EC2 does not send memory or disk metrics to CloudWatch by default - only CPU, network and status checks. The CloudWatch agent runs inside the instance and collects system-level metrics and logs directly.


Prerequisites


Attach IAM role to the instance

The agent needs permission to write metrics and logs to CloudWatch. In the AWS console:

  1. EC2 > Instances > select your instance
  2. Actions > Security > Modify IAM role
  3. Attach a role that has the CloudWatchAgentServerPolicy managed policy

If no such role exists, create one:

  1. IAM > Roles > Create role
  2. Trusted entity: AWS service > EC2
  3. Add permission: CloudWatchAgentServerPolicy
  4. Name it (e.g. ec2-cloudwatch-agent-role) and create

Install the agent

SSH into the instance, then run the appropriate command for your OS.

Amazon Linux 2:

sudo yum install -y amazon-cloudwatch-agent

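Ubuntu (the agent is not in Ubuntu's default apt repositories, so install the .deb that AWS publishes; amd64 build shown):

wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb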

Configure the agent

Run the configuration wizard - it steps through metrics and log collection interactively:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

Alternatively, create a config file manually at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json:

{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "root"
  },
  "metrics": {
    "namespace": "CWAgent",
    "metrics_collected": {
      "mem": {
        "measurement": ["mem_used_percent"]
      },
      "disk": {
        "measurement": ["disk_used_percent"],
        "resources": ["/"]
      }
    }
  }
}

This config collects memory and disk usage every 60 seconds and publishes them under the CWAgent namespace.


Start the agent

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
  -a fetch-config \
  -m ec2 \
  -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json \
  -s

Verify

Check the agent is running:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status

Expected output:

{
  "status": "running",
  "starttime": "...",
  "version": "..."
}

In the AWS console, go to CloudWatch > Metrics > All metrics > CWAgent to confirm metrics are coming in. Give it 2-3 minutes after starting for metrics to show up.


Notes

  1. If the instance had no IAM role before, restart the agent after attaching the role - it picks up credentials on start
  2. The wizard config is saved to /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json by default
  3. To collect logs, add a logs block to the config pointing to the log file paths
  4. Agent logs are at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log - check here if metrics are not appearing
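
An added example (not from the original page or from AWS): a Python check to run over amazon-cloudwatch-agent.json before fetch-config. It builds the logs block that note 3 describes and flags the root run_as_user from the manual config plus log entries with wildcard paths or no retention. The log path, log group name, 30-day retention and finding texts are assumptions; cwagent is the account the agent package normally creates, and it must be able to read the log files listed.

```python
import copy
import json

# The manual config from this page, embedded as sample input.
PAGE_CONFIG = json.loads("""
{"agent": {"metrics_collection_interval": 60, "run_as_user": "root"},
 "metrics": {"namespace": "CWAgent", "metrics_collected": {
   "mem": {"measurement": ["mem_used_percent"]},
   "disk": {"measurement": ["disk_used_percent"], "resources": ["/"]}}}}
""")

def add_logs(cfg, files, retention_days=30):
    """Return a copy of cfg with a logs block; files maps path -> log group."""
    out = copy.deepcopy(cfg)
    out["logs"] = {"logs_collected": {"files": {"collect_list": [
        {"file_path": path, "log_group_name": group,
         "log_stream_name": "{instance_id}", "retention_in_days": retention_days}
        for path, group in files.items()]}}}
    return out

def audit(cfg):
    """Return least-privilege and hygiene findings for an agent config."""
    findings = []
    # The agent runs as root when run_as_user is omitted.
    if cfg.get("agent", {}).get("run_as_user", "root") == "root":
        findings.append("run_as_user: agent runs as root")
    entries = (cfg.get("logs", {}).get("logs_collected", {})
                  .get("files", {}).get("collect_list", []))
    for entry in entries:
        path = entry.get("file_path", "")
        if not path:
            findings.append("logs: entry without file_path")
        if "*" in path:
            findings.append(f"logs: wildcard path {path} may ship unintended files")
        if "retention_in_days" not in entry:
            findings.append(f"logs: {path} has no retention_in_days")
    return findings

if __name__ == "__main__":
    # Constructed log path and group name, for illustration only.
    hardened = add_logs(PAGE_CONFIG, {"/var/log/myapp/app.log": "myapp-app"})
    hardened["agent"]["run_as_user"] = "cwagent"  # assumed: created by the package
    print(audit(PAGE_CONFIG), audit(hardened))
    print(json.dumps(hardened, indent=2))
```

Write the printed JSON to the config path and re-run the fetch-config command from the "Start the agent" step to apply it.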