skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aws/agent-toolkit-for-aws747 installs

querying-aws-cloudwatch

Runs SQL queries on CloudWatch Logs data exported as Apache Iceberg tables in S3 Tables. Covers VPC Flow Logs, WAF logs, CloudFront access logs, Route 53 resolver logs, Network Firewall logs, EKS audit logs, Verified Access logs, SES logs, VPC Lattice logs, Step Functions logs, NLB access logs, and 20+ other AWS vended data sources. Applies when analyzing network traffic, investigating security incidents, querying exported logs with SQL, enabling S3 Tables integration, configuring log export, correlating logs with other data, or running Athena queries on the aws-cloudwatch table bucket. Trigger phrases: query logs with SQL, analyze logs in Athena, SQL on VPC flow logs, investigate network traffic, run SQL on exported logs, enable S3 Tables for CloudWatch, correlate logs, historical log analysis, set up log querying.

How do I install this agent skill?

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill querying-aws-cloudwatch
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill provides safe and well-documented instructions for querying AWS CloudWatch Logs using SQL through Amazon Athena and S3 Tables. It includes security best practices for IAM configuration and permission management.

  • Socketpass

    No alerts

  • Snykwarn

    Risk: MEDIUM · 1 issue

What does this agent skill do?

Query AWS CloudWatch System Tables

Overview

Works best with the AWS MCP server for sandboxed execution and audit logging. All commands below use the AWS CLI and work in any environment with configured AWS credentials.

The CloudWatch Logs S3 Tables integration exports log data as Apache Iceberg tables in the AWS-managed aws-cloudwatch table bucket. This enables SQL analysis via Amazon Athena and correlation of log data with non-CloudWatch data (S3 metadata, business tables, etc.). Available at no additional storage charge beyond CloudWatch ingestion pricing.

Decision Tree

User intentUse this skill?Alternative
Run SQL across large volumes of log dataYes
Correlate logs with S3 metadata or other tablesYes — join across catalogs
Quick log search / pattern matchingNoCloudWatch Logs Insights (faster for ad-hoc)
Real-time log streaming/tailingNoCloudWatch Logs console or logs filter-log-events
Set up alarms on log patternsNoCloudWatch Metric Filters / Alarms
Query historical logs before integration was enabledNoCloudWatch Logs (no backfill in S3 Tables)

Supported Data Sources

The following data sources are available through the S3 Tables integration. Each data source has a namespace pattern used in SQL queries. Not all AWS vended data sources may be available in all Regions; check the CloudWatch console Data Sources tab for current availability.

Data SourceNamespace patternCommon use case
VPC Flow Logsamazon_vpc__flowNetwork traffic analysis, rejected connections
WAF Logsaws_waf__logsBlocked requests, rule hit analysis
CloudFront Access Logsamazon_cloudfront__accessCDN traffic patterns, error rates
Route 53 Resolver Query Logsamazon_route53resolver__queryDNS query analysis
Network Firewall Logsaws_networkfirewall__logsFirewall rule hits, dropped traffic
EKS Audit Logsamazon_eks__auditKubernetes API audit trail
Verified Access Logsamazon_verifiedaccess__logsZero-trust access decisions
SES Mail Logsamazon_ses__mailEmail delivery/bounce tracking
VPC Lattice Access Logsamazon_vpclattice__accessService-to-service access patterns
Step Functions Logsaws_stepfunctions__logsWorkflow execution debugging
Global Accelerator Flow Logsaws_globalaccelerator__flowGlobal network traffic
NLB Access Logselastic_load_balancing__nlb_accessLoad balancer request tracing
Shield Logsaws_shield__logsDDoS mitigation events
Cognito Logsamazon_cognito__logsAuth/identity operations
ElastiCache Logsamazon_elasticache__logsRedis slow log, engine log
SageMaker Logsamazon_sagemaker__logsML training/inference events
WorkMail Audit Logsamazon_workmail__auditEmail security/compliance
Bedrock Agent Logsaws_bedrock_agent_core__logsAI agent invocations
Client VPN Logsaws_client_vpn__connectionsVPN connection tracking
Entity Resolution Logsaws_entity_resolution__logsRecord matching operations
MediaPackage Access Logsaws_elemental_mediapackage__accessStreaming delivery metrics
MediaTailor Logsaws_elemental_mediatailor__logsAd insertion events
Transfer Family Logsaws_transfer_family__logsSFTP/FTPS file transfer tracking
Site-to-Site VPN Logsaws_site_to_site_vpn__logsVPN tunnel diagnostics

Note: This table lists the 24 most commonly queried data sources. The integration supports 43+ AWS vended data sources in total. Use list-namespaces on the aws-cloudwatch bucket to discover all available data sources in your account. Namespace patterns follow the convention <service>__<type>.

Common Tasks

1. Check If Configured

# Check if the aws-cloudwatch table bucket exists
aws s3tables list-table-buckets --region <REGION> \
  --query "tableBuckets[?name=='aws-cloudwatch']"
  • Empty result → integration not enabled. Guide user through setup.
  • Bucket exists but no namespaces → integration enabled but no log data yet (only captures events after association).

List available tables:

aws s3tables list-namespaces --table-bucket-arn arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/aws-cloudwatch --region <REGION>

aws s3tables list-tables --table-bucket-arn arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/aws-cloudwatch --namespace <NAMESPACE> --region <REGION>

2. Enable / Configure

Create integration:

aws observabilityadmin create-s3-table-integration \
  --region <REGION> \
  --encryption '{"SseAlgorithm": "aws:kms", "KmsKeyArn": "<KMS_KEY_ARN>"}' \
  --role-arn <SERVICE_ROLE_ARN>

Associate a specific data source (recommended):

aws logs associate-source-to-s3-table-integration \
  --region <REGION> \
  --integration-arn <INTEGRATION_ARN> \
  --data-source '{"name": "<source-name>", "type": "<source-type>"}'

Associate all data sources (wildcard):

⚠️ Warning: Wildcard association delivers all current and future data sources to S3 Tables. Use specific associations for tighter control over what log data lands in queryable tables.

aws logs associate-source-to-s3-table-integration \
  --region <REGION> \
  --integration-arn <INTEGRATION_ARN> \
  --data-source '{"name": "*", "type": "*"}'

For IAM requirements (service role trust policy, permissions policy, condition keys), see Security Considerations below.

3. Verify Permissions for Querying

Requires:

  • S3 Tables federated catalog registered in Glue (s3tablescatalog)
  • Lake Formation SELECT + DESCRIBE grants on the table (or IAM-only mode in supported regions)
  • Athena execution permissions

Grant access:

aws lakeformation grant-permissions \
  --principal DataLakePrincipalIdentifier=<ROLE_ARN> \
  --resource '{"Table": {"CatalogId": "<ACCOUNT>:s3tablescatalog/aws-cloudwatch", "DatabaseName": "<NAMESPACE>", "Name": "<TABLE>"}}' \
  --permissions DESCRIBE SELECT \
  --region <REGION>

4. Query

Query syntax:

"s3tablescatalog/aws-cloudwatch"."<namespace>"."<table>"

Constraints:

  • You MUST ALWAYS run get-tables on the target namespace and include the command in your response before writing any SQL query — schemas vary by data source. Never skip this step even if you already know the likely schema. Run get-tables once on the target namespace (one call returns all tables + columns + types + descriptions):

    aws glue get-tables --catalog-id "<ACCOUNT>:s3tablescatalog/aws-cloudwatch" --database-name "<namespace>" --region <REGION>
    
  • You MUST confirm workgroup and output location before executing

  • You MUST inform user that only logs received after association are available (no backfill)

Example — VPC Flow Logs rejected traffic:

SELECT srcaddr, dstaddr, dstport, protocol, packets, bytes
FROM "s3tablescatalog/aws-cloudwatch"."amazon_vpc__flow"."<table>"
WHERE action = 'REJECT'
ORDER BY bytes DESC
LIMIT 50;

Example — WAF blocked requests:

SELECT timestamp, action, terminatingRuleId, httpSourceId
FROM "s3tablescatalog/aws-cloudwatch"."aws_waf__logs"."<table>"
WHERE action = 'BLOCK'
ORDER BY timestamp DESC
LIMIT 50;

Example — correlate VPC Flow Logs with S3 object metadata:

SELECT f.srcaddr, f.dstaddr, f.bytes, j.key, j.record_type
FROM "s3tablescatalog/aws-cloudwatch"."amazon_vpc__flow"."<table>" f
JOIN "s3tablescatalog/aws-s3"."b_<bucket>"."journal" j
  ON f.srcaddr = j.source_ip_address
WHERE j.record_type = 'CREATE'
  AND f.action = 'ACCEPT';

Key Behaviors

  • No backfill — only new log events after association are delivered to S3 Tables
  • Retention follows log group — when log group retention expires, data is removed from the table
  • Deleting a log group removes its data from the S3 table
  • No additional storage charge — included in CloudWatch pricing
  • Schemas are per-data-source — always run get-tables on the target namespace before building complex queries

Troubleshooting

ErrorCauseFix
aws-cloudwatch bucket not foundIntegration not createdRun create-s3-table-integration
Bucket exists but no namespacesNo data sources associated, or no log traffic since associationAssociate sources; generate traffic
CATALOG_NOT_FOUND in AthenaS3 Tables not registered in GlueEnable integration: S3 console > Table buckets > Enable integration
AccessDenied on queryMissing Lake Formation grants or IAM permissionsSee Security Considerations below
Empty resultsLogs only flow after association; no backfillConfirm association exists and log source is actively generating data
Schema mismatch / column not foundLog type schema updated by AWSRun get-tables on the namespace to get current columns

Security Considerations

Service Role Trust Policy

The service role must allow logs.amazonaws.com to assume it. Always include aws:SourceAccount and aws:SourceArn condition keys to prevent confused deputy attacks:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<ACCOUNT>"
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:<REGION>:<ACCOUNT>:log-group:<LOG_GROUP_NAME>"]
                }
            }
        }
    ]
}

Service Role Permissions Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:integrateWithS3Table"],
            "Resource": ["arn:aws:logs:<REGION>:<ACCOUNT>:log-group:<LOG_GROUP_NAME>"],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "<ACCOUNT>"
                }
            }
        }
    ]
}

KMS Key Policy (for encrypted data)

If using a customer managed KMS key, grant both service principals access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableSystemTablesKeyUsage",
            "Effect": "Allow",
            "Principal": {"Service": "systemtables.cloudwatch.amazonaws.com"},
            "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY_ID>",
            "Condition": {"StringEquals": {"aws:SourceAccount": "<ACCOUNT>"}}
        },
        {
            "Sid": "EnableS3TablesMaintenanceKeyUsage",
            "Effect": "Allow",
            "Principal": {"Service": "maintenance.s3tables.amazonaws.com"},
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY_ID>",
            "Condition": {"StringLike": {"kms:EncryptionContext:aws:s3:arn": "<TABLE_OR_TABLE_BUCKET_ARN>/*"}}
        }
    ]
}

Data Sensitivity

Log data may contain PII including IP addresses, user agents, request parameters, and authentication tokens. Treat all exported log tables as sensitive by default.

Access Control Best Practices

  • Use Lake Formation column-level security to restrict access to sensitive columns (e.g., srcaddr, source_ip_address, httpRequest). Grant permissions to specific tables and columns rather than wildcards.
  • Configure SSE-KMS encryption on the Athena workgroup output bucket to protect query results at rest.
  • Prefer specific data source associations over wildcard (*/*) to limit which data sources are exported to queryable tables.

Audit Trail

Enable CloudTrail logging for Athena (StartQueryExecution, GetQueryResults) and Lake Formation (GrantPermissions, RevokePermissions) API calls to maintain an audit trail of who queried what data.

Additional Resources

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aws/agent-toolkit-for-aws/querying-aws-cloudwatch">View querying-aws-cloudwatch on skillZs</a>