This chapter covers EC2 Enhanced Monitoring and the CloudWatch Agent, two critical tools for gaining deep visibility into your EC2 instances beyond basic hypervisor-level metrics. For the SOA-C02 exam, this topic appears in roughly 10-15% of questions, often in the context of troubleshooting performance issues or configuring custom monitoring. You will learn the differences between standard CloudWatch metrics, enhanced monitoring, and the CloudWatch Agent, how to install and configure the agent, and the specific exam traps around which metrics require the agent versus those available by default. Master this, and you'll confidently answer questions on monitoring memory, disk, and custom application metrics.
Imagine you are the facilities manager for a large office building. The building has basic power and water meters at the main entrance that record total consumption every hour. That's the standard EC2 monitoring (hypervisor-level metrics). But you need to know which floor is drawing too much power, or if a specific server room is overheating. So you install smart sub-meters on each floor's electrical panel and water pipes, and you deploy temperature sensors in each room. These sub-meters are the CloudWatch Agent. They are separate devices that you must install and configure; they don't come with the building. They collect detailed metrics at 1-second intervals (rather than 5-minute intervals) and can send alerts if a server room hits 85°F. The sub-meters also log data locally for a short time in case the network to your central monitoring station goes down. You can even program them to collect custom data, like the number of times a door opens. The basic meters at the main entrance give you the 'status' of the building (instance health), but the sub-meters give you the 'performance' (memory, disk, custom app metrics). For the SOA-C02 exam, think of the CloudWatch Agent as your smart sub-meter that you install inside the instance to get granular, OS-level visibility.
What is EC2 Enhanced Monitoring and the CloudWatch Agent?
EC2 Enhanced Monitoring (also called Detailed Monitoring) is a feature that enables EC2 instances to send metrics to CloudWatch at a 1-minute frequency instead of the default 5-minute frequency. However, Enhanced Monitoring only covers hypervisor-level metrics such as CPU, network, and disk I/O (the same metrics available at 5-minute intervals, but more granular). It does NOT provide OS-level metrics like memory usage, disk space, or process-level information. To get those, you need the CloudWatch Agent.
The CloudWatch Agent is a software package that you install on an EC2 instance (or on-premises server) to collect system-level metrics and custom logs. It replaces the older CloudWatch Logs Agent and the deprecated EC2Config service (for Windows). The agent can collect:
Memory (RAM) usage
Swap usage
Disk space utilization
Disk I/O per device (additional to hypervisor metrics)
Network connections per interface
Custom metrics from your application
Log files for forwarding to CloudWatch Logs
How It Works: The Mechanism
The CloudWatch Agent runs as a background service on the instance. It uses a JSON configuration file (usually located at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json on Linux or C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json on Windows) to determine what to collect and where to send it. The agent collects metrics at a configurable interval (default 60 seconds) and sends them to CloudWatch via the CloudWatch API. It can also send logs to CloudWatch Logs.
The agent uses the AWS SDK to authenticate. It requires IAM permissions to put metrics and logs. The recommended approach is to attach an IAM role to the EC2 instance with the CloudWatchAgentServerPolicy managed policy. For on-premises servers, you create an IAM user with programmatic access and configure the agent with those credentials.
Key Components and Defaults
Collection Interval: Default is 60 seconds. You can set it to 1 second for high-resolution metrics (additional cost).
Metrics Collected: The agent can collect CPU metrics (user, system, idle, etc.), memory (used, available, cached, etc.), disk (used, free, total, percent used), network (bytes in/out, packets in/out), swap (used, free), and process stats (if you configure the procstat plugin).
Log Collection: The agent can tail log files and send them to CloudWatch Logs. It supports multi-line logs and timestamp extraction.
Configuration File: The agent uses a JSON configuration that can be generated using the wizard (amazon-cloudwatch-agent-config-wizard) or written manually.
SSM Integration: You can use AWS Systems Manager (SSM) to deploy the agent at scale using the AWS-ConfigureAWSPackage document.
Metrics Storage Resolution: By default, metrics are stored at 60-second resolution. You can enable high-resolution metrics (1-second) by setting "metrics_collected": {"cpu": {"measurement": ["cpu_usage_idle"], "metrics_collection_interval": 1}}.
Configuration and Verification Commands
Installation (Linux - Amazon Linux 2/Ubuntu/CentOS):
sudo yum install amazon-cloudwatch-agent -y # Amazon Linux 2
sudo apt-get install amazon-cloudwatch-agent # Ubuntu
Configuration Wizard:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
This interactive wizard creates the configuration file. You can also manually edit the JSON file.
Start the Agent:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
The -m ec2 indicates the source of credentials (EC2 instance role). Use -m onPrem for on-premises.
Verify Agent Status:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status
Check Logs:
sudo tail -f /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log
Windows Installation: Download the agent from AWS or use SSM. Run the MSI. Then use the wizard or manually configure.
How It Interacts with Related Technologies
CloudWatch Metrics: The agent publishes metrics under the CWAgent namespace (or a custom namespace you define). These metrics appear in the CloudWatch console alongside EC2 metrics but are separate.
CloudWatch Logs: The agent sends log streams to CloudWatch Logs, which can then be used with log metrics, subscriptions, or export to S3.
CloudWatch Alarms: You can create alarms on agent-collected metrics (e.g., memory usage > 90%).
AWS Systems Manager: Use SSM Run Command or State Manager to install and configure the agent across fleets.
IAM: The instance must have an IAM role with cloudwatch:PutMetricData and logs:PutLogEvents permissions. The managed policy CloudWatchAgentServerPolicy includes these.
EC2 Instance Metadata: The agent uses the instance metadata service (IMDS) to retrieve the region and instance ID.
Important Exam Details
The CloudWatch Agent is required to see memory metrics. Many candidates mistakenly think Enhanced Monitoring provides memory metrics — it does not.
The agent is also required for disk space utilization. The default EC2 metrics only show disk I/O (read/write operations), not disk space.
The agent can be configured to collect metrics from on-premises servers, not just EC2.
The agent supports both Linux and Windows.
The agent can collect custom metrics by using the append_dimensions feature to add instance metadata as dimensions.
The agent can collect logs from multiple paths and supports log rotation.
The agent uses the cwagent user on Linux to run; ensure it has read permissions on log files.
For high-resolution metrics (1-second), you must set the metrics_collection_interval to 1 in the config file and the metric store resolution to 1 in the PutMetricData call (the agent does this automatically when interval is 1).
Cost: Detailed CloudWatch metrics (1-minute) and custom metrics incur additional charges. High-resolution metrics (1-second) cost more.
Common Exam Traps
Trap: Enhanced Monitoring provides OS-level metrics. Reality: It only provides hypervisor-level metrics at 1-minute granularity. For memory, disk, and process metrics, you need the CloudWatch Agent.
Trap: The CloudWatch Logs Agent is the same as the CloudWatch Agent. Reality: The CloudWatch Agent is the newer, unified agent that collects both metrics and logs. The old CloudWatch Logs Agent is deprecated.
Trap: You can get memory metrics from EC2 without any additional setup. Reality: Memory metrics are not available from the hypervisor; you must install the agent.
Trap: The agent automatically sends all possible metrics. Reality: You must configure what metrics to collect via the JSON config file.
Trap: The agent works only with EC2 instances. Reality: It works with on-premises servers too, using IAM user credentials.
Trap: The agent uses the default CloudWatch namespace 'AWS/EC2'. Reality: It uses the namespace 'CWAgent' by default, but you can customize it.
Detailed Configuration Example
Below is a sample configuration file that collects CPU, memory, disk, and network metrics every 60 seconds, and sends logs from /var/log/syslog:
{
  "agent": {
    "metrics_collection_interval": 60,
    "logfile": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log"
  },
  "metrics": {
    "namespace": "CWAgent",
    "metrics_collected": {
      "cpu": {
        "measurement": ["cpu_usage_idle", "cpu_usage_user", "cpu_usage_system"],
        "metrics_collection_interval": 60
      },
      "mem": {
        "measurement": ["mem_used_percent"],
        "metrics_collection_interval": 60
      },
      "disk": {
        "measurement": ["used_percent"],
        "resources": ["*"],
        "metrics_collection_interval": 60
      },
      "net": {
        "measurement": ["bytes_sent", "bytes_recv"],
        "metrics_collection_interval": 60
      }
    },
    "append_dimensions": {
      "InstanceId": "${aws:InstanceId}",
      "InstanceType": "${aws:InstanceType}"
    }
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/syslog",
            "log_group_name": "syslog",
            "log_stream_name": "{instance_id}",
            "timestamp_format": "%b %d %H:%M:%S"
          }
        ]
      }
    }
  }
}
Metrics Collected by Default vs. Agent
| Metric Category | Default EC2 Metrics (5-min) | Enhanced Monitoring (1-min) | CloudWatch Agent (OS-level) |
|-----------------|-----------------------------|-----------------------------|-----------------------------|
| CPU | CPUUtilization | CPUUtilization (1-min) | cpu_usage_idle, user, system, etc. |
| Network | NetworkIn, NetworkOut | Same (1-min) | bytes_sent, bytes_recv, packets, etc. |
| Disk I/O | DiskReadOps, DiskWriteOps | Same (1-min) | disk_io (per device) |
| Memory | Not available | Not available | mem_used_percent, mem_available, etc. |
| Disk Space | Not available | Not available | disk_used_percent, disk_free, etc. |
| Swap | Not available | Not available | swap_used_percent |
| Processes | Not available | Not available | procstat (if configured) |
| Logs | Not available | Not available | Log file collection |
High-Resolution Metrics
The CloudWatch Agent supports publishing metrics at sub-minute resolution (down to 1 second). To enable high-resolution metrics, set metrics_collection_interval to 1 in the configuration file. When you do this, the agent automatically calls PutMetricData with StorageResolution=1. Note that high-resolution metrics are stored for only 3 hours by default, but you can extend retention by defining a metric filter or using the API. Also, high-resolution metrics cost more.
IAM Permissions
The instance role must have at least the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    }
  ]
}
The managed policy CloudWatchAgentServerPolicy provides these permissions.
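An "AccessDenied" in the agent log usually means the instance role is missing one of the actions above. The checker below is an added example, not code from this page or from AWS: it evaluates whether a policy document grants the agent's six required actions, using a deliberately simplified subset of IAM logic (Action/NotAction with `*` wildcards and case-insensitive matching, explicit Deny overriding Allow; Resource and Condition are ignored, which is an assumption that only holds for policies like the `Resource: "*"` one shown). The three policy documents are constructed for the demo.

```python
"""Check whether an IAM policy grants the CloudWatch Agent's required actions (added example)."""
import fnmatch
import json

# The actions listed in the minimal policy above; CloudWatchAgentServerPolicy covers them all.
REQUIRED_ACTIONS = (
    "cloudwatch:PutMetricData",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams",
    "logs:DescribeLogGroups",
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
)

# Constructed sample policies for the demo.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
})
METRICS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"},
})
DENY_CREATE_GROUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["CloudWatch:*", "logs:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:CreateLogGroup", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list in Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) element includes `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate_policy(policy_json, required=REQUIRED_ACTIONS):
    """Classify each required action as allowed, missing, or explicitly denied.
    Simplified IAM evaluation: Deny wins; otherwise some Allow statement must match."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    result = {"allowed": [], "missing": [], "denied": []}
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements)
        if denied:
            result["denied"].append(action)
        elif allowed:
            result["allowed"].append(action)
        else:
            result["missing"].append(action)
    return result


def summarize(result):
    """Reduce the classification to the two questions that matter when troubleshooting."""
    logs_actions = [a for a in REQUIRED_ACTIONS if a.startswith("logs:")]
    return {
        "metrics_ok": "cloudwatch:PutMetricData" in result["allowed"],
        "logs_ok": all(a in result["allowed"] for a in logs_actions),
    }


if __name__ == "__main__":
    for name, doc in [("minimal", MINIMAL_POLICY), ("metrics-only", METRICS_ONLY_POLICY),
                      ("deny-create-group", DENY_CREATE_GROUP_POLICY)]:
        verdict = evaluate_policy(doc)
        print(name, summarize(verdict), "missing:", verdict["missing"], "denied:", verdict["denied"])
```

Running it prints that the minimal policy passes both checks, the metrics-only policy leaves every `logs:` action missing (metrics arrive, log streams never appear), and the third policy is blocked only on `logs:CreateLogGroup`, so the agent works as long as the log group already exists.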
Troubleshooting
Agent not sending metrics: Check the agent log file for errors. Verify IAM permissions. Ensure the configuration file is valid JSON.
Metrics not appearing in CloudWatch: Check the namespace (default is CWAgent). Wait a few minutes after starting the agent.
Logs not being sent: Verify the log file path exists and is readable by the cwagent user (Linux). Check timestamp format matches the log entries.
Agent fails to start: Run the fetch-config command with -s to stop and start. Check if the configuration file has syntax errors using jq or a JSON validator.
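Several of the checks above (valid JSON, a timestamp_format that really matches the log lines, the missing append_dimensions mentioned later in this chapter) and the high-resolution rule from the High-Resolution Metrics section can all be verified offline before fetch-config is ever run. The audit below is an added example, not part of this page or of the AWS agent. It assumes that any plugin whose effective interval is below 60 seconds is what makes the agent publish with StorageResolution=1, and that Python's strptime is a close enough stand-in for the agent's timestamp_format handling for the directives used here. The config and the log lines are constructed for the demo.

```python
"""Offline audit of a CloudWatch Agent JSON config (added example; assumptions noted inline)."""
import json
import re
from datetime import datetime

# Assumption: a plugin interval below 60 s is what triggers StorageResolution=1 (high-resolution).
HIGH_RES_THRESHOLD = 60

# strftime directives -> regex fragments used to find the timestamp at the start of a line.
# Assumption: the agent's timestamp_format behaves like strptime for these directives.
_DIRECTIVE_RE = {
    "%b": r"[A-Za-z]{3}", "%d": r"\d{1,2}", "%H": r"\d{2}", "%M": r"\d{2}",
    "%S": r"\d{2}", "%Y": r"\d{4}", "%m": r"\d{2}",
}

# Constructed sample config: cpu at 1 s, no namespace, no append_dimensions, two log files.
SAMPLE_CONFIG = """{
  "agent": {"metrics_collection_interval": 60},
  "metrics": {
    "metrics_collected": {
      "cpu": {"measurement": ["cpu_usage_idle"], "metrics_collection_interval": 1},
      "mem": {"measurement": ["mem_used_percent"]},
      "disk": {"measurement": ["used_percent"], "resources": ["*"]}
    }
  },
  "logs": {"logs_collected": {"files": {"collect_list": [
    {"file_path": "/var/log/syslog", "log_group_name": "syslog",
     "log_stream_name": "{instance_id}", "timestamp_format": "%b %d %H:%M:%S"},
    {"file_path": "/var/log/app.log", "log_group_name": "app",
     "log_stream_name": "{instance_id}", "timestamp_format": "%Y-%m-%d %H:%M:%S"}
  ]}}}
}"""

# Constructed sample lines, standing in for the first lines of each file.
SAMPLE_LOG_LINES = {
    "/var/log/syslog": ["Mar  5 14:02:11 ip-10-0-0-5 sshd[812]: Accepted publickey for ec2-user"],
    "/var/log/app.log": ["2024-03-05T14:02:11Z INFO worker started"],  # ISO 'T', format expects a space
}


def _format_to_regex(fmt):
    """Translate a strftime-style format into a regex anchored at the line start."""
    parts, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and fmt[i:i + 2] in _DIRECTIVE_RE:
            parts.append(_DIRECTIVE_RE[fmt[i:i + 2]])
            i += 2
        else:
            parts.append(r"\s+" if fmt[i].isspace() else re.escape(fmt[i]))
            i += 1
    return re.compile("".join(parts))


def timestamp_parses(fmt, line):
    """True if `line` begins with a timestamp that both matches and parses under `fmt`."""
    m = _format_to_regex(fmt).match(line)
    if not m:
        return False
    try:
        datetime.strptime(m.group(0), fmt)
        return True
    except ValueError:
        return False


def audit_config(config_text, sample_log_lines=None):
    """Return findings: errors (agent will not work), warnings, high-res plugins, namespace."""
    findings = {"errors": [], "warnings": [], "high_resolution": [], "namespace": None}
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        findings["errors"].append(f"invalid JSON: {exc}")  # fetch-config would reject this
        return findings
    agent_interval = cfg.get("agent", {}).get("metrics_collection_interval", 60)
    metrics = cfg.get("metrics", {})
    findings["namespace"] = metrics.get("namespace", "CWAgent")  # agent default when unset
    if not metrics and "logs" not in cfg:
        findings["errors"].append("neither metrics nor logs configured; the agent sends nothing")
    for plugin, settings in metrics.get("metrics_collected", {}).items():
        if settings.get("metrics_collection_interval", agent_interval) < HIGH_RES_THRESHOLD:
            findings["high_resolution"].append(plugin)  # billed at the high-resolution rate
    if metrics and "append_dimensions" not in metrics:
        findings["warnings"].append("no append_dimensions: metrics will not carry InstanceId")
    collect_list = cfg.get("logs", {}).get("logs_collected", {}).get("files", {}).get("collect_list", [])
    for entry in collect_list:
        path, fmt = entry.get("file_path"), entry.get("timestamp_format")
        if not path or not entry.get("log_group_name"):
            findings["errors"].append(f"collect_list entry lacks file_path or log_group_name: {entry}")
            continue
        for line in (sample_log_lines or {}).get(path, []):
            if fmt and not timestamp_parses(fmt, line):
                findings["warnings"].append(f"{path}: timestamp_format {fmt!r} does not match {line[:25]!r}")
                break
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_config(SAMPLE_CONFIG, SAMPLE_LOG_LINES), indent=2))
```

On the constructed input the audit reports `cpu` as the only high-resolution plugin, infers the `CWAgent` namespace, and raises two warnings: no append_dimensions, and an app.log timestamp_format that will not match lines written with an ISO `T` separator, which is the situation behind "logs not being sent" in the list above.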
Best Practices
Use SSM to deploy the agent at scale.
Use the configuration wizard to generate the initial config, then customize.
Monitor agent health by sending a heartbeat metric (e.g., a custom metric with value 1 every interval).
Set up CloudWatch alarms on key metrics like memory and disk usage.
For log collection, use log groups and streams logically (e.g., by instance ID or environment).
Regularly update the agent to the latest version.
Exam Objective Mapping
This content directly maps to SOA-C02 Domain 1: Monitoring, Objective 1.1: Implement monitoring and reporting. Specifically, you need to know:
How to configure EC2 detailed monitoring
How to install and configure the CloudWatch Agent
Which metrics require the agent vs. are available by default
How to use the agent for log collection
How to interpret metrics and create alarms
How to troubleshoot common monitoring issues
Identify Monitoring Requirements
First, determine what you need to monitor. If you only need hypervisor-level metrics (CPU, network, disk I/O) at 1-minute granularity, you can enable EC2 Detailed Monitoring without installing any agent. If you need OS-level metrics (memory, disk space, swap, processes) or custom application metrics, you must install the CloudWatch Agent. Also decide if you need log collection. This step is critical because many exam questions test whether you know when to use the agent versus simple detailed monitoring.
Create IAM Role with Permissions
For the CloudWatch Agent to send metrics and logs, the EC2 instance must have an IAM role with the appropriate permissions. The managed policy `CloudWatchAgentServerPolicy` grants `cloudwatch:PutMetricData`, `logs:PutLogEvents`, and other required actions. If you are using on-premises servers, create an IAM user with programmatic access and store the credentials in the agent's configuration file. Without proper permissions, the agent will fail to send data, which is a common exam trap.
Install the CloudWatch Agent
On Linux, use the package manager (yum, apt, etc.) to install the `amazon-cloudwatch-agent` package. On Windows, download and run the MSI installer. Alternatively, use AWS Systems Manager to install the agent at scale using the `AWS-ConfigureAWSPackage` document. The agent can also be installed on on-premises servers via the same package. After installation, the agent is not yet configured; you must provide a configuration file.
Configure the Agent Using Wizard or Manual JSON
Run the configuration wizard (`amazon-cloudwatch-agent-config-wizard`) to interactively create a JSON configuration file. The wizard asks what metrics to collect (CPU, memory, disk, network, etc.), the collection interval, and log file paths. Alternatively, you can manually write the JSON file. The configuration defines the metrics namespace (default `CWAgent`), metrics to collect, dimensions to append (e.g., InstanceId), and log collection settings. The wizard is recommended for first-time setup.
Start the Agent and Verify
Use the command `sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:<path-to-config>` to load the configuration and start the agent. The `-m ec2` tells the agent to use the instance's IAM role. Verify the agent is running with `-a status`. Check the agent log file for errors. Then go to the CloudWatch console and look for metrics under the `CWAgent` namespace (or custom namespace). Metrics should appear within a few minutes. For logs, check that log streams are created in the specified log group.
In a real-world enterprise, you might manage hundreds of EC2 instances running a critical web application. Without the CloudWatch Agent, you have no visibility into memory or disk usage. One common scenario is a memory leak in the application that causes instances to become unresponsive. Without agent-collected memory metrics, you would only see CPU utilization rise, which is a secondary effect. By installing the agent and setting an alarm on mem_used_percent > 90%, you can proactively detect the leak before it causes downtime. In production, you would deploy the agent via Systems Manager State Manager to ensure all instances have the same configuration. You would also collect logs from the application's log files to CloudWatch Logs for centralized troubleshooting. Another scenario is monitoring disk space on data nodes. If a server runs out of disk, it can fail. The agent collects disk_used_percent per device, allowing you to set an alarm at 80% to trigger an automatic scaling or cleanup process. A common misconfiguration is forgetting to append dimensions like InstanceId or InstanceType, making it hard to identify which instance the metric belongs to. Also, if you set the collection interval too low (e.g., 1 second) without understanding the cost implications, your monthly bill can spike. In large fleets, you should use the CWAgent namespace and organize metrics with tags. Finally, when troubleshooting, always check the agent log file at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log for errors like permission denied or invalid JSON.
The SOA-C02 exam tests your understanding of the CloudWatch Agent in several specific ways. First, you must know that memory metrics are NOT available by default or through Enhanced Monitoring. The exam will present a scenario where a SysOps admin needs to monitor memory usage, and the correct answer will be to install the CloudWatch Agent. A common wrong answer is 'Enable EC2 Detailed Monitoring' because candidates confuse detailed monitoring with OS-level metrics. Second, the exam tests the difference between the CloudWatch Agent and the deprecated CloudWatch Logs Agent. The agent is the unified solution. Third, you may be asked about IAM permissions: the CloudWatchAgentServerPolicy is the managed policy to use. Fourth, the exam tests configuration: you must know that the agent uses a JSON configuration file and that the wizard can generate it. Fifth, the exam may ask about high-resolution metrics: you must set metrics_collection_interval to 1 and understand the cost implications. Sixth, the exam tests log collection: the agent can collect logs from multiple paths, and you define log groups and streams in the config. Seventh, edge cases: if the agent is not sending metrics, check IAM permissions and the configuration file syntax. Also know that the agent can be used on on-premises servers with IAM user credentials. Finally, the exam may test the append_dimensions feature to add instance metadata as dimensions. The most common wrong answers are: (1) assuming Enhanced Monitoring gives memory metrics, (2) thinking the CloudWatch Logs Agent is the same, (3) forgetting to attach the IAM role, (4) thinking the agent automatically collects all metrics without configuration, and (5) confusing the agent with AWS Systems Manager Agent.
Memory and disk space metrics require the CloudWatch Agent; they are NOT available from EC2 hypervisor metrics or Enhanced Monitoring.
The CloudWatch Agent is the unified successor to the CloudWatch Logs Agent and the EC2Config service for Windows.
Use the `CloudWatchAgentServerPolicy` managed IAM policy for the instance role to allow the agent to publish metrics and logs.
The agent configuration is a JSON file; use the `amazon-cloudwatch-agent-config-wizard` to generate it interactively.
To start the agent with a config file, run: `sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:<path>`
High-resolution metrics (1-second) are enabled by setting `metrics_collection_interval` to 1 in the config; they incur higher costs.
The agent can be deployed at scale using AWS Systems Manager (SSM) with the `AWS-ConfigureAWSPackage` document.
For on-premises servers, use IAM user credentials instead of an instance role and specify `-m onPrem` when starting the agent.
The agent appends dimensions like InstanceId and InstanceType via the `append_dimensions` setting in the config.
Common troubleshooting steps: check the agent log file at `/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log`, verify IAM permissions, and validate JSON syntax.
These come up on the exam all the time. Here's how to tell them apart.
EC2 Default Monitoring
5-minute metric resolution
Free of charge
Only hypervisor-level metrics (CPU, network, disk I/O)
No memory, disk space, or process metrics
Enabled by default
EC2 Detailed Monitoring (Enhanced Monitoring)
1-minute metric resolution
Additional cost per metric
Same hypervisor-level metrics, just more granular
Still no OS-level metrics
Must be explicitly enabled per instance
CloudWatch Agent (Unified)
Collects both metrics and logs
Supports custom metrics and dimensions
Actively maintained and recommended
Works on EC2 and on-premises
Uses JSON configuration file
CloudWatch Logs Agent (Deprecated)
Collects logs only
No metric collection capability
Deprecated, no new features
EC2 only (via user data or manual install)
Uses config file with different format
CloudWatch Agent Metrics
Namespace: CWAgent (default)
Includes memory, disk space, swap, process stats
Configurable collection interval (down to 1 second)
Requires IAM permissions for PutMetricData
Cost based on number of custom metrics
EC2 Hypervisor Metrics
Namespace: AWS/EC2
Only CPU, network, disk I/O, status checks
Fixed 5-min or 1-min (if detailed monitoring enabled)
No additional IAM needed (uses instance metadata)
Cost only if detailed monitoring enabled
Mistake
EC2 Enhanced Monitoring provides memory and disk space metrics.
Correct
Enhanced Monitoring only provides hypervisor-level metrics (CPU, network, disk I/O) at 1-minute granularity. Memory and disk space are OS-level metrics that require the CloudWatch Agent.
Mistake
The CloudWatch Agent and CloudWatch Logs Agent are the same thing.
Correct
The CloudWatch Agent is the newer, unified agent that collects both metrics and logs. The CloudWatch Logs Agent is deprecated and only collects logs. You should use the CloudWatch Agent for new deployments.
Mistake
The agent automatically sends all possible OS metrics without configuration.
Correct
You must specify which metrics to collect in the JSON configuration file. The agent does not collect anything until configured.
Mistake
The agent only works on EC2 instances.
Correct
The CloudWatch Agent can also be installed on on-premises servers. For on-premises, you use IAM user credentials instead of an instance role.
Mistake
Detailed monitoring (1-minute) is free.
Correct
Detailed monitoring incurs additional charges per metric per month. High-resolution metrics (1-second) cost even more. Always consider cost when enabling detailed monitoring or custom metrics.
You must install the CloudWatch Agent on the instance. Memory is an OS-level metric that is not available from the EC2 hypervisor. After installing the agent, configure it to collect the `mem` metrics (e.g., `mem_used_percent`). The agent will send these metrics to CloudWatch under the `CWAgent` namespace. Then you can create CloudWatch alarms on memory usage. For exam purposes, remember that Enhanced Monitoring does NOT provide memory metrics.
The CloudWatch Agent is the newer, unified agent that collects both metrics and logs. The CloudWatch Logs Agent is deprecated and only collects logs. For any new deployment, you should use the CloudWatch Agent. The agent uses a JSON configuration file, while the logs agent used a different config format. The agent also supports on-premises servers and custom metrics.
Use AWS Systems Manager (SSM). First, ensure the instances have the SSM Agent installed and an IAM role that allows SSM actions. Then use the `AWS-ConfigureAWSPackage` document to install the CloudWatch Agent. You can also use State Manager to associate a configuration document that installs and configures the agent. Alternatively, you can use a custom AMI with the agent pre-installed.
The agent needs permissions to call `cloudwatch:PutMetricData` and `logs:PutLogEvents`, `logs:CreateLogStream`, `logs:CreateLogGroup`, `logs:DescribeLogStreams`, and `logs:DescribeLogGroups`. The easiest way is to attach the `CloudWatchAgentServerPolicy` managed policy to the instance's IAM role. For on-premises, create an IAM user with these permissions and configure the agent with the access key and secret key.
Yes. The CloudWatch Agent can be installed on Linux or Windows servers running on-premises. Instead of using an IAM role, you create an IAM user with programmatic access and store the credentials in the agent's configuration file. When starting the agent, use `-m onPrem` instead of `-m ec2`. The agent will then send metrics and logs to CloudWatch just like it does for EC2 instances.
The default namespace is `CWAgent`. You can change it by setting the `namespace` field in the `metrics` section of the configuration file. The EC2 hypervisor metrics use the namespace `AWS/EC2`. Always check the namespace when looking for agent-collected metrics in the CloudWatch console.
First, check the agent log file at `/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log` on Linux or `C:\ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log` on Windows. Look for errors like "AccessDenied" (IAM issue) or "invalid config" (JSON syntax). Verify the IAM role has the correct permissions. Ensure the agent is running with `sudo systemctl status amazon-cloudwatch-agent`. Check that the configuration file is valid JSON and that the metrics collection interval has passed. Also verify that the instance has network connectivity to CloudWatch endpoints.