Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Actions for CloudWatch Alarms

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all your Amazon CloudWatch alarms have active actions (ActionEnabled: true).

Security
Reliability
Cost
optimisation
Performance
efficiency
Operational
excellence

Automated alarm actions will promptly notify you whenever a monitored metric exceeds the set threshold. If the alarm action is disabled, no procedures will be initiated upon alarm state changes, thus missing notifications about fluctuations in monitored metrics. We strongly recommend enabling Amazon CloudWatch alarm actions to quickly address both security and operational concerns.


Audit

To determine if Amazon CloudWatch alarms have active actions (ActionEnabled: true), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console available at https://console.aws.amazon.com/cloudwatch/.

03 In the main navigation panel, under Alarms, choose All alarms.

04 Click on the name (link) of the Amazon CloudWatch alarm that you want to examine and select the Details tab to view the alarm configuration details.

05 Check the Actions attribute value to determine if the CloudWatch alarm has active actions. If the Actions attribute value (status) is set to Actions disabled, the selected Amazon CloudWatch alarm does not have any active actions configured.

06 Repeat steps no. 4 and 5 for Amazon CloudWatch alarm created within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-alarms command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon CloudWatch alarm created in the selected AWS region:

aws cloudwatch describe-alarms 
  --region us-east-1 
  --query 'MetricAlarms[].AlarmName'

02 The command output should return a table with the requested alarm names:

[
	"DiskWritesOpsAlarm",
	"TargetTrackingAlarm"
]

03 Run describe-alarms command (OSX/Linux/UNIX) using the name of the Amazon CloudWatch alarm that you want to examine as the identifier parameter and custom query filters to determine if the selected alarm has active actions:

aws cloudwatch describe-alarms 
  --region us-east-1 
  --alarm-names "DiskWritesOpsAlarm" 
  --query 'MetricAlarms[*].ActionsEnabled'

04 The command output should return the requested information (true for activated, false for deactivated):

[
	false
]

If the describe-alarms command output returns false, as shown in the output example above, the selected Amazon CloudWatch alarm does not have any active actions configured.

05 Repeat steps no. 3 and 4 for each Amazon CloudWatch alarm available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To ensure that all your Amazon CloudWatch alarms have active actions (i.e. ActionEnabled: true), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console available at https://console.aws.amazon.com/cloudwatch/.

03 In the main navigation panel, under Alarms, choose All alarms.

04 Select the Amazon CloudWatch alarm that you want to activate actions for, choose Actions, select Alarm actions - new, and choose Enable.

05 Repeat step no. 4 for each Amazon CloudWatch alarm that you want to configure, available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run enable-alarm-actions command (OSX/Linux/UNIX) to enable actions for the selected Amazon CloudWatch alarm (if successful, the command does not produce an output):

aws cloudwatch enable-alarm-actions 
  --region us-east-1 
  --alarm-names "DiskWritesOpsAlarm"

02 Repeat step no. 1 for each Amazon CloudWatch alarm that you want to configure, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Remediation process for other regions.

References

Publication date Sep 1, 2023