Observability with Amazon CloudWatch
AgentCore payments supports observability through Amazon CloudWatch, so you can monitor and troubleshoot your payment integration.
- Amazon CloudWatch is the AWS monitoring and observability service. It collects and tracks metrics, logs, and traces from your AWS resources, giving you visibility into application performance.
- Vended logs are logs that AWS services publish on your behalf directly to your CloudWatch log group. Unlike application logs that you instrument yourself, vended logs are generated automatically by the service. You configure where to deliver them.
- Spans represent units of work within a request (for example, an API call and its downstream operations). Use spans to trace the flow of a request through the system and identify latency bottlenecks or failures.
After you complete the following setup procedures, any data plane API call (for example, CreatePaymentInstrument) produces logs and trace data in your configured CloudWatch log group.
Prerequisites
- A CloudWatch log group as the delivery destination (for example, /bedrock-agentcore/payments/my-logs). If you do not have one, create one using the console or CLI.
- The resource ARN of your PaymentManager.
Create a log group:
Example
IAM permissions
Your IAM user or role must have the following permissions to create log and span delivery resources:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsVendedDelivery",
      "Effect": "Allow",
      "Action": [
        "logs:CreateDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteDelivery",
        "logs:DeleteDeliveryDestination",
        "logs:DeleteDeliverySource",
        "logs:DeleteLogGroup",
        "logs:DeleteResourcePolicy",
        "logs:DescribeLogGroups",
        "logs:DescribeResourcePolicies",
        "logs:GetDelivery",
        "logs:GetDeliveryDestination",
        "logs:GetDeliverySource",
        "logs:PutDeliveryDestination",
        "logs:PutDeliverySource",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "XRayApplicationSignalsCloudTrail",
      "Effect": "Allow",
      "Action": [
        "xray:GetTraceSegmentDestination",
        "xray:ListResourcePolicies",
        "xray:PutResourcePolicy",
        "xray:PutTelemetryRecords",
        "xray:PutTraceSegments",
        "xray:UpdateTraceSegmentDestination",
        "application-signals:StartDiscovery",
        "cloudtrail:CreateServiceLinkedChannel"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateServiceLinkedRoleForAppSignals",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:*:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
    },
    {
      "Sid": "BedrockAgentCoreVendedLogDelivery",
      "Effect": "Allow",
      "Action": "bedrock-agentcore:AllowVendedLogDeliveryForResource",
      "Resource": "*"
    }
  ]
}
```
Vended logs
Vended logs appear as application logs in your configured log group. These are generated automatically by the AgentCore payments service for every data plane API call.
Vended spans
Vended spans are trace records for individual requests. Use them to visualize request flow in AWS X-Ray. Each span represents a unit of work (for example, an API call and its downstream operations), enabling you to identify latency bottlenecks or failures.
Span names
AgentCore payments emits one span per data plane API call. Span names follow the pattern Bedrock.AgentCore.Payments.<Operation>:
| Span Name | Description |
|---|---|
|  | Process a payment transaction |
|  | Create a payment instrument |
|  | Retrieve a payment instrument |
|  | List payment instruments |
|  | Delete a payment instrument |
|  | Get instrument balance |
|  | Create a payment session |
|  | Retrieve a payment session |
|  | List payment sessions |
|  | Delete a payment session |
Span attributes
Each span includes the following attributes for filtering and analysis in AWS X-Ray:
| Attribute | Description |
|---|---|
|  | The Payment Manager ID for this request |
|  | The Payment Connector ID (when applicable) |
|  | The Payment Instrument ID (when applicable) |
|  | The Payment Session ID (when applicable) |
|  | The payment amount (ProcessPayment only) |
|  | The payment currency (ProcessPayment only) |
|  | Remaining session budget after payment (ProcessPayment only) |
|  | Total session budget (ProcessPayment only) |
|  | The merchant address (payTo) for the transaction (ProcessPayment only) |
|  | The agent name, if provided via the |
|  | Latency of credential token retrieval from AgentCore Identity (ProcessPayment only) |
Standard AWS attributes are also included on every span:
- aws.region — The AWS Region
- aws.account.id — The caller’s account ID
- aws.resource.arn — The PaymentManager ARN
- aws.request_id — The request ID
- http.response.status_code — The HTTP response status code
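The span name pattern and the standard attributes above are enough to triage failures per operation. The following is an added example, not code from the AWS documentation: it groups spans by operation and collects the request IDs of failed calls. The flat record shape (`name` plus `attributes`), the `_span` helper and the sample spans are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Span name pattern stated on this page: Bedrock.AgentCore.Payments.<Operation>
SPAN_NAME = re.compile(r"^Bedrock\.AgentCore\.Payments\.(?P<op>[A-Za-z]+)$")

def _span(name, request_id, status):
    """Build one constructed span; the flat record shape is an assumption."""
    attrs = {"aws.region": "us-east-1", "aws.request_id": request_id}
    if status is not None:
        attrs["http.response.status_code"] = status
    return {"name": name, "attributes": attrs}

# Constructed sample data, not real service output.
SAMPLE_SPANS = [
    _span("Bedrock.AgentCore.Payments.ProcessPayment", "req-0001", 200),
    _span("Bedrock.AgentCore.Payments.ProcessPayment", "req-0002", 403),
    _span("Bedrock.AgentCore.Payments.ProcessPayment", "req-0003", 500),
    _span("Bedrock.AgentCore.Payments.CreatePaymentInstrument", "req-0004", 200),
    _span("Some.Other.Service.Call", "req-0005", 200),          # not a payments span
    _span("Bedrock.AgentCore.Payments.ProcessPayment", "req-0006", None),  # no status
]

def summarize(spans):
    """Group payment spans by operation and collect failing request IDs.

    Returns (summary, skipped), where skipped counts records that are not
    payments spans or that carry no integer status code.
    """
    summary = defaultdict(lambda: {"total": 0, "client_errors": [], "server_errors": []})
    skipped = 0
    for span in spans:
        match = SPAN_NAME.match(span.get("name", ""))
        attrs = span.get("attributes", {})
        status = attrs.get("http.response.status_code")
        if match is None or not isinstance(status, int):
            skipped += 1
            continue
        entry = summary[match.group("op")]
        entry["total"] += 1
        request_id = attrs.get("aws.request_id", "<missing>")
        if 400 <= status < 500:
            entry["client_errors"].append(request_id)   # e.g. denied or invalid calls
        elif status >= 500:
            entry["server_errors"].append(request_id)
    return dict(summary), skipped

if __name__ == "__main__":
    for op, stats in summarize(SAMPLE_SPANS)[0].items():
        print(op, stats)
```

The collected request IDs can be matched against the aws.request_id attribute when you look up the corresponding trace.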
Vended metrics
AgentCore payments publishes the following metrics to your Amazon CloudWatch namespace. Use these to build dashboards, set alarms, and monitor payment health.
| Metric | Unit | Description |
|---|---|---|
|  | Count | Number of successful API calls |
|  | Count | Number of failed API calls |
|  | Milliseconds | End-to-end latency per API call |
|  | None | Payment amount processed (ProcessPayment only) |
|  | Count | Number of throttled requests |
|  | Count | Number of client-side validation errors |
|  | Count | Number of active payment sessions |
|  | Count | Total payment requests |
|  | Count | Successful payment transactions |
|  | Count | Failed payment transactions |
|  | Milliseconds | Payment processing latency |
Metric dimensions
Metrics are published with the following dimensions for filtering:
- Operation — The API operation name (always present)
- PaymentManagerId — The Payment Manager ID (when available)
- PaymentConnectorId — The Payment Connector ID (when available)
- AgentName — The agent name (when provided via header)
- Currency — The payment currency (for SpendAmount metric)
Enable observability
Example
For more information on AgentCore observability, see AgentCore Observability. For gateway-specific metrics and spans, see AgentCore generated gateway observability data.