Accessing servers via SSH or RDP just to install or configure monitoring agents isn’t scalable or secure. Luckily, with AWS Systems Manager (SSM), you can manage both Windows and Linux instances without ever opening SSH or RDP.
In this guide, we’ll:
- Configure CloudWatch Agent on Linux and Windows without terminal access.
- Store agent configuration in Parameter Store.
- Push custom metrics into CloudWatch under a custom namespace.
Why Go SSH-Free?
- No inbound ports → Security hardened (no 22/3389 open).
- Centralized configuration → Store CloudWatch Agent config in Parameter Store.
- Cross-platform support → Works across Linux & Windows.
- Auditable → All actions logged in CloudTrail.
Step 1: Prerequisites
- EC2 instances (Linux or Windows) running in AWS.
- SSM Agent installed (preinstalled on Amazon Linux 2, Ubuntu 20.04+, Windows Server 2016+).
- IAM Role attached to instances with:
  - AmazonSSMManagedInstanceCore
  - CloudWatchAgentServerPolicy
Step 2: Create CloudWatch Agent Config (JSON)
Here’s an example config for Linux:
{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "root"
  },
  "metrics": {
    "namespace": "DDCWAgent",
    "append_dimensions": {
      "InstanceId": "${aws:InstanceId}"
    },
    "metrics_collected": {
      "cpu": {
        "measurement": [
          "cpu_usage_idle",
          "cpu_usage_user",
          "cpu_usage_system"
        ],
        "metrics_collection_interval": 60,
        "totalcpu": true
      },
      "mem": {
        "measurement": [
          "mem_used_percent"
        ],
        "metrics_collection_interval": 60
      },
      "disk": {
        "measurement": [
          "used_percent"
        ],
        "metrics_collection_interval": 60,
        "resources": [
          "/"
        ]
      },
      "netstat": {
        "measurement": [
          "tcp_established",
          "tcp_time_wait"
        ],
        "metrics_collection_interval": 60
      },
      "statsd": {
        "service_address": ":8125",
        "metrics_collection_interval": 60
      }
    }
  }
}
Example config for Windows. The CPU counters sit under the Windows performance object name Processor with the _Total instance, and run_as_user is left out because the agent honours it only on Linux:
{
  "agent": {
    "metrics_collection_interval": 60
  },
  "metrics": {
    "namespace": "DDCWAgent",
    "append_dimensions": {
      "InstanceId": "${aws:InstanceId}"
    },
    "aggregation_dimensions": [
      ["InstanceId"]
    ],
    "metrics_collected": {
      "LogicalDisk": {
        "measurement": [
          "% Free Space",
          "Free Megabytes"
        ],
        "resources": [
          "*"
        ],
        "metrics_collection_interval": 60
      },
      "Memory": {
        "measurement": [
          "% Committed Bytes In Use",
          "Available MBytes"
        ],
        "metrics_collection_interval": 60
      },
      "Paging File": {
        "measurement": [
          "% Usage"
        ],
        "metrics_collection_interval": 60
      },
      "Processor": {
        "measurement": [
          "% Idle Time",
          "% Interrupt Time",
          "% Privileged Time",
          "% User Time",
          "% Processor Time"
        ],
        "resources": [
          "_Total"
        ],
        "metrics_collection_interval": 60
      }
    }
  }
}
Step 3: Store Config in Parameter Store
- Go to AWS Console → Systems Manager → Parameter Store → Create parameter.
- Name: /CloudWatch/AgentConfig/Linux (you can create separate ones for Windows) using the configs above.
- Type: String or StringList.
- Value: Paste the JSON from above.
Repeat for Windows if needed:
/CloudWatch/AgentConfig/Windows
Step 4: Install CloudWatch Agent via SSM
Still without SSH:
- Go to Systems Manager → Run Command.
- Choose AWS-ConfigureAWSPackage document.
- Targets → Select your EC2 instances.
- Action → Install.
- Name → AmazonCloudWatchAgent.
This installs the CloudWatch Agent silently.
Step 5: Apply Config from Parameter Store
Now apply the JSON you stored earlier.
- Go to Run Command again.
- Select AmazonCloudWatch-ManageAgent document.
- Choose your instances.
- Under “Mode” → ec2.
- Under “Optional configuration location” → enter your Parameter Store path:
  - Linux: /CloudWatch/AgentConfig/Linux
  - Windows: /CloudWatch/AgentConfig/Windows
- Click Run.
The agent will fetch its configuration from Parameter Store and start pushing metrics.
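Steps 3 to 5 can also be scripted, which makes the rollout repeatable and reviewable. The sketch below is an added example, not code from the original post: it builds the boto3 `put_parameter` and `send_command` requests matching the console choices above and waits for the install to finish before configuring. The instance ID is a placeholder, the sample config is constructed, and the caller is assumed to have credentials allowed to call SSM.

```python
import json

STANDARD_TIER_LIMIT = 4096  # max characters in a standard-tier parameter value

def put_parameter_request(name, config):
    """Step 3: build ssm.put_parameter arguments from an agent config dict."""
    value = json.dumps(config, separators=(",", ":"))  # minified JSON
    if len(value) > STANDARD_TIER_LIMIT:
        raise ValueError(f"{name}: {len(value)} characters exceeds the standard tier")
    if not config.get("metrics", {}).get("namespace"):
        raise ValueError(f"{name}: metrics.namespace is missing")
    return {"Name": name, "Value": value, "Type": "String", "Overwrite": True}

def install_request(instance_ids):
    """Step 4: AWS-ConfigureAWSPackage with Action=Install."""
    return {"DocumentName": "AWS-ConfigureAWSPackage",
            "InstanceIds": list(instance_ids),
            "Parameters": {"action": ["Install"],
                           "name": ["AmazonCloudWatchAgent"]}}

def configure_request(instance_ids, parameter_name):
    """Step 5: AmazonCloudWatch-ManageAgent reading the config from Parameter Store."""
    return {"DocumentName": "AmazonCloudWatch-ManageAgent",
            "InstanceIds": list(instance_ids),
            "Parameters": {"action": ["configure"], "mode": ["ec2"],
                           "optionalConfigurationSource": ["ssm"],
                           "optionalConfigurationLocation": [parameter_name],
                           "optionalRestart": ["yes"]}}

def rollout(ssm, instance_ids, parameter_name, config):
    """Run Steps 3-5 in order; `ssm` is a boto3 SSM client. Returns command IDs."""
    ssm.put_parameter(**put_parameter_request(parameter_name, config))
    waiter = ssm.get_waiter("command_executed")
    command_ids = []
    for request in (install_request(instance_ids),
                    configure_request(instance_ids, parameter_name)):
        command_id = ssm.send_command(**request)["Command"]["CommandId"]
        for instance_id in instance_ids:  # finish the install before configuring
            waiter.wait(CommandId=command_id, InstanceId=instance_id)
        command_ids.append(command_id)
    return command_ids

if __name__ == "__main__":
    import boto3  # needs AWS credentials allowed to call SSM
    sample = {"metrics": {"namespace": "DDCWAgent", "metrics_collected": {
        "mem": {"measurement": ["mem_used_percent"]}}}}  # constructed, trimmed config
    print(rollout(boto3.client("ssm"), ["i-0123456789abcdef0"],  # placeholder ID
                  "/CloudWatch/AgentConfig/Linux", sample))
```

Both API calls are recorded in CloudTrail under the caller's identity, the same audit trail the console steps produce.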
Step 6: Verify Custom Metrics
- Open CloudWatch Console → Metrics.
- Look for the namespace DDCWAgent.
- You should see system metrics and your custom metrics under your defined namespace.
Conclusion
By combining SSM + Parameter Store + CloudWatch Agent, you can:
- Manage agents without SSH/RDP.
- Centrally store configurations.
- Collect both system and custom metrics in CloudWatch.
This approach reduces operational overhead while improving security and observability.