AWS IoT metrics AWS IoT Core credential provider metrics Authentication metrics Server certificate OCSP stapling metrics Rule metrics Rule action metrics HTTP action specific metrics Message broker metrics Device shadow metrics Jobs metrics Device Defender audit metrics Device Defender detect metrics Device provisioning metrics LoRaWAN metrics Fleet indexing metrics Dimensions for metrics

AWS IoT metrics and dimensions

When you interact with AWS IoT, the service sends metrics and dimensions to CloudWatch every minute. You can use AWS IoT, use the CloudWatch console or AWS CLI to view these metrics.

To view metrics using the CloudWatch console, open the CloudWatch console. In the navigation pane, choose Metrics and then choose All metrics. In the Browse tab, search for AWS IoT to view the list of metrics. Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace.

To view metrics using AWS CLI, run the following command.


aws cloudwatch list-metrics --namespace "AWS/IoT"

CloudWatch displays the following groups of metrics for AWS IoT:

AWS IoT metrics
AWS IoT Core credential provider metrics
Authentication metrics
Server certificate OCSP stapling metrics
Rule metrics
Rule action metrics
HTTP action specific metrics
Message broker metrics
Device shadow metrics
Jobs metrics
Device Defender audit metrics
Device Defender detect metrics
Device provisioning metrics
LoRaWAN metrics
Fleet indexing metrics
Dimensions for metrics

AWS IoT metrics

Metric	Description
`AddThingToDynamicThingGroupsFailed`	The number of failure events associated with adding a thing to a dynamic thing group. The `DynamicThingGroupName` dimension contains the name of the dynamic groups that failed to add things.
`NumLogBatchesFailedToPublishThrottled`	The singular batch of log events that has failed to publish due to throttling errors.
`NumLogEventsFailedToPublishThrottled`	The number of log events within the batch that have failed to publish due to throttling errors.

AWS IoT Core credential provider metrics

Metric	Description
`CredentialExchangeSuccess`	The number of successful `AssumeRoleWithCertificate` requests to AWS IoT Core credentials provider.

Authentication metrics

Note

The authentication metrics are displayed in the CloudWatch console under Protocol Metrics.

Metric Description

Metric	Description
`Connection.AuthNError`	The number of connection attempts which AWS IoT Core rejects due to authentication failures. This metric only considers connections that send a Server Name Indication (SNI) string matching an endpoint of your AWS account. This metric includes connection attempts from external sources such as internet scanning tools or probing activities. The `Protocol` dimension contains the protocol used to send the connection attempt.

Connection.AuthNError

The number of connection attempts which AWS IoT Core rejects due to authentication failures. This metric only considers connections that send a Server Name Indication (SNI) string matching an endpoint of your AWS account. This metric includes connection attempts from external sources such as internet scanning tools or probing activities. The Protocol dimension contains the protocol used to send the connection attempt.

Server certificate OCSP stapling metrics

Metric	Description
RetrieveOCSPStapleData.Success	The OCSP response has been received and processed successfully. This response will be included during the TLS handshake for the configured domain. The `DomainConfigurationName` dimension contains the name of configured domain with enabled server certificate OCSP stapling.

Rule metrics

Metric	Description
`ParseError`	The number of JSON parse errors that occurred in messages published on a topic on which a rule is listening. The `RuleName` dimension contains the name of the rule.
`RuleMessageThrottled`	The number of messages throttled by the rules engine because of malicious behavior or because the number of messages exceeds the rules engine's throttle limit. The `RuleName` dimension contains the name of the rule to be triggered.
`RuleNotFound`	The rule to be triggered could not be found. The `RuleName` dimension contains the name of the rule.
`RulesExecuted`	The number of AWS IoT rules executed.
`TopicMatch`	The number of incoming messages published on a topic on which a rule is listening. The `RuleName` dimension contains the name of the rule.

Rule action metrics

Metric	Description
`Failure`	The number of failed rule action invocations. The `RuleName` dimension contains the name of the rule that specifies the action. The `ActionType` dimension contains the type of action that was invoked.
`Success`	The number of successful rule action invocations. The `RuleName` dimension contains the name of the rule that specifies the action. The `ActionType` dimension contains the type of action that was invoked.
`ErrorActionFailure`	The number of failed error actions. The `RuleName` dimension contains the name of the rule that specifies the action. The `ActionType` dimension contains the type of action that was invoked.
`ErrorActionSuccess`	The number of successful error actions. The `RuleName` dimension contains the name of the rule that specifies the action. The `ActionType` dimension contains the type of action that was invoked.

HTTP action specific metrics

Metric	Description
`HttpCode_Other`	Generated if the status code of the response from the downstream web service/application is not 2xx, 4xx or 5xx.
`HttpCode_4XX`	Generated if the status code of the response from the downstream web service/application is between 400 and 499.
`HttpCode_5XX`	Generated if the status code of the response from the downstream web service/application is between 500 and 599.
`HttpInvalidUrl`	Generated if an endpoint URL, after substitution templates are replaced, does not start with `https://`.
`HttpRequestTimeout`	Generated if the downstream web service/application does not return response within request timeout limit. For more information, see Service Quotas.
`HttpUnknownHost`	Generated if the URL is valid, but the service does not exist or is unreachable.

Message broker metrics

Note

The message broker metrics are displayed in the CloudWatch console under Protocol Metrics.

Metric	Description
`Connect.AuthError`	The number of connection requests that could not be authorized by the message broker. The `Protocol` dimension contains the protocol used to send the `CONNECT` message.
`Connect.ClientError`	The number of connection requests rejected because the MQTT message did not meet the requirements defined in AWS IoT quotas. The `Protocol` dimension contains the protocol used to send the `CONNECT` message.
`Connect.ClientIDThrottle`	The number of connection requests throttled because the client exceeded the allowed connect request rate for a specific client ID. The `Protocol` dimension contains the protocol used to send the `CONNECT` message.
`Connect.ServerError`	The number of connection requests that failed because an internal error occurred. The `Protocol` dimension contains the protocol used to send the `CONNECT` message.
`Connect.Success`	The number of successful connections to the message broker. The `Protocol` dimension contains the protocol used to send the `CONNECT` message.
`Connect.Throttle`	The number of connection requests that were throttled because the account exceeded the allowed connect request rate. The `Protocol` dimension contains the protocol used to send the `CONNECT` message.
`Ping.Success`	The number of ping messages received by the message broker. The `Protocol` dimension contains the protocol used to send the ping message.
`PublishIn.AuthError`	The number of publish requests the message broker was unable to authorize. The `Protocol` dimension contains the protocol used to publish the message. HTTP Publish doesn't support this metric.
`PublishIn.ClientError`	The number of publish requests rejected by the message broker because the message did not meet the requirements defined in AWS IoT quotas. The `Protocol` dimension contains the protocol used to publish the message. HTTP Publish doesn't support this metric.
`PublishIn.ServerError`	The number of publish requests the message broker failed to process because an internal error occurred. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message. HTTP Publish doesn't support this metric.
`PublishIn.Success`	The number of publish requests successfully processed by the message broker. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishIn.Throttle`	The number of publish request that were throttled because the client exceeded the allowed inbound message rate. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message. HTTP Publish doesn't support this metric.
`PublishOut.AuthError`	The number of publish requests made by the message broker that could not be authorized by AWS IoT. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishOut.ClientError`	The number of publish requests made by the message broker that were rejected because the message did not meet the requirements defined in AWS IoT quotas. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishOut.Success`	The number of publish requests successfully made by the message broker. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishOut.Throttle`	The number of publish requests that were throttled because the client exceeded the allowed outbound message rate. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishRetained.AuthError`	The number of publish requests with the `RETAIN` flag set that the message broker was unable to authorize. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishRetained.ServerError`	The number of retained publish requests the message broker failed to process because an internal error occurred. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishRetained.Success`	The number of publish requests with the `RETAIN` flag set that were successfully processed by the message broker. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`PublishRetained.Throttle`	The number of publish requests with the `RETAIN` flag set that were throttled because the client exceeded the allowed inbound message rate. The `Protocol` dimension contains the protocol used to send the `PUBLISH` message.
`Queued.Success`	The number of stored messages that were successfully processed by the message broker for clients that were disconnected from their persistent session. Messages with a QoS of 1 are stored while a client with a persistent session is disconnected.
`Queued.Throttle`	The number of messages that couldn't be stored and were throttled while clients with persistent sessions were disconnected. This occurs when clients exceed the Queued messages per second per account limit. Messages with a QoS of 1 are stored while a client with a persistent session is disconnected.
`Queued.ServerError`	The number of messages that haven't been stored for a persistent session because of an internal error. When clients with a persistent session are disconnected, messages with a Quality of Service (QoS) of 1 are stored.
`Subscribe.AuthError`	The number of subscription requests made by a client that could not be authorized. The `Protocol` dimension contains the protocol used to send the `SUBSCRIBE` message.
`Subscribe.ClientError`	The number of subscribe requests that were rejected because the `SUBSCRIBE` message did not meet the requirements defined in AWS IoT quotas. The `Protocol` dimension contains the protocol used to send the `SUBSCRIBE` message.
`Subscribe.ServerError`	The number of subscribe requests that were rejected because an internal error occurred. The `Protocol` dimension contains the protocol used to send the `SUBSCRIBE` message.
`Subscribe.Success`	The number of subscribe requests that were successfully processed by the message broker. The `Protocol` dimension contains the protocol used to send the `SUBSCRIBE` message.
`Subscribe.Throttle`	The number of subscribe requests that were throttled because the allowed subscribe request rate limits were exceeded for your AWS account. These limits include Subscriptions per second per account, Subscriptions per account, and Subscriptions per connection described in AWS IoT Core message broker and protocol limits and quotas. The `Protocol` dimension contains the protocol used to send the `SUBSCRIBE` message.
`Throttle.Exceeded`	This metric will display in CloudWatch when an MQTT client is throttled on packets per second per connection level limits. This metric doesn't apply to HTTP connections.
`Unsubscribe.ClientError`	The number of unsubscribe requests that were rejected because the `UNSUBSCRIBE` message did not meet the requirements defined in AWS IoT quotas. The `Protocol` dimension contains the protocol used to send the `UNSUBSCRIBE` message.
`Unsubscribe.ServerError`	The number of unsubscribe requests that were rejected because an internal error occurred. The `Protocol` dimension contains the protocol used to send the `UNSUBSCRIBE` message.
`Unsubscribe.Success`	The number of unsubscribe requests that were successfully processed by the message broker. The `Protocol` dimension contains the protocol used to send the `UNSUBSCRIBE` message.
`Unsubscribe.Throttle`	The number of unsubscribe requests that were rejected because the client exceeded the allowed unsubscribe request rate. The `Protocol` dimension contains the protocol used to send the `UNSUBSCRIBE` message.

Device shadow metrics

Note

The device shadow metrics are displayed in the CloudWatch console under Protocol Metrics.

Metric	Description
`DeleteThingShadow.Accepted`	The number of `DeleteThingShadow` requests processed successfully. The `Protocol` dimension contains the protocol used to make the request.
`GetThingShadow.Accepted`	The number of `GetThingShadow` requests processed successfully. The `Protocol` dimension contains the protocol used to make the request.
`ListThingShadow.Accepted`	The number of `ListThingShadow` requests processed successfully. The `Protocol` dimension contains the protocol used to make the request.
`UpdateThingShadow.Accepted`	The number of `UpdateThingShadow` requests processed successfully. The `Protocol` dimension contains the protocol used to make the request.

Jobs metrics

Metric	Description
`CanceledJobExecutionCount`	The number of job executions whose status has changed to `CANCELED` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`CanceledJobExecutionTotalCount`	The total number of job executions whose status is `CANCELED` for the given job. The `JobId` dimension contains the ID of the job.
`ClientErrorCount`	The number of client errors generated while executing the job. The `JobId` dimension contains the ID of the job.
`FailedJobExecutionCount`	The number of job executions whose status has changed to `FAILED` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`FailedJobExecutionTotalCount`	The total number of job executions whose status is `FAILED` for the given job. The `JobId` dimension contains the ID of the job.
`InProgressJobExecutionCount`	The number of job executions whose status has changed to `IN_PROGRESS` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`InProgressJobExecutionTotalCount`	The total number of job executions whose status is `IN_PROGRESS` for the given job. The `JobId` dimension contains the ID of the job.
`RejectedJobExecutionTotalCount`	The total number of job executions whose status is `REJECTED` for the given job. The `JobId` dimension contains the ID of the job.
`RemovedJobExecutionTotalCount`	The total number of job executions whose status is `REMOVED` for the given job. The `JobId` dimension contains the ID of the job.
`QueuedJobExecutionCount`	The number of job executions whose status has changed to `QUEUED` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`QueuedJobExecutionTotalCount`	The total number of job executions whose status is `QUEUED` for the given job. The `JobId` dimension contains the ID of the job.
`RejectedJobExecutionCount`	The number of job executions whose status has changed to `REJECTED` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`RemovedJobExecutionCount`	The number of job executions whose status has changed to `REMOVED` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`ServerErrorCount`	The number of server errors generated while executing the job. The `JobId` dimension contains the ID of the job.
`SuccededJobExecutionCount`	The number of job executions whose status has changed to `SUCCESS` within a time period that is determined by CloudWatch. (For more information about CloudWatch metrics, see Amazon CloudWatch Metrics.) The `JobId` dimension contains the ID of the job.
`SuccededJobExecutionTotalCount`	The total number of job executions whose status is `SUCCESS` for the given job. The `JobId` dimension contains the ID of the job.

Device Defender audit metrics

Metric Description

Metric	Description
`NonCompliantResources`	The number of resources that were found to be noncompliant with a check. The system reports the number of resources that were out of compliance for each check of each audit performed.
`ResourcesEvaluated`	The number of resources that were evaluated for compliance. The system reports the number of resources that were evaluated for each check of each audit performed.
`MisconfiguredDeviceDefenderNotification`	Notifies you when your SNS configuration for AWS IoT Device Defender is misconfigured. Dimensions

NonCompliantResources

The number of resources that were found to be noncompliant with a check. The system reports the number of resources that were out of compliance for each check of each audit performed.

ResourcesEvaluated

The number of resources that were evaluated for compliance. The system reports the number of resources that were evaluated for each check of each audit performed.

MisconfiguredDeviceDefenderNotification

Notifies you when your SNS configuration for AWS IoT Device Defender is misconfigured.

Dimensions

Device Defender detect metrics

Metric	Description
`NumOfMetricsExported`	The number of metrics exported for a cloud-side, device-side, or custom metric. The system reports the number of metrics exported for the account, for a specific metric. This metric is available only for customers using metrics export.
`NumOfMetricsSkipped`	The number of metrics skipped for a cloud-side, device-side, or custom metric. The system reports the number of metrics skipped for the account, for a specific metric due to insufficient permissions provided to Device Defender Detect to publish to the mqtt topic. This metric is available only for customers using metrics export.
`NumOfMetricsExceedingSizeLimit`	The number of metrics skipped for export for a cloud-side, device-side, or custom metric due to size exceeding MQTT message size constraints. The system reports the number of metrics skipped for export for the account, for a specific metric due to size exceeding MQTT message size constraints. This metric is available only for customers using metrics export.
`Violations`	The number of new violations of security profile behaviors that have been found since the last time an evaluation was performed. The system reports the number of new violations for the account, for a specific security profile, and for a specific behavior of a specific security profile.
`ViolationsCleared`	The number of violations of security profile behaviors that have been resolved since the last time an evaluation was performed. The system reports the number of resolved violations for the account, for a specific security profile, and for a specific behavior of a specific security profile.
`ViolationsInvalidated`	The number of violations of security profile behaviors for which information is no longer available since the last time an evaluation was performed (because the reporting device stopped reporting, or is no longer being monitored for some reason). The system reports the number of invalidated violations for the entire account, for a specific security profile, and for a specific behavior of a specific security profile.
`MisconfiguredDeviceDefenderNotification`	Notifies you when your SNS configuration for AWS IoT Device Defender is misconfigured. Dimensions

Device provisioning metrics

AWS IoT Fleet provisioning metrics
Metric	Description
`ApproximateNumberOfThingsRegistered`	The count of things that have been registered by Fleet Provisioning. While the count is generally accurate, the distributed architecture of AWS IoT Core makes it difficult to maintain a precise count of registered things. The statistic to use for this metric is: Max to report the total number of things that have been registered. For a count of things registered during the CloudWatch aggregation window, see the `RegisterThingFailed` metric. Dimensions: ClaimCertificateId
`CreateKeysAndCertificateFailed`	The number of failures that occurred by calls to the `CreateKeysAndCertificate` MQTT API. The metric is emitted in both Success (value = 0) and Failure (value = 1) cases. This metric can be used to track the number of certificates created and registered during the CloudWatch-supported aggregation windows, such as 5 min. or 1 hour. The statistics available for this metric are: Sum to report the number of failed calls. SampleCount to report the total number of successful and failed calls.
`CreateCertificateFromCsrFailed`	The number of failures that occurred by calls to the `CreateCertificateFromCsr` MQTT API. The metric is emitted in both Success (value = 0) and Failure (value = 1) cases. This metric can be used to track the number of things registered during the CloudWatch-supported aggregation windows, such as 5 min. or 1 hour. The statistics available for this metric are: Sum to report the number of failed calls. SampleCount to report the total number of successful and failed calls.
`RegisterThingFailed`	The number of failures that occurred by calls to the `RegisterThing` MQTT API. The metric is emitted in both Success (value = 0) and Failure (value = 1) cases. This metric can be used to track the number of things registered during the CloudWatch-supported aggregation windows, such as 5 min. or 1 hour. For the total number of things registered , see the `ApproximateNumberOfThingsRegistered` metric. The statistics available for this metric are: Sum to report the number of failed calls. SampleCount to report the total number of successful and failed calls. Dimensions: TemplateName

Just-in-time provisioning metrics
Metric	Description
`ProvisionThing.ClientError`	The number of times a device failed to provision due to a client error. For example, the policy specified in the template did not exist.
`ProvisionThing.ServerError`	The number of times a device failed to provision due to a server error. Customers can retry to provision the device after waiting and they can contact AWS IoT if the issue remains the same.
`ProvisionThing.Success`	The number of times a device was successfully provisioned.

LoRaWAN metrics

The following table shows the metrics for AWS IoT Core for LoRaWAN. For more information, see AWS IoT Core for LoRaWAN metrics.

AWS IoT Core for LoRaWAN metrics
Metric	Description
Active devices/gateways	The number of active LoRaWAN devices and gateways in your account.
Uplink message count	The number of uplink messages that are sent within a specified time duration for all active gateways and devices in your AWS account. Uplink messages are messages that are sent from your device to AWS IoT Core for LoRaWAN.
Downlink message count	The number of downlink messages that are sent within a specified time duration for all active gateways and devices in your AWS account. Downlink messages are messages that are sent from AWS IoT Core for LoRaWAN to your device.
Message loss rate	After you've added your device and connected to AWS IoT Core for LoRaWAN, your device can initiate an uplink message to start exchanging messages with the cloud. You can use this metric to then track the rate of uplink messages that are lost.
Join metrics	After you've added your device and gateway, you perform a join procedure so that your device can send uplink data and communicate with AWS IoT Core for LoRaWAN. You can use this metric to obtain information about join metrics for all active devices in your AWS account.
Average received signal strength indicator (RSSI)	You can use this metric to monitor the average RSSI (Received signal strength indicator) within the specified time duration. RSSI is a measurement that indicates if the signal is strong enough for a good wireless connection. This value is negative and must be closer to zero for a strong connection.
Average signal to noise ratio (SNR)	You can use this metric to monitor the average SNR (Signal-to-noise ratio) within the specified time duration. SNR is a measurement that indicates if the received signal is strong enough compared to the noise level for a good wireless connection. The SNR value is positive and must be greater than zero to indicate that the signal power is stronger than the noise power.
Gateway availability	You can use this metric to obtain information about the availability of this gateway within a specified time duration. This metric displays the websocket connection time of this gateway for a specified time duration.

Just-in-time provisioning metrics
Metric	Description
`ProvisionThing.ClientError`	The number of times a device failed to provision due to a client error. For example, the policy specified in the template did not exist.
`ProvisionThing.ServerError`	The number of times a device failed to provision due to a server error. Customers can retry to provision the device after waiting and they can contact AWS IoT if the issue remains the same.
`ProvisionThing.Success`	The number of times a device was successfully provisioned.

Fleet indexing metrics

AWS IoT fleet indexing metrics
Metric	Description
`NamedShadowCountForDynamicGroupQueryLimitExceeded`	A maximum of 25 named shadows per thing are processed for query terms that are not data source specific in dynamic thing groups. When this limit is breached for a thing, the `NamedShadowCountForDynamicGroupQueryLimitExceeded` event type will be emitted.

Dimensions for metrics

Metrics use the namespace and provide metrics for the following dimensions
Dimension	Description
`ActionType`	The action type specified by the rule that triggered the request.
`BehaviorName`	The name of the Device Defender Detect security profile behavior that is being monitored.
`ClaimCertificateId`	The `certificateId` of the claim used to provision the devices.
`CheckName`	The name of the Device Defender audit check whose results are being monitored.
`JobId`	The ID of the job whose progress or message connection success/failure is being monitored.
`Protocol`	The protocol used to make the request. Valid values are: MQTT or HTTP
`RuleName`	The name of the rule triggered by the request.
`ScheduledAuditName`	The name of the Device Defender scheduled audit whose check results are being monitored. This has the value `OnDemand` if the results reported are for an audit that was performed on demand.
`SecurityProfileName`	The name of the Device Defender Detect security profile whose behaviors are being monitored.
`TemplateName`	The name of the provisioning template.
`SourceArn`	Refers to the security profile for detect or the account arn for audit.
`RoleArn`	Refers to the role Device Defender attempted to assume.
`TopicArn`	Refers to the SNS topic Device Defender attempted to publish to.
`Error`	Gives a short description of the Error received while attempting to publish to the SNS topic. Possible values are: "KMSKeyNotFound": indicates the KMS key does not exist for the topic. "InvalidTopicName": indicates the SNS Topic is not valid. "KMSAccessDenied": indicates that the role does not have permissions to the KMS key for the Topic. "AuthorizationError": indicates that the role provided does not authorize Device Defender to publish to the SNS topic. "SNSTopicNotFound": indicates the provided SNS topic does not exist. "FailureToAssumeRole": indicates that the role provided does not authorize Device Defender to assume the role. "CrossRegionSNSTopic": indicates that the SNS topic exists in a different region.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create CloudWatch alarms

Monitor AWS IoT using CloudWatch Logs