# AWS CloudWatch
Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+
A complete CloudWatch integration covering Logs Insights queries, log group management, alarm monitoring, metric statistics, and anomaly detection.
## Tools

### Logs Insights

#### execute_logs_insights_query — Logs Insights query

Execute CloudWatch Logs Insights queries in a specified log group:
| Parameter | Description |
|---|---|
| log_group_name | Log group name (wildcards supported: /aws/lambda/*) |
| query | Logs Insights query statement |
| start_time / end_time | ISO 8601 time range |
Common query examples. The first returns the 100 most recent messages containing ERROR; the second, run against a CloudTrail log group, counts S3 API errors by error code:

```
fields @timestamp, @message
| filter @message like /ERROR/
| sort @timestamp desc
| limit 100
```

```
filter eventSource = "s3.amazonaws.com" and errorCode exists
| stats count(*) as errorCount by errorCode
| sort errorCount desc
```
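The following is an added example, not the integration's own code, showing how a query such as the ones above is actually executed against the Logs Insights API: the ISO 8601 window is converted to the epoch seconds the API expects, a trailing wildcard is expanded to concrete log group names, the query is polled until it reaches a terminal state, and the `{field, value}` cell lists are flattened into dicts. It assumes a client with boto3's CloudWatch Logs method shapes (`describe_log_groups`, `start_query`, `get_query_results`, `stop_query`); the `FakeLogsClient` is a constructed stand-in so the example runs offline, and in practice you would pass `boto3.client("logs")`.

```python
"""Run a Logs Insights query and flatten the results (added example).
Assumes a client with boto3 CloudWatch Logs method shapes; the fake
client at the bottom is constructed so this runs offline."""
import time
from datetime import datetime

TERMINAL_STATES = {"Complete", "Failed", "Cancelled", "Timeout", "Unknown"}


def iso_to_epoch(ts: str) -> int:
    """start_query takes epoch seconds; accept ISO 8601 with 'Z' or an offset."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def expand_log_group(client, name: str) -> list:
    """Expand a trailing '*' (e.g. /aws/lambda/*) into concrete group names."""
    if not name.endswith("*"):
        return [name]
    prefix, groups, token = name[:-1], [], None
    while True:  # describe_log_groups is paginated via nextToken
        kwargs = {"logGroupNamePrefix": prefix}
        if token:
            kwargs["nextToken"] = token
        resp = client.describe_log_groups(**kwargs)
        groups.extend(g["logGroupName"] for g in resp.get("logGroups", []))
        token = resp.get("nextToken")
        if not token:
            return groups


def run_insights_query(client, log_group_name, query, start_time, end_time,
                       limit=100, poll_seconds=0.0, max_polls=60):
    """Start the query, poll until a terminal state, return rows as dicts."""
    groups = expand_log_group(client, log_group_name)
    query_id = client.start_query(
        logGroupNames=groups,
        queryString=query,
        startTime=iso_to_epoch(start_time),
        endTime=iso_to_epoch(end_time),
        limit=limit,
    )["queryId"]
    for _ in range(max_polls):
        result = client.get_query_results(queryId=query_id)
        status = result["status"]
        if status in TERMINAL_STATES:
            if status != "Complete":
                raise RuntimeError(f"query {query_id} ended in state {status}")
            # Each row is a list of {field, value} cells; flatten to a dict.
            return [{c["field"]: c["value"] for c in row} for row in result["results"]]
        time.sleep(poll_seconds)
    client.stop_query(queryId=query_id)  # do not leave a runaway query behind
    raise TimeoutError(f"query {query_id} still running after {max_polls} polls")


class FakeLogsClient:
    """Constructed stand-in returning canned, boto3-shaped responses."""
    def __init__(self):
        self.calls = []
        self._polls = 0

    def describe_log_groups(self, **kwargs):
        self.calls.append(("describe_log_groups", kwargs))
        return {"logGroups": [{"logGroupName": "/aws/lambda/payment-service"},
                              {"logGroupName": "/aws/lambda/checkout"}]}

    def start_query(self, **kwargs):
        self.calls.append(("start_query", kwargs))
        return {"queryId": "q-constructed-0001"}

    def get_query_results(self, **kwargs):
        self._polls += 1
        if self._polls < 2:  # first poll: still running
            return {"status": "Running", "results": []}
        return {"status": "Complete", "results": [  # constructed rows
            [{"field": "errorCode", "value": "AccessDenied"}, {"field": "errorCount", "value": "17"}],
            [{"field": "errorCode", "value": "NoSuchBucket"}, {"field": "errorCount", "value": "3"}],
        ]}

    def stop_query(self, **kwargs):
        return {"success": True}


if __name__ == "__main__":
    rows = run_insights_query(
        FakeLogsClient(), "/aws/lambda/*",
        'filter eventSource = "s3.amazonaws.com" and errorCode exists '
        '| stats count(*) as errorCount by errorCode | sort errorCount desc',
        "2026-02-15T00:00:00Z", "2026-02-15T23:59:59Z")
    for row in rows:
        print(row["errorCode"], row["errorCount"])
```

Polling with a bounded number of attempts and stopping the query on timeout matters in practice: Logs Insights queries keep running (and keep costing) after the caller gives up unless they are explicitly stopped.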
#### get_log_groups — Log group list
List all CloudWatch log groups, including:
- Retention period
- Storage size
- Log group class (STANDARD / INFREQUENT_ACCESS)
Supports prefix filtering.
#### get_log_streams — Log stream list
List all log streams within a log group, sorted by last event time descending. Use to quickly locate the most recently active stream.
#### get_log_events — Raw log events
Retrieve raw log events from a specific log stream — no query language needed, suitable for reading small volumes of recent logs directly.
### Alarms

#### get_alarms — Alarm list
List all CloudWatch alarms and their status:
| Status | Description |
|---|---|
| ALARM | Threshold breached, alarm is active |
| OK | Normal, threshold not breached |
| INSUFFICIENT_DATA | Not enough data to determine status |
Supports filtering by status, name prefix, and dimensions.
#### get_alarm_history — Alarm history
Get the state transition and action history for an alarm.
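As an added example (not the integration's own code), the two alarm tools above map onto the CloudWatch API as follows: active alarms come from `describe_alarms` filtered by state, and an alarm's transitions come from `describe_alarm_history` with `HistoryItemType="StateUpdate"`, where each item carries a JSON `HistoryData` blob holding the old and new state. The example also counts how often the alarm re-entered ALARM inside a window, which is a quick way to tell a noisy threshold from a genuine incident. It assumes a client with boto3's CloudWatch method shapes; `FakeCloudWatchClient` is a constructed stand-in so it runs offline, and in practice you would pass `boto3.client("cloudwatch")`.

```python
"""List active alarms and trace their state transitions (added example).
Assumes a client with boto3 CloudWatch method shapes; the fake client is
constructed so this runs offline."""
import json
from datetime import datetime, timedelta, timezone


def active_alarm_names(client, state="ALARM"):
    """Page through describe_alarms filtered to the given state value."""
    names, kwargs = [], {"StateValue": state}
    while True:
        resp = client.describe_alarms(**kwargs)
        names += [a["AlarmName"] for a in resp.get("MetricAlarms", [])]
        names += [a["AlarmName"] for a in resp.get("CompositeAlarms", [])]
        if "NextToken" not in resp:
            return names
        kwargs["NextToken"] = resp["NextToken"]


def state_transitions(client, alarm_name, max_records=100):
    """StateUpdate history items carry a JSON HistoryData blob; newest first."""
    resp = client.describe_alarm_history(
        AlarmName=alarm_name, HistoryItemType="StateUpdate",
        ScanBy="TimestampDescending", MaxRecords=max_records)
    out = []
    for item in resp.get("AlarmHistoryItems", []):
        data = json.loads(item["HistoryData"])
        out.append({
            "at": item["Timestamp"],
            "old": data["oldState"]["stateValue"],
            "new": data["newState"]["stateValue"],
            "reason": data["newState"].get("stateReason", ""),
        })
    return out


def flap_count(transitions, window_minutes=60):
    """Count transitions into ALARM within the window ending at the newest item.
    A high count points at a noisy threshold rather than a worse incident."""
    if not transitions:
        return 0
    cutoff = transitions[0]["at"] - timedelta(minutes=window_minutes)
    return sum(1 for t in transitions if t["at"] >= cutoff and t["new"] == "ALARM")


class FakeCloudWatchClient:
    """Constructed stand-in: one alarm that flipped OK<->ALARM five times."""
    def __init__(self):
        base = datetime(2026, 2, 15, 9, 0, tzinfo=timezone.utc)
        flips = [("OK", "ALARM"), ("ALARM", "OK"), ("OK", "ALARM"),
                 ("ALARM", "OK"), ("OK", "ALARM")]
        self._history = [{
            "AlarmName": "payment-5xx-rate",
            "Timestamp": base - timedelta(minutes=10 * i),
            "HistoryItemType": "StateUpdate",
            "HistorySummary": f"Alarm updated from {old} to {new}",
            "HistoryData": json.dumps({
                "version": "1.0",
                "oldState": {"stateValue": old, "stateReason": "constructed"},
                "newState": {"stateValue": new, "stateReason": f"Threshold Crossed ({new})"},
            }),
        } for i, (old, new) in enumerate(flips)]

    def describe_alarms(self, **kwargs):
        # Two canned pages, already filtered to the requested state.
        if kwargs.get("NextToken") is None:
            return {"MetricAlarms": [{"AlarmName": "payment-5xx-rate", "StateValue": "ALARM"}],
                    "NextToken": "page-2"}
        return {"MetricAlarms": [],
                "CompositeAlarms": [{"AlarmName": "checkout-composite", "StateValue": "ALARM"}]}

    def describe_alarm_history(self, **kwargs):
        return {"AlarmHistoryItems": [h for h in self._history
                                      if h["AlarmName"] == kwargs["AlarmName"]]}


if __name__ == "__main__":
    client = FakeCloudWatchClient()
    for name in active_alarm_names(client):
        ts = state_transitions(client, name)
        print(name, f"{len(ts)} transitions, {flap_count(ts)} into ALARM in the last hour")
        for t in ts:
            print("  ", t["at"].isoformat(), t["old"], "->", t["new"], t["reason"])
```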
### Metrics

#### get_metric_statistics — Metric statistics
Query statistics for any CloudWatch metric:
| Parameter | Description |
|---|---|
| namespace | Metric namespace (e.g. AWS/EC2) |
| metric_name | Metric name (e.g. NetworkIn) |
| statistics | Statistical method: Average / Sum / Maximum / Minimum / SampleCount |
| period | Aggregation interval in seconds |
| dimensions | Filter dimensions (e.g. InstanceId) |
#### list_metrics — Metric discovery
Discover all metrics under a given namespace and filter combinations.
#### get_metric_data — Multi-metric batch query
Retrieve multiple metrics in a single request with custom MetricDataQueries — more efficient for monitoring dashboards with many metrics.
### Anomaly detection

#### describe_anomaly_detectors — Anomaly detector list
List all active CloudWatch anomaly detectors, including metric, threshold, and trained baseline model details.
## Configuration

| Item | Description |
|---|---|
| AWS_ACCESS_KEY_ID | Access Key ID |
| AWS_SECRET_ACCESS_KEY | Secret Access Key |
| AWS_DEFAULT_REGION | Default region (e.g. us-east-1) |
| AWS_SESSION_TOKEN | Optional: temporary session token |
## Investigation workflow

1. get_alarms state_value:"ALARM"
   → Find all currently active alarms
2. get_alarm_history alarm_name:"<alarm name>"
   → Trace state transitions for a specific alarm
3. get_log_groups prefix:"/aws/lambda"
   → Find Lambda function log groups
4. execute_logs_insights_query
   log_group:"/aws/lambda/payment-service"
   query:"fields @timestamp, @message | filter @message like /Exception/ | sort @timestamp desc | limit 50"
   start_time:"2026-02-15T00:00:00Z" end_time:"2026-02-15T23:59:59Z"
   → Investigate exceptions during a specific window
5. get_metric_statistics
   namespace:"AWS/EC2" metric_name:"NetworkOut"
   statistics:"Maximum" period:300
   → Identify abnormally high network egress
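Step 5 above looks at a single metric; across a fleet the same check is better done with the get_metric_data batch query described earlier, which is what this added example (not the integration's own code) shows for both passages. It builds one MetricDataQuery per instance for AWS/EC2 NetworkOut with Stat Maximum and Period 300, pages through the results, and flags datapoints that exceed a multiple of that instance's own median plus an absolute floor. The median baseline and the thresholds are this example's choices, not anything the page specifies. It assumes a client with boto3's `get_metric_data` shape; `FakeMetricsClient` is a constructed stand-in so it runs offline, and in practice you would pass `boto3.client("cloudwatch")`.

```python
"""Batch NetworkOut query and egress spike flagging (added example).
Assumes a client with boto3's get_metric_data shape; the fake client is
constructed so this runs offline. Baseline/threshold choices are ours."""
from datetime import datetime, timedelta, timezone
from statistics import median


def build_egress_queries(instance_ids, period=300, stat="Maximum"):
    """One MetricDataQuery per instance. Ids must be unique and start with a
    lowercase letter; the Label carries the instance id back in the result."""
    return [{
        "Id": f"m{i}",
        "Label": iid,
        "MetricStat": {
            "Metric": {"Namespace": "AWS/EC2", "MetricName": "NetworkOut",
                       "Dimensions": [{"Name": "InstanceId", "Value": iid}]},
            "Period": period,
            "Stat": stat,
        },
        "ReturnData": True,
    } for i, iid in enumerate(instance_ids)]


def fetch_metric_data(client, queries, start, end):
    """Page through get_metric_data; returns {label: [(timestamp, value), ...]}."""
    series, token = {}, None
    while True:
        kwargs = {"MetricDataQueries": queries, "StartTime": start, "EndTime": end,
                  "ScanBy": "TimestampAscending"}
        if token:
            kwargs["NextToken"] = token
        resp = client.get_metric_data(**kwargs)
        for r in resp["MetricDataResults"]:
            series.setdefault(r["Label"], []).extend(zip(r["Timestamps"], r["Values"]))
        token = resp.get("NextToken")
        if not token:
            return series


def flag_egress_spikes(series, factor=10.0, min_bytes=50_000_000):
    """Flag points above factor x the instance's median AND an absolute floor,
    so a quiet host's tiny baseline does not fire on ordinary noise."""
    flagged = []
    for label, points in series.items():
        values = [v for _, v in points]
        if not values:
            continue
        baseline = median(values)
        for ts, v in points:
            if v >= min_bytes and v > factor * baseline:
                flagged.append({"instance": label, "at": ts, "bytes": v, "baseline": baseline})
    return flagged


def investigate_egress(client, instance_ids, start_iso, end_iso):
    """End-to-end: ISO 8601 window -> batch query -> flagged egress spikes."""
    start = datetime.fromisoformat(start_iso.replace("Z", "+00:00"))
    end = datetime.fromisoformat(end_iso.replace("Z", "+00:00"))
    series = fetch_metric_data(client, build_egress_queries(instance_ids), start, end)
    return flag_egress_spikes(series)


class FakeMetricsClient:
    """Constructed stand-in: six 5-minute points per instance, one instance
    with a single 2 GB period (a constructed spike), the rest at 1 MB."""
    def get_metric_data(self, **kwargs):
        stamps = [kwargs["StartTime"] + timedelta(minutes=5 * i) for i in range(6)]
        out = []
        for q in kwargs["MetricDataQueries"]:
            values = [1_000_000.0] * 6
            if q["Label"] == "i-0aaa111":
                values[4] = 2_000_000_000.0
            out.append({"Id": q["Id"], "Label": q["Label"], "Timestamps": stamps,
                        "Values": values, "StatusCode": "Complete"})
        return {"MetricDataResults": out}


if __name__ == "__main__":
    hits = investigate_egress(FakeMetricsClient(), ["i-0aaa111", "i-0bbb222"],
                              "2026-02-15T00:00:00Z", "2026-02-15T00:30:00Z")
    for h in hits:
        print(f"{h['instance']} at {h['at'].isoformat()}: {h['bytes']:.0f} bytes "
              f"(baseline {h['baseline']:.0f})")
```

Using the instance's own median rather than a fleet-wide threshold keeps a chronically busy host from masking a spike on a normally quiet one; the absolute floor is what stops near-idle hosts from paging on trivial bursts.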