log level (parsed from the message: DEBUG, INFO, WARN, ERROR, etc.)
- Service name (inferred from the log group and log stream path)
- Message
- Log stream and log group carried through as metadata
If your services log structured JSON, the level is detected from the JSON; otherwise from the message prefix.
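The field mapping described above, as an added example that is not SigSentry's implementation: it takes rows in the shape CloudWatch Logs Insights GetQueryResults returns (a list of {"field", "value"} cells with @timestamp, @message, @log and @logStream), detects the level from a JSON level/severity key first and from the message prefix otherwise, and infers the service from the log-group path using the /app/<service>/... convention from the Quirks section with an /aws/<runtime>/<service> fallback. The JSON keys it checks, the path fallbacks and the sample rows are assumptions constructed for this page.

```python
"""
Illustrative enrichment of CloudWatch Logs Insights result rows into the fields
the results view lists: timestamp, level, service, message, log group/stream.

Added example, not SigSentry's implementation. The JSON keys checked for a
level, the /app/<service>/... and /aws/<runtime>/<service> path conventions and
the sample rows are assumptions constructed for this page.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "WARNING", "ERROR", "FATAL", "CRITICAL")
# Unstructured messages: level at the start, optionally bracketed, followed by a separator,
# so "Information about ..." does not match as INFO.
_PREFIX_RE = re.compile(r"^\s*\[?(" + "|".join(LEVELS) + r")\]?(?=[\s:\]-])", re.IGNORECASE)


def _normalize(level: str) -> str:
    level = level.upper()
    return "WARN" if level == "WARNING" else level


def detect_level(message: str) -> str | None:
    """Structured JSON first (level/severity keys), else the message prefix; None if neither."""
    text = message.strip()
    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except json.JSONDecodeError:
            obj = None  # looked like JSON but isn't; fall through to the prefix check
        if isinstance(obj, dict):
            for key in ("level", "severity", "log.level", "loglevel"):  # assumed key names
                value = obj.get(key)
                if isinstance(value, str) and value.upper() in LEVELS:
                    return _normalize(value)
            return None
    match = _PREFIX_RE.match(text)
    return _normalize(match.group(1)) if match else None


def infer_service(log_group: str) -> str | None:
    """/app/<service>/... first; else /aws/<runtime>/<service>; else the last path segment."""
    parts = [p for p in log_group.split("/") if p]
    if len(parts) >= 2 and parts[0] == "app":
        return parts[1]
    if len(parts) >= 3 and parts[0] == "aws":
        return parts[2]
    return parts[-1] if parts else None


def row_to_dict(row: list[dict]) -> dict:
    """GetQueryResults returns each row as a list of {"field": ..., "value": ...} cells."""
    return {cell["field"]: cell["value"] for cell in row}


def enrich(fields: dict) -> dict:
    """Map Insights system fields (@timestamp, @message, @log, @logStream) to result-view fields."""
    # @timestamp is "YYYY-MM-DD HH:MM:SS.mmm" in UTC; @log is "<account-id>:<log-group-name>".
    ts = datetime.strptime(fields["@timestamp"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    log_group = fields["@log"].split(":", 1)[1]
    message = fields["@message"].rstrip("\n")
    return {
        "timestamp": ts.isoformat(timespec="milliseconds"),
        "level": detect_level(message),
        "service": infer_service(log_group),
        "message": message,
        "log_group": log_group,
        "log_stream": fields["@logStream"],
    }


def _row(ts: str, log: str, stream: str, message: str) -> list[dict]:
    return [{"field": "@timestamp", "value": ts}, {"field": "@log", "value": log},
            {"field": "@logStream", "value": stream}, {"field": "@message", "value": message}]


# Constructed sample rows in the shape GetQueryResults returns.
SAMPLE_ROWS = [
    _row("2024-05-01 12:00:00.000", "123456789012:/aws/lambda/checkout-api",
         "2024/05/01/[$LATEST]abc123", '{"level":"error","msg":"payment declined","order":"o-123"}'),
    _row("2024-05-01 12:00:01.250", "123456789012:/app/billing/worker",
         "worker-1", "[WARN] retrying invoice sync (attempt 2)\n"),
    _row("2024-05-01 12:00:02.500", "123456789012:/aws/ecs/api-gateway",
         "ecs/api/7f3e", "listening on :8080"),
    _row("2024-05-01 12:00:03.000", "123456789012:/aws/ecs/api-gateway",
         "ecs/api/7f3e", '{"severity":"WARNING","msg":"Information about upstream latency"}'),
]


def enrich_rows(rows: list[list[dict]]) -> list[dict]:
    return [enrich(row_to_dict(row)) for row in rows]


if __name__ == "__main__":
    for record in enrich_rows(SAMPLE_ROWS):
        print(f'{record["timestamp"]} {record["level"] or "-":5} {record["service"]:<13} {record["message"]}')
```

The third sample row shows the failure mode to expect with plain-text services: no level is recoverable, so the level is None rather than a guess, and the service still comes from the path.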
Quirks
The service field is inferred from the log-group path and expects the /app/<service>/... convention; groups named differently may get a less useful service name. To override, use the project's AI context to spell out which log streams correspond to which services.
For cross-region setups, create separate log sources — one per region.
Troubleshooting
| Error | Fix |
|---|---|
| AccessDeniedException | The IAM principal lacks one of the four logs: actions, or the Resource ARN doesn't cover the log group (wrong region or account ID). Re-check the policy |
| ResourceNotFoundException | A log group in your list doesn't exist in the configured region. Check the name for typos and confirm the region |
| "Test connection succeeded but no sample logs" | The recent test window had no activity. Push a test log line and retry |
| ThrottlingException | Hitting the CloudWatch Logs Insights per-account quota on concurrent queries or API calls. Reduce query frequency or the number of log groups per source |
