Building Unified Monitoring with Amazon CloudWatch - Designing Metrics, Logs, and Alarms

Build unified monitoring with the three pillars of metrics, logs, and alarms. This article covers interactive analysis with Logs Insights, high-precision notifications with composite alarms, and leveraging Embedded Metric Format.

CloudWatch Overview and AWS Monitoring Foundation

CloudWatch is a fully managed service that provides monitoring, log management, and alarms for AWS resources and applications. It delivers unified monitoring through three pillars: metrics (numerical data), logs (text data), and alarms (threshold notifications). It automatically collects metrics from over 70 AWS services including EC2, Lambda, RDS, and DynamoDB, enabling basic monitoring without additional configuration. The free tier includes basic metric collection and 10 alarms, allowing small-scale environments to begin monitoring at no additional cost.

Metrics and Custom Metrics

AWS services automatically send standard metrics such as CPU utilization, network I/O, and request counts to CloudWatch. Custom metrics are sent via the PutMetricData API to monitor business metrics (orders per minute, revenue per hour). Embedded Metric Format (EMF) enables simultaneous log output and metric generation, streamlining custom metric submission from Lambda functions. High-resolution metrics allow data collection at 1-second intervals for detailed analysis of latency-sensitive workloads. Metric retention extends up to 15 months depending on resolution, supporting long-term trend analysis.

Alarms and Anomaly Detection

Alarms trigger SNS notifications or Lambda executions when a single metric exceeds a threshold. In addition to static thresholds, Anomaly Detection provides dynamic thresholds where machine learning models learn normal metric patterns and automatically detect deviations. Composite alarms combine multiple alarms with AND/OR logic to reduce false alerts. Alarm actions include SNS topic notifications, EC2 instance stop/restart, Auto Scaling policy execution, and Systems Manager Automation invocation. Integration with SNS enables simultaneous notification to multiple channels such as email, SMS, Slack, and PagerDuty, significantly reducing time from incident detection to initial response.

Logs Insights and Contributor Insights

CloudWatch Logs Insights is an interactive log analysis query engine that uses its own query language to search and aggregate log data. By combining commands such as fields, filter, stats, and sort, you can aggregate error logs, analyze latency distributions, and search for specific patterns. Automatic field detection extracts structured data from JSON-format logs, enabling easy aggregation and filtering. Metric filters record the occurrence count of specific log patterns as metrics, enabling real-time detection of error rate spikes. Contributor Insights automatically identifies the top N contributors from log data, such as the API with the most errors or the IP address with the most requests. Lambda Insights automatically collects performance metrics for serverless functions, including cold starts, memory utilization, and execution time. To deepen your operational monitoring expertise, specialized books on Amazon are a useful resource.

CloudWatch Cost Optimization

The main cost drivers for CloudWatch are custom metrics ($0.30/metric per month), log ingestion (approximately $0.50 per GB), and log storage (approximately $0.03 per GB per month). Basic metrics from EC2 and RDS are collected free of charge. Differentiate between standard resolution (60 seconds) and high resolution (1 second) for metrics, and limit high resolution to only the metrics that require it. Set retention periods per log group, such as 7 days for debug logs and 1 year for audit logs, to reduce storage costs. Use Embedded Metric Format to automatically extract metrics from application logs, reducing PutMetricData API calls. Regularly review and clean up unnecessary metric filters and alarms.

Summary

CloudWatch is a fully managed monitoring foundation with native integration across over 70 AWS services. Perform interactive log analysis with Logs Insights, and achieve high-precision notifications through anomaly detection and composite alarms. Multi-channel notification via SNS integration and automated remediation via Systems Manager elevate operational automation. Embedded Metric Format and Contributor Insights provide flexible collection of application-specific indicators.