AWS CloudWatch for Security: Metrics, Alarms, and Log Analysis
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
CloudWatch does more than monitor CPU utilization. When configured properly, it becomes a real-time detection layer for your AWS environment. The combination of custom metrics, metric filters, alarms, and Log Insights gives you visibility into security-relevant events without needing a third-party tool.
Security-Relevant Metrics and Alarms
Start with CloudTrail-based metric filters. Create filters in the CloudTrail log group for events that matter:
- Root account usage: filter for `{ $.userIdentity.type = "Root" }`
- Unauthorized API calls: filter for `{ $.errorCode = "AccessDenied" }`
- Console logins without MFA: filter for `{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }`
- Security group changes: filter for `{ $.eventName = "AuthorizeSecurityGroupIngress" || $.eventName = "RevokeSecurityGroupIngress" }`
Attach alarms to each metric filter and send notifications to an SNS topic. Use separate topics for high-severity (root usage, trail deletion) and medium-severity (security group changes) events so on-call engineers are not overwhelmed.
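To make the four filter patterns above concrete, here is an added example (not code from the article or from AWS) that re-implements them as local predicates, runs them over a handful of constructed CloudTrail records, produces the per-filter counts a metric filter would emit, and routes any filter that reaches its alarm threshold to a high- or medium-severity SNS topic as the text suggests. The filter names, the tier assigned to the unauthorized-call and no-MFA filters, and the topic ARNs are assumptions made for the example.

```python
import json

# Constructed CloudTrail records for the example (not data from a real account).
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"},
                "errorCode": "AccessDenied"}),
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"}}),
    json.dumps({"eventName": "RevokeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"}}),
    json.dumps({"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser"}}),
]

def _get(event, path):
    """Resolve a dotted JSON path such as 'userIdentity.type'; None if any segment is absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

# One predicate per metric-filter pattern from the article (filter names are hypothetical).
FILTERS = {
    "RootAccountUsage": lambda e: _get(e, "userIdentity.type") == "Root",
    "UnauthorizedAPICalls": lambda e: _get(e, "errorCode") == "AccessDenied",
    "ConsoleLoginNoMFA": lambda e: (_get(e, "eventName") == "ConsoleLogin"
                                    and _get(e, "additionalEventData.MFAUsed") == "No"),
    "SecurityGroupChanges": lambda e: _get(e, "eventName") in
        ("AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"),
}

# Severity tiers: root usage is HIGH and security group changes MEDIUM per the article;
# the other two tiers are this example's assumption. Topic ARNs are placeholders.
SEVERITY = {"RootAccountUsage": "HIGH", "ConsoleLoginNoMFA": "HIGH",
            "UnauthorizedAPICalls": "MEDIUM", "SecurityGroupChanges": "MEDIUM"}
TOPICS = {"HIGH": "arn:aws:sns:REGION:ACCOUNT_ID:security-high",
          "MEDIUM": "arn:aws:sns:REGION:ACCOUNT_ID:security-medium"}

def count_matches(log_lines):
    """Return the metric value each filter would emit for this batch of log lines."""
    counts = {name: 0 for name in FILTERS}
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a non-JSON line matches no pattern
        for name, pred in FILTERS.items():
            if pred(event):
                counts[name] += 1
    return counts

def route_alarms(counts, threshold=1):
    """Map every filter whose count reached the alarm threshold to its SNS topic."""
    return {name: TOPICS[SEVERITY[name]] for name, n in counts.items() if n >= threshold}
```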
CloudWatch Log Insights
Log Insights is an underrated tool for security investigations. The query language is straightforward and runs across multiple log groups simultaneously.
To find all API calls from a specific IP address in the last 24 hours:
```
fields @timestamp, eventName, userIdentity.arn, sourceIPAddress
| filter sourceIPAddress = "203.0.113.42"
| sort @timestamp desc
```
To detect unusual IAM activity:
```
fields @timestamp, eventName, userIdentity.arn
| filter eventSource = "iam.amazonaws.com"
| filter eventName like /Create|Attach|Put/
| stats count(*) as actions by userIdentity.arn
| sort actions desc
```
These queries return results in seconds across millions of log entries. Use saved queries to build a library of investigation playbooks your team can reuse.
Anomaly Detection
CloudWatch anomaly detection uses machine learning to establish baselines on your metrics and alert when values deviate. Apply this to custom metrics like failed authentication attempts, API call volumes per principal, and data transfer sizes. It takes about two weeks to build a reliable baseline, so set it up before you need it.
Custom Dashboards
Build security-focused dashboards that pull together metrics from GuardDuty findings, WAF blocked requests, VPC flow log rejects, and CloudTrail error events. A single pane showing security telemetry across your account helps during incidents and gives leadership visibility into your security posture without asking for a report.
Integration with Automation
Connect CloudWatch alarms to Lambda functions through SNS for automated response. Common automations: isolating a compromised instance by swapping its security group, revoking an IAM access key that is generating anomalous activity, or snapshotting an EBS volume for forensics.
Next Steps
- Explore AWS security monitoring topics in the skills library
- Run a skills assessment to benchmark your cloud monitoring capabilities
- Build a study plan with the coaching tool to cover the full AWS security stack
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS ALB Security: TLS, Authentication, and Access Controls — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
