You will need to create two new roles: one of these roles will have the permission to read and collect log data and send it to CloudWatch Logs to be written, and the other role is used to communicate with SSM to create and store your agent configuration file, allowing you to use the same agent configuration on your fleet of EC2 instances.
Create the first role, which will be used by your instances to collect log data using the following configuration information. I explained how to create roles in Chapter 3, Access Management, so please refer back to that chapter if you need assistance in role creation. I have avoided going into the details here:
- Select the type of trusted entity, then select AWS service.
- Choose the service that will use this role – select EC2.
- In the policy list, select both CloudWatchAgentServerPolicy and AmazonSSMManagedInstanceCore.
- In Role name, enter CloudWatchAgentServerRole or another meaningful name.
For...