Get Hands-on with Amazon EKS - Workshop Event Series

Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!

How do I configure custom CloudWatch alarm notifications?

2 minute read

I want to create an Amazon CloudWatch alarm notification for a state change to include the log events that triggered the alarm.

Short description

You can configure metric filters to match specific log events, such as AWS CloudTrail events that contain AccessDenied or UnauthorizedOperations errors. Then, use CloudWatch Logs to get metrics. To monitor metrics, create a CloudWatch alarm.

By default, a CloudWatch alarm that uses Amazon Simple Notification Service (Amazon SNS) delivers a preformatted notification that contains alarm and metric details. To determine what caused the state change, you can incorporate the log events that triggered the CloudWatch alarm into the notification.

To invoke an AWS Lambda function when the alarm state changes, use the CloudWatch alarm direct Lambda integration. The Lambda function can then publish a custom notification with the related log events.

Resolution

Prerequisite: Make sure that you have an existing CloudWatch alarm that monitors a custom metric from a metric filter. For more information, see Create a CloudWatch alarm based on a static threshold.

Create an AWS Lambda function

Configure a Lambda function to perform the following actions:

Parse the CloudWatch alarm event details, such as alarm name, description, timestamp, and reason for state change. You can incorporate the details into the custom message.

Use CloudWatch Logs Insights to analyze log data in the related CloudWatch log group.
When the alarm changes state, the Lambda function issues the StartQuery API call to run a query against the log group. The following example query summarizes CloudTrail API calls that fail with an AccessDenied or UnauthorizedOperation error:

filter (errorCode="AccessDenied" or errorCode="UnauthorizedOperation")
| stats count(*) as Hits by errorCode, errorMessage, sourceIPAddress, userIdentity.arn
| sort Hits desc

Use GetQueryResults to retrieve corresponding results.
Use the Amazon SNS Publish API to deliver a custom message that contains alarm details and CloudWatch Logs Insights query results.

Related information

How do I customize the default Amazon SNS email subject line?

Topics: Management & Governance Networking & Content Delivery
Tags: Amazon CloudWatch
Language: English

AWS OFFICIALUpdated a year ago

No comments

Relevant content

How to set up AWS Config with CloudWatch Metrics/Alarms?
AlarmNotificaitons
asked a year ago
CloudWatch Alarm configuration
Accepted Answer
misterMaine
asked 3 years ago
AWS CloudWatch alarms for failed SQL Agent job notifications
RLLG
asked a year ago
Can I use event bridge with AWS Config Rules while formatting the payload sent to SNS topic to be formatted like a CloudWatch Alarm? Or use CloudWatch Alarm directly?
AlarmNotificaitons
asked a year ago
Generate specific parameters to appear in SNS email notification in CloudWatch Alarm for a Log Group
Accepted Answer
rePost-User-7010889
asked 3 years ago
How do I use EventBridge to create a custom response for a CloudWatch alarm?
AWS OFFICIALUpdated 10 months ago
How do I configure a CloudWatch alarm with an encrypted SNS topic?
AWS OFFICIALUpdated a year ago
How can I receive SNS notifications about Amazon RDS for SQL Server error and agent log events that match a CloudWatch filter pattern?
AWS OFFICIALUpdated 2 years ago
How do I monitor AWS VPN tunnels using Amazon CloudWatch alarms?
AWS OFFICIALUpdated 3 years ago
Using Bedrock Agent For CloudWatch Alarm to quickly get started with AWS service Alerts
SUPPORT ENGINEER
whb
published a year ago