Creating a CloudWatch alarm based on anomaly detection - Amazon CloudWatch

Creating a CloudWatch alarm based on anomaly detection

You can create an alarm based on CloudWatch anomaly detection, which analyzes past metric data and creates a model of expected values. The expected values take into account the typical hourly, daily, and weekly patterns in the metric.

You set a value for the anomaly detection threshold, and CloudWatch uses this threshold with the model to determine the "normal" range of values for the metric. A higher value for the threshold produces a thicker band of "normal" values.

You can choose whether the alarm is triggered when the metric value is above the band of expected values, below the band, or either above or below the band.

You also can create anomaly detection alarms on single metrics and the outputs of metric math expressions. You can use these expressions to create graphs that visualize anomaly detection bands.

Cross-account or cross-Region alarms based on anomaly detection are not supported.

For more information, see Using CloudWatch anomaly detection.


If you're already using anomaly detection for visualization purposes on a metric in the Metrics console and you create an anomaly detection alarm on that same metric, then the threshold that you set for the alarm doesn't change the threshold that you already set for visualization. For more information, see Creating a graph.

To create an alarm that's based on anomaly detection

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Alarms, and then choose All alarms.

  3. Choose Create alarm.

  4. Do one of the following:

    • Choose the service namespace that contains your metric, and then continue choosing options as they appear to narrow down your options. When a list of metrics appears, select the check box that's next to your metric.

    • In the search box, enter the name of a metric, dimension, or resource ID, and press Enter on your keyboard. Select one of the results, and then continue choosing options as they appear until a list of metrics appears. Select the check box that's next to your metric.

  5. Choose Graphed metrics.

    1. (Optional) Under the Statistic column, choose the dropdown, and then select one of the predefined statistics or percentiles. You can use the search box in the dropdown to specify a custom percentile, such as p95.45.

    2. (Optional) Under the Period column, choose the dropdown, and then select one of the predefined evaluation periods.


      When CloudWatch evaluates your alarm, it aggragates the period into a single datapoint. For an anomaly detection alarm, the evaluation period must be one minute or longer.

    3. (Optional) Under the Y axis column, you can specify whether the Y-axis legend appears on the left or right side of the graph.


      This option can be used only while you're creating your alarm.

  6. Choose Select metric.

  7. Under Conditions, specify the following:

    1. Choose Anomaly detection.

      If the model for this metric and statistic already exists, CloudWatch displays the anomaly detection band in the sample graph at the top of the screen. If the model does not already exist, the model is generated when you are done creating the alarm. It takes up to 15 minutes for the actual anomaly detection band generated by the model to appear in the graph. Before that, the band you see is an approximation of the anomaly detection band. To see the graph in a longer time frame, choose Edit at the top right of the page.

    2. For Whenever metric is, specify when to trigger the alarm. For example, when the metric is greater than, lower than, or outside the band (in either direction).

    3. For Anomaly detection threshold, choose the number to use for the anomaly detection threshold. A higher number creates a thicker band of "normal" values that is more tolerant of metric changes. A lower number creates a thinner band that will go to ALARM state with smaller metric deviations. The number does not have to be a whole number.

    4. Choose Additional configuration. For Datapoints to alarm, specify how many evaluation periods (data points) must be in the ALARM state to trigger the alarm. If the two values here match, you create an alarm that goes to ALARM state if that many consecutive periods are breaching.

      To create an M out of N alarm, specify a number for the first value that is lower than the number for the second value. For more information, see Evaluating an alarm.

    5. For Missing data treatment, choose how the alarm behaves when some data points are missing. For more information, see Configuring how CloudWatch alarms treat missing data.

    6. If the alarm uses a percentile as the monitored statistic, a Percentiles with low samples box appears. Use it to choose whether to evaluate or ignore cases with low sample rates. If you choose Ignore (maintain alarm state), the current alarm state is always maintained when the sample size is too low. For more information, see Percentile-based CloudWatch alarms and low data samples.

  8. Choose Next.

  9. Under Notification, select an SNS topic to notify when the alarm is in ALARM state, OK state, or INSUFFICIENT_DATA state.

    To send multiple notifications for the same alarm state or for different alarm states, choose Add notification.

    Choose Remove if you don't want the alarm to send notifications.

  10. You can set up the alarm to perform EC2 actions when it changes state, or to create a Systems Manager OpsItem or incident when it goes into ALARM state. To do this, choose the appropriate button and then choose the alarm state and action to perform.

    For more information about Systems Manager actions, see Configuring CloudWatch to create OpsItems from alarms and Incident creation.


    To create an alarm that performs an AWS Systems Manager Incident Manager action, you must have certain permissions. For more information, see Identity-based policy examples for AWS Systems Manager Incident Manager.

  11. Choose Next.

  12. Under Name and description, enter a name and description for your alarm, and choose Next.


    The alarm name must contain ASCII characters only.

  13. Under Preview and create, confirm that your alarm's information and conditions are correct, and choose Create alarm.

Modifying an anomaly detection model

After you create an alarm, you can adjust the anomaly detection model. You can exclude certain time periods from being used in the model creation. It is critical that you exclude unusual events such as system outages, deployments, and holidays from the training data. You can also specify whether to adjust the model for Daylight Savings Time changes.

To adjust the anomaly detection model for an alarm

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Alarms, All alarms.

  3. Choose the name of the alarm. If necessary, use the search box to find the alarm.

  4. Choose View in metrics.

  5. In the lower part of the screen, choose Edit model.

  6. To exclude a time period from being used to produce the model, choose Add another time range to exclude from training. Then, select or enter the days and times to exclude from training and choose Apply.

  7. If the metric is sensitive to Daylight Savings Time changes, select the appropriate time zone in the Metric timezone box.

  8. Choose Update.

Deleting an anomaly detection model

Using anomaly detection for an alarm accrues charges. As a best practice, if your alarm no longer needs an anomaly dection model, delete the alarm first and the model second. When anomaly dection alarms are evaluated, any missing anomaly detectors are created on your behalf. If you delete the model without deleting the alarm, the alarm automatically recreates the model.

To delete an alarm

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Alarms, All Alarms.

  3. Choose the name of the alarm.

  4. Choose Actions, Delete.

To delete the anomaly detection model that was used for an alarm

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Metrics.

  3. On the All metrics tab, enter a search term in the search field, such as a metric name or resource name, and press Enter.

    For example, if you search for the CPUUtilization metric, you see the namespaces and dimensions that have this metric.

  4. In the results, select the metric that had the anomaly detection model.

  5. Choose the Graphed metrics tab.

  6. Select the anomaly detection band that you want to remove, and then choose delete anomaly detection model.