☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • Types of CloudWatch Alarms:
  • Alarm States:
  • Alarm Configuration Parameters:
  • Alarm Actions:
  • Key Features:
  • Handling Missing Data:
  • Using Composite Alarms to Reduce Noise:
  • Alarm Management:
  • Best Practices for Avoiding False Alarms:
  1. CloudWatch
  2. Amazon CloudWatch

CloudWatch Alarms

Overview

Amazon CloudWatch alarms allow you to monitor metrics or mathematical expressions and trigger actions based on threshold violations. Alarms help you automate responses, send notifications, and track resource health by evaluating metrics over time.

Types of CloudWatch Alarms:

  1. Metric Alarms:

    • Monitors a single metric or math expression.

    • Triggers actions like notifications, EC2 actions (stop, reboot), Auto Scaling, or creating incidents in Systems Manager.

  2. Composite Alarms:

    • Combines multiple metric or composite alarms using rules.

    • Reduces alert noise by triggering only when multiple alarms are in the alarm state.

    • Supports SNS notifications and Systems Manager actions, but not EC2 or Auto Scaling actions.

Alarm States:

  • OK: The metric is within the defined threshold.

  • ALARM: The metric exceeds the threshold.

  • INSUFFICIENT_DATA: Not enough data is available to determine the state.

Alarm Configuration Parameters:

  • Period: Time window to evaluate the metric (e.g., 1 minute, 5 minutes).

  • Evaluation Periods: Number of periods to evaluate.

  • Datapoints to Alarm: Number of data points that must breach the threshold to trigger the alarm. This supports M out of N alarms (e.g., 2 out of 3 data points must breach the threshold).

Alarm Actions:

  • SNS Notifications: Notify applications or users.

  • Lambda Functions: Automate custom actions.

  • EC2 Actions: Stop, reboot, or terminate instances.

  • Auto Scaling: Scale resources up or down.

  • Systems Manager: Create OpsItems or incidents for management.

Key Features:

  • High-Resolution Alarms: Supports periods of 10 or 30 seconds for high-frequency metrics.

  • Alarms on Math Expressions: Monitor derived metrics from multiple metrics.

  • Cross-Account Alarms: Monitor metrics across AWS accounts (except for composite alarms).

Handling Missing Data:

  • Not Breaching: Treat missing data as within the threshold.

  • Breaching: Treat missing data as violating the threshold.

  • Ignore: Keep the current alarm state.

  • Missing: Set the alarm to INSUFFICIENT_DATA state.

Using Composite Alarms to Reduce Noise:

  • Combine multiple alarms and trigger only when all underlying alarms breach thresholds.

  • Example: A composite alarm could go into the ALARM state only when both "CPUUtilization" and "MemoryUsage" alarms are in the alarm state.

Alarm Management:

  • Dashboards: Visualize alarms with color-coded states (gray: INSUFFICIENT_DATA, red: ALARM).

  • Favorites: Bookmark recently visited or important alarms.

  • Testing: Use the CloudWatch console or AWS CLI to simulate alarm states for testing.

Best Practices for Avoiding False Alarms:

  • Use M out of N configurations to avoid triggering alarms due to transient data fluctuations.

  • Configure alarms to treat missing data appropriately to prevent false positives.

  • Avoid premature transitions to alarm state by using shorter evaluation periods.

PreviousFilter Pattern SyntaxNextAlarm Recommendations

Last updated 8 months ago