Prerequisites

To get the most out of this guide, you will need to:

Features

The table below outlines the features available for this type of connection.
  • Native - This refers to when a database client connects through a specific protocol, such as an IDE or client libraries through hoop connect <connection-name>.
  • One Off - This term refers to accessing this connection from hoop web panel.
FeatureNativeOne OffDescription
TLS Termination ProxyThe local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.
AuditThe gateway stores and audits the queries being issued by the client
Data Masking (Google DLP)A policy can be enabled to mask sensitive fields dynamically when performing queries in the logs.
Data Masking (MS Presidio DLP)A policy can be enabled to mask sensitive fields dynamically when performing queries in the logs.
Credentials OffloadThe user authenticates via SSO instead of using the service credentials.
Interactive AccessInteractive access is available when using an IDE or connecting via a terminal for log analysis exploration.

Configuration

NameTypeRequiredDescription
AWS_ACCESS_KEY_IDenv-varyesThe AWS access key ID for CloudWatch Logs access
AWS_SECRET_ACCESS_KEYenv-varyesThe AWS secret access key for CloudWatch Logs access
AWS_REGIONenv-varyesThe AWS region where your CloudWatch log groups are located (e.g., us-east-1, eu-west-1)
The AWS credentials require the minimal set of IAM permissions to work:
  • logs:DescribeLogGroups
  • logs:FilterLogEvents
  • logs:GetLogEvents

Connection Setup

The flag --type custom/cloudwatch allows displaying the introspection schema in the web interface. 
hoop admin create conn my-cloudwatch -a <agent-name> \
    --type custom/cloudwatch \
    --overwrite \
    --schema=enabled \
    --skip-validation \
    -e AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE \
    -e AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
    -e AWS_REGION=us-west-2 \
    -- bash
Currently, CloudWatch connections cannot be created through the web interface. Use the CLI command above to create the connection, then it will be available in the web app for use.

Connection Usage

CLI

hoop exec my-cloudwatch \
  -i 'aws logs filter-log-events --log-group-name /aws/lambda/my-function'

Web panel

When you select a log group in the interface, the terminal will propagate the name as LOG_GROUP_NAME environment variable, allowing you to use it in your scripts. The example above shows the variable being used in a script to filter events from the /aws/lambda/my-function log group.
cloudwatch screenshot