I have Amazon CloudWatch configured to send custom metrics using the EC2Config service, but I receive credential errors. How do I resolve this?

If you are trying to send custom metrics to CloudWatch from an Amazon EC2 Windows instance using the EC2Config service, but are unable to do so, the Ec2ConfigLog file at C:\Program Files\Amazon\Ec2ConfigService\Logs might indicate a credential error message similar to the following:

2016-06-02 13:55:49: [Error] The component with id 'CloudWatch' has been flagged as being impaired and will not perform any work until EC2Config is restarted

2016-06-02 13:55:49: [Error] Failed to upload metrics to CloudWatch.

2016-06-02 13:55:49: [Error] Credential is not correct. Setting CloudWatchService IsImpaired to be true, Failed to upload metric to CloudWatch. Amazon.CloudWatch.AmazonCloudWatchException: The security token included in the request is invalid. ---> Amazon.Runtime.Internal.HttpErrorResponseException: The remote server returned an error: (403) Forbidden. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.

    at System.Net.HttpWebRequest.GetResponse()

    at Amazon.Runtime.Internal.HttpRequest.GetResponse()

    --- End of inner exception stack trace ---


The error indicates that there is an issue with the credentials being used to push metrics to CloudWatch. These credentials are referenced in the AWS.EC2.Windows.CloudWatch.json file, which is located at C:\Program Files\Amazon\Ec2ConfigService\Settings. The error can occur if:

  • The credentials in the JSON file are incorrect.
  • There is a mismatch in the access key and secret key.
  • The user or role does not have permission to push metrics to CloudWatch.

To resolve this issue:

  • From the IAM console, download the credentials report, copy the user credentials from the .csv file, and paste them into the JSON file.
  • Make sure that the user whose access key and secret key are stored in the AWS.EC2.Windows.CloudWatch.json file is allowed the following actions in its policy:
    CloudWatch metrics:
    CloudWatch Logs:
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents"

  • If you are using an IAM role with the instance, ensure the role has the right permissions. Also, make sure that no credentials are entered in the AWS.EC2.Windows.CloudWatch.json file.

Note: You cannot attach a role to an instance after the instance has been launched. This must be done during the launch of the instance.
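
The following PowerShell check is an added example, not part of the original article or of EC2Config. It classifies each credential-bearing component in the settings file as using the instance role, a static key pair, or an incomplete pair, without printing the secret. The function name `Test-CloudWatchCredentialConfig`, the assumed file layout (`EngineConfiguration.Components[].Parameters` with `AccessKey` and `SecretKey`), the key-format heuristics, and the sample JSON are assumptions; it requires PowerShell 3.0 or later.

```powershell
# Added example: audits the credential fields of an EC2Config CloudWatch settings file.
# Assumed layout: EngineConfiguration.Components[].Parameters with AccessKey / SecretKey.
function Test-CloudWatchCredentialConfig {
    param([Parameter(Mandatory)][string]$Json)
    $config = $Json | ConvertFrom-Json
    foreach ($component in $config.EngineConfiguration.Components) {
        $p = $component.Parameters
        # Only output components carry credential fields; skip counters, event logs, etc.
        if ($null -eq $p -or $p.PSObject.Properties.Name -notcontains 'AccessKey') { continue }

        $access = [string]$p.AccessKey
        $secret = [string]$p.SecretKey
        $findings = @()
        if (-not $access -and -not $secret) {
            $mode = 'InstanceRole'   # nothing stored: the instance's IAM role is used
        } elseif (-not $access -or -not $secret) {
            $mode = 'Incomplete'
            $findings += 'Only one of AccessKey/SecretKey is set.'
        } else {
            $mode = 'StaticKey'
            if ($access -ne $access.Trim() -or $secret -ne $secret.Trim()) {
                $findings += 'Leading or trailing whitespace, typical of a copy-paste error.'
            }
            # Heuristic: long-term IAM user key IDs start with AKIA and are 20 characters.
            if ($access.Trim() -cnotmatch '^AKIA[A-Z0-9]{16}$') {
                $findings += 'AccessKey does not look like a long-term IAM user key ID.'
            }
            if ($secret.Trim().Length -ne 40) {
                $findings += 'SecretKey is not 40 characters long.'
            }
        }
        # Report the key ID only (needed to look the key up in IAM); never the secret.
        [pscustomobject]@{
            Component   = $component.Id
            Mode        = $mode
            AccessKeyId = $access.Trim()
            Findings    = $findings -join ' '
        }
    }
}
# Constructed sample (not real keys): a metrics component with a truncated secret,
# and a logs component left empty so that it uses the instance role.
$sample = @'
{"EngineConfiguration":{"Components":[
 {"Id":"CloudWatch","Parameters":{"AccessKey":"AKIAEXAMPLEEXAMPLE00","SecretKey":"tooShortExampleSecret","Region":"us-east-1","NameSpace":"Windows/Default"}},
 {"Id":"CloudWatchLogs","Parameters":{"AccessKey":"","SecretKey":"","Region":"us-east-1","LogGroup":"Default-Log-Group","LogStream":"{instance_id}"}},
 {"Id":"PerformanceCounter","Parameters":{"CategoryName":"Memory","CounterName":"Available MBytes"}}
]}}
'@
Test-CloudWatchCredentialConfig -Json $sample | Format-Table -AutoSize -Wrap
```

To check the file on an instance, pass its contents instead of the sample: `Test-CloudWatchCredentialConfig -Json (Get-Content -Raw 'C:\Program Files\Amazon\Ec2ConfigService\Settings\AWS.EC2.Windows.CloudWatch.json')`. A `StaticKey` result with no findings only means the pair is well formed; whether the key is active and permitted to push metrics still has to be confirmed in IAM.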


Published: 2016-11-28