AWS CloudWatch
CloudWatch in Hoop simplifies AWS log analysis by providing direct access to log groups with automatic environment variable setup and an optimized interface for log exploration.
Prerequisites
To get the most out of this guide, you will need to:
- Either create an account in our managed instance or deploy your own hoop.dev instance
- You must be your account administrator to perform the following commands
Features
The table below outlines the features available for this type of connection.
- Native - This refers to when a database client connects through a specific protocol, such as an IDE or client libraries through
hoop connect <connection-name>
. - One Off - This term refers to accessing this connection from hoop web panel.
Feature | Native | One Off | Description |
---|---|---|---|
TLS Termination Proxy | The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted. | ||
Audit | The gateway stores and audits the queries being issued by the client | ||
Data Masking (Google DLP) | A policy can be enabled to mask sensitive fields dynamically when performing queries in the logs. | ||
Data Masking (MS Presidio DLP) | A policy can be enabled to mask sensitive fields dynamically when performing queries in the logs. | ||
Credentials Offload | The user authenticates via SSO instead of using the service credentials. | ||
Interactive Access | Interactive access is available when using an IDE or connecting via a terminal for log analysis exploration. |
Configuration
Name | Type | Required | Description |
---|---|---|---|
AWS_ACCESS_KEY_ID | env-var | yes | The AWS access key ID for CloudWatch Logs access |
AWS_SECRET_ACCESS_KEY | env-var | yes | The AWS secret access key for CloudWatch Logs access |
AWS_REGION | env-var | yes | The AWS region where your CloudWatch log groups are located (e.g., us-east-1 , eu-west-1 ) |
The AWS credentials require the minimal set of IAM permissions to work:
logs:DescribeLogGroups
logs:FilterLogEvents
logs:GetLogEvents
Connection Setup
The flag --type custom/cloudwatch
allows displaying the introspection schema in the web interface.
Currently, CloudWatch connections cannot be created through the web interface. Use the CLI command above to create the connection, then it will be available in the web app for use.
Connection Usage
CLI
Web panel
When you select a log group in the interface, the terminal will propagate the name as LOG_GROUP_NAME
environment variable, allowing you to use it in your scripts.
The example above shows the variable being used in a script to filter events from the /aws/lambda/my-function
log group.