Log Insights on AWS RDS — CloudWatch IAM Setup
IAM role + permissions to let MonPG read your RDS instance logs from CloudWatch.
MonPG needs two AWS permissions to read your logs: rds:DescribeDBLogFiles to list log file names and sizes, and logs:GetLogEvents to read content from CloudWatch log streams. Two ways to grant them.
Option A: IAM role with cross-account trust (recommended)
Create a role in your AWS account that MonPG's hosted collector assumes. Our collector lives in account 123456789012 — that's the value to plug in. We rotate this quarterly; check Settings → Servers → AWS integration for the current value if you're setting up months from now.
Trust policy
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:role/monpg-collector-fleet" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "sts:ExternalId": "<unique-external-id-shown-in-UI>" }
    }
  }]
}
The ExternalId condition is what stops a "confused deputy" attack: without it, another MonPG customer who learned your role ARN could enter it in their own MonPG account and have our collector assume your role on their behalf. The MonPG UI shows the unique value to use.
Permission policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeLogs",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:FilterLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/<your-db-identifier>/postgresql:*"
      ]
    },
    {
      "Sid": "CloudWatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
The CloudWatch metrics block is for the System page (CPU, IOPS, etc.) — not strictly needed for logs, but if you scope down to logs only the System page goes blank.
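Before pasting the policies in, it is worth linting them for the two mistakes this page warns about: a trust policy without a real ExternalId condition, and a permission policy that grants more than read access or reaches log groups outside your RDS instance. The script below is an added example, not MonPG's code; the collector role ARN is the one from this page and the sample policies are constructed.

```python
import json

# Added example, not MonPG's code: a pre-flight lint for the two policies on
# this page. Values below are constructed samples, not real identifiers.
COLLECTOR_ROLE = "arn:aws:iam::123456789012:role/monpg-collector-fleet"
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Filter")
RDS_LOG_GROUP = "log-group:/aws/rds/instance/"

def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]

def check_trust_policy(policy, collector_role=COLLECTOR_ROLE):
    """Return problems found in a role trust policy (empty list = OK)."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if _as_list(st.get("Principal", {}).get("AWS")) != [collector_role]:
            problems.append("principal is not exactly the MonPG collector role")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            problems.append("action is broader than sts:AssumeRole")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id.startswith("<"):
            problems.append("no real sts:ExternalId condition (confused-deputy risk)")
    return problems

def check_permission_policy(policy):
    """Flag write-capable actions and logs access outside the RDS log groups."""
    problems = []
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        for action in actions:
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                problems.append(f"{st.get('Sid')}: non-read-only action {action}")
        if any(a.startswith("logs:") for a in actions):
            for res in _as_list(st["Resource"]):
                if RDS_LOG_GROUP not in res:
                    problems.append(f"{st.get('Sid')}: logs access not scoped: {res}")
    return problems

# Constructed sample: the page's trust policy with the ExternalId condition
# omitted, i.e. the weak form the page warns about.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": COLLECTOR_ROLE},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(check_trust_policy(WEAK_TRUST), indent=2))
```

Run it against the JSON you are about to paste into IAM; an empty list from both checks means the policies match what this page describes.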
Paste the role ARN
Settings → Servers → [your server] → AWS cloud integration. Paste the role ARN and the external ID. Click Test — we attempt the AssumeRole and a sample GetLogEvents call. Green means done.
Option B: access keys (simpler, less secure)
Create an IAM user with the same permission policy. Generate an access key and secret. Paste them into MonPG. Not recommended in production: static credentials rotate poorly, can't be condition-scoped, and do more damage when leaked. Acceptable for staging or evaluation; replace before production.
Enable CloudWatch publishing
The CloudWatch role is necessary but not sufficient — RDS also has to be told to publish logs there. Modify your RDS instance → Log exports → check "PostgreSQL log". Without this checkbox, RDS writes logs internally where MonPG cannot reach them, and you'll see "no logs" with green permissions, which is confusing until you remember this step.
What we do with the logs
Pulls new events every 5 minutes (configurable). Categorizes each line. Surfaces on Log Insights with full-text search and pattern aggregation. The overview page covers what comes after setup.