
Configure ALARM Actions for CloudWatch Alarms

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon CloudWatch alarms have at least one action configured for the ALARM state (alarmActionRequired: true).

Security, Reliability, Cost optimisation, Performance efficiency, Operational excellence

In Amazon CloudWatch, you have the option to define the actions an alarm will perform as it transitions between the OK, ALARM, and INSUFFICIENT_DATA states. Configuring actions for the ALARM state in Amazon CloudWatch alarms is crucial to trigger immediate responses when monitored metrics breach thresholds. This ensures swift issue resolution, minimizes downtime, and enables automated remedies, maintaining system health and preventing disruptions.


Audit

To determine if CloudWatch alarms have at least one action configured for the ALARM state, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console available at https://console.aws.amazon.com/cloudwatch/.

03 In the main navigation panel, under Alarms, choose All alarms.

04 Select the Amazon CloudWatch alarm that you want to examine, choose Actions, and select Edit.

05 Choose Step 2 - optional Configure actions from the left menu and check for any actions configured for the In alarm state trigger. If there are no actions where Alarm state trigger is set to In alarm, the selected Amazon CloudWatch alarm does not have any actions configured for the ALARM state.

06 Repeat steps no. 4 and 5 for each Amazon CloudWatch alarm created within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-alarms command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon CloudWatch alarm created in the selected AWS region:

aws cloudwatch describe-alarms \
  --region us-east-1 \
  --query 'MetricAlarms[].AlarmName'

02 The command output should return an array with the requested alarm names:

[
	"DiskWritesOpsAlarm",
	"TargetTrackingAlarm"
]

03 Run describe-alarms command (OSX/Linux/UNIX) using the name of the Amazon CloudWatch alarm that you want to examine as the identifier parameter and custom query filters to describe the ARN of each action configured for the ALARM state:

aws cloudwatch describe-alarms \
  --region us-east-1 \
  --alarm-names "DiskWritesOpsAlarm" \
  --query 'MetricAlarms[*].AlarmActions[]'

04 The command output should return the ARNs of the actions configured for the ALARM state of the selected alarm:

[]

If the describe-alarms command output returns an empty array (i.e. []), as shown in the example above, the selected Amazon CloudWatch alarm does not have any actions configured for the ALARM state.

05 Repeat steps no. 3 and 4 for each Amazon CloudWatch alarm available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
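The CLI audit above checks one alarm at a time by hand. The following script is an added example (not part of the Conformity article or of any AWS tooling) that applies the same rule to the full JSON returned by describe-alarms: an alarm fails when its AlarmActions array is empty. It goes one step beyond the article in two ways, both of which are the example's own assumptions about what a practitioner wants to see: it also inspects the CompositeAlarms array that describe-alarms returns alongside MetricAlarms, and it reports alarms whose ALARM actions exist but are switched off (ActionsEnabled is false), since those do not notify anyone either. The input is a constructed sample; the alarm names and ARNs are made up.

```python
"""Flag CloudWatch alarms with no effective ALARM-state action.

Added example (not from the Conformity article). It consumes the JSON that
`aws cloudwatch describe-alarms --region <region>` prints and applies the
check: an alarm must have at least one entry in AlarmActions, and
ActionsEnabled must not be false.
"""
import json
from typing import Dict, List

# Constructed sample of describe-alarms output, trimmed to the fields the
# check needs. Names, account id and topic ARNs are invented for this example.
SAMPLE_DESCRIBE_ALARMS = json.dumps({
    "MetricAlarms": [
        {
            # No ALARM action; an OK action alone does not satisfy the rule.
            "AlarmName": "DiskWritesOpsAlarm",
            "ActionsEnabled": True,
            "AlarmActions": [],
            "OKActions": ["arn:aws:sns:us-east-1:123456789012:ops-topic"],
        },
        {
            # Compliant: one ALARM action, actions enabled.
            "AlarmName": "CPUUtilizationAlarm",
            "ActionsEnabled": True,
            "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:ops-topic"],
        },
        {
            # Has an ALARM action, but actions are globally disabled on the
            # alarm, so nothing fires when it enters ALARM.
            "AlarmName": "SuppressedAlarm",
            "ActionsEnabled": False,
            "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:ops-topic"],
        },
    ],
    "CompositeAlarms": [
        {
            "AlarmName": "ServiceHealthComposite",
            "ActionsEnabled": True,
            "AlarmActions": [],
        }
    ],
})

NO_ACTION = "no action configured for the ALARM state"
DISABLED = "ALARM actions configured but ActionsEnabled is false"


def alarms_without_alarm_actions(describe_alarms_json: str) -> List[Dict[str, str]]:
    """Return one finding per non-compliant alarm in describe-alarms output.

    Each finding is {"alarm": <name>, "type": "metric"|"composite",
    "reason": <why it fails>}. Alarms with a non-empty AlarmActions list and
    ActionsEnabled not set to false produce no finding.
    """
    data = json.loads(describe_alarms_json)
    findings: List[Dict[str, str]] = []
    for alarm_type, key in (("metric", "MetricAlarms"), ("composite", "CompositeAlarms")):
        for alarm in data.get(key, []):
            actions = alarm.get("AlarmActions") or []
            if not actions:
                reason = NO_ACTION
            elif alarm.get("ActionsEnabled", True) is False:
                reason = DISABLED
            else:
                continue
            findings.append({"alarm": alarm["AlarmName"], "type": alarm_type, "reason": reason})
    return findings


def format_report(findings: List[Dict[str, str]], region: str) -> str:
    """Render findings as one line per alarm, suitable for a ticket or log."""
    if not findings:
        return f"{region}: all alarms have an enabled ALARM-state action"
    lines = [f"{region}: {len(findings)} alarm(s) need attention"]
    for f in findings:
        lines.append(f"  - {f['alarm']} ({f['type']}): {f['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Feed real output with:
    #   aws cloudwatch describe-alarms --region us-east-1 | python3 audit_alarm_actions.py
    # (file name is an assumption). Without stdin data it runs on the sample.
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    print(format_report(alarms_without_alarm_actions(raw or SAMPLE_DESCRIBE_ALARMS), "us-east-1"))
```

Run it once per region, exactly as step 06 above repeats the CLI audit, by changing the --region value on the describe-alarms call that feeds it. The AWS CLI follows NextToken pagination by default, so the script sees every alarm in the region; if you port the input side to an SDK call, use its paginator so the CompositeAlarms and MetricAlarms lists are complete before the check runs.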

Remediation / Resolution

To configure ALARM actions for your Amazon CloudWatch alarms, perform the following operations:

The most common form of alarm action involves alerting individuals through dispatching a message to an Amazon Simple Notification Service (SNS) topic. As an example, this section will demonstrate how to create and configure an ALARM action that sends alert notifications via an Amazon SNS topic.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console available at https://console.aws.amazon.com/cloudwatch/.

03 In the main navigation panel, under Alarms, choose All alarms.

04 Select the Amazon CloudWatch alarm that you want to configure, choose Actions, and select Edit.

05 Choose Step 2 - optional Configure actions from the left menu and perform the following actions:

  1. Choose Add notification from the Notification section to create a notification action.
  2. For Alarm state trigger choose In alarm to create an ALARM-based action.
  3. For Send a notification to the following SNS topic, choose Create new topic, provide a unique name for the SNS topic in the Create a new topic… box, provide one or more email addresses in the Email endpoints that will receive the notification… box, and choose Create topic to create the required Amazon SNS topic.
  4. Select Next, Next, and choose Update alarm to apply the changes.

06 Use your preferred email client to open the subscription message from the AWS Notifications, then click on the appropriate link to confirm your new SNS topic subscription.

07 Repeat steps no. 4 - 6 for each Amazon CloudWatch alarm created within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create the Amazon SNS topic required to send alert notifications whenever your Amazon CloudWatch alarm is triggered:

aws sns create-topic \
  --region us-east-1 \
  --name cc-cloudwatch-alarm-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-cloudwatch-alarm-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloudwatch-alarm-topic \
  --protocol email \
  --notification-endpoint alert@trendmicro.com \
  --return-subscription-arn

04 The command output should return the ARN of the new SNS subscription:

{
	"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-cloudwatch-alarm-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription by validating the token sent to the subscription endpoint (i.e. your email address) specified at the previous step (the command should not produce an output):

aws sns confirm-subscription \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloudwatch-alarm-topic \
  --token 4377392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d15578ded6f9a5c43aec62d83ef5f49109da730143

06 Run put-metric-alarm command (OSX/Linux/UNIX) to update the selected Amazon CloudWatch alarm in order to add the required ALARM action. The following command request example adds an ALARM action that sends alert notifications to the SNS topic created in the previous steps, identified by the ARN "arn:aws:sns:us-east-1:123456789012:cc-cloudwatch-alarm-topic" (if successful, the command does not produce an output):

aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name "DiskWritesOpsAlarm" \
  --metric-name "DiskWriteOps" \
  --namespace "AWS/EC2" \
  --statistic Sum \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --period 300 \
  --threshold 100 \
  --actions-enabled \
  --alarm-actions "arn:aws:sns:us-east-1:123456789012:cc-cloudwatch-alarm-topic"

07 Repeat step no. 6 for each Amazon CloudWatch alarm available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Remediation process for other regions.

Publication date Sep 1, 2023