See a sample investigation Set up operational investigations

Getting started

To set up CloudWatch investigations, you create an investigation group. You can also see a sample investigation to get an overall idea of how they work.

Topics

See a sample investigation
Set up operational investigations

See a sample investigation

If you'd like to see the CloudWatch investigations feature in action before you configure it for your account, you can walk through a sample investigation. The sample investigation doesn't use your data and doesn't make data calls or start API operations in your account.

To view the sample investigation

Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
In the left navigation pane, choose AI Operations, Overview.
Choose Try a sample investigation.

The console displays the sample investigation, with suggestions and findings in the right pane. In each popup, choose Next to advance to the next part of the sample walkthrough.

Set up operational investigations

To set up CloudWatch investigations in your account, you create an investigation group. Creating an investigation group is a one-time setup task. Settings in the investigation group help you centrally manage the common properties of your investigations, such as the following:

Who can access the investigations
Whether investigation data is encrypted with a customer managed AWS Key Management Service key.
How long investigations and their data are retained by default.

Currently, you can have one investigation group per account. Each investigation in your account will be part of this investigation group.

To create an investigation group and set up CloudWatch investigations, you must be signed in to an IAM principal that has the either the AIOpsConsoleAdminPolicy or the AdministratorAccess IAM policy attached, or to an account that has similar permissions.

Note

To be able to choose the recommended option of creating a new IAM role for CloudWatch investigations operational investigations, you must be signed in to an IAM principal that has the iam:CreateRole, iam:AttachRolePolicy, and iam:PutRolePolicy permissions.

Important

CloudWatch investigations uses cross-Region inference to distribute traffic across different AWS Regions. For more information, see Cross-Region inference.

To create an investigation group and enable CloudWatch investigations in your account

Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
In the left navigation pane, choose AI Operations, Configuration.
Choose Configure for this account.
Optionally change the retention period for investigations. For more information about what the retention period governs, see CloudWatch investigations data retention.
(Optional) To encrypt your investigation data with a customer managed AWS KMS key, choose Customize encryption settings and follow the steps to create or specify a key to use. If you don't specify a customer managed key, CloudWatch investigations uses an AWS owned key for encryption. For more information, see Encryption of investigation data.
If you haven't already done so, use the IAM console to provision access for your users to be able to see and manage investigations. We provide IAM roles for administrators, operators, and viewers. For more information, see User permissions.
For Amazon AI Operations Developer permissions, choose one of the following. For more information about these options, see How to control what data CloudWatch investigations has access to during investigations.

To be able to choose either of the first two options, you must be signed in to an IAM principal that has the iam:CreateRole, iam:AttachRolePolicy, and iam:PutRolePolicy permissions.
- The recommended option is to choose Auto-create a new role with default investigation permissions. If you choose this option, the assistant is granted the AIOpsAssistantPolicy IAM policy. For more information about the contents of this policy, see IAM policy for CloudWatch investigations (AIOpsAssistantPolicy).
- Choose Create a new role from AWS policy templates to customize the permissions that CloudWatch investigations will have during investigations. If you choose this option, you must be sure to scope down the policy to only the permissions that you want CloudWatch investigations to have during investigations.
- Choose Assign an existing role if you already have a role with the permissions that you want to use.
  
  If you choose this option, you must make sure the role includes a trust policy that names aiops.amazonaws.com as the service principal. For more information about using service principals in trust policies, see AWS service principals
  
  We also recommend that you include a Condition section with the account number, to prevent a confused deputy situation. The following example trust policy illustrates both the service principal and the Condition section.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "aiops.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:aiops:us-east-1:123456789012:*"
                }
            }
        }
    ]
}
```
Choose Create Investigation group, you can now create an investigation from an Alarm, metric, or log insight.
Choose Complete setup.

Optionally, you can setup additional recommended configurations to enhance your experience.

In the left navigation pane, choose AI Operations, Configuration.
For Enhanced integrations, choose to allow CloudWatch investigations access to additional services in your system, to enable it to gather more data and be more useful.
1. In the Tags for application boundary detection section, enter the existing custom tag keys for custom applications in your system. Resource tags help CloudWatch investigations narrow the search space when it is unable to discover definite relationships between resources. For example, to discover that an Amazon ECS service depends on an Amazon RDS database, CloudWatch investigations can discover this relationship using data sources such as X-Ray and CloudWatch Application Signals. However, if you haven't deployed these features, CloudWatch investigations will attempt to identify possible relationships. Tag boundaries can be used to narrow the resources that will be discovered by CloudWatch investigations in these cases.
  
  You don't need to enter tags created by myApplications or AWS CloudFormation, because CloudWatch investigations can automatically detect those tags.
2. CloudTrail records events about changes in your system including deployment events. These events can often be useful to CloudWatch investigations to create hypotheses about root causes of issues in your system. In the CloudTrail for change event detection section, you can give CloudWatch investigations some access to the events logged by AWS CloudTrail by enabling Allow the assistant access to CloudTrail change events through the CloudTrail Event history. For more information, see Working with CloudTrail Event history.
3. The X-Ray for topology mapping and Application Signals for health assessment sections point out other AWS services that can help CloudWatch investigations find information. If you have deployed them and you have granted the AIOpsAssistantPolicy IAM policy to CloudWatch investigations, it will be able to access X-Ray and Application Signals telemetry.
  
  For more information about how these services help CloudWatch investigations, see X-Ray and CloudWatch Application Signals
You can integrate CloudWatch investigations with a chat channel using AWS Chatbot in chat applications. This makes it possible to receive notifications about an investigation through the chat channel. CloudWatch investigations and AWS Chatbot support chat channels in the following applications:
- Slack
- Microsoft Teams
If you want to integrate with a chat channel, we recommend that you complete some additional steps before you proceed. For more information, see Integration with third-party chat systems.

Then, perform the following steps to integrate with a chat channel in chat applications:
- In the Chat client integration section, choose Select SNS topic.
- Select the SNS topic to use for sending notifications about your investigations.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS services where investigations are supported

Investigate operational issues in your environment