Description

The Amazon CloudWatch Agent FIPS container provides secure metrics and logs collection capabilities in compliance with Federal Information Processing Standards (FIPS). This agent enables monitoring of system and application metrics, log collection, and custom metrics gathering while maintaining FIPS 140-2 compliance for regulated environments.

Key Features
Core capabilities and strengths of this container

- FIPS 140-2 compliant monitoring capabilities
- Secure metrics and logs collection
- System and application performance monitoring
- Custom metrics support with FIPS encryption

Common Use Cases
Typical scenarios where this container excels

- Government and regulated industry deployments
- Secure cloud infrastructure monitoring
- Compliance-focused environments
- Enterprise security operations

Pull Latest Image
Download the container image from the registry

```bash
docker pull clnstrt-images.cleanstart.com/$ORGANIZATION/amazon-cloudwatch-agent-fips:latest
docker pull clnstrt-images.cleanstart.com/$ORGANIZATION/amazon-cloudwatch-agent-fips:latest-dev
```

Basic Run
Run the container with basic configuration

```bash
docker run -d --name cloudwatch-agent \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  clnstrt-images.cleanstart.com/$ORGANIZATION/amazon-cloudwatch-agent-fips:latest
```

Production Deployment
Deploy with production security settings
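
```bash
# --read-only                          root filesystem is mounted read-only
# --security-opt=no-new-privileges     processes cannot gain privileges via setuid/setgid binaries
# --user 1000:1000                     run as a non-root UID:GID
# The Docker socket mount gives the container access to the Docker daemon API;
# keep it only if the agent needs to read container metadata.
docker run -d --name cloudwatch-agent-prod \
  --read-only \
  --security-opt=no-new-privileges \
  --user 1000:1000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc/cwagent/config.json:/etc/cwagent/config.json:ro \
  clnstrt-images.cleanstart.com/$ORGANIZATION/amazon-cloudwatch-agent-fips:latest
```

Volume Mount
Mount configuration and log directories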

```bash
docker run -d \
  -v /etc/cwagent:/etc/cwagent \
  -v /var/log:/var/log:ro \
  clnstrt-images.cleanstart.com/$ORGANIZATION/amazon-cloudwatch-agent-fips:latest
```

Port Forwarding
Run with custom port mappings

```bash
docker run -d -p 8125:8125/udp clnstrt-images.cleanstart.com/$ORGANIZATION/amazon-cloudwatch-agent-fips:latest
```

Environment Variables
Configuration options available through environment variables

| Variable | Description | Value |
|---|---|---|
| AWS_REGION | AWS region for CloudWatch | us-east-1 |
| CW_CONFIG_CONTENT | CloudWatch Agent configuration as JSON string | |
| CWAGENT_USER | User to run the CloudWatch agent | cwagent |
| CWAGENT_GROUP | Group to run the CloudWatch agent | cwagent |

Security Best Practices
Recommended security configurations and practices

- Use IAM roles for AWS authentication
- Implement least privilege access principles
- Enable FIPS mode in configuration
- Regular security patches and updates
- Secure configuration file permissions
- Monitor agent logs for security events
- Use encrypted communications
- Implement proper access controls

Kubernetes Security Context
Recommended security context for Kubernetes deployments

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
    add: ["SYS_PTRACE"]
```

Documentation Resources
Essential links and resources for further information
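
To check a running container against the Production Deployment flags shown earlier on this page, the script below audits `docker inspect` output. It is an added example, not part of the original page or of the image's tooling; the `audit` and `mount` helpers and the sample objects are constructed for illustration, and the basic sample assumes the image sets no default user.

```python
# Added example: audits `docker inspect` output against the hardening flags
# used in the Production Deployment command. Sample data below is constructed.
import json

READ_ONLY_PATHS = ("/proc", "/sys", "/var/log", "/etc/cwagent")

def audit(container):
    """Return a list of findings for one object from `docker inspect`."""
    host = container.get("HostConfig", {})
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("rootfs writable: --read-only not set")
    opts = host.get("SecurityOpt") or []
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges not set")
    uid = container.get("Config", {}).get("User", "").split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("runs as root: --user not set")
    for m in container.get("Mounts", []):
        src = m.get("Source", "")
        if src == "/var/run/docker.sock":
            # Socket access lets the container talk to the Docker daemon API.
            findings.append("review: Docker socket mounted")
        elif m.get("RW") and any(src == p or src.startswith(p + "/")
                                 for p in READ_ONLY_PATHS):
            findings.append(f"{src} mounted read-write")
    return findings

def mount(src, dst, rw=False):
    """Build a trimmed Mounts entry (constructed helper for the samples)."""
    return {"Source": src, "Destination": dst, "RW": rw}

# Constructed, trimmed inspect objects for the page's two run commands.
COMMON = [mount("/var/run/docker.sock", "/var/run/docker.sock", rw=True),
          mount("/proc", "/host/proc"), mount("/sys", "/host/sys")]
BASIC = {"Config": {"User": ""},  # assumption: image defines no USER
         "HostConfig": {"ReadonlyRootfs": False, "SecurityOpt": None},
         "Mounts": COMMON}
PROD = {"Config": {"User": "1000:1000"},
        "HostConfig": {"ReadonlyRootfs": True,
                       "SecurityOpt": ["no-new-privileges"]},
        "Mounts": COMMON + [mount("/etc/cwagent/config.json",
                                  "/etc/cwagent/config.json")]}

if __name__ == "__main__":
    for name, obj in (("basic", BASIC), ("production", PROD)):
        print(name, json.dumps(audit(obj), indent=2))
```

For a live container, `docker inspect` prints a JSON array, so pass its first element to `audit`.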