CloudWatch Alarms
Last updated
Last updated
Once you've set up a metric filter on a log group, you can then set up an alarm based on it. This allows you to monitor specific behaviour in your AWS account more efficiently or take automated actions based on particular parameters.
With your metric filter selected on the log group, select Create alarm.
You can then select the actions you want to be taken when the alarm enters a specific state.
An alarm can be in one of three states. The alarm enters the In alarm state when the rules set out for the threshold are met. If the metric falls within the defined threshold, it transfers to the OK state. The alarm will display as Insufficient data if there has been nothing published to the metric for it to compare.
Now I’ll be setting up a metric on a log group that captures all management events from CloudTrail. The metric will look for when policies are deleted from your account. i’ll then set up an alarm that triggers when one of these events happens. Finally, i’ll use metric filter syntax to search through the logs to find information about a user's activities.
Navigate to the CloudWatch console and select the log group called MetrolioLogGroup. Use the Action drop-down menu to create a metric filter for the log group. Use the following metric syntax to filter for events where a user has deleted a policy: {($.eventName=DeletePolicy)}. Ignore the Test pattern panel and select Next. Name the filter PolicyDeleteFilter. Use LogMetrics for the namespace, PolicyDelete for the metric name, and 1 for the metric value.
Next, With your new metric selected, click on Create alarm. For the statistic type, choose Sum and change the period to 1 minute. We want the alarm to trigger if the filter finds even one of these events, so set a Static Threshold using the Greater/Equal operator with a threshold value of 1. Remove the alarm state trigger. Set the alarm name to be Metrolio-Policy-Delete and click to create it.
Next, To trigger the alarm, navigate to the IAM console and select Policies on the left-hand side. Delete the policy called Delete-Me
You've been asked to provide information on what a developer with the username "Hades12" has been doing in AWS. Using the filter pattern syntax described in the briefing panel, search "MetrolioLogGroup" in CloudWatch logs and determine the name of the policy the user has created.
Within the logs, if you filter by “Hades12” you will be able to find the policy.
You'll then be able to specify what will trigger the alarm. The statistic option lets you determine whether you want the total of the metric in a specific period (Sum), the maximum value that was published, or the average of the values published in the period. More options are detailed in the . The threshold is what the value gets compared against to determine whether to change the state of the alarm. A static threshold is a value that doesn’t change, whereas Anomaly detection uses historical data to try and determine if the value seen in the account is out of the ordinary. You can then select whether the alarm should trigger if the value seen in the account is above or below the threshold. Finally, the number the alarm will compare the statistic against is the threshold value. We decided to have the metric filter publish 1 every time it matches a log event. If we want the alarm to trigger every time that pattern is seen, we'll set the threshold value to 1 and the comparison to Greater/Equal. If we wanted the alarm to trigger when there were more than five events in the period, we would set the value to 5 and the comparison to Lower.
You can define actions for each of these states. Alarms can send notifications via SNS, so you'll be notified when the metric filter spots the specified behavior. There are also more specific options for EC2 events, such as triggering auto-scaling and system manager actions detailed in the .
