Monitoring with Amazon CloudWatch
You can monitor web requests and web ACLs and rules using Amazon CloudWatch, which collects and processes raw data from AWS WAF and AWS Shield Advanced into readable, near real-time metrics. You can use statistics in Amazon CloudWatch to gain a perspective on how your web application or service is performing. For more information, see What is CloudWatch in the Amazon CloudWatch User Guide.
CloudWatch metrics and alarms are not enabled for Firewall Manager.
Creating Amazon CloudWatch alarms
You can create an Amazon CloudWatch alarm that sends an Amazon SNS message when the alarm changes state. An alarm watches a single metric over a time period that you specify, and performs one or more actions based on the value of the metric relative to a specified threshold over a number of time periods. The action is a notification sent to an Amazon SNS topic or Auto Scaling policy. Alarms invoke actions for sustained state changes only. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods.
AWS WAF and AWS Shield Advanced metrics and dimensions
Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace.
-
The AWS WAF namespace is
AWS/WAFV2 -
The Shield Advanced namespace is
AWS/DDoSProtection
AWS WAF reports metrics once a minute.
Shield Advanced reports metrics once a minute during an event and less frequently other times.
Use the following procedures to view the metrics for AWS WAF and AWS Shield Advanced.
To view metrics using the CloudWatch console
Sign in to the AWS Management Console and open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
If necessary, change the Region to the one where your AWS resources are located. For CloudFront, choose the US East (N. Virginia) Region.
-
In the navigation pane, under Metrics, choose All metrics and then search under the Browse tab for the service.
To view metrics using the AWS CLI
-
For AWS/WAFV2, at a command prompt use the following command:
aws cloudwatch list-metrics --namespace "AWS/WAFV2"For Shield Advanced, at a command prompt use the following command:
aws cloudwatch list-metrics --namespace "AWS/DDoSProtection"
AWS WAF metrics and dimensions
AWS WAF reports metrics once a minute. AWS WAF provides the following
metrics and dimensions in the AWS/WAFV2 namespace.
Web ACL, rule group, and rule metrics | |
|---|---|
| Metric | Description |
|
The number of allowed web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
The number of blocked web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
The number of counted web requests. Reporting criteria: There is a nonzero value. A counted web request is one that matches at least one of the rules. Request counting is typically used for testing. Valid statistics: Sum |
|
The number of web requests that had CAPTCHA controls applied. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether they have a valid CAPTCHA token. Valid statistics: Sum |
|
|
The number of web requests that had CAPTCHA controls applied and that had a valid CAPTCHA token. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
The number of passed requests. This is only used for requests that go through a rule group evaluation without matching any of the rule group rules. Reporting criteria: There is a nonzero value. Passed requests are requests that don't match any of the rules in the rule group. Valid statistics: Sum |
Web ACL, rule group, and rule dimensions | |
|---|---|
| Dimension | Description |
|
|
Required for all protected resource types except for Amazon CloudFront distributions. |
|
|
One of the following:
|
|
|
The metric name of the |
|
|
The metric name of the |
For any single web request, AWS WAF emits metrics for at most 100 labels. Your web ACL evaluation can apply more than 100 labels and match against more than 100 labels, but only the first 100 will be reflected in these metrics.
Label and AWS WAF Bot Control metrics | |
|---|---|
| Metric | Description |
|
|
The number of labels applied to web requests by rules that had an allow action setting. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
|
The number of labels applied to web requests by rules that had a block action setting. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
|
The number of labels applied to web requests by rules that had a count action setting. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
|
The number of labels applied to web requests by rules that had a CAPTCHA action setting. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
Label and AWS WAF Bot Control dimensions | |
|---|---|
| Dimension | Description |
|
|
Required for all protected resource types except for Amazon CloudFront distributions. |
|
|
The metric name of the |
|
|
The metric name of the |
|
|
The namespace prefix of the web ACL or rule group where the
matching rule is specified. Used for the metrics
AllowedRequests and
BlockedRequests. |
|
|
The label applied to the web request by the matching rule.
Used for the metrics AllowedRequests and
BlockedRequests. |
Free bot visibility metrics | |
|---|---|
| Metric | Description |
|
|
The percentage of sampled requests that have allow action. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
|
|
The percentage of sampled requests that have block action. Reporting criteria: There is a nonzero value. Valid statistics: Sum |
Free bot visibility dimensions | |
|---|---|
| Dimension | Description |
|
|
Required for all protected resource types except for Amazon CloudFront distributions. |
|
|
The metric name of the |
|
|
The metric name of the of the detected bot category, based on the web request labels. |
AWS Shield Advanced metrics and alarms
This section discusses the metrics and alarms available with AWS Shield Advanced.
AWS Shield Advanced metrics
Shield Advanced reports metrics to Amazon CloudWatch on an AWS resource more frequently during DDoS events than while no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends. While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms.
Shield Advanced reports metrics in the US East (N. Virginia) Region, us-east-1 for the following:
The global services Amazon CloudFront and Amazon RouteĀ 53.
-
Protection groups. For information about protection groups, see AWS Shield Advanced protection groups.
Detection metrics
Shield Advanced provides the following detection metrics and dimensions in the
AWS/DDoSProtection namespace.
Detection metrics | |
|---|---|
| Metric | Description |
DDoSDetected |
Indicates whether a DDoS event is underway for a
particular Amazon Resource Name (ARN). This metric has a non-zero value during an event. |
DDoSAttackBitsPerSecond |
The number of bits observed during a DDoS event for a
particular Amazon Resource Name (ARN). This metric is
available only for network and transport layer (layer 3 and layer 4) DDoS events.
This metric has a non-zero value during an event. Units: Bits |
DDoSAttackPacketsPerSecond |
The number of packets observed during a DDoS event for a
particular Amazon Resource Name (ARN). This metric is
available only for network and transport layer (layer 3 and layer 4) DDoS events.
This metric has a non-zero value during an event. Units: Packets |
DDoSAttackRequestsPerSecond |
The number of requests observed during a DDoS event for a
particular Amazon Resource Name (ARN). This metric is
available only for layer 7 DDoS events. The metric is
reported only for the most significant layer 7 events.
This metric has a non-zero value during an event. Units: Requests |
Shield Advanced posts the DDoSDetected metric with no other
dimensions. The remaining detection metrics include the
AttackVector dimensions that correspond to the type of
attack, from the following list:
-
ACKFlood -
ChargenReflection -
DNSReflection -
GenericUDPReflection -
MemcachedReflection -
MSSQLReflection -
NetBIOSReflection -
NTPReflection -
PortMapper -
RequestFlood -
RIPReflection -
SNMPReflection -
SSDPReflection -
SYNFlood -
UDPFragment -
UDPTraffic -
UDPReflection
Mitigation metrics
Shield Advanced provides the following mitigation metrics and dimensions in
the AWS/DDoSProtection namespace.
Mitigation metrics | |
|---|---|
| Metric | Description |
VolumePacketsPerSecond |
The number of packets per second that were dropped or
passed by a mitigation that was deployed in response to
a detected event. Units: packets |
Mitigation dimensions | |
|---|---|
| Dimension | Description |
|
|
Amazon Resource Name (ARN) |
|
|
The outcome of an applied mitigation. Possible values
are |
Top contributors metrics
Shield Advanced provides the following mitigation metrics and dimensions in
the AWS/DDoSProtection namespace.
Top contributors metrics | |
|---|---|
| Metric | Description |
VolumePacketsPerSecond |
The number of packets per second for a top
contributor. Units: packets |
VolumeBitsPerSecond |
The number of bits per second for a top contributor.
Units: bits |
Shield Advanced posts top contributors metrics by dimension combinations that characterize the event contributors. You can use any of the following combinations of dimensions for any of the top contributors metrics:
-
ResourceArn,Protocol -
ResourceArn,Protocol,SourcePort -
ResourceArn,Protocol,DestinationPort -
ResourceArn,Protocol,SourceIp -
ResourceArn,Protocol,SourceAsn -
ResourceArn,TcpFlags
Top contributors dimensions | |
|---|---|
| Dimension | Description |
|
|
Amazon Resource Name (ARN). |
|
|
IP protocol name, either |
|
|
Source TCP or UDP port. |
|
|
Destination TCP or UDP port. |
|
|
Source IP address. |
|
|
Source autonomous system number (ASN). |
|
|
A combination of flags present in a TCP packet,
separated by
a
dash ( |
Creating AWS Shield Advanced alarms
You can use AWS Shield Advanced metrics for Amazon CloudWatch alarms. CloudWatch sends notifications or automatically make changes to the resources that you are monitoring based on rules that you define.
For detailed instructions on creating a CloudWatch alarm, see the Amazon CloudWatch User Guide. When creating the alarm on the CloudWatch console, to use the Shield Advanced metrics, after choosing Create an alarm, choose AWSDDOSProtectionMetrics . You can then create an alarm based on a specific volume of traffic, or you can trigger an alarm whenever a metric is non-zero. The second option triggers an alarm for any potential attack that Shield Advanced observes.
The AWSDDOSProtectionMetrics are available only to Shield Advanced customers.
For more information, see What is CloudWatch in the Amazon CloudWatch User Guide.
AWS Firewall Manager notifications
AWS Firewall Manager doesn't record metrics, so you can't create Amazon CloudWatch alarms specifically for Firewall Manager. However, you can configure Amazon SNS notifications to alert you to potential attacks. To create Amazon SNS notifications in Firewall Manager, see Step 4: Configure Amazon SNS notifications and Amazon CloudWatch alarms.
