Monitoring your container instances - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Monitoring your container instances

You can configure your container instances to send log information to CloudWatch Logs. This enables you to view different logs from your container instances in one convenient location. This topic helps you get started using CloudWatch Logs on your container instances that were launched with the Amazon ECS-optimized Amazon Linux AMI.

For information about sending container logs from your tasks to CloudWatch Logs, see Using the awslogs log driver. For more information about CloudWatch Logs, see Monitoring Log Files in the Amazon CloudWatch User Guide.

CloudWatch Logs IAM Policy

Before your container instances can send log data to CloudWatch Logs, you must create an IAM policy to allow your container instances to use the CloudWatch Logs APIs, and then you must attach that policy to ecsInstanceRole.

To create the ECS-CloudWatchLogs IAM policy

  1. Open the IAM console at

  2. In the navigation pane, choose Policies.

  3. Choose Create policy, JSON.

  4. Enter the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }

  5. Choose Review policy.

  6. On the Review policy page, enter ECS-CloudWatchLogs for the Name and choose Create policy.
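
The policy in step 4 allows its four actions on every log group in every Region and account (`arn:aws:logs:*:*:*`). The following check is an added example, not part of the original AWS page: it reports which ARN fields a policy leaves open and builds a copy limited to one log-group prefix. The function names, Region, account ID and `/ecs/` prefix are constructed placeholders.

```python
import copy
import json

# The policy from step 4 of this page, reproduced verbatim.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
            "logs:PutLogEvents", "logs:DescribeLogStreams"],
 "Resource": ["arn:aws:logs:*:*:*"]}]}
""")


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """List (statement index, ARN, open fields) for Allow statements with '*' ARN fields."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6:  # bare "*" or malformed ARN: treat as fully open
                parts = [""] * 3 + ["*"] * 3
            names = ("region", "account", "resource")
            open_fields = [n for n, v in zip(names, parts[3:]) if v == "*"]
            if open_fields:
                findings.append((i, arn, open_fields))
    return findings


def scope_to_log_groups(policy, region, account_id, group_prefix, partition="aws"):
    """Return a copy whose logs-only Allow statements are limited to one log-group prefix."""
    scoped = copy.deepcopy(policy)
    base = f"arn:{partition}:logs:{region}:{account_id}:log-group:{group_prefix}*"
    for stmt in _as_list(scoped["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and actions and all(a.startswith("logs:") for a in actions):
            # Group ARN for group-level actions; the ":*" form covers its streams.
            stmt["Resource"] = [base, base + ":*"]
    return scoped


if __name__ == "__main__":
    print(wildcard_findings(PAGE_POLICY))
    # Constructed placeholders: region, account ID and "/ecs/" prefix are not from the page.
    print(json.dumps(scope_to_log_groups(PAGE_POLICY, "us-east-1", "111122223333", "/ecs/"), indent=2))
```

With a scoped policy, the log group names in the CloudWatch agent configuration must begin with the chosen prefix, otherwise the agent's calls are denied.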

To attach the ECS-CloudWatchLogs policy to ecsInstanceRole

  1. Open the IAM console at

  2. In the navigation pane, choose Roles.

  3. Choose ecsInstanceRole. If the role does not exist, follow the procedures in Amazon ECS container instance IAM role to create the role.

  4. In the navigation pane, choose Policies.

  5. Choose ECS-CloudWatchLogs.

  6. Choose Policy actions, Attach.

  7. To narrow the available policies to attach, for Filter, type ecsInstance.

  8. Select ecsInstanceRole and choose Attach policy.

Installing and configuring the CloudWatch agent

After you have added the ECS-CloudWatchLogs policy to your ecsInstanceRole, you can install the CloudWatch agent on your container instances.

For more information, see Download and configure the CloudWatch agent using the command line in the Amazon CloudWatch User Guide.

Viewing CloudWatch Logs

After you have given your container instance role the proper permissions to send logs to CloudWatch Logs, and you have configured and started the agent, your container instance should be sending its log data to CloudWatch Logs. You can view and search these logs in the Amazon Web Services Management Console.


New instance launches may take a few minutes to send data to CloudWatch Logs.

To view your CloudWatch Logs data

  1. Open the CloudWatch console at

  2. In the left navigation pane, choose Logs, Log groups.

  3. Choose a log group to view.

  4. Choose a log stream to view. The streams are identified by the cluster name and container instance ID that sent the logs.
