CloudWatch logs not showing RDS metrics after enabling enhanced monitoring on AWS RDS instance

We enabled enhanced monitoring on our RDS PostgreSQL instance yesterday to get more granular OS-level metrics, but CloudWatch is still only showing the basic database metrics. The enhanced monitoring toggle shows as enabled in the RDS console, and we’ve verified the IAM role is attached to the instance. We’re expecting to see process and thread metrics but they’re simply not appearing in CloudWatch logs.

Our monitoring IAM role has these policies:
aws rds modify-db-instance --db-instance-identifier prod-db \
  --monitoring-interval 60 \
  --monitoring-role-arn arn:aws:iam::123456789:role/rds-monitoring

The command executed successfully but still no enhanced metrics after 3 hours. Are we missing something in the CloudWatch agent configuration or IAM permissions?

The log group should be auto-created. This usually means the monitoring role lacks permissions to write to CloudWatch Logs. Your IAM role needs the AmazonRDSEnhancedMonitoringRole managed policy or equivalent permissions. Check if your custom role has logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents actions. Also verify the trust relationship allows rds.amazonaws.com to assume the role. I’ve seen cases where the role was attached but the trust policy was misconfigured.

I see you’ve found the issue, but wanted to add some details for anyone else hitting this. Enhanced monitoring data appears in CloudWatch Logs at the path /aws/rds/instance/{instance-name}/Enhanced_Monitoring with log streams named by timestamp.

For proper setup, your monitoring IAM role needs three components:

  1. IAM Permissions - Either attach the AWS managed policy AmazonRDSEnhancedMonitoringRole or create a custom policy with:
{
  "Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
  "Resource": "arn:aws:logs:*:*:log-group:/aws/rds/*"
}
  2. Trust Relationship - The role must allow the monitoring.rds.amazonaws.com service to assume it:
{
  "Effect": "Allow",
  "Principal": {"Service": "monitoring.rds.amazonaws.com"},
  "Action": "sts:AssumeRole"
}
  3. RDS Configuration - Enable with a monitoring interval (1, 5, 10, 15, 30, or 60 seconds).

Common issues beyond missing permissions include wrong region in role ARN, monitoring interval set to 0 (disabled), or CloudWatch agent not configured if you want custom metrics integration. The enhanced monitoring data includes 50+ OS metrics like CPU utilization per process, memory breakdown, disk I/O, and network stats that standard CloudWatch metrics don’t provide.

To query this data programmatically, use CloudWatch Logs Insights with the log group as source. The JSON structure includes processName, cpuUsedPc, memoryUsedPc fields that are very useful for performance analysis. Set up metric filters on these logs if you want to create CloudWatch alarms on enhanced metrics.

That was it! The role had monitoring permissions but was missing CloudWatch Logs write permissions. We had created a custom role instead of using the AWS managed policy. After adding the logs permissions, the log group appeared within minutes and metrics started flowing.

Quick tip - you can also use the AWS CLI to validate the role before applying it. Run aws iam get-role --role-name rds-monitoring and check the trust policy, then aws iam list-attached-role-policies to see what’s attached. Saves time troubleshooting after the fact.
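The two checks this thread converges on (the trust relationship for monitoring.rds.amazonaws.com and the three CloudWatch Logs write actions), plus the tip above about validating the role with aws iam get-role, as an added example that is not part of the thread: a small Python script that evaluates a role's trust policy and permission documents offline. The policy documents are constructed samples; in practice they would be the JSON returned by aws iam get-role and aws iam get-role-policy or aws iam get-policy-version.

```python
# Added example, not from the thread: offline checks for an RDS Enhanced Monitoring role.
# The policy documents are constructed samples standing in for `aws iam get-role` output.
REQUIRED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}
MONITORING_PRINCIPAL = "monitoring.rds.amazonaws.com"

def _as_list(value):
    """IAM lets Statement, Action and Principal.Service be a single string or a list."""
    return value if isinstance(value, list) else [value]

def trust_allows_rds_monitoring(trust_doc):
    """True if an Allow statement lets monitoring.rds.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_doc.get("Statement", [])):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt.get("Effect") == "Allow" and MONITORING_PRINCIPAL in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False

def missing_log_actions(policy_docs):
    """Required logs:* actions that no Allow statement grants ('*' and 'logs:*' count as
    grants; Deny and NotAction statements are not evaluated by this simple check)."""
    granted = set()
    for stmt in (s for doc in policy_docs for s in _as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            granted |= REQUIRED_ACTIONS if action in ("*", "logs:*") else {action}
    return sorted(REQUIRED_ACTIONS - granted)

def diagnose(trust_doc, policy_docs):
    """Reasons the role cannot deliver Enhanced Monitoring data; an empty list means OK."""
    problems = []
    if not trust_allows_rds_monitoring(trust_doc):
        problems.append(f"trust policy does not let {MONITORING_PRINCIPAL} assume the role")
    return problems + [f"missing permission {a}" for a in missing_log_actions(policy_docs)]

# Constructed samples: a custom role like the one in the question (wrong service
# principal, no CloudWatch Logs actions) and the corrected role from the answers.
BROKEN_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": "rds.amazonaws.com"}}]}
BROKEN_POLICIES = [{"Statement": [{"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"}]}]
FIXED_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"Service": MONITORING_PRINCIPAL}}]}
FIXED_POLICIES = [{"Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS),
                                  "Resource": "arn:aws:logs:*:*:log-group:/aws/rds/*"}]}]

if __name__ == "__main__":
    print("broken:", diagnose(BROKEN_TRUST, BROKEN_POLICIES))
    print("fixed:", diagnose(FIXED_TRUST, FIXED_POLICIES) or "OK")
```

The script only reads policy documents, so it can be run against the JSON saved from the CLI commands in the tip above before the role is ever attached to an instance.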