Skip to main content

AWS CloudWatch

We support sending messages to the Amazon CloudWatch Service - a monitoring and observability service designed for DevOps engineers, developers, site reliability engineers (SREs), and IT managers.

CloudWatch Log Group

Follow the Working with log groups and log streams article on the AWS support site to set up a new CloudWatch Log Group. Once configured, copy the ARN of the new Log Group to set up a new Contact.

IAM Settings

The AWS CloudWatch integration requires an AWS IAM Access Key and Secret to authenticate requests against your AWS account, and the ARN of a CloudWatch Log Group. This key only requires the logs:CreateLogStream and logs:PutLogEvents permissions to the provided ARN.

You can use this IAM Policy to grant access to your CloudWatch Log Group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Alerts",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "your-log-group-arn:log-stream:*"
        }
    ]
}

Simply replace the your-log-group-arn value with the ARN of your CloudWatch Log Group, and apply this policy against the IAM Access Key.

tip

The Resource value should be the ARN of your CloudWatch Log Group, appended with :log-stream:*, for example:

arn:aws:logs:us-east-1:1234567890:log-group:rbl-events:log-stream:*

Make sure to change the region, account number, and log group name in the ARN.

Payload

The format of the body of the message delivered to your CloudWatch log stream uses JSON. For example:

{
    "event_sid": "PK4e343bdbfaf0b0a4106bf39975943a69e6fe4c063fe64948372f36180c5d2f75",
    "event_type": "contact.trigger",
    "title": "RBL Listing Event",
    "message": "1 hosts listed, 0 hosts delisted. See link for more details.",
    "url": "https:\/\/rbltrack.com\/fFMa1S"
}

Adding a Contact

You can add an AWS CloudWatch contact from the Manage ➡️ Contacts section of the Portal.

Select AWS CloudWatch from the Contact Type drop-down, enter the ARN of the CloudWatch Log Group, the Access Key & Secret of your IAM Access Key, a Frequency, and select one or more Contact Groups to associate with this new contact.

tip

The ARN of the CloudWatch Log Group ends with a *, which is required to properly create the underlying log streams. For example:

arn:aws:logs:us-east-1:1234567890:log-group:rbl-alerts:*

After clicking Add Contact, you'll receive a confirmation message with a confirmation link that you'll need to click on to confirm your contact.

If you don't receive the confirmation message for some reason, you can also click the Resend Auth option to resend the confirmation message. Once a contact is confirmed, it will be ready to use.