Alerting for Amazon Elasticsearch Service

The alerting feature notifies you when data from one or more Elasticsearch indices meets certain conditions. For example, you might want to receive an email if your application logs more than five HTTP 503 errors in one hour, or you might want to page a developer if no new documents have been indexed in the past 20 minutes. To get started, open Kibana and choose Alerting.

Alerting requires Elasticsearch 6.2 or higher. Full documentation for the feature is available in the Open Distro for Elasticsearch documentation.


Compared to Open Distro for Elasticsearch, the Amazon Elasticsearch Service alerting feature has some notable differences.

Amazon SNS Support

Amazon ES supports Amazon SNS for notifications. This integration with Amazon SNS means that, in addition to standard destinations (Slack, custom webhooks, and Amazon Chime), the alerting feature can send emails, text messages, and even run AWS Lambda functions using SNS topics. For more information about Amazon SNS, see the Amazon Simple Notification Service Developer Guide.

To add Amazon SNS as a destination

  1. Open Kibana.

  2. Choose Alerting.

  3. Choose the Destinations tab and then Add Destination.

  4. Provide a unique name for the destination.

  5. For Type, choose Amazon SNS.

  6. Provide the SNS topic ARN.

  7. Provide the ARN for an IAM role within your account that has the following trust relationship and permissions (at minimum):

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" }] }
    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sns:Publish", "Resource": "sns-topic-arn" }] }

    For more information, see Adding IAM Identity Permissions in the IAM User Guide.

  8. Choose Create.
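The two policy documents in step 7 are the part of this procedure that decides how much an attacker could do with the destination role, so it is worth generating them programmatically and checking them before pasting the role ARN into Kibana. The following Python is an added example, not code from the AWS documentation: it builds a trust relationship and a publish-only permission policy for one topic, then audits the pair for the least-privilege properties the page calls for (only `sts:AssumeRole` for one service principal; only `sns:Publish` on one concrete topic ARN, never a wildcard). The topic ARN and account number are constructed sample values, and the service principal `es.amazonaws.com` is an assumption, since the page leaves that value blank.

```python
import json
import re

# Constructed sample values (not from the page); substitute your own.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:es-alerts"
# Assumption: the service principal Amazon ES uses to assume the destination
# role. The page leaves this blank; confirm it against the current AWS docs.
ES_SERVICE_PRINCIPAL = "es.amazonaws.com"

# One concrete topic: region, 12-digit account, topic name. No wildcards.
SNS_TOPIC_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]+$")


def trust_policy(service_principal: str = ES_SERVICE_PRINCIPAL) -> dict:
    """Trust relationship: only the named service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def publish_policy(topic_arn: str) -> dict:
    """Permissions: sns:Publish on exactly one topic and nothing else."""
    if not SNS_TOPIC_ARN_RE.match(topic_arn):
        raise ValueError(f"not a single SNS topic ARN: {topic_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def _as_list(value):
    # IAM accepts a scalar or a list for Action / Resource / Service.
    return value if isinstance(value, list) else [value]


def audit_destination_role(trust: dict, perms: dict,
                           expected_principal: str = ES_SERVICE_PRINCIPAL) -> list:
    """Return least-privilege findings; an empty list means the pair is acceptable."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or "AWS" in principal:
            findings.append("trust policy lets a non-service principal assume the role")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        for svc in services:
            if svc != expected_principal:
                findings.append(f"trust policy allows unexpected service principal {svc!r}")
        if set(_as_list(st.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append("trust policy grants actions other than sts:AssumeRole")
    for st in perms.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if any(a != "sns:Publish" for a in actions):
            findings.append(f"permission policy grants more than sns:Publish: {actions}")
        for res in _as_list(st.get("Resource", [])):
            if not SNS_TOPIC_ARN_RE.match(res):
                findings.append(f"permission policy resource is not one SNS topic ARN: {res!r}")
    return findings


if __name__ == "__main__":
    trust, perms = trust_policy(), publish_policy(TOPIC_ARN)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", audit_destination_role(trust, perms))
```

Running the module prints both documents ready to paste into the IAM console and an empty findings list; feeding it a role whose permission statement uses `"Resource": "*"`, or whose trust policy names another service, produces a finding for each problem, which is the check to run on any existing role you intend to reuse for the destination.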

Alerting Settings

Open Distro for Elasticsearch lets you modify certain alerting settings using the _cluster/settings API (for example, opendistro.alerting.monitor.max_monitors). Amazon ES uses the default values, and you can't change them.

You can, however, disable the alerting feature. Send the following request:

PUT _cluster/settings
{
  "persistent": {
    "opendistro.scheduled_jobs.enabled": false
  }
}

If you previously created monitors and want to stop the creation of daily alerting indices, delete all alert history indices:

DELETE .opendistro-alerting-alert-history-*
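When you disable alerting this way it is worth verifying the change rather than assuming it, because `_cluster/settings` returns values as strings, nests the keys unless you ask for `flat_settings`, and a transient setting silently overrides the persistent one. The following Python is an added example, not part of the AWS documentation: it builds the PUT request from the page, evaluates a GET `_cluster/settings` response with the correct transient-over-persistent-over-default precedence, and lists which indices the wildcard DELETE above would actually remove from a `_cat/indices?format=json` listing so the scope can be confirmed first. The responses it works on are constructed samples embedded in the block; no cluster is contacted.

```python
import json

# Setting the page toggles; its default (alerting enabled) is True.
SETTING = "opendistro.scheduled_jobs.enabled"
HISTORY_PREFIX = ".opendistro-alerting-alert-history-"

# Constructed sample of a GET _cluster/settings response after the page's PUT:
# values come back as strings and keys are nested, not dotted.
SAMPLE_SETTINGS = {
    "persistent": {"opendistro": {"scheduled_jobs": {"enabled": "false"}}},
    "transient": {},
}

# Constructed sample of GET _cat/indices?format=json (only the "index" field matters here).
SAMPLE_CAT_INDICES = [
    {"index": ".opendistro-alerting-config"},
    {"index": ".opendistro-alerting-alert-history-2019.11.04"},
    {"index": ".opendistro-alerting-alert-history-2019.11.05"},
    {"index": "app-logs-2019.11.05"},
]


def disable_alerting_request() -> tuple:
    """The request from the page as (method, path, JSON body)."""
    return ("PUT", "_cluster/settings", json.dumps({"persistent": {SETTING: False}}))


def _lookup(block: dict, dotted: str):
    """Find a setting in one scope block, whether returned flat or nested."""
    if dotted in block:
        return block[dotted]
    node = block
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _as_bool(value) -> bool:
    return value if isinstance(value, bool) else str(value).lower() == "true"


def alerting_enabled(settings_response: dict) -> bool:
    """Apply Elasticsearch precedence: transient, then persistent, then the default."""
    for scope in ("transient", "persistent"):
        value = _lookup(settings_response.get(scope, {}), SETTING)
        if value is not None:
            return _as_bool(value)
    return True


def alert_history_indices(cat_indices: list) -> list:
    """Index names the page's DELETE wildcard would match; nothing else is touched."""
    return sorted(i["index"] for i in cat_indices if i["index"].startswith(HISTORY_PREFIX))


if __name__ == "__main__":
    print(disable_alerting_request())
    print("alerting enabled:", alerting_enabled(SAMPLE_SETTINGS))
    print("history indices to delete:", alert_history_indices(SAMPLE_CAT_INDICES))
```

The precedence check matters in practice: if someone earlier set the same key as a transient setting to `true`, the persistent `false` from the page's request has no effect until the node restarts or the transient value is cleared, and `alerting_enabled` reports that correctly. Listing the history indices before the DELETE keeps the wildcard from being broader than intended, and the `.opendistro-alerting-config` index, which holds the monitors and destinations themselves, is deliberately excluded by the prefix match.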

Alerting Permissions

To use the Amazon ES alerting feature on a domain that uses fine-grained access control, you must map the all_access role to your user or backend role.