AWS CloudWatch
AWS CloudWatch is a comprehensive monitoring and observability service that provides real-time insights into AWS resources and applications, enabling automated monitoring, alerting, and log analysis for optimal performance and reliability.
Power end-to-end data operations for your AWS CloudWatch API with Nexla. Our bi-directional AWS CloudWatch connector is purpose-built for AWS CloudWatch, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to AWS CloudWatch or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your AWS CloudWatch workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
Before creating an AWS CloudWatch credential in Nexla, you need to create an IAM user with appropriate permissions and obtain AWS Access Key credentials. AWS CloudWatch uses AWS Signature Version 4 for authentication.
AWS IAM User Setup
The IAM user must have appropriate permissions to access the CloudWatch API. Ensure that the user has the necessary IAM policies attached. For detailed information about CloudWatch API permissions, see the AWS CloudWatch API documentation.
-
Access AWS IAM Console: Sign in to your AWS account and navigate to the IAM Console.
-
Create an IAM User: Create a new IAM user or select an existing user that will be used for API access. This user will need permissions to access the CloudWatch API.
-
Attach CloudWatch Permissions: Attach the necessary IAM policies to the user. The user needs permissions to access the CloudWatch API, such as:
cloudwatch:GetMetricDatacloudwatch:GetMetricStatisticscloudwatch:ListMetricscloudwatch:ListDashboardscloudwatch:PutMetricDatacloudwatch:PutDashboardcloudwatch:GetDashboard- Or attach the
CloudWatchReadOnlyAccessmanaged policy for read-only access, orCloudWatchFullAccessfor full access
-
Create Access Key: Create an access key pair for the IAM user. This will generate an Access Key ID and Secret Access Key that you'll use for authentication.
-
Select AWS Region: Determine which AWS region you want to use for the CloudWatch API. The CloudWatch API is available in all AWS regions. Common regions include
us-east-1(N. Virginia),us-west-2(Oregon),eu-west-1(Ireland), and others. -
Copy Credentials: Copy the Access Key ID and Secret Access Key immediately after creation, as the secret key will only be shown once.
AWS Access Keys provide programmatic access to your AWS account. Keep your Access Key ID and Secret Access Key secure and do not share them publicly or commit them to version control systems. If you suspect your access keys have been compromised, rotate them immediately in the IAM Console. For detailed information about AWS IAM and access keys, see the AWS IAM documentation.
Authenticate
Credentials required
| Field | Required | Secret | Description |
|---|---|---|---|
| AWS Access Key | Yes | No | The access key id of the Access Key pair that is used for verifying the identity of the requesting user. |
| AWS Secret Key | Yes | Yes | The access secret of the Access Key pair that is used for verifying the identity of the requesting user. |
| AWS Region | Yes | No | The region that is receiving the request. |
| Service Name | Yes | No | The service that is receiving the request. |
| Session Token | Yes | Yes | Optional session token if the request requires temporary security credentials. This is added to the request as x-amz-access-token request header. |
Create a credential in Nexla
- After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
New Credential Overlay – AWS CloudWatch API

-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
-
Enter your AWS Access Key ID in the AWS Access Key field. This should be the Access Key ID obtained from your IAM user's access key pair. The Access Key ID is used together with the Secret Access Key to sign API requests using AWS Signature Version 4.
-
Enter your AWS Secret Access Key in the AWS Secret Key field. This should be the Secret Access Key obtained from your IAM user's access key pair. The Secret Access Key is used together with the Access Key ID to sign API requests.
The AWS Access Key ID and Secret Access Key provide programmatic access to your AWS account through the CloudWatch API. Keep these credentials secure and do not share them publicly or commit them to version control systems. AWS uses AWS Signature Version 4 to sign API requests, which allows Nexla to make authenticated requests to your AWS account.
-
Enter your AWS Region in the AWS Region field. This should be the AWS region where you want to make CloudWatch API requests. Common regions include
us-east-1(N. Virginia),us-west-2(Oregon),eu-west-1(Ireland),ap-southeast-1(Singapore), and others. The CloudWatch API endpoint URL is automatically constructed ashttps://monitoring.{'{region}'}.amazonaws.combased on the region you specify. -
Enter the Service Name in the Service Name field. For AWS CloudWatch, this should be set to
monitoring. The service name is used as part of the AWS Signature Version 4 signing process to identify the AWS service being accessed. -
Optionally, enter a Session Token in the Session Token field if you are using temporary security credentials. Session tokens are required when using temporary credentials from AWS STS (Security Token Service) or when assuming IAM roles. If you are using permanent access keys, you can leave this field empty.
If you are using temporary security credentials (for example, from AWS STS or IAM role assumption), you must provide a Session Token. The session token is added to requests as the
x-amz-access-tokenheader. For permanent access keys, the session token field can be left empty. -
Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.
Use as a data source
To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the AWS CloudWatch connector tile, then select the credential that will be used to connect to the AWS CloudWatch instance, and click Next; or, create a new AWS CloudWatch credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common AWS CloudWatch endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.
Manual configuration
AWS CloudWatch data sources can also be manually configured to ingest data from any valid AWS CloudWatch API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.
AWS CloudWatch API endpoints follow the pattern https://monitoring.{'{region}'}.amazonaws.com?Action={'{ActionName}'}, where {region} is your AWS region and {ActionName} is the CloudWatch API action to execute. The endpoint URL is constructed automatically from your credential's region setting, and AWS Signature Version 4 authentication is handled automatically by your credential configuration—you do not need to add authentication headers manually.
Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new AWS CloudWatch data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Use as a destination
Click the + icon on the Nexset that will be sent to the AWS CloudWatch destination, and select the Send to Destination option from the menu. Select the AWS CloudWatch connector from the list of available destination connectors, then select the credential that will be used to connect to the AWS CloudWatch organization, and click Next; or, create a new AWS CloudWatch credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common AWS CloudWatch endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Manual configuration
AWS CloudWatch destinations can also be manually configured to send data to any valid AWS CloudWatch API endpoint. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, and request body.
AWS CloudWatch API endpoints follow the pattern https://monitoring.{'{region}'}.amazonaws.com?Action={'{ActionName}'} and typically expect JSON request bodies with the Content-Type header set to application/json. AWS Signature Version 4 authentication is handled automatically by your credential configuration.
Save & activate
Once all of the relevant endpoint settings have been configured, click the Create button in the upper right corner of the screen to save and create the new AWS CloudWatch destination. Nexla will now begin sending data from the selected Nexset to the configured endpoint.