AWS CloudWatch and EC2 Role + Policy

Question

I've followed a great tutorial by Martin Thwaites outlining the process of logging to AWS CloudWatch using Serilog and.Net Core.

I've got the logging portion working well to text and console, but just can't figure out the best way to authenticate to AWS CloudWatch from my application. He talks about inbuilt AWS authentication by setting up an IAM policy which is great and supplies the JSON to do so but I feel like something is missing. I've created the IAM Policy as per the example with a LogGroup matching my appsettings.json, but nothing comes though on the CloudWatch screen.

My application is hosted on an EC2 instance. Are there more straight forward ways to authenticate, and/or is there a step missing where the EC2 and CloudWatch services are "joined" together?

More Info:
Policy EC2CloudWatch attached to role EC2Role .

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                ALL EC2 READ ACTIONS HERE
            ],
            "Resource": "*"
        },
        {
            "Sid": "LogStreams",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:cloudwatch-analytics-staging
:log-stream:*"
        },
        {
            "Sid": "LogGroups",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:cloudwatch-analytics-staging"

        }
    ]
}

Answer 1

In order to effectively apply the permissions, you need to assign the role to the EC2 instance.