The cw-alarm-audit CLI tool provides a straightforward way to audit CloudWatch alarms across multiple AWS regions. It identifies issues such as alarms without actions, disabled actions, and those stuck in undesirable states. This read-only utility ensures that alarm configurations are effective and reliable, enhancing monitoring and alerting practices.
The AWS CloudWatch Alarm Audit CLI is a lightweight, read-only command-line interface designed to efficiently audit CloudWatch alarms across multiple AWS regions. It serves to identify various issues within alarm configurations that might affect monitoring effectiveness and system reliability.
Key Features
This utility helps in detecting CloudWatch alarms that have issues such as:
- Unconfigured Alarm Actions: Alarms that do not have any actions set up to respond to state changes.
- Disabled Alarm Actions: Alarms that have their actions disabled, rendering them ineffective.
- Prolonged ALARM or INSUFFICIENT_DATA States: Alarms that remain in alarming states for extended periods, which could indicate a larger issue that requires attention.
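The three checks listed above can be expressed over the fields that DescribeAlarms returns. The following is an added example, not the tool's own code: the `Alarm` type, the `Audit` function and the issue labels are hypothetical, and the sample alarms are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Alarm carries the DescribeAlarms fields the checks need (hypothetical type,
// not the tool's own).
type Alarm struct {
	Name, State    string // State: OK, ALARM or INSUFFICIENT_DATA
	ActionsEnabled bool
	Actions        []string // alarm, OK and insufficient-data action ARNs combined
	StateUpdated   time.Time
}

// Audit returns the issues for one alarm. Issue labels are made up for this
// example. stale is the longest a non-OK state may last before it is reported.
func Audit(a Alarm, now time.Time, stale time.Duration) []string {
	var issues []string
	if len(a.Actions) == 0 {
		issues = append(issues, "no-actions")
	}
	if !a.ActionsEnabled {
		issues = append(issues, "actions-disabled")
	}
	if a.State != "OK" && now.Sub(a.StateUpdated) > stale {
		issues = append(issues, "stale-"+a.State)
	}
	return issues
}

func main() {
	now := time.Date(2024, 6, 30, 12, 0, 0, 0, time.UTC)            // fixed clock, constructed
	sns := []string{"arn:aws:sns:eu-west-1:111122223333:ops-pager"} // constructed ARN
	alarms := []Alarm{ // constructed sample data
		{"api-5xx", "OK", true, sns, now.Add(-2 * time.Hour)},
		{"queue-depth", "ALARM", true, nil, now.Add(-10 * 24 * time.Hour)},
		{"disk-free", "INSUFFICIENT_DATA", false, sns, now.Add(-time.Hour)},
	}
	for _, a := range alarms {
		age := now.Sub(a.StateUpdated).Round(time.Hour)
		fmt.Printf("%-12s %-18s %-6s %v\n", a.Name, a.State, age, Audit(a, now, 7*24*time.Hour))
	}
}
```

The 7-day threshold mirrors the `--stale 7d` option shown under How to Use.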
How to Use
To execute the CLI, run the following command in your terminal:
go run .
The tool provides several usage options, such as:
# Identify broken alarms across all regions (including no actions, disabled actions, and stale states over 7 days)
go run . --only-broken --stale 7d
# List alarms currently in ALARM state for a specific region (outputs in JSON format)
go run . --regions eu-west-1 --state ALARM --json
# Find alarms that do not take any actions when triggered
go run . --no-actions --actions-disabled
Output Summary
By default, the tool outputs a table with relevant details, including:
- Region
- Alarm Name
- Current State
- Time Since Last State Change
- Detected Issues
For those requiring structured data, the --json flag can be used for JSON output.
Required AWS Permissions
Ensure that the following permissions are granted to utilize this tool effectively:
- cloudwatch:DescribeAlarms
- ec2:DescribeRegions
Limitations
The tool operates in a read-only mode, meaning it does not make any changes to alarms, does not auto-fix issues, and doesn't create dashboards. This ensures that audit processes align with best practices without risk to existing configurations.