Profile Applicability:

  • Level 1

Description:

CloudWatch Alarms monitor the metrics of your AWS resources and services, triggering notifications or actions when a defined threshold is breached. It's essential to configure actions for CloudWatch Alarms, especially for the ALARM state, to ensure that critical issues are addressed promptly. These actions might include sending notifications via Amazon SNS, invoking AWS Lambda functions, or triggering EC2 Auto Scaling actions.

Rationale:

Without specifying actions for the ALARM state, AWS will not automatically notify the appropriate team members or systems about issues affecting the monitored resources. This could result in delayed response times, especially for high-priority incidents. Configuring appropriate actions ensures timely notifications and mitigation actions, improving operational responsiveness and reducing service downtime.

Impact:

  • Positive Impact: Ensures that critical issues are addressed promptly by notifying the right parties or triggering predefined mitigation actions.

  • Negative Impact: None, except the effort required to configure the actions.

Default Value:

By default, CloudWatch Alarms may not have actions configured for the ALARM state unless explicitly set up during alarm creation. Alerts without actions configured may lead to delays in issue resolution.

Pre-Requisite:

  • IAM Permissions: Permissions to view and manage CloudWatch Alarms and their actions (cloudwatch:DescribeAlarms, cloudwatch:PutAlarm, sns:Publish, etc.).

  • AWS Services: CloudWatch, SNS, Lambda, EC2 Auto Scaling.

  • Tools Required: AWS Management Console, AWS CLI.

Remediation:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudWatch console: AWS CloudWatch Console.

  3. In the left navigation pane, click Alarms.

                     

  1. For each alarm that you want to audit, do the following:

    • Select the alarm.

                         

  • Click on Actions, then Modify Alarm.

  • In the Actions section, ensure that there are actions configured for the ALARM state.

  • If there are no actions configured, add actions such as sending an SNS notification or invoking a Lambda function.

                 

  1. Save the changes after configuring the necessary actions.

Using AWS CLI:

List all alarms with the following command:

aws cloudwatch describe-alarms --query 'Alarms[*].AlarmName'

For each alarm, describe the alarm's details to check the actions configured for the ALARM state:

aws cloudwatch describe-alarms --alarm-names <AlarmName>

Ensure actions are defined for the ALARM state. If no actions are configured, add actions with the following command:

 aws cloudwatch put-metric-alarm \
  --alarm-name <AlarmName> \
  --metric-name <MetricName> \
  --namespace <Namespace> \
  --statistic <Statistic> \
  --threshold <Threshold> \
  --comparison-operator <ComparisonOperator> \
  --period <Period> \
  --evaluation-periods <EvaluationPeriods> \
  --alarm-actions <SNS_ARN or Lambda ARN>

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to CloudWatch → Alarms.              

  3. For each alarm, click Actions → Modify Alarm.

  4. In the Actions section, configure the ALARM state actions:

    • Select Send Notification and choose an SNS topic or configure any other action (e.g., Lambda, Auto Scaling).

  5. Save the configuration after adding the necessary actions.

  6. Repeat for other alarms if needed.

Using AWS CLI:

List all alarms:

aws cloudwatch describe-alarms --query 'Alarms[*].AlarmName'

Describe each alarm to check its configuration:

aws cloudwatch describe-alarms --alarm-names <AlarmName>

Update the alarm with actions:

 aws cloudwatch put-metric-alarm \
  --alarm-name <AlarmName> \
  --metric-name <MetricName> \
  --namespace <Namespace> \
  --statistic <Statistic> \
  --threshold <Threshold> \
  --comparison-operator <ComparisonOperator> \
  --period <Period> \
  --evaluation-periods <EvaluationPeriods> \
  --alarm-actions <SNS_ARN or Lambda ARN>

Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudWatch > Alarms.

  3. Identify the alarm for which the action was updated.

  4. Edit the alarm configuration by selecting the alarm and clicking Actions > Edit.

  5. Remove the specified actions for the ALARM state, leaving the action section blank or reverting to the previous action (if applicable).

  6. Save the changes to finalize the configuration.

Using AWS CLI:

Retrieve the configuration of the specific alarm to identify the current actions:

aws cloudwatch describe-alarms --alarm-names <alarm-name>

Remove or revert the action for the ALARM state by updating the alarm configuration:

aws cloudwatch put-metric-alarm \
--alarm-name <alarm-name> \
--alarm-actions []

  1. Verify the updated alarm configuration:

    aws cloudwatch describe-alarms --alarm-names <alarm-name>

References:

CIS Controls Mapping:

Control Version

Control ID

Control Description

v8

8.5

Collect detailed audit logs and configure retention for log management.

v7

6.3

Enable system logging and configure appropriate retention policies.