What you'll need
- An AWS account with CloudWatch Logs already collecting your application logs
- Permission to create IAM users (or an existing user you can attach a policy to)
- The AWS region where the log groups live (e.g.
us-east-1)
Set it up
Create a dedicated IAM user
IAM → Users → Create user. Name it parumox-connector. Do not enable AWS Management Console access — this user is for programmatic API calls only.
Attach a read-only Logs policy
The simplest option is the AWS-managed policy CloudWatchLogsReadOnlyAccess. If you prefer least-privilege, create an inline policy with these actions on the log groups you want Parumox to query:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:StartQuery",
"logs:GetQueryResults",
"logs:FilterLogEvents"
],
"Resource": "*"
}]
}Generate an access key
The user → Security credentials → Create access key. Choose use case Application running outside AWS. Copy the Access key ID and Secret access key (download the CSV) — the secret is only shown once.
Identify your region
Use the AWS region system name (e.g. us-east-1, eu-west-1, ap-southeast-2), not the display name. CloudWatch Logs queries are region-scoped — if your log groups are in multiple regions, create one Parumox connector per region.
Permissions required
logs:DescribeLogGroups— used by the health checklogs:StartQuery+logs:GetQueryResults— used for Logs Insights querieslogs:FilterLogEvents— used for stream-level lookups
Paste into Parumox
Portal → Connectors → Add Connector → choose CloudWatch and fill in:
- Access Key ID — from step 3
- Secret Access Key — from step 3
- Region — system name from step 4
- Log Group Name — optional; restricts queries to a single group if set, otherwise the connector queries any group your IAM policy allows
Save. The health check runs DescribeLogGroups with a limit of 1 to confirm the keys work.