Creating alarms Metrics and dimensions AWS WAF metrics AWS WAF dimensions AWS Shield Advanced metrics and alarms AWS Firewall Manager notifications

Monitoring with Amazon CloudWatch

You can monitor web requests and web ACLs and rules using Amazon CloudWatch, which collects and processes raw data from AWS WAF and AWS Shield Advanced into readable, near real-time metrics. These statistics are recorded for a period of two weeks, so that you can access historical information and gain a better perspective on how your web application or service is performing. For more information, see What is CloudWatch in the Amazon CloudWatch User Guide.

Note

CloudWatch metrics and alarms are not enabled for Firewall Manager.

Creating Amazon CloudWatch alarms

You can create an Amazon CloudWatch alarm that sends an Amazon SNS message when the alarm changes state. An alarm watches a single metric over a time period that you specify, and performs one or more actions based on the value of the metric relative to a specified threshold over a number of time periods. The action is a notification sent to an Amazon SNS topic or Auto Scaling policy. Alarms invoke actions for sustained state changes only. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods.

AWS WAF and AWS Shield Advanced metrics and dimensions

You can use the following procedures to view the metrics for AWS WAF and AWS Shield Advanced.

Note

Amazon CloudWatch metrics and alarms are not enabled for AWS Firewall Manager.

To view metrics using the CloudWatch console

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace.

Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
If necessary, change the Region. From the navigation bar, choose the Region where your AWS resources are located. For more information, see AWS Regions and Endpoints.

To view AWS WAF metrics for CloudFront, you must choose the US East (N. Virginia) Region.
In the navigation pane, choose Metrics.
On the All metrics tab, choose the appropriate service.

To view metrics using the AWS CLI

For AWS WAF, at a command prompt use the following command:


aws cloudwatch list-metrics --namespace "WAF"

For Shield Advanced, at a command prompt use the following command:


aws cloudwatch list-metrics --namespace "DDoSProtection"

AWS WAF metrics

The WAF namespace includes the following metrics.

Metric	Description
`AllowedRequests`	The number of allowed web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum
`BlockedRequests`	The number of blocked web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum
`CountedRequests`	The number of counted web requests. Reporting criteria: There is a nonzero value. A counted web request is one that matches at least one of the rules. Request counting is typically used for testing. Valid statistics: Sum
`PassedRequests`	The number of passed requests for a rule group. Reporting criteria: There is a nonzero value. Passed requests are requests that don't match any of the rules. Valid statistics: Sum

AWS WAF dimensions

AWS WAF for an Amazon CloudFront distribution can use the following dimension combinations:

Rule, WebACL
RuleGroup, WebACL
Rule, RuleGroup

AWS WAF for an Amazon API Gateway REST API or an Application Load Balancer can use the following dimension combinations:

Region, Rule, WebACL
Region, RuleGroup, WebACL
Region, Rule, RuleGroup

Dimension	Description
`Rule`	One of the following: The metric name of the `Rule`. ALL, which represents all rules within a WebACL or `RuleGroup`. `Default_Action` (only when combined with the `WebACL` dimension), which represents the action assigned to any request that doesn't match any rule with either an allow or block action.
`RuleGroup`	The metric name of the `RuleGroup`.
`WebACL`	The metric name of the `WebACL`.
`Region`	The Region of the Application Load Balancer.

AWS Shield Advanced metrics and alarms

This section discusses the metrics and alarms available with AWS Shield Advanced.

AWS Shield Advanced metrics

Shield Advanced reports metrics to Amazon CloudWatch on an AWS resource more frequently during DDoS attacks than while no attacks are underway. Shield Advanced reports metrics once a minute during an attack, and then once right after the attack ends. While no attacks are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms.

Shield Advanced provides the following metrics.

Metric	Description
`DDoSDetected`	Indicates whether a DDoS event is underway for a particular Amazon Resource Name (ARN). This metric has a value of 1 during an attack and a value of 0 otherwise.
`DDoSAttackBitsPerSecond`	The number of bits observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for layer 3 and layer 4 DDoS events. This metric has a non-zero value during an attack and a value of 0 otherwise. Units: Bits
`DDoSAttackPacketsPerSecond`	The number of packets observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for layer 3 and layer 4 DDoS events. This metric has a non-zero value during an attack and a value of 0 otherwise. Units: Packets
`DDoSAttackRequestsPerSecond`	The number of requests observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for layer 7 DDoS events. The metric is reported only for the most significant layer 7 events. This metric has a non-zero value during an attack and a value of 0 otherwise. Units: Requests

For the global services Amazon CloudFront and Amazon Route 53, metrics are reported in the US East (N. Virginia) Region.

Shield Advanced posts the DDoSDetected metric with no other dimensions. The other metrics include the appropriate AttackVector dimensions:

ACKFlood
ChargenReflection
DNSReflection
GenericUDPReflection
MemcachedReflection
MSSQLReflection
NetBIOSReflection
NTPReflection
PortMapper
RequestFlood
RIPReflection
SNMPReflection
SSDPReflection
SYNFlood
UDPFragment
UDPTraffic
UDPReflection

Creating AWS Shield Advanced alarms

You can use AWS Shield Advanced metrics for Amazon CloudWatch alarms. CloudWatch alarms send notifications or automatically make changes to the resources that you are monitoring based on rules that you define.

For detailed instructions on creating a CloudWatch alarm, see the Amazon CloudWatch User Guide. When creating the alarm on the CloudWatch console, after choosing Create an alarm, choose AWSDDOSProtectionMetrics to use the Shield Advanced metrics. You can then create an alarm based on a specific volume of traffic, or you can trigger an alarm whenever a metric is non-zero. The second option triggers an alarm for any potential attack observed by Shield Advanced.

Note

The AWSDDOSProtectionMetrics are available only to Shield Advanced customers.

For more information, see What is CloudWatch in the Amazon CloudWatch User Guide.

AWS Firewall Manager notifications

AWS Firewall Manager doesn't record metrics, so you can't create Amazon CloudWatch alarms specifically for Firewall Manager. However, you can configure Amazon SNS notifications to alert you to potential attacks. To create Amazon SNS notifications in Firewall Manager, see To create an Amazon SNS topic in Firewall Manager (console).

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

View protection changes of your resources using AWS Config

Logging API calls with AWS CloudTrail