Greengrass edge monitoring metrics not updating in CloudWatch, missing device health data

Our Greengrass v2 edge devices stopped sending monitoring metrics to CloudWatch three days ago. The devices are operational and processing data normally, but CloudWatch dashboards show no new metrics since April 5th.

Greengrass CloudWatch integration was working fine for two months. Checking the Greengrass logs shows attempts to publish metrics but failures:

CloudWatch metrics publish failed
HTTP 403: Access Denied
Endpoint: monitoring.us-west-2.amazonaws.com

IAM role permissions haven’t changed recently according to CloudTrail. The metric publishing endpoint appears correct. We need visibility back for our edge fleet monitoring. Has anyone experienced CloudWatch integration suddenly breaking without configuration changes?

HTTP 403 from CloudWatch typically means IAM permissions issue even if the role itself hasn’t changed. Check if the IAM role’s trust relationship is still valid. Sometimes AWS service updates require trust policy updates. Also verify the Greengrass core device role has cloudwatch:PutMetricData permission.

I’d also check if your IAM role has resource-level restrictions. If the policy limits cloudwatch:PutMetricData to specific metric namespaces and Greengrass changed its namespace format in a recent update, that would cause 403 errors. Look at the Resource field in your IAM policy - it might be too restrictive. Greengrass v2 uses AWS/Greengrass namespace by default.

Good suggestions. Checked the IAM role trust relationship and it looks correct - it trusts credentials.iot.amazonaws.com as required. The policy does have cloudwatch:PutMetricData but I see it’s restricted to Resource: arn:aws:cloudwatch:::metric/CustomMetrics/*. That could be the issue if Greengrass uses AWS/Greengrass namespace. Would that restriction block Greengrass system metrics?

I’ll provide the complete solution addressing all three focus areas:

Greengrass CloudWatch Integration: Greengrass v2 publishes system metrics through the aws.greengrass.Telemetry component. Verify this component is deployed and running:

sudo /greengrass/v2/bin/greengrass-cli component list
# Check aws.greengrass.Telemetry status

The component configuration should specify CloudWatch as the telemetry destination. Check component config:

{
  "telemetryPublisher": "CloudWatch",
  "publishInterval": "300",
  "metricsNamespace": "AWS/Greengrass"
}

IAM Role Permissions: Your IAM role has an incorrect Resource restriction. CloudWatch PutMetricData doesn’t use namespace in the Resource ARN. Update your IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "cloudwatch:PutMetricData",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "cloudwatch:namespace": [
          "AWS/Greengrass",
          "CustomMetrics"
        ]
      }
    }
  }]
}

The Token Exchange Service (TES) role must also have these permissions. Verify TES role:

aws iot describe-role-alias --role-alias GreengrassCoreTokenExchangeRoleAlias

Ensure the role referenced has the CloudWatch policy attached.

Metric Publishing Endpoint: Verify the Greengrass core device can reach the CloudWatch endpoint. Test connectivity:

curl -I https://monitoring.us-west-2.amazonaws.com

If using VPC endpoints, ensure the endpoint policy allows cloudwatch:PutMetricData:

{
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "cloudwatch:PutMetricData",
    "Resource": "*"
  }]
}

Resolution Steps:

  1. Update IAM policy to remove incorrect Resource restriction
  2. Use Condition block with cloudwatch:namespace instead
  3. Verify TES role has same permissions
  4. Restart Greengrass core to pick up new credentials:
     sudo systemctl restart greengrass
  5. Monitor Greengrass logs for successful metric publishing:
     sudo tail -f /greengrass/v2/logs/aws.greengrass.Telemetry.log
  6. Check CloudWatch console after 5-10 minutes for metrics in AWS/Greengrass namespace

The root cause is the Resource restriction in your IAM policy using an invalid ARN format for CloudWatch metrics. Metrics should appear in CloudWatch within 10 minutes of applying the corrected IAM policy and restarting Greengrass.
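As an added example (not posted by anyone in this thread), a small Python model of how IAM evaluates the two policies discussed above: the OP's metric-ARN-scoped policy and the corrected wildcard-plus-namespace-condition policy. It assumes the IAM rule that cloudwatch:PutMetricData has no resource-level ARN, which is modelled here as the request presenting only the wildcard resource; the evaluator itself is a deliberately reduced model (Allow/Deny, globbing, StringEquals only), not AWS's engine.

```python
"""Toy IAM evaluator for cloudwatch:PutMetricData (added example, not from the thread)."""
import fnmatch

# PutMetricData supports no resource-level ARN: the request resource is the wildcard,
# so a Resource pattern narrower than "*" never matches and IAM falls back to deny.
PUT_METRIC_REQUEST_RESOURCE = "*"

# Policy as the OP described it (constructed from the thread).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "cloudwatch:PutMetricData",
    "Resource": "arn:aws:cloudwatch:::metric/CustomMetrics/*",
}]}

# Corrected policy from the thread: wildcard Resource, scoped by the namespace condition.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "cloudwatch:PutMetricData",
    "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": ["AWS/Greengrass", "CustomMetrics"]}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, context):
    """Action/Resource use IAM-style * globbing; only StringEquals conditions are modelled."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def is_allowed(policy, action, namespace):
    """Explicit Deny wins, any matching Allow grants, otherwise implicit deny (the 403)."""
    context = {"cloudwatch:namespace": namespace}
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt, action, PUT_METRIC_REQUEST_RESOURCE, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running the broken policy through it denies every namespace, including CustomMetrics, which matches the thread's observation that the ARN restriction blocks all submissions rather than just the Greengrass ones.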

James is right about the ARN format issue. However, instead of using Resource: “*”, you can scope it properly using Condition blocks with cloudwatch:namespace. That maintains security while allowing Greengrass metrics. Check your Greengrass component configuration too - the telemetry component might need the correct CloudWatch endpoint configured for your region.

Another thing to verify - make sure the Greengrass Token Exchange Service role has the necessary permissions. That’s separate from the component-level IAM role and handles credential vending for AWS service calls including CloudWatch. The TES role needs both cloudwatch:PutMetricData and logs:CreateLogStream permissions.

Yes, that Resource restriction is definitely your problem. CloudWatch metric ARN format doesn’t include the namespace in the Resource field the way you have it configured. The correct format for allowing Greengrass metrics is to use Resource: “*” for cloudwatch:PutMetricData or remove the Resource restriction entirely. CloudWatch uses the namespace parameter in the API call, not in the ARN. Your current policy is likely blocking all metric submissions because the ARN format doesn’t match. This probably broke when someone tightened IAM policies thinking they were improving security.