Overview

The CloudWatch Provider offers a direct integration with AWS CloudWatch, enabling Keep users to receive CloudWatch alarms within the Keep platform. This integration centralizes the monitoring and alerting capabilities, allowing for timely responses to changes in the infrastructure or application health.

Key Features:

  • Webhook Integration: Facilitates automatic subscription to AWS SNS topics linked with CloudWatch alarms, ensuring that Keep is notified of all relevant alarms.
  • Support for Custom SNS Topics: Allows the use of both pre-existing SNS topics and the specification of custom SNS topics for alarm notifications.
  • Broad Monitoring Scope: Utilizes CloudWatch’s comprehensive alarm system to monitor application and infrastructure health.
  • Adaptable Authentication: Accommodates both permanent and temporary AWS credentials to suit various security and operational requirements.

Connecting with the Provider

To integrate CloudWatch with Keep, you’ll need the following:

  • An AWS account with permissions to access CloudWatch and SNS services.
  • A configured Keep account with API access.
  • Appropriate AWS IAM permissions for the CloudWatch provider.

Setting Up the Integration

For a seamless setup process, ensure your AWS IAM roles are properly configured with the necessary permissions for CloudWatch and SNS access.

Authentication

This provider requires authentication.

  • region: AWS region (required: True, sensitive: False)
  • access_key: AWS access key (Leave empty if using IAM role at EC2) (required: False, sensitive: True)
  • access_key_secret: AWS access key secret (Leave empty if using IAM role at EC2) (required: False, sensitive: True)
  • session_token: AWS Session Token (required: False, sensitive: True)
  • cloudwatch_sns_topic: AWS Cloudwatch SNS Topic [ARN or name] (required: False, sensitive: False)
  • protocol: Protocol to use for the webhook (required: True, sensitive: False)

Certain scopes may be required to perform specific actions or queries via the provider. Below is a summary of relevant scopes and their use cases:

  • cloudwatch:DescribeAlarms: Required to retrieve information about alarms. (mandatory) (Documentation)
  • cloudwatch:PutMetricAlarm: Required to update information about alarms. This mainly use to add Keep as an SNS action to the alarm. (Documentation)
  • sns:ListSubscriptionsByTopic: Required to list all subscriptions of a topic, so Keep will be able to add itself as a subscription. (Documentation)
  • logs:GetQueryResults: Part of CloudWatchLogsReadOnlyAccess role. Required to retrieve the results of CloudWatch Logs Insights queries. (Documentation)
  • logs:DescribeQueries: Part of CloudWatchLogsReadOnlyAccess role. Required to describe the results of CloudWatch Logs Insights queries. (Documentation)
  • logs:StartQuery: Part of CloudWatchLogsReadOnlyAccess role. Required to start CloudWatch Logs Insights queries. (Documentation)
  • iam:SimulatePrincipalPolicy: Allow Keep to test the scopes of the current user/role without modifying any resource. (Documentation)

In workflows

This provider can be used in workflows.

As “step” to query data, example:

steps:
    - name: Query cloudwatch
      provider: cloudwatch
      config: "{{ provider.my_provider_name }}"
      with:
        log_group: {value}  
        log_groups: {value}  
        remove_ptr_from_results: {value}  
        query: {value}  
        hours: {value}

Check the following workflow examples:

Steps:

  1. Configure AWS IAM Roles: Ensure the IAM role used by the CloudWatch provider has permissions for cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, sns:ListSubscriptionsByTopic, and other relevant actions.
  2. Specify Authentication Details: In the Keep platform, enter the AWS Access Key, Secret, and Region details in the CloudWatch provider configuration.
  3. Set Up SNS Topic (Optional): If using a custom SNS topic, specify its ARN or name in the provider configuration. Keep will use this topic to listen for alarm notifications.
  4. Activate the Provider: Finalize the setup in Keep to start receiving CloudWatch alarms.

Troubleshooting

  • Ensure the AWS credentials provided have the correct permissions and are not expired.
  • Verify that the SNS topics are correctly configured to send notifications to Keep.
  • Check the CloudWatch alarms to ensure they are active and correctly configured to trigger under the desired conditions.

Webhook Integration Modifications

The webhook integration for CloudWatch adds Keep as a subscriber to the SNS topics associated with CloudWatch alarms. This integration allows Keep to receive notifications for all alarms triggered within the AWS environment. The integration automatically gains access to the following scopes within CloudWatch:

  • cloudwatch:DescribeAlarms