CloudWatch RUM App Monitor with AWS CDK

CloudWatch RUM allows you to monitor your web application and analyze user sessions in near real-time. In this short post, I will describe how you can automate the creation of a RUM App Monitor with AWS CDK.

CDK Code

I am using CDK v2, and the imports you will need are:

import * as cdk from 'aws-cdk-lib';
import * as rum from 'aws-cdk-lib/aws-rum';
import * as cognito from 'aws-cdk-lib/aws-cognito';
import * as iam from 'aws-cdk-lib/aws-iam';

I am only considering the case where an application has just anonymous users. First, I create a Cognito Identity Pool and enable unauthenticated identities.

const applicationName = `example.com`;
// The App Monitor also needs the domain the application is served from;
// here it is assumed to be the same value as the application name.
const domainName = applicationName;

const cwRumIdentityPool = new cognito.CfnIdentityPool(this, 'cw-rum-identity-pool', {
  allowUnauthenticatedIdentities: true,
});

I create an IAM role that can be assumed by Cognito for unauthenticated users.

const cwRumUnauthenticatedRole = new iam.Role(this, 'cw-rum-unauthenticated-role', {
  assumedBy: new iam.FederatedPrincipal(
    'cognito-identity.amazonaws.com',
    {
      // Only identities from this identity pool may assume the role
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": cwRumIdentityPool.ref
      },
      // and only unauthenticated (guest) identities
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "unauthenticated"
      }
    },
    "sts:AssumeRoleWithWebIdentity"
  )
});

I give the role permission to call rum:PutRumEvents, scoped to the specific App Monitor that I will create in a later step.

cwRumUnauthenticatedRole.addToPolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [
    "rum:PutRumEvents"
  ],
  resources: [
    `arn:aws:rum:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:appmonitor/${applicationName}`
  ]
}));

I attach the role to the Identity Pool for unauthenticated users.

const cwRumIdentityPoolRoleAttachment = new cognito.CfnIdentityPoolRoleAttachment(this,
  'cw-rum-identity-pool-role-attachment',
  {
    identityPoolId: cwRumIdentityPool.ref,
    roles: {
      "unauthenticated": cwRumUnauthenticatedRole.roleArn
    }
  });

Finally, I create the App Monitor and pass in the role as the guest role.

const cwRumAppMonitor = new rum.CfnAppMonitor(this, 'cw-rum-app-monitor', {
  domain: domainName,
  name: applicationName,
  appMonitorConfiguration: {
    allowCookies: true,
    enableXRay: false,
    sessionSampleRate: 1,
    telemetries: ['errors', 'performance', 'http'],
    identityPoolId: cwRumIdentityPool.ref,
    guestRoleArn: cwRumUnauthenticatedRole.roleArn
  },
  cwLogEnabled: true,
});
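The guest role above is the one credential an anonymous browser ends up holding, so it is worth checking that it stays as narrow as the post sets it up. Below is an added example, not code from the post, that lints the two policy documents CDK synthesizes for that role: the trust policy must be pinned to one identity pool and to unauthenticated identities, and the permission policy must grant only rum:PutRumEvents on one named App Monitor. The identity pool id, account id and policy JSON are constructed sample values.

```typescript
// Added example, not code from the post: a lint pass over the JSON policy
// documents CDK synthesizes for the guest role. It checks the two
// least-privilege properties the setup above relies on: the trust policy is
// pinned to one identity pool and to unauthenticated identities only, and the
// permission policy grants only rum:PutRumEvents on one named App Monitor.
type Statement = {
  Effect: string; Action?: string | string[]; Resource?: string | string[];
  Principal?: Record<string, string>;
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Statement: Statement[] };
const asList = (v?: string | string[]): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];
// One App Monitor ARN with a literal name; a wildcard would let the guest
// role write events into any monitor in the account.
const ONE_MONITOR = /^arn:aws:rum:[a-z0-9-]+:\d{12}:appmonitor\/[^*?]+$/;

function lintGuestRole(trust: PolicyDocument, perms: PolicyDocument, poolId: string): string[] {
  const findings: string[] = [];
  for (const s of trust.Statement) {
    if (s.Principal?.Federated !== 'cognito-identity.amazonaws.com') continue;
    const aud = s.Condition?.StringEquals?.['cognito-identity.amazonaws.com:aud'];
    if (aud !== poolId) findings.push('trust: aud condition missing or not pinned to this identity pool');
    const amr = s.Condition?.['ForAnyValue:StringLike']?.['cognito-identity.amazonaws.com:amr'];
    if (amr !== 'unauthenticated') findings.push('trust: amr condition does not limit the role to unauthenticated identities');
  }
  for (const s of perms.Statement) {
    if (s.Effect !== 'Allow') continue;
    const extra = asList(s.Action).filter(a => a !== 'rum:PutRumEvents');
    if (extra.length) findings.push(`permissions: unexpected actions ${extra.join(', ')}`);
    const loose = asList(s.Resource).filter(r => !ONE_MONITOR.test(r));
    if (loose.length) findings.push(`permissions: resource not scoped to one App Monitor: ${loose.join(', ')}`);
  }
  return findings;
}

// Constructed sample documents (pool id and account id are placeholders).
const SAMPLE_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';
const sampleTrust: PolicyDocument = { Statement: [{
  Effect: 'Allow', Action: 'sts:AssumeRoleWithWebIdentity',
  Principal: { Federated: 'cognito-identity.amazonaws.com' },
  Condition: {
    StringEquals: { 'cognito-identity.amazonaws.com:aud': SAMPLE_POOL_ID },
    'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' },
  },
}] };
const samplePerms: PolicyDocument = { Statement: [{
  Effect: 'Allow', Action: ['rum:PutRumEvents'],
  Resource: ['arn:aws:rum:us-east-1:123456789012:appmonitor/example.com'],
}] };
```

Feeding it the AssumeRolePolicyDocument and PolicyDocument of the role from the template produced by cdk synth makes a widening of the guest role visible before it is deployed.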

Install the CloudWatch RUM web client

To start collecting data, you must install the CloudWatch RUM web client in your application.

Log in to the Console, navigate to CloudWatch and then to RUM under Application Monitoring. Find your App Monitor and follow the installation instructions under the Configuration tab.