AWS

Stack Monitors

Monitor AWS Infrastructure with Crowswatch

Monitor infrastructure health, service availability, and resource utilisation across your AWS accounts and regions directly from Crowswatch.

What This Integration Provides

  • EC2 metrics: CPU, memory, network, and disk utilisation per instance
  • RDS health: database connections, query latency, and storage usage
  • CloudFront: request volume, error rates, and cache performance
  • S3: request counts, data transfer, and error rates
  • Lambda: invocations, duration, error rate, and throttles
  • ELB / ALB: request counts, latency, and unhealthy host counts
  • CloudWatch alarms: current alarm state across your account
  • Billing: estimated monthly charges by service

Requirements

RequirementDetail
AWS accountAny tier
IAM user or roleWith read-only CloudWatch and Cost Explorer permissions
Access key ID & secretGenerated for the IAM user
AWS regionThe primary region to monitor
Estimated setup time~10 minutes

Step 1: Generate Credentials

Create a dedicated IAM user:

  1. Log in to the AWS Management Console
  2. Go to IAM → Users → Create user
  3. Name the user (e.g. crowswatch-monitor)
  4. Select Attach policies directly and attach:
    • CloudWatchReadOnlyAccess
    • AWSBillingReadOnlyAccess (optional, for cost metrics)
  5. Click Create user
  6. Open the user → Security credentials → Create access key
  7. Select Third-party service as the use case
  8. Copy the Access Key ID and Secret Access Key. The secret is only shown once
Prefer IAM roles with least-privilege policies over broad managed policies where possible.

Step 2: Locate Required IDs

AWS Account ID

  1. Click your account name in the top-right of the AWS Console
  2. The Account ID (12-digit number) is shown in the dropdown

Region

  1. The active region is shown in the top-right of the AWS Console (e.g. eu-west-1)
  2. Select the region where your primary resources are deployed

Step 3: Add Credentials to Crowswatch

Navigate to: Crowswatch → Add Service → AWS

FieldValue
Access Key IDFrom the IAM user created in Step 1
Secret Access KeyFrom the IAM user created in Step 1
AWS RegionYour primary region (e.g. eu-west-1)
Account IDYour 12-digit AWS Account ID

Available Metrics

EC2

  • CPU utilisation (%)
  • Network in/out (bytes)
  • Disk read/write ops
  • Instance status checks

RDS

  • Database connections
  • Read/write latency (ms)
  • Free storage space
  • CPU utilisation

Lambda

  • Invocation count
  • Duration (ms)
  • Error rate (%)
  • Throttle count
  • Concurrent executions

CloudFront

  • Total requests
  • Error rate (4xx, 5xx)
  • Cache hit rate
  • Bytes downloaded

S3

  • Number of requests
  • Bytes uploaded/downloaded
  • 4xx / 5xx error count

Load Balancers (ELB / ALB)

  • Request count
  • Target response time
  • Unhealthy host count
  • HTTP 5xx count

CloudWatch Alarms

  • Alarm state (OK / ALARM / INSUFFICIENT_DATA)
  • Alarm history

Billing

  • Estimated total charges
  • Charges broken down by service

Connect

  1. Enter your Access Key ID, Secret Access Key, Region, and Account ID
  2. Click Verify to test the connection
  3. Select the services and metrics to track
  4. Click Connect

Security

  • Never use root account credentials. Always create a dedicated IAM user
  • Grant only the permissions listed above. No write access is required
  • Enable MFA on the IAM user for additional security
  • Rotate access keys periodically
  • Consider using IAM roles with cross-account trust if monitoring multiple accounts
  • Restrict the IAM policy to specific resource ARNs where possible

Troubleshooting

Authentication error

Verify the Access Key ID and Secret Access Key are correct. Ensure the IAM user is active and not suspended. Check that the key has not been rotated or deactivated.

No metrics appearing

Confirm the IAM user has CloudWatchReadOnlyAccess attached. Verify the selected region matches where your resources are deployed. Some services (e.g. CloudFront) publish metrics to us-east-1 regardless of your region.

Billing data missing

Ensure AWSBillingReadOnlyAccess is attached to the IAM user. Billing metrics are only available from the us-east-1 region.

Partial service coverage

Resources in other regions will not appear unless you add a separate Crowswatch connection for each region.