Create an alarm to notify when IP addresses are running low - amazon-web-services

Is there any way to create an alarm in AWS for when IP addresses are about to run out?
Thanks!

There is no standard Amazon CloudWatch alarm for monitoring available IP addresses in a subnet. However, you could:
Create an AWS Lambda function that scans the subnet(s) and sends a custom metric to CloudWatch
Create an Amazon CloudWatch Events rule that triggers the Lambda function at a desired interval
Create an Alarm on the custom metric to notify you when the metric drops below a desired level
The benefit of this approach is that you will retain a history, within the custom metric, of the number of available IP addresses. However, it would involve a separate custom metric and alarm for each subnet.
Alternatively, you could configure the Lambda function to send a message to an Amazon SNS topic whenever there is a low quantity of IP addresses in a subnet. Then, subscribe to the SNS topic to receive notification. While there is no history available, it requires less configuration because it doesn't use CloudWatch.
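The following is an added example of the Lambda side of both variants above; it is not code from the answer. It assumes a custom namespace `Custom/VPC`, an optional `SUBNET_IDS` environment variable (comma-separated; empty means every subnet the role can see), and a low watermark of 16 free addresses for the SNS-only variant. It publishes the free count and, additionally, the free percentage, because a fixed count means different things for a /28 and a /20. `boto3` is imported inside the functions that call AWS so the metric-building logic runs without credentials.

```python
import ipaddress
import os
from datetime import datetime, timezone

NAMESPACE = "Custom/VPC"       # assumed metric namespace
AWS_RESERVED_PER_SUBNET = 5    # AWS keeps the first four and the last address of every subnet
BATCH_SIZE = 20                # conservative PutMetricData batch size
LOW_WATERMARK = 16             # assumed threshold for the SNS-only variant


def usable_addresses(cidr):
    """Addresses in the subnet that AWS will actually hand out."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - AWS_RESERVED_PER_SUBNET


def build_metric_data(subnets, now=None):
    """Map describe_subnets() entries to PutMetricData records.

    Two metrics per subnet, both keyed on the SubnetId dimension: the raw free
    count and the free percentage, so the alarm threshold can be chosen relative
    to the subnet size.
    """
    now = now or datetime.now(timezone.utc)
    data = []
    for s in subnets:
        dims = [{"Name": "SubnetId", "Value": s["SubnetId"]}]
        free = s["AvailableIpAddressCount"]
        pct = 100.0 * free / usable_addresses(s["CidrBlock"])
        data.append({"MetricName": "AvailableIpAddressCount", "Dimensions": dims,
                     "Timestamp": now, "Value": free, "Unit": "Count"})
        data.append({"MetricName": "AvailableIpPercent", "Dimensions": dims,
                     "Timestamp": now, "Value": pct, "Unit": "Percent"})
    return data


def low_subnets(subnets, min_free=LOW_WATERMARK):
    """Subnet IDs below the watermark, for the 'skip CloudWatch, just notify via SNS' variant."""
    return [s["SubnetId"] for s in subnets if s["AvailableIpAddressCount"] < min_free]


def chunks(seq, size):
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def publish_metrics(metric_data, client=None):
    import boto3  # imported here so the pure functions above run without AWS credentials
    client = client or boto3.client("cloudwatch")
    for batch in chunks(metric_data, BATCH_SIZE):
        client.put_metric_data(Namespace=NAMESPACE, MetricData=batch)


def lambda_handler(event, context):
    """Entry point for the scheduled (CloudWatch Events / EventBridge) invocation."""
    import boto3
    ec2 = boto3.client("ec2")
    ids = [x for x in os.environ.get("SUBNET_IDS", "").split(",") if x]  # assumed env var
    subnets = ec2.describe_subnets(**({"SubnetIds": ids} if ids else {}))["Subnets"]
    publish_metrics(build_metric_data(subnets))
    return {"subnets": len(subnets), "low": low_subnets(subnets)}
```

The alarm then goes on `AvailableIpPercent` (or the count) with the `SubnetId` dimension, one alarm per subnet, as the answer notes; the Lambda's execution role needs `ec2:DescribeSubnets` and `cloudwatch:PutMetricData` and nothing else.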

Create an alarm based on a CloudWatch insight query

My problem:
I would like to blacklist IPs which are accessing my public AWS API Gateway endpoint more than 5 times an hour.
My proposed solution:
Requests are logged to CloudWatch
Requests are counted and grouped by IP
An alarm monitors the IPs and sends a message to an SNS topic in case the threshold is met
Lambda is triggered by the message and blacklists the IP
I am able to log and count the IPs by using the Insight query below:
fields ip
| stats count() as ipCount by ip
| filter ispresent(ip)
| sort ipCount desc
What I am struggling to accomplish is getting a CloudWatch Alarm based on this query.
I have searched a lot but no success. Any ideas on how to create such a metric / alert?
I know you planned to do a custom Lambda, but check if WAF already fulfills your use case. For example, the rate limit section in this article here clearly allows you to define the rate per 5-minutes for a given IP:
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html
If you are not doing anything else, a custom Lambda function may not be needed.
EDIT
If you want to go down the path of CloudWatch alarms, I think you can define a metric filter to create a CloudWatch metric. Then you can create the alarm based on the metric.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/MonitoringLogData.html
The best approach is to use the managed service AWS WAF, which is perfectly integrated with your APIs.
The problem with a custom solution is the latency (time to aggregate logs and count) and the cost, because each time a Lambda will run with queries....
In API Gateway you can attach a WAF Web ACL directly; you can set the rate per 5 min, per 10 min... as you need. That is the job of the WAF.
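An added example (not code from the question or either answer) that ties the two threads together: it does offline what the question's `stats count() as ipCount by ip` does, but as a sliding one-hour window so that six requests spread over an afternoon do not trip a "more than 5 per hour" rule, and it then feeds the offenders into a WAF IP set, which is the managed blocking mechanism both answers point at. It assumes an API Gateway access log in JSON format where `ip` is `$context.identity.sourceIp` and `requestTime` is `$context.requestTime`, and an existing WAFv2 IP set already referenced by a block rule in the web ACL; the log lines are constructed.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # "more than 5 times an hour" from the question
WINDOW = timedelta(hours=1)


def _line(ip, hhmm):
    """Constructed API Gateway access-log record (JSON format, ip=$context.identity.sourceIp)."""
    return json.dumps({"requestId": "constructed", "ip": ip,
                       "requestTime": f"10/Sep/2023:{hhmm}:00 +0000", "status": 200})


# Constructed sample: one IP bursts 6 requests in 25 minutes, one spreads 6 over ~3.5 hours.
SAMPLE_LOG_LINES = (
    [_line("203.0.113.7", t) for t in ("13:00", "13:05", "13:10", "13:15", "13:20", "13:25")]
    + [_line("198.51.100.2", t) for t in ("13:00", "13:40", "14:20", "15:00", "15:40", "16:20")]
    + [_line("192.0.2.9", t) for t in ("13:02", "13:03")]
)


def parse_line(line):
    rec = json.loads(line)
    # $context.requestTime is CLF-style: 10/Sep/2023:13:25:01 +0000
    return rec["ip"], datetime.strptime(rec["requestTime"], "%d/%b/%Y:%H:%M:%S %z")


def offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per IP.

    Keeps only the last `window` of timestamps per IP and flags the IP the
    first time more than `threshold` requests fall inside that window.
    Returns {ip: time_first_exceeded}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in sorted((parse_line(l) for l in lines), key=lambda x: x[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def to_ipset_addresses(ips):
    """WAF IP sets take CIDR notation, so a host becomes /32 (IPv4) or /128 (IPv6)."""
    out = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        out.append(f"{addr}/{32 if addr.version == 4 else 128}")
    return sorted(out)


def block_in_waf(addresses, name, ipset_id, scope="REGIONAL"):
    """Merge the offenders into an existing WAFv2 IP set (assumed to back a block rule)."""
    import boto3  # imported here so the detection logic above runs offline
    waf = boto3.client("wafv2")
    cur = waf.get_ip_set(Name=name, Scope=scope, Id=ipset_id)
    merged = sorted(set(cur["IPSet"]["Addresses"]) | set(addresses))
    waf.update_ip_set(Name=name, Scope=scope, Id=ipset_id,
                      Addresses=merged, LockToken=cur["LockToken"])
    return merged


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG_LINES)
    print(hits, to_ipset_addresses(hits))
```

The merge-then-update in `block_in_waf` matters: `update_ip_set` replaces the whole address list, so writing only the new offenders would silently unblock everyone blocked earlier, and the `LockToken` guards against two concurrent Lambda runs clobbering each other.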

CloudWatch Monitoring and Notifications

I am using various AWS services (Lambda, Glue, S3, Redshift, EC2) for ETL processing. I am trying to create a 'log ETL flow' to have monitoring and notifications sent out (email or otherwise) when a step fails in the process.
I have checked that each service I am using has metrics being logged in CloudWatch. I am now trying to figure out a smart way of processing this data in order to send out notifications when a step fails and/or have a central monitoring of the entire flow.
Are there any best practices or examples of this setup?
It seems to be the perfect case for the CloudWatch Alarms.
You can create a CloudWatch alarm that watches a single CloudWatch metric or the result of a math expression based on CloudWatch metrics. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. The action can be an Amazon EC2 action, an Amazon EC2 Auto Scaling action, or a notification sent to an Amazon SNS topic.
You can create a chain CloudWatch Alarm -> SNS
You can use SNS to notify users via SMS or push notifications, or go one step further, SNS -> SES, to deliver emails.

Stopping EC2 instance when custom cloudwatch metric passes limit

I'm trying to find a way to make an Amazon EC2 instance stop automatically when a certain custom metric on CloudWatch passes a limit. So far if I've understood correctly based on these articles:
Discussion Forum: Custom Metric EC2 Action
CloudWatch Documentation: Create Alarms to Stop, Terminate, Reboot, or Recover an Instance
This will only work if the metric is defined as follows:
Tied to certain instance
With type of System/Linux
However in my case I have a custom metric that is actually not instance-related but "global" and if a certain limit is passed, I would need to stop all instances, no matter from which instance the limiting log is received.
Does anybody know if there is way to make this work? What I'd need is some way to make CloudWatch work like this:
If arbitrary custom metric value passes a certain limit -> stop defined instances not tied to the metric itself.
The main problem is that the EC2 option is greyed out as the metric is not tied to certain EC2 instance and I'm not sure if there's any way to do this without actually making the metric itself certain instance related.
Have the custom CloudWatch metric post alerts to an SNS topic.
Have the SNS topic trigger a Lambda function that shuts down your EC2 instances via a call to the AWS API.
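The SNS-triggered Lambda from that answer, as an added example rather than the answerer's code. The CloudWatch alarm notification arrives as a JSON string inside the SNS envelope (`Records[0].Sns.Message`, with `AlarmName` and `NewStateValue`); the function only acts on the `ALARM` transition and only on instances explicitly mapped to that alarm name, so a misrouted or `OK` notification never stops anything. The mapping is assumed to come from an `ALARM_TARGETS` environment variable; the event below is constructed.

```python
import json
import os

# Constructed SNS-triggered Lambda event carrying a CloudWatch alarm notification.
SAMPLE_EVENT = {
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {
            "Subject": 'ALARM: "global-queue-backlog" in EU (Ireland)',
            "Message": json.dumps({
                "AlarmName": "global-queue-backlog",
                "NewStateValue": "ALARM",
                "OldStateValue": "OK",
                "NewStateReason": "Threshold Crossed: 1 datapoint [12000.0] was greater than the threshold (10000.0).",
                "Trigger": {"MetricName": "Backlog", "Namespace": "Custom/App", "Dimensions": []},
            }),
        },
    }]
}


def load_targets(env=os.environ):
    """Assumed config: ALARM_TARGETS='{"global-queue-backlog": ["i-0aaa...", "i-0bbb..."]}'."""
    return json.loads(env.get("ALARM_TARGETS", "{}"))


def parse_alarm(event):
    """Pull the alarm name and state out of the SNS envelope; reject anything else."""
    records = event.get("Records") or []
    if not records or "Sns" not in records[0]:
        raise ValueError("not an SNS-delivered event")
    msg = json.loads(records[0]["Sns"]["Message"])
    return {"alarm": msg["AlarmName"], "state": msg["NewStateValue"],
            "reason": msg.get("NewStateReason", "")}


def instances_to_stop(info, targets):
    """Only act on the ALARM transition, and only on instances mapped to that alarm name."""
    if info["state"] != "ALARM":
        return []
    return list(targets.get(info["alarm"], []))


def lambda_handler(event, context):
    import boto3  # imported here so the parsing stays testable offline
    info = parse_alarm(event)
    ids = instances_to_stop(info, load_targets())
    if ids:
        boto3.client("ec2").stop_instances(InstanceIds=ids)
    return {**info, "stopped": ids}
```

Scope the Lambda role's `ec2:StopInstances` permission to the same instance IDs (a resource ARN list or a tag condition), so that even a crafted message on the topic cannot stop anything beyond what the alarm is meant to control.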

How to use CloudWatch to check if your AWS RDS instance is down

I want to know when my RDS Instance is down (in a "failed" or other state). Going through this article: Monitoring Amazon RDS and looking at the CloudWatch Metrics when trying to create an alarm, it doesn't seem possible to use CloudWatch to check the status directly (if it's "available" or not).
Is my only option to use the other metrics to indirectly detect if it's down (e.g. CPU usage at 0%)? If so, which metrics should I use?
You don't use CloudWatch for this. RDS will notify you of this sort of issue directly. You just need to set up event notification in RDS.
See documentation: Using Amazon RDS Event Notification

AWS EC2 Alarm that triggers when log in

Is it possible to create a CloudWatch alarm that triggers when my EC2 instance is accessed from a remote location (using SSH login with key pairs, for example)?
There is no in-built capability to perform an action when users login to an Amazon EC2 instance. You would have to write a script that activates when users login, checks the situation and then triggers a notification.
Amazon CloudWatch alarms trigger when a metric exceeds a pre-determined value. Therefore, you would need to do the following:
Have your custom script detect the situation and then publish a custom metric to CloudWatch
Create an Alarm in CloudWatch that triggers when the metric exceeds your desired value (for example, when it is greater than zero)
Configure your alarm to respond as desired (eg send a notification via SNS)
If you just wish to receive a notification when the user logs in, you could bypass CloudWatch and just have your script publish a message to the SNS (Simple Notification Service) topic directly. It would have the same result.
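An added example of the detection script that answer describes (not the answerer's code): it follows the instance's auth log, picks out successful `sshd` authentications, ignores source addresses inside trusted networks, and publishes the rest straight to SNS, which is the answer's "bypass CloudWatch" variant. The log lines are constructed in the standard OpenSSH `Accepted <method> for <user> from <ip> port <n>` shape; the trusted ranges (`TRUSTED_NETWORKS`, default `10.0.0.0/8`), the topic ARN (`LOGIN_TOPIC_ARN`) and the log path are assumptions.

```python
import ipaddress
import os
import re
import socket

# Constructed syslog-style sshd lines in the standard OpenSSH message format.
SAMPLE_AUTH_LOG = """\
Sep 10 13:25:01 ip-10-0-1-23 sshd[1234]: Accepted publickey for ec2-user from 203.0.113.7 port 51234 ssh2: RSA SHA256:constructedfingerprint
Sep 10 13:25:02 ip-10-0-1-23 sshd[1234]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Sep 10 13:26:10 ip-10-0-1-23 sshd[1300]: Failed password for invalid user admin from 198.51.100.5 port 40022 ssh2
Sep 10 13:27:00 ip-10-0-1-23 sshd[1350]: Accepted password for deploy from 10.0.2.14 port 48822 ssh2
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Assumption: logins from these networks (VPC / corporate VPN) are expected and not alerted on.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in os.environ.get("TRUSTED_NETWORKS", "10.0.0.0/8").split(",")]
TOPIC_ARN = os.environ.get("LOGIN_TOPIC_ARN", "")  # assumed env var holding the SNS topic ARN


def successful_logins(lines):
    """Parse only successful authentications; failures are a different alert."""
    out = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            out.append(d)
    return out


def is_remote(ip, trusted=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in trusted)


def remote_logins(lines, trusted=TRUSTED_NETWORKS):
    return [l for l in successful_logins(lines) if is_remote(l["ip"], trusted)]


def build_notification(login, host):
    subject = f"SSH login on {host}: {login['user']} from {login['ip']}"
    body = (f"user={login['user']} ip={login['ip']} port={login['port']} "
            f"method={login['method']} host={host}")
    return subject, body


def notify(login, host=None):
    """Publish straight to SNS; the CloudWatch variant would be a put_metric_data call instead."""
    import boto3  # imported here so the parsing above runs offline
    host = host or socket.gethostname()
    subject, body = build_notification(login, host)
    boto3.client("sns").publish(TopicArn=TOPIC_ARN, Subject=subject[:100], Message=body)


def watch(path="/var/log/secure"):
    """Follow the auth log like tail -f and notify on each remote login."""
    import time
    with open(path) as f:
        f.seek(0, os.SEEK_END)
        while True:
            line = f.readline()
            if not line:
                time.sleep(1)
                continue
            for login in remote_logins([line]):
                notify(login)
```

Run it as a systemd service under a user that can read the auth log, with an instance role that allows only `sns:Publish` on that one topic. Note that the script lives on the instance it is watching, so an attacker with root can stop it; shipping the same log lines to CloudWatch Logs via the agent and running the match there is the more robust variant of the same idea.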