In a previous post we discussed how to auto-subscribe a CloudWatch Log Group to a Lambda function using CloudWatch Events, so that we don't need a manual process to ensure all Lambda logs go to our log aggregation service.

Whilst this is useful in its own right, it only scratches the surface of what we can do. CloudTrail and CloudWatch Events make it easy to automate many day-to-day operational steps. With the help of Lambda, of course ;-)

I work with API Gateway and Lambda heavily. Whenever you create a new API, or make changes, there are several things you need to do:

- enable Detailed Metrics for the deployment stage
- set up a dashboard in CloudWatch, showing request count, latencies and error counts
- set up CloudWatch Alarms for p99 latencies and error counts

Because these are manual steps, they often get missed. Have you ever forgotten to update the dashboard after adding a new endpoint to your API? And did you also remember to set up a p99 latency alarm on this new endpoint? How about alarms on the number of 4xx or 5xx errors?

Most teams I have dealt with have some conventions around these, but without a way to enforce them. The result is that the convention is applied in patches and cannot be relied upon.

I find this approach doesn't scale with the size of the team. It works when you're a small team: everyone has a shared understanding, and the necessary discipline to follow the convention. When the team gets bigger, you need automation to help enforce these conventions.

Fortunately, we can automate away these manual steps using the same pattern. In the Monitoring unit of my course Production-Ready Serverless, I demonstrated how you can do this in 3 simple steps:

1. CloudTrail captures the CreateDeployment request to API Gateway.
2. A CloudWatch Events rule with a pattern that matches this captured request.
3. A Lambda function to enable detailed metrics, and create alarms for each endpoint.
If you use the Serverless framework, then you might have a function that looks like this:

```yaml
auto-create-api-alarms:
  handler: functions/create-alarms.handler
  events:
    - cloudwatchEvent:
        event:
          source:
            - aws.apigateway
          detail-type:
            - AWS API Call via CloudTrail
          detail:
            eventSource:
              - apigateway.amazonaws.com
            eventName:
              - CreateDeployment
  environment:
    alarm_actions: arn:aws:sns:#{AWS::Region}:#{AWS::AccountId}:NotifyMe
    ok_actions: arn:aws:sns:#{AWS::Region}:#{AWS::AccountId}:NotifyMe
  iamRoleStatements:
    - Effect: Allow
      Action: apigateway:GET
      Resource:
        - arn:aws:apigateway:#{AWS::Region}::/restapis/*
        - arn:aws:apigateway:#{AWS::Region}::/restapis/*/stages/${self:custom.stage}
    - Effect: Allow
      Action: apigateway:PATCH
      Resource: arn:aws:apigateway:#{AWS::Region}::/restapis/*/stages/${self:custom.stage}
    - Effect: Allow
      Action: cloudwatch:PutMetricAlarm
      Resource: "*"
```

A couple of things to note from the code above:

- I'm using the serverless-iam-roles-per-function plugin to give the function a tailored IAM role
- The function needs the apigateway:PATCH permission to enable detailed metrics
- The function needs the apigateway:GET permission to get the API name and REST endpoints
- The function needs the cloudwatch:PutMetricAlarm permission to create the alarms
- The environment variables specify SNS topics for the CloudWatch Alarms

The captured event looks like this:

```json
{
  "version": "0",
  "id": "dee9a69c-8166-1ad7-41d4-1dad201e29f6",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.apigateway",
  "account": "374852340821",
  "time": "2018-04-09T00:17:47Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDAIRMUZZEGPO27IPFYW",
      "arn": "arn:aws:iam::374852340821:user/yan.cui",
      "accountId": "374852340821",
      "accessKeyId": "ASIAJNZDKN26DXPZFYQE",
      "userName": "yan.cui",
      "sessionContext": {
        "attributes": {
          "mfaAuthenticated": "false",
          "creationDate": "2018-04-09T00:17:30Z"
        }
      },
      "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2018-04-09T00:17:47Z",
    "eventSource": "apigateway.amazonaws.com",
    "eventName": "CreateDeployment",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "requestParameters": {
      "restApiId": "8kbasri6v7",
      "createDeploymentInput": {
        "stageName": "dev"
      },
      "template": false
    },
    "responseElements": {
      "id": "cj2y0f",
      "createdDate": "Apr 9, 2018 12:17:47 AM",
      "deploymentUpdate": {
        "restApiId": "8kbasri6v7",
        "deploymentId": "cj2y0f",
        "template": false
      },
      "deploymentStages": {
        "deploymentId": "cj2y0f",
        "restApiId": "8kbasri6v7",
        "template": false,
        "templateSkipList": [
          "position"
        ]
      },
      "deploymentDelete": {
        "deploymentId": "cj2y0f",
        "restApiId": "8kbasri6v7",
        "template": false
      },
      "self": {
        "deploymentId": "cj2y0f",
        "restApiId": "8kbasri6v7",
        "template": false
      }
    },
    "requestID": "6e25bd56-3b8b-11e8-a351-e5e3d3161fe7",
    "eventID": "a150d941-7a54-4572-97b2-0614a81fd25b",
    "readOnly": false,
    "eventType": "AwsApiCall"
  }
}
```

We can find the restApiId and stageName inside the detail.requestParameters attribute. That's all we need to figure out what endpoints are there, and so what alarms we need to create.

Inside the handler function, which you can find here, we perform a few steps:

- enable detailed metrics with an updateStage call to API Gateway
- get the list of REST endpoints with a getResources call to API Gateway
- get the REST API name with a getRestApi call to API Gateway
- for each of the REST endpoints, create a p99 latency alarm in the AWS/ApiGateway namespace

Now, every time I create a new API, I will have CloudWatch Alarms to alert me when the 99th percentile latency for an endpoint goes over 1 second, for 5 minutes in a row.
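The post links to its handler rather than printing it, so the following is an added example (my code, not the post's or the course's) of how those four steps can be written as a Node.js handler for the CreateDeployment event above. It assumes aws-sdk v2 (the APIGateway and CloudWatch clients with `.promise()` on each call), the alarm_actions and ok_actions environment variables from the serverless.yml above, and a `stage` environment variable mirroring ${self:custom.stage} that the post's configuration does not set. The constructed SAMPLE_EVENT keeps only the fields the handler reads, and the names processDeployment, buildLatencyAlarms, extractDeployment and detailedMetricsPatch are mine. Two checks go beyond the post's description: CloudTrail also records failed API calls, so events carrying an errorCode are ignored, and deployments to a stage the function's IAM role does not cover are skipped instead of failing on AccessDenied.

```javascript
'use strict';

// Alarm policy from the post: p99 latency over 1 second for 5 minutes in a row.
const LATENCY_THRESHOLD_MS = 1000;
const EVALUATION_PERIODS = 5; // five consecutive 60-second periods

// Constructed sample event: the CloudTrail CreateDeployment event from the post,
// reduced to the fields this handler reads.
const SAMPLE_EVENT = {
  'detail-type': 'AWS API Call via CloudTrail',
  source: 'aws.apigateway',
  detail: {
    eventSource: 'apigateway.amazonaws.com',
    eventName: 'CreateDeployment',
    requestParameters: { restApiId: '8kbasri6v7', createDeploymentInput: { stageName: 'dev' }, template: false }
  }
};

// Pull restApiId and stageName from detail.requestParameters.
// Returns null for events this function should ignore.
function extractDeployment(event) {
  const detail = event && event.detail;
  if (!detail || detail.eventName !== 'CreateDeployment') return null;
  // CloudTrail records failed calls too; a deployment that never happened needs no alarms.
  if (detail.errorCode) return null;
  const params = detail.requestParameters || {};
  const stageName = params.createDeploymentInput && params.createDeploymentInput.stageName;
  if (!params.restApiId || !stageName) return null;
  return { restApiId: params.restApiId, stageName };
}

// updateStage request that enables detailed CloudWatch metrics on every method of the stage.
function detailedMetricsPatch(restApiId, stageName) {
  return {
    restApiId,
    stageName,
    patchOperations: [{ op: 'replace', path: '/*/*/metrics/enabled', value: 'true' }]
  };
}

// One PutMetricAlarm request per endpoint (resource path x HTTP method).
// `resources` is the `items` array returned by getResources.
function buildLatencyAlarms({ apiName, stageName, resources, alarmActions, okActions }) {
  const alarms = [];
  for (const resource of resources) {
    for (const method of Object.keys(resource.resourceMethods || {})) {
      alarms.push({
        AlarmName: `${apiName}-${stageName}-${resource.path}-${method}-p99-latency`,
        Namespace: 'AWS/ApiGateway',
        MetricName: 'Latency',
        Dimensions: [
          { Name: 'ApiName', Value: apiName },
          { Name: 'Stage', Value: stageName },
          { Name: 'Resource', Value: resource.path },
          { Name: 'Method', Value: method }
        ],
        ExtendedStatistic: 'p99',
        Period: 60,
        EvaluationPeriods: EVALUATION_PERIODS,
        Threshold: LATENCY_THRESHOLD_MS,
        ComparisonOperator: 'GreaterThanThreshold',
        TreatMissingData: 'notBreaching', // an idle endpoint is not a slow endpoint
        AlarmActions: alarmActions,
        OKActions: okActions
      });
    }
  }
  return alarms;
}

// Core logic with the SDK clients injected so it can be exercised offline. `stage` mirrors
// ${self:custom.stage}: the IAM role only allows PATCH on that stage, so other stages are skipped.
async function processDeployment(event, { apigateway, cloudwatch, stage, alarmActions, okActions }) {
  const deployment = extractDeployment(event);
  if (!deployment) return { skipped: 'not a successful CreateDeployment' };
  if (stage && deployment.stageName !== stage) return { skipped: `stage ${deployment.stageName}` };
  const { restApiId, stageName } = deployment;

  await apigateway.updateStage(detailedMetricsPatch(restApiId, stageName)).promise();
  const { items } = await apigateway.getResources({ restApiId, limit: 500 }).promise();
  const { name } = await apigateway.getRestApi({ restApiId }).promise();

  const alarms = buildLatencyAlarms({ apiName: name, stageName, resources: items, alarmActions, okActions });
  for (const alarm of alarms) {
    await cloudwatch.putMetricAlarm(alarm).promise(); // PutMetricAlarm is idempotent per AlarmName
  }
  return { apiName: name, stageName, alarmsCreated: alarms.length };
}

// Lambda entry point: wires in real clients. Assumes the aws-sdk v2 package (bundled in older
// Node.js Lambda runtimes, otherwise packaged with the function) and the env vars described above.
function handler(event) {
  const AWS = require('aws-sdk');
  return processDeployment(event, {
    apigateway: new AWS.APIGateway(),
    cloudwatch: new AWS.CloudWatch(),
    stage: process.env.stage,
    alarmActions: [process.env.alarm_actions],
    okActions: [process.env.ok_actions]
  });
}
```

Keeping the AWS calls behind `processDeployment` with injected clients is what makes the alarm-building logic testable without an AWS account; the exported `handler` is the only place that touches the real SDK, and it is the piece the serverless.yml above points at.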
All this, with just a few lines of code :-)

You can take this further, and have other Lambda functions to:

- create CloudWatch Alarms for 5xx errors for each endpoint
- create a CloudWatch Dashboard for the API

So there you have it, a useful pattern for automating away manual ops tasks!

And before you even have to ask, yes I'm aware of this serverless plugin by the ACloudGuru folks. It looks neat, but it's ultimately still something the developer has to remember to do. That requires discipline. My experience tells me that you cannot rely on discipline, ever. Which is why I prefer to have a platform in place that will generate these alarms instead.

Hi, my name is Yan Cui. I'm an AWS Serverless Hero and the author of Production-Ready Serverless. I have run production workloads at scale in AWS for nearly 10 years and I have been an architect or principal engineer in a variety of industries ranging from banking, e-commerce and sports streaming to mobile gaming. I currently work as an independent consultant focused on AWS and serverless.

You can contact me via Email, Twitter and LinkedIn.

Check out my new course, Complete Guide to AWS Step Functions. In this course, we'll cover everything you need to know to use the AWS Step Functions service effectively, including basic concepts, HTTP and event triggers, activities, design patterns and best practices. Get your copy here.

Come learn about operational BEST PRACTICES for AWS Lambda: CI/CD, testing & debugging functions locally, logging, monitoring, distributed tracing, canary deployments, config management, authentication & authorization, VPC, security, error handling, and more. You can also get 40% off the face price with the code ytcui. Get your copy here.