Aws/alarm Investigation
CloudWatch alarm investigation and triage model.
Enriches CloudWatch alarms with metric activity, SNS subscription data, state-change history, and a verdict classifying each alarm as one of: healthy, stale, silent, noisy, orphaned, or unknown.
Authentication
Uses the default AWS credential chain (environment variables, shared config, instance profiles, ECS task roles). No credentials are stored in swamp.
Required IAM Permissions
```json
{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:DescribeAlarms",
    "cloudwatch:DescribeAlarmHistory",
    "cloudwatch:GetMetricStatistics",
    "sns:ListSubscriptionsByTopic"
  ],
  "Resource": "*"
}
```
Methods
investigate
Deep-dive enrichment for a single alarm by name. Fetches metric activity for
the last 24 hours, state-change history for the last 7 days, and SNS topic
subscription counts. Assigns a verdict and writes one alarm_detail resource.
```
swamp model method run <name> investigate alarmName="MyAlarm"
```
triage
Fan-out enrichment across all (or filtered) alarms in the account. Writes one
alarm_detail resource per alarm plus a triage_summary resource with
aggregate verdict and state counts.
```
swamp model method run <name> triage
swamp model method run <name> triage stateFilter=ALARM limit=50
```
Verdict Classifications
| Verdict | Condition |
|---|---|
| orphaned | INSUFFICIENT_DATA for > 365 days |
| silent | In ALARM with no alarm actions configured |
| stale | In ALARM for > 180 days |
| noisy | > 5 state changes in the last 7 days |
| healthy | OK, has actions, and has recent metric data points |
| unknown | None of the above patterns matched |
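The verdict table written as a classifier, as an added example that is not the model's own code. It assumes the rows are checked top to bottom with the first match winning, and that "recent metric data points" means at least one datapoint in the 24-hour window; `stateChanges7d` and `datapoints24h` are hypothetical field names, while the others follow CloudWatch DescribeAlarms output.

```typescript
// Added example, not the model's implementation.
type Verdict = "orphaned" | "silent" | "stale" | "noisy" | "healthy" | "unknown";

interface AlarmFacts {
  AlarmName: string;
  StateValue: "OK" | "ALARM" | "INSUFFICIENT_DATA";
  StateUpdatedTimestamp: string; // ISO 8601, when the current state began
  AlarmActions: string[];        // action ARNs, e.g. SNS topics
  stateChanges7d: number;        // hypothetical: state changes in the last 7 days
  datapoints24h: number;         // hypothetical: metric datapoints in the last 24 hours
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumption: table rows are evaluated in order, so an ALARM with no actions
// is "silent" even if it has also been in ALARM for more than 180 days.
function classify(a: AlarmFacts, now: Date): Verdict {
  const daysInState = (now.getTime() - Date.parse(a.StateUpdatedTimestamp)) / DAY_MS;
  if (a.StateValue === "INSUFFICIENT_DATA" && daysInState > 365) return "orphaned";
  if (a.StateValue === "ALARM" && a.AlarmActions.length === 0) return "silent";
  if (a.StateValue === "ALARM" && daysInState > 180) return "stale";
  if (a.stateChanges7d > 5) return "noisy";
  if (a.StateValue === "OK" && a.AlarmActions.length > 0 && a.datapoints24h > 0) return "healthy";
  return "unknown";
}

// Count alarms per verdict across a batch.
function summarize(alarms: AlarmFacts[], now: Date): Record<Verdict, number> {
  const counts: Record<Verdict, number> =
    { orphaned: 0, silent: 0, stale: 0, noisy: 0, healthy: 0, unknown: 0 };
  for (const a of alarms) counts[classify(a, now)]++;
  return counts;
}

// Constructed sample data (placeholder account id and topic, not real alarms).
const NOW = new Date("2025-06-01T00:00:00Z");
const TOPIC = "arn:aws:sns:us-east-1:111122223333:ops-alerts";
const mk = (AlarmName: string, StateValue: AlarmFacts["StateValue"], since: string,
            AlarmActions: string[], stateChanges7d: number, datapoints24h: number): AlarmFacts =>
  ({ AlarmName, StateValue, StateUpdatedTimestamp: since, AlarmActions, stateChanges7d, datapoints24h });

const SAMPLE: AlarmFacts[] = [
  mk("old-queue-depth", "INSUFFICIENT_DATA", "2024-01-01T00:00:00Z", [TOPIC], 0, 0),
  mk("disk-full-no-action", "ALARM", "2024-06-01T00:00:00Z", [], 0, 288), // also > 180 days
  mk("cpu-high-forgotten", "ALARM", "2024-10-01T00:00:00Z", [TOPIC], 0, 288),
  mk("latency-flapping", "OK", "2025-05-31T00:00:00Z", [TOPIC], 9, 288),
  mk("api-5xx", "OK", "2025-05-01T00:00:00Z", [TOPIC], 3, 288),
  mk("ok-but-no-data", "OK", "2025-05-01T00:00:00Z", [TOPIC], 0, 0),
];
console.log(SAMPLE.map((a) => `${a.AlarmName}: ${classify(a, NOW)}`).join("\n"));
```

The second sample alarm matches both the silent and stale conditions; under the ordering assumption it is reported as silent, the case where nobody would have been notified.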
Resources