
CloudWatch metric alarm has actions configured for the ALARM state

cloudwatch_alarm_actions_alarm_state_configured

Severity: high
Service: cloudwatch
by Prowler

Amazon CloudWatch metric alarms are evaluated for actions configured for the ALARM state. The finding flags alarms that have no action to execute when their monitored metric crosses its threshold.

Risk

Without an ALARM action, threshold breaches trigger no notification or automated response. This delays detection and containment, risking:

  • Availability: prolonged outages or missed scale-out
  • Integrity/confidentiality: unchecked anomalies enabling tampering or data loss

Run this check with Prowler CLI

prowler aws --checks cloudwatch_alarm_actions_alarm_state_configured

Recommendation

Assign at least one ALARM-state action per alarm (e.g., notify via SNS or run automated remediation with Lambda/SSM). Keep actions enabled, apply least privilege to the action targets, and test the actions regularly. For critical metrics, add redundant paths (EventBridge) for defense in depth.

Remediation

CLI

aws cloudwatch put-metric-alarm --alarm-name <alarm-name> --metric-name <metric-name> --namespace <namespace> --statistic <statistic> --period <period-seconds> --evaluation-periods <evaluation-periods> --threshold <threshold> --comparison-operator <comparison-operator> --alarm-actions <action-arn>

Other
  1. Open the AWS Console and go to CloudWatch > Alarms
  2. Select the target alarm and choose Edit (or Modify alarm)
  3. In Actions, under When alarm state is ALARM, add an action (e.g., select an SNS topic or other supported action)
  4. Click Save changes
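
To confirm the remediation across many alarms at once, the same test can be applied to the JSON printed by `aws cloudwatch describe-alarms --output json`. This is an added example, not Prowler's own code; the sample alarms and the `audit_alarms` function name are constructed for illustration, and the WARN case for disabled actions goes beyond what this check reports.

```python
import json

# Constructed sample shaped like `aws cloudwatch describe-alarms --output json`.
SAMPLE = """
{"MetricAlarms": [
  {"AlarmName": "cpu-high", "ActionsEnabled": true,
   "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:ops-alerts"],
   "OKActions": [], "InsufficientDataActions": []},
  {"AlarmName": "disk-full", "ActionsEnabled": true,
   "AlarmActions": [], "OKActions": ["arn:aws:sns:us-east-1:111122223333:ops-alerts"],
   "InsufficientDataActions": []},
  {"AlarmName": "5xx-rate", "ActionsEnabled": false,
   "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:ops-alerts"]},
  {"AlarmName": "queue-depth", "ActionsEnabled": true}
]}
"""

def audit_alarms(describe_alarms_json):
    """Return one (alarm_name, status, reason) tuple per metric alarm."""
    doc = json.loads(describe_alarms_json)
    results = []
    for alarm in doc.get("MetricAlarms", []):
        name = alarm.get("AlarmName", "<unnamed>")
        actions = alarm.get("AlarmActions") or []  # key may be absent or empty
        if not actions:
            # The condition this check describes: nothing runs on ALARM.
            other = alarm.get("OKActions") or alarm.get("InsufficientDataActions")
            reason = "no ALARM-state action"
            if other:
                reason += " (only OK/INSUFFICIENT_DATA actions set)"
            results.append((name, "FAIL", reason))
        elif not alarm.get("ActionsEnabled", True):
            # Beyond the check itself: actions exist but will not execute.
            results.append((name, "WARN", "ALARM action set but ActionsEnabled is false"))
        else:
            results.append((name, "PASS", f"{len(actions)} ALARM action(s)"))
    return results

if __name__ == "__main__":
    for name, status, reason in audit_alarms(SAMPLE):
        print(f"{status:4} {name}: {reason}")
```

An alarm that only has OK or INSUFFICIENT_DATA actions still fails, because nothing fires when the threshold is breached.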


Resource Type

AwsCloudWatchAlarm
