In this case I would suggest setting up an API Gateway which exposes and HTTP API endpoint which calls into the Cloudwatch service. Since you don't want to use any AWS credentials in the clean machine you can authorize through creating API Keys by choosing security for your endpoint as "Open with access key", so that you can access the backend service over HTTP