The CloudWatch Provider offers a direct integration with AWS CloudWatch, enabling Keep users to receive CloudWatch alarms within the Keep platform. This integration centralizes the monitoring and alerting capabilities, allowing for timely responses to changes in the infrastructure or application health.

Key Features:

  • Webhook Integration: Facilitates automatic subscription to AWS SNS topics linked with CloudWatch alarms, ensuring that Keep is notified of all relevant alarms.
  • Support for Custom SNS Topics: Allows the use of both pre-existing SNS topics and the specification of custom SNS topics for alarm notifications.
  • Broad Monitoring Scope: Utilizes CloudWatch’s comprehensive alarm system to monitor application and infrastructure health.
  • Adaptable Authentication: Accommodates both permanent and temporary AWS credentials to suit various security and operational requirements.

Connecting with the Provider

To integrate CloudWatch with Keep, you’ll need the following:

  • An AWS account with permissions to access CloudWatch and SNS services.
  • A configured Keep account with API access.
  • Appropriate AWS IAM permissions for the CloudWatch provider.

Required AWS IAM Permissions (Scopes)

To ensure the CloudWatch provider operates seamlessly, certain AWS IAM permissions (referred to as “scopes”) are necessary. These scopes enable the provider to perform actions such as reading alarm details, updating alarm configurations, and subscribing to SNS topics. Below is a list of the required scopes along with explanations:

Mandatory Scopes

  • cloudwatch:DescribeAlarms
    • Description: Necessary to retrieve information about CloudWatch alarms.
    • Documentation: API_DescribeAlarms
    • Alias: Describe Alarms
    • Mandatory: Yes
    • This scope is crucial for the provider to fetch and list all CloudWatch alarms.

Optional Scopes

  • cloudwatch:PutMetricAlarm

    • Description: Required to update alarm configurations, particularly to add Keep as an SNS action on alarms.
    • Documentation: API_PutMetricAlarm
    • Alias: Update Alarms
    • This scope allows the modification of existing CloudWatch alarms to integrate with Keep notifications.
  • sns:ListSubscriptionsByTopic

    • Description: Allows listing all subscriptions for a given SNS topic, enabling Keep to subscribe itself.
    • Documentation: SNS Access Policy
    • Alias: List Subscriptions
    • Essential for the provider to manage subscriptions to SNS topics for alarm notifications.
  • logs:GetQueryResults

    • Description: Required for retrieving the results of CloudWatch Logs Insights queries.
    • Documentation: API_GetQueryResults
    • Alias: Read Query Results
    • Enables the provider to fetch query results from CloudWatch Logs Insights.
  • logs:DescribeQueries

    • Description: Necessary to describe the results of CloudWatch Logs Insights queries.
    • Documentation: API_DescribeQueries
    • Alias: Describe Query Results
    • This scope is used to access detailed information about queries executed in CloudWatch Logs Insights.
  • logs:StartQuery

    • Description: Allows starting CloudWatch Logs Insights queries.
    • Documentation: API_StartQuery
    • Alias: Start Logs Query
    • Critical for initiating logs analysis and queries within CloudWatch Logs Insights.
  • iam:SimulatePrincipalPolicy

    • Description: Permits Keep to test the scopes of the current IAM role without making any resource modifications.
    • Documentation: API_SimulatePrincipalPolicy
    • Alias: Simulate IAM Policy
    • This scope is useful for verifying the permissions associated with the IAM role used by Keep, ensuring it has the necessary access without altering any AWS resources.
While some scopes are optional, having them configured can enhance the integration capabilities and provide a more comprehensive monitoring solution within Keep.

Authentication Configuration

Connecting CloudWatch to Keep requires:

  • AWS Access Key & Secret: Your AWS credentials with access to CloudWatch and SNS.
  • Region: The AWS region your CloudWatch alarms and SNS topics reside in.
  • Session Token (optional): Necessary for temporary AWS credentials.
  • CloudWatch SNS Topic (optional): An ARN or name of the SNS topic for sending notifications. Optional if your alarms are already configured with an SNS topic.

Setting Up the Integration

For a seamless setup process, ensure your AWS IAM roles are properly configured with the necessary permissions for CloudWatch and SNS access.


  1. Configure AWS IAM Roles: Ensure the IAM role used by the CloudWatch provider has permissions for cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, sns:ListSubscriptionsByTopic, and other relevant actions.
  2. Specify Authentication Details: In the Keep platform, enter the AWS Access Key, Secret, and Region details in the CloudWatch provider configuration.
  3. Set Up SNS Topic (Optional): If using a custom SNS topic, specify its ARN or name in the provider configuration. Keep will use this topic to listen for alarm notifications.
  4. Activate the Provider: Finalize the setup in Keep to start receiving CloudWatch alarms.


  • Ensure the AWS credentials provided have the correct permissions and are not expired.
  • Verify that the SNS topics are correctly configured to send notifications to Keep.
  • Check the CloudWatch alarms to ensure they are active and correctly configured to trigger under the desired conditions.