AWS Config Support for Amazon CloudWatch Alarms
On June 1st, AWS Config announced support for Amazon CloudWatch alarms. CloudWatch alarms are used on any of your CloudWatch metrics to send notifications or take other automated actions.
You can now start tracking the current as well as historical configuration of your alarms and get notified via Amazon SNS when your alarm configuration changes. You can also use three new Config rules to verify the following:
- Your resources have CloudWatch alarms for the specified metric
- Alarm metrics have the right settings
- All alarms have at least one action configured
With this integration, you can view the historical configuration of your CloudWatch alarms and review all changes that occurred to them. This information is valuable in determining why certain CloudWatch alarms did not get triggered and how their configuration was modified. In this post, we show you two example scenarios in detail.
Config enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines.
Example: View configuration changes
Here’s an example showing how you can use Config to troubleshoot a scenario where customers are reporting service degradations for your application hosted on Amazon EC2 but you did not see any CloudWatch alarms. On the CloudWatch console, you can see spikes in CPU but start wondering why you did not see any alarms.
Config can help you with troubleshooting. We use the AWS Management Console in this example, but you can use the AWS CLI or SDKs as well.
First, log in to the Config console. For Resources, choose CloudWatch: Alarm. Choose Look up to see the list of CloudWatch alarms that Config has automatically discovered in your account. The following screenshot shows an example alarm on the Resource inventory page.
Look at the Config timeline for the SSM CPU Alarm. The following screenshot shows the timeline and configuration details.
For your alarm, you can see alarm settings such as Threshold and Comparison operator, and actions that would be taken under various alarm states. The timeline also shows you all configuration changes that were made after the alarm was created.
Choose Changes and notice that a change was made on April 9th to the alarm configuration, when the threshold was increased from 30 to 90. That explains why you did not see any alarms.
Using this information, you can fix these configuration issues in the CloudWatch console.
Example: Verify alarm configuration using Config rules
When you started seeing service degradations for your application hosted on EC2, you also noticed that no actions were configured on the alarm. Dynamic scaling wouldn’t occur, which explains why the application couldn’t handle the spikes in CPU. It is really important to configure actions for various alarm states: Alarm, OK, Insufficient.
AWS recommends that you continuously monitor all alarm configurations in your account and verify that they have the right settings and actions configured at all times. Administrators should immediately get notified of any deviation from the desired configuration.
Using Config, you can use the following rules to check alarm configuration:
Checks whether CloudWatch alarms have at least one alarm, INSUFFICIENT_DATA action, or OK action enabled. Optionally, checks whether any actions match one of the specified ARNs.
Checks whether the specified resource type has a CloudWatch alarm for the specified metric. For resource type, you can specify EBS volumes, EC2 instances, RDS clusters, or S3 buckets.
Checks whether CloudWatch alarms with the given metric name have the specified settings.
When these rules run, you immediately get notified about alarms that violate the above rules. You can check the Config Rule compliance status on the Config dashboard, as in the following screenshot.
By adding support for CloudWatch alarms in Config, you can now easily track alarm configuration changes and ensure that your alarms are configured per best practices.
About the Authors
Sid Gupta is a Sr. Product Manager for AWS Config. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Sid enjoys working with customers and help them implement cloud security best practices. In his spare time, he enjoys hiking, reading and spending time with his kids.
Shashi Prabhakar is a Solutions Architect at AWS. He loves working with customers to help design, architect and build variety of workloads. Shashi always gets excited to learn new Technologies and Businesses while working with customers. When not learning, he likes to run, play tennis, travel, spend time with wife and enjoy life.