Skip to main content

AWS CloudWatch

AWS CloudWatch is a comprehensive monitoring and observability service that provides real-time insights into AWS resources and applications, enabling automated monitoring, alerting, and log analysis for optimal performance and reliability.

AWS CloudWatch icon

Power end-to-end data operations for your AWS CloudWatch API with Nexla. Our bi-directional AWS CloudWatch connector is purpose-built for AWS CloudWatch, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to AWS CloudWatch or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your AWS CloudWatch workflows fast, secure, and fully governed.

Features

Type: API

SourceDestination

  • Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
  • Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
  • API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
  • Request optimization with intelligent batching, retry, and caching to minimize API calls and costs

Prerequisites

Before creating an AWS CloudWatch credential in Nexla, you need to create an IAM user with appropriate permissions and obtain AWS Access Key credentials. AWS CloudWatch uses AWS Signature Version 4 for authentication.

AWS IAM User Setup

The IAM user must have appropriate permissions to access the CloudWatch API. Ensure that the user has the necessary IAM policies attached. For detailed information about CloudWatch API permissions, see the AWS CloudWatch API documentation.

  1. Access AWS IAM Console: Sign in to your AWS account and navigate to the IAM Console.

  2. Create an IAM User: Create a new IAM user or select an existing user that will be used for API access. This user will need permissions to access the CloudWatch API.

  3. Attach CloudWatch Permissions: Attach the necessary IAM policies to the user. The user needs permissions to access the CloudWatch API, such as:

    • cloudwatch:GetMetricData
    • cloudwatch:GetMetricStatistics
    • cloudwatch:ListMetrics
    • cloudwatch:ListDashboards
    • cloudwatch:PutMetricData
    • cloudwatch:PutDashboard
    • cloudwatch:GetDashboard
    • Or attach the CloudWatchReadOnlyAccess managed policy for read-only access, or CloudWatchFullAccess for full access
  4. Create Access Key: Create an access key pair for the IAM user. This will generate an Access Key ID and Secret Access Key that you'll use for authentication.

  5. Select AWS Region: Determine which AWS region you want to use for the CloudWatch API. The CloudWatch API is available in all AWS regions. Common regions include us-east-1 (N. Virginia), us-west-2 (Oregon), eu-west-1 (Ireland), and others.

  6. Copy Credentials: Copy the Access Key ID and Secret Access Key immediately after creation, as the secret key will only be shown once.

    AWS Access Keys provide programmatic access to your AWS account. Keep your Access Key ID and Secret Access Key secure and do not share them publicly or commit them to version control systems. If you suspect your access keys have been compromised, rotate them immediately in the IAM Console. For detailed information about AWS IAM and access keys, see the AWS IAM documentation.

Authenticate

Credentials required

FieldRequiredSecretDescription
AWS Access KeyYesNoThe access key id of the Access Key pair that is used for verifying the identity of the requesting user.
AWS Secret KeyYesYesThe access secret of the Access Key pair that is used for verifying the identity of the requesting user.
AWS RegionYesNoThe region that is receiving the request.
Service NameYesNoThe service that is receiving the request.
Session TokenYesYesOptional session token if the request requires temporary security credentials. This is added to the request as x-amz-access-token request header.

Create a credential in Nexla

  1. After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – AWS CloudWatch API

AWSCloudWatchCred.png
  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

  2. Enter your AWS Access Key ID in the AWS Access Key field. This should be the Access Key ID obtained from your IAM user's access key pair. The Access Key ID is used together with the Secret Access Key to sign API requests using AWS Signature Version 4.

  3. Enter your AWS Secret Access Key in the AWS Secret Key field. This should be the Secret Access Key obtained from your IAM user's access key pair. The Secret Access Key is used together with the Access Key ID to sign API requests.

    The AWS Access Key ID and Secret Access Key provide programmatic access to your AWS account through the CloudWatch API. Keep these credentials secure and do not share them publicly or commit them to version control systems. AWS uses AWS Signature Version 4 to sign API requests, which allows Nexla to make authenticated requests to your AWS account.

  4. Enter your AWS Region in the AWS Region field. This should be the AWS region where you want to make CloudWatch API requests. Common regions include us-east-1 (N. Virginia), us-west-2 (Oregon), eu-west-1 (Ireland), ap-southeast-1 (Singapore), and others. The CloudWatch API endpoint URL is automatically constructed as https://monitoring.{'{region}'}.amazonaws.com based on the region you specify.

  5. Enter the Service Name in the Service Name field. For AWS CloudWatch, this should be set to monitoring. The service name is used as part of the AWS Signature Version 4 signing process to identify the AWS service being accessed.

  6. Optionally, enter a Session Token in the Session Token field if you are using temporary security credentials. Session tokens are required when using temporary credentials from AWS STS (Security Token Service) or when assuming IAM roles. If you are using permanent access keys, you can leave this field empty.

    If you are using temporary security credentials (for example, from AWS STS or IAM role assumption), you must provide a Session Token. The session token is added to requests as the x-amz-access-token header. For permanent access keys, the session token field can be left empty.

  7. Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.

Use as a data source

To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the AWS CloudWatch connector tile, then select the credential that will be used to connect to the AWS CloudWatch instance, and click Next; or, create a new AWS CloudWatch credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common AWS CloudWatch endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.

GetMetricData

This endpoint retrieves metric data from AWS CloudWatch for specified metrics and time periods. Use this endpoint when you need to access CloudWatch metric data for monitoring, analysis, or reporting purposes.

  • This endpoint uses GET requests to the CloudWatch API endpoint with the Action=GetMetricData query parameter. The endpoint URL is automatically constructed based on your credential configuration as https://monitoring.{'{region}'}.amazonaws.com?Action=GetMetricData.
  • Configure the request parameters in the manual configuration section to specify the metrics you want to retrieve, including metric names, namespaces, dimensions, start time, end time, and statistics. The request parameters should follow the AWS CloudWatch API specification for GetMetricData.
  • The endpoint uses token-based pagination when applicable, automatically fetching additional pages as needed using the NextToken mechanism. When a response includes a NextToken field, Nexla automatically includes it in the subsequent request to fetch the next page of results.
  • The endpoint will return metric data based on your request parameters. The response data is extracted from the Metrics array in the API response ($.Metrics[*]), with each metric data point processed individually.

This endpoint requires properly formatted request parameters that match the AWS CloudWatch API specification for GetMetricData. Common parameters include MetricName, Namespace, Dimensions, StartTime, EndTime, Period, and Statistics. The endpoint uses token-based pagination (iteration.type: paging.next.token) through the NextToken mechanism. The endpoint requires AWS Signature Version 4 authentication, which is handled automatically by your credential configuration. For detailed information about GetMetricData parameters, request formatting, and response structures, see the AWS CloudWatch API documentation.

ListDashboards

This endpoint retrieves a list of CloudWatch dashboards in your AWS account. Use this endpoint when you need to access dashboard information for monitoring, management, or integration with other systems.

  • This endpoint uses GET requests to the CloudWatch API endpoint with the Action=ListDashboards query parameter. The endpoint URL is automatically constructed based on your credential configuration as https://monitoring.{'{region}'}.amazonaws.com?Action=ListDashboards.
  • This endpoint automatically retrieves all dashboards accessible to your account. No additional configuration is required beyond selecting this endpoint template, though you can optionally specify dashboard name prefixes in manual configuration.
  • The endpoint uses token-based pagination when applicable, automatically fetching additional pages as needed using the NextToken mechanism. When a response includes a NextToken field, Nexla automatically includes it in the subsequent request to fetch the next page of results.
  • The endpoint will return all dashboards in your account. The response data is extracted from the DashboardEntries array in the API response ($.DashboardEntries[*]), with each dashboard entry processed individually.

This endpoint supports optional parameters such as DashboardNamePrefix to filter dashboards by name. The endpoint uses token-based pagination (iteration.type: paging.next.token) through the NextToken mechanism. The endpoint requires AWS Signature Version 4 authentication, which is handled automatically by your credential configuration. For detailed information about ListDashboards parameters, request formatting, and response structures, see the AWS CloudWatch API documentation.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.

Manual configuration

AWS CloudWatch data sources can also be manually configured to ingest data from any valid AWS CloudWatch API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.

AWS CloudWatch API endpoints follow the pattern https://monitoring.{'{region}'}.amazonaws.com?Action={'{ActionName}'}, where {region} is your AWS region and {ActionName} is the CloudWatch API action to execute. The endpoint URL is constructed automatically from your credential's region setting, and AWS Signature Version 4 authentication is handled automatically by your credential configuration—you do not need to add authentication headers manually.

Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new AWS CloudWatch data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.

Use as a destination

Click the + icon on the Nexset that will be sent to the AWS CloudWatch destination, and select the Send to Destination option from the menu. Select the AWS CloudWatch connector from the list of available destination connectors, then select the credential that will be used to connect to the AWS CloudWatch organization, and click Next; or, create a new AWS CloudWatch credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common AWS CloudWatch endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.

PutMetricData

This endpoint publishes metric data points to AWS CloudWatch. Use this endpoint when you need to send custom metrics, application metrics, or business metrics to CloudWatch for monitoring and alerting purposes.

  • This endpoint uses POST requests to the CloudWatch API endpoint with the Action=PutMetricData query parameter. The endpoint URL is automatically constructed based on your credential configuration as https://monitoring.{'{region}'}.amazonaws.com?Action=PutMetricData.
  • The endpoint sends data from your Nexset as the request body in JSON format. Each record in your Nexset will be sent as a metric data point to CloudWatch. The request body should follow the AWS CloudWatch API specification for PutMetricData, including Namespace, MetricData array with MetricName, Value, Timestamp, Dimensions, and other optional parameters.
  • Ensure your Nexset data includes the required fields for CloudWatch metric data points: Namespace (the namespace for the metric), MetricName (the name of the metric), Value (the value of the metric), and Timestamp (the time the metric data was collected). Optional fields include Dimensions (key-value pairs that define the metric), Unit (the unit of measure), and StatisticValues (for aggregated metrics).
  • Batch mode is disabled by default for this endpoint. Each record in your Nexset will be sent as a separate API request to CloudWatch. If you need to send multiple metric data points in a single request, you can enable batch mode in the advanced settings, but note that CloudWatch has limits on the number of metric data points per request (up to 20 metric data points per PutMetricData call).

The request body must be properly formatted JSON that matches the AWS CloudWatch API specification for PutMetricData. The JSON should include a Namespace field and a MetricData array containing one or more metric data points. Each metric data point should include MetricName, Value, Timestamp, and optionally Dimensions, Unit, and StatisticValues. The endpoint requires AWS Signature Version 4 authentication, which is handled automatically by your credential configuration. Batch mode is disabled by default (batch.mode: false), so each record will be sent as a separate request. For detailed information about PutMetricData parameters, request formatting, and response structures, see the AWS CloudWatch API documentation.

PutDashboard

This endpoint creates or updates a CloudWatch dashboard with the specified configuration. Use this endpoint when you need to programmatically create or update CloudWatch dashboards for monitoring and visualization purposes.

  • This endpoint uses POST requests to the CloudWatch API endpoint with the Action=PutDashboard query parameter. The endpoint URL is automatically constructed based on your credential configuration as https://monitoring.{'{region}'}.amazonaws.com?Action=PutDashboard.
  • The endpoint sends data from your Nexset as the request body in JSON format. Each record in your Nexset should contain the dashboard configuration following the AWS CloudWatch API specification for PutDashboard, including DashboardName (the name of the dashboard) and DashboardBody (a JSON string containing the complete dashboard configuration with widgets, metrics, and visualization settings).
  • Ensure your Nexset data includes the required fields for CloudWatch dashboard creation: DashboardName (the name of the dashboard) and DashboardBody (a JSON string containing the dashboard configuration). The DashboardBody should be a valid JSON string that defines the dashboard widgets, metrics, and visualization settings according to CloudWatch dashboard syntax.
  • Batch mode is disabled by default for this endpoint. Each record in your Nexset will be sent as a separate API request to CloudWatch. If you need to create or update multiple dashboards, you can send multiple records, but each will be processed as a separate PutDashboard request.

The request body must be properly formatted JSON that matches the AWS CloudWatch API specification for PutDashboard. The JSON should include DashboardName and DashboardBody fields. The DashboardBody must be a valid JSON string containing the complete dashboard configuration with widgets, metrics, and visualization settings. The endpoint requires AWS Signature Version 4 authentication, which is handled automatically by your credential configuration. Batch mode is disabled by default (batch.mode: false), so each record will be sent as a separate request. For detailed information about PutDashboard parameters, request formatting, and response structures, see the AWS CloudWatch API documentation.

Manual configuration

AWS CloudWatch destinations can also be manually configured to send data to any valid AWS CloudWatch API endpoint. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, and request body.

AWS CloudWatch API endpoints follow the pattern https://monitoring.{'{region}'}.amazonaws.com?Action={'{ActionName}'} and typically expect JSON request bodies with the Content-Type header set to application/json. AWS Signature Version 4 authentication is handled automatically by your credential configuration.

Save & activate

Once all of the relevant endpoint settings have been configured, click the Create button in the upper right corner of the screen to save and create the new AWS CloudWatch destination. Nexla will now begin sending data from the selected Nexset to the configured endpoint.