AWS CloudWatch MCP Server

Create a powerful Model Context Protocol (MCP) server for AWS CloudWatch in minutes with our AI Gateway. This guide walks you through setting up seamless CloudWatch integration with enterprise-grade security and AWS Signature v4 authentication.

About AWS CloudWatch API

Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and applications in real time. The CloudWatch API enables programmatic access to:

• Metrics Collection: Gather and track metrics for AWS resources
• Custom Metrics: Publish your own application metrics
• Alarms: Create alarms that watch metrics and send notifications
• Dashboards: Build custom dashboards to visualize metrics
• Logs: Centralized log collection and analysis
• Events: Respond to state changes in AWS resources
• Insights: Query and analyze log data
• Anomaly Detection: ML-powered anomaly detection

Key Features

• Real-time Monitoring: Sub-minute metric granularity
• Multi-Region Support: Monitor resources across all AWS regions
• High Resolution: Support for metrics at 1-second frequency
• Metric Math: Perform calculations across metrics
• Composite Alarms: Combine multiple alarms with boolean logic
• Cross-Account: Monitor resources across AWS accounts
• Container Insights: Deep monitoring for ECS, EKS, and Fargate
• Lambda Insights: Enhanced monitoring for serverless applications

What You Can Do with CloudWatch MCP Server

The MCP server transforms CloudWatch's API into a natural language interface, enabling AI agents to:

Metrics & Monitoring

• Metric Operations

  • "Show CPU utilization for all EC2 instances in us-east-1"
  • "List custom metrics for my application namespace"
  • "Get average response time for ALB in last hour"
  • "Compare memory usage between production and staging"

• Custom Metrics

  • "Publish checkout conversion rate metric with value 0.85"
  • "Send batch of performance metrics for web application"
  • "Track custom business KPIs with dimensions"
  • "Create high-resolution metrics for real-time monitoring"

Alarms & Notifications

• Alarm Management

  • "Create alarm when CPU exceeds 80% for 5 minutes"
  • "Set up alarm for API error rate above 1%"
  • "Create composite alarm for multi-region failure"
  • "List all alarms in ALARM state"

• Alarm Actions

  • "Send SNS notification when database connections exceed 100"
  • "Auto-scale EC2 when memory utilization is high"
  • "Stop instance when idle for 30 minutes"
  • "Trigger Lambda function on alarm state change"

Dashboards & Visualization

• Dashboard Creation

  • "Create dashboard showing all production metrics"
  • "Build executive dashboard with cost and performance KPIs"
  • "Clone staging dashboard for production environment"
  • "Add widget showing API latency percentiles"

• Widget Configuration

  • "Add line graph for request count over time"
  • "Create stacked area chart for error types"
  • "Show current value widget for active users"
  • "Add text widget with deployment notes"

Logs & Insights

• Log Analysis

  • "Search application logs for error messages"
  • "Count unique IP addresses in access logs"
  • "Find slowest API endpoints from logs"
  • "Extract custom fields from JSON logs"

• Log Insights Queries

  • "Show top 10 error messages by frequency"
  • "Calculate average response time from logs"
  • "Create time series of status codes"
  • "Analyze user behavior patterns"

Anomaly Detection

• Detector Management

  • "Enable anomaly detection for response time metric"
  • "Create anomaly detector for transaction volume"
  • "Adjust sensitivity for seasonal patterns"
  • "Exclude maintenance windows from detection"

• Anomaly Alarms

  • "Alert when metrics deviate from normal behavior"
  • "Create band alarms for expected ranges"
  • "Detect unusual spikes in error rates"
  • "Monitor for abnormal traffic patterns"

Quick Start Guide

1. Prerequisites

• AWS Account with CloudWatch access
• Authentication method (choose one):
  • AWS IAM credentials (Access Key ID and Secret Access Key)
  • OAuth2 via AWS IAM Identity Center (SSO)
  • SAML 2.0 federation
• IAM permissions for CloudWatch operations
• AI Gateway account

2. Authentication Options

Option A: AWS IAM Credentials (Traditional)

Use AWS Access Key ID and Secret Access Key with the required IAM permissions below.

Option B: OAuth2 via AWS IAM Identity Center

AWS supports OAuth2 through IAM Identity Center for programmatic access:

1. Enable IAM Identity Center:

   • Navigate to IAM Identity Center in AWS Console
   • Enable Identity Center in your preferred region
   • Configure identity source

2. Register OAuth Application:

   aws sso-admin register-client \
     --client-name "AI-Gateway-CloudWatch-MCP" \
     --client-type "public" \
     --scopes "cloudwatch:*"

3. Configure OAuth Settings:

   • Authorization URL: https://[your-sso-url].awsapps.com/start/authorize
   • Token URL: https://[your-sso-url].awsapps.com/start/token
   • Redirect URI: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
   • Scopes: Configure based on CloudWatch operations needed

4. Permission Sets: Create permission set in IAM Identity Center with CloudWatch policies attached.

3. Required IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:PutDashboard",
        "cloudwatch:GetDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:StartQuery",
        "logs:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}

4. MCP Server Configuration

For IAM Credentials:

1. Navigate to the AI Gateway dashboard
2. Click "Create New MCP Server"
3. Select "AWS CloudWatch" from the available integrations
4. Choose "AWS IAM" authentication
5. Configure credentials:
   • Enter AWS Access Key ID
   • Enter AWS Secret Access Key
   • Select default AWS region
   • Configure optional session token for temporary credentials

For OAuth2 (IAM Identity Center):

1. Navigate to the AI Gateway dashboard
2. Click "Create New MCP Server"
3. Select "AWS CloudWatch" from the available integrations
4. Choose "OAuth 2.0" authentication
5. Configure OAuth settings:
   • Authorization URL: Your IAM Identity Center authorize endpoint
   • Token URL: Your IAM Identity Center token endpoint
   • Client ID: From registered application
   • Client Secret: From registered application (if confidential client)
   • Scopes: Select required CloudWatch permissions
   • AWS Region: Default region for operations

5. Test Your Connection

Try these commands to verify your setup:

• "List all available metrics"
• "Show current EC2 CPU utilization"
• "Create test alarm for high memory usage"

OAuth2 Scopes for CloudWatch Operations

When using OAuth2 via IAM Identity Center, configure permission sets with these CloudWatch actions:

Metrics Operations

• cloudwatch:PutMetricData - Publish custom metrics
• cloudwatch:GetMetricData - Retrieve metric data
• cloudwatch:GetMetricStatistics - Get statistical data
• cloudwatch:ListMetrics - List available metrics

Alarms Management

• cloudwatch:PutMetricAlarm - Create alarms
• cloudwatch:DescribeAlarms - View alarm details
• cloudwatch:DeleteAlarms - Remove alarms
• cloudwatch:EnableAlarmActions - Enable alarm actions
• cloudwatch:DisableAlarmActions - Disable alarm actions

Dashboards & Logs

• cloudwatch:PutDashboard - Create/update dashboards
• cloudwatch:GetDashboard - View dashboards
• cloudwatch:ListDashboards - List all dashboards
• cloudwatch:DeleteDashboards - Remove dashboards
• logs:CreateLogGroup - Create log groups
• logs:PutLogEvents - Write log events
• logs:StartQuery - Run Insights queries

Configure permission sets in IAM Identity Center to match your monitoring requirements.

Common Use Cases

Infrastructure Monitoring

Monitor your entire AWS infrastructure:

"Show me all EC2 instances with CPU > 70% in the last hour"
"Alert when any RDS instance has high connection count"
"Track EBS volume utilization across all regions"
"Monitor Lambda function cold starts and errors"

Application Performance

Track application-specific metrics:

"Publish response time metric for checkout API"
"Create dashboard for microservices performance"
"Set up alarms for SLA compliance"
"Track custom business metrics hourly"

Cost Optimization

Monitor resource utilization for cost savings:

"Find underutilized EC2 instances"
"Alert on unexpected data transfer costs"
"Track S3 storage growth trends"
"Monitor unused elastic IPs"

Security Monitoring

Enhance security posture:

"Alert on root account usage"
"Monitor failed authentication attempts"
"Track security group changes"
"Detect unusual API activity patterns"

Advanced Features

Metric Math

Perform calculations across metrics:

"Calculate error rate as percentage of total requests"
"Show memory utilization as percentage of available"
"Create expression for cost per transaction"
"Compare week-over-week growth rates"

Cross-Account Monitoring

Monitor resources across AWS accounts:

"Aggregate metrics from all production accounts"
"Create consolidated dashboard for organization"
"Set up centralized alarming"
"Compare metrics between accounts"

High-Resolution Metrics

Work with sub-minute metrics:

"Publish 1-second resolution metrics"
"Create real-time dashboard"
"Set up instant alerting"
"Monitor API latency in real-time"

Best Practices

Metric Organization

• Use consistent naming conventions
• Apply meaningful dimensions
• Group related metrics in namespaces
• Document metric meanings and units

Alarm Strategy

• Set appropriate thresholds based on baselines
• Use composite alarms for complex scenarios
• Configure proper alarm actions
• Test alarms regularly

Dashboard Design

• Create role-specific dashboards
• Use appropriate widget types
• Include relevant time ranges
• Add context with text widgets

Cost Management

• Monitor CloudWatch costs
• Use metric filters efficiently
• Archive old logs appropriately
• Optimize dashboard refresh rates

Troubleshooting

Common Issues

• Missing Metrics: Ensure resources are tagged correctly
• Alarm Not Triggering: Check evaluation periods and thresholds
• Access Denied: Verify IAM permissions
• No Data Points: Confirm metric is being published

Performance Tips

• Use metric math instead of multiple API calls
• Batch custom metric publishing
• Optimize dashboard queries
• Use appropriate metric storage resolution

Integration Examples

With Other AWS Services

"When CloudWatch alarm triggers, invoke Lambda function"
"Send alarm notifications to SNS topic"
"Auto-scale based on custom metrics"
"Store metrics in S3 for long-term analysis"

With AI Gateway Tools

"Create Slack alert for production alarms"
"Update Jira ticket when deployment metrics change"
"Generate weekly reports in Google Sheets"
"Send critical alerts to PagerDuty"

Security Considerations

Access Control

• Use IAM roles with minimal permissions
• Enable MFA for sensitive operations
• Audit CloudWatch API usage
• Rotate access keys regularly

Data Protection

• Encrypt sensitive log data
• Use secure transport (HTTPS)
• Implement log retention policies
• Control cross-account access

Pricing Considerations

• Metrics: First 10 custom metrics free
• Alarms: First 10 alarms free
• Dashboards: First 3 dashboards free
• API Requests: $0.01 per 1,000 requests
• Logs: $0.50 per GB ingested

---

Ready to transform your AWS monitoring? Start creating your CloudWatch MCP server today and enable AI-powered observability for your infrastructure!