diff --git a/dashboards/base/datasources/cloudwatch.yaml b/dashboards/base/datasources/cloudwatch.yaml
new file mode 100644
index 0000000..1b188e7
--- /dev/null
+++ b/dashboards/base/datasources/cloudwatch.yaml
@@ -0,0 +1,27 @@
+# Amazon CloudWatch data source. The agent persona boards (ops, kill-switch,
+# agentgateway, finance) graph CloudWatch-native AWS metrics that have no
+# Prometheus equivalent — AWS/SQS queue depth, AWS/States Step Functions
+# execution health, AWS/Events rule failures, AWS/Bedrock throttling. These
+# exist in CloudWatch natively (no exporter), so Grafana queries them directly.
+#
+# access=proxy: AMG queries CloudWatch using its workspace IAM role, which the
+# landing-zone AMG service role grants CloudWatch read access to, and the
+# workspace's data_sources list enables the CloudWatch plugin. authType
+# ec2_iam_role uses that ambient role (no static keys). Region is us-west-2
+# across every environment, so this needs no per-env overlay patch.
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+ name: cloudwatch
+spec:
+ instanceSelector:
+ matchLabels:
+ dashboards: external
+ datasource:
+ name: CloudWatch
+ uid: cloudwatch
+ type: cloudwatch
+ access: proxy
+ jsonData:
+ authType: ec2_iam_role
+ defaultRegion: us-west-2
diff --git a/dashboards/base/kustomization.yaml b/dashboards/base/kustomization.yaml
index 83a9321..3a4c06f 100644
--- a/dashboards/base/kustomization.yaml
+++ b/dashboards/base/kustomization.yaml
@@ -13,6 +13,7 @@ resources:
 - datasources/prometheus.yaml
 - datasources/loki.yaml
 - datasources/tempo.yaml
+ - datasources/cloudwatch.yaml
 # Grafana-managed SLO / burn-rate alert rules (folder + per-system rule groups),
 # reconciled onto the external Amazon Managed Grafana.
 - alerting/folder.yaml
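Review bot: The `jsonData` block of the new cloudwatch.yaml (`authType: ec2_iam_role`, no role to assume) runs every query with whatever the AMG workspace role is allowed to read, so the effective scope of this data source is decided by an IAM policy that is not visible in this diff. The header comment only says the role has "CloudWatch read access". If the attached policy also includes CloudWatch Logs read actions, anyone who can query this data source on the `dashboards: external` instance can presumably reach log content as well as the four metric namespaces listed, because the same plugin serves both. I would state the intended scope in the header so it can be checked against the landing-zone role, for example `# IAM scope: metrics read only (cloudwatch:GetMetricData, cloudwatch:ListMetrics); no logs:* actions. Policy: <landing-zone policy name>`. It is also worth confirming which Grafana roles have Explore or edit rights on that instance, since those users inherit the workspace role's read scope.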