Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.2.3.6. Creating CloudWatch Custom Metrics and Metric Filters, Alarms, and Notifications (Amazon SNS, Lambda)

3.2.3.6. Installing & Configuring Agents (SSM Agent, CloudWatch Agent)

Agents extend AWS's management and monitoring capabilities onto your instances. Without them, you're limited to basic infrastructure metrics and no remote management.

SSM Agent:
  • Pre-installed on Amazon Linux 2, Ubuntu 16.04+, Windows Server 2016+
  • Enables: Run Command, Patch Manager, State Manager, Session Manager, Inventory
  • Requires: IAM instance profile with AmazonSSMManagedInstanceCore managed policy
  • Communication: HTTPS to SSM endpoints (needs internet access or VPC endpoints)
CloudWatch Agent:
  • Collects OS metrics (memory, disk, processes) and custom application logs
  • Install via SSM Distributor or manual download
  • Configuration stored in SSM Parameter Store for fleet-wide consistency
# Install CloudWatch Agent via SSM
aws ssm send-command \
  --document-name "AWS-ConfigureAWSPackage" \
  --targets "Key=tag:Role,Values=WebServer" \
  --parameters '{"action":["Install"],"name":["AmazonCloudWatchAgent"]}'

# Store agent config in Parameter Store
aws ssm put-parameter \
  --name "AmazonCloudWatch-linux-config" \
  --type String \
  --value file://cloudwatch-agent-config.json

# Apply config via SSM
aws ssm send-command \
  --document-name "AmazonCloudWatch-ManageAgent" \
  --targets "Key=tag:Role,Values=WebServer" \
  --parameters '{"action":["configure"],"optionalConfigurationSource":["ssm"],"optionalConfigurationLocation":["AmazonCloudWatch-linux-config"]}'

Unified CloudWatch Agent replaced the legacy CloudWatch Logs Agent and custom metrics scripts. It handles both metrics and logs in a single process.

Exam Trap: The CloudWatch Agent runs as root (Linux) or LocalSystem (Windows) and needs its own IAM permissions separate from the SSM Agent. The agent requires cloudwatch:PutMetricData for custom metrics and logs:PutLogEvents for log delivery. A common setup error is attaching only the SSM managed policy but not the CloudWatch Agent policy (CloudWatchAgentServerPolicy).

Alvin Varughese
Written byAlvin Varughese•Founder•15 professional certifications