Creating a CloudWatch alarm based on anomaly detection - Amazon CloudWatch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Creating a CloudWatch alarm based on anomaly detection

You can create an alarm based on CloudWatch anomaly detection, which analyzes past metric data and creates a model of expected values. The expected values take into account the typical hourly, daily, and weekly patterns in the metric.

You set a value for the anomaly detection threshold, and CloudWatch uses this threshold with the model to determine the "normal" range of values for the metric. A higher value for the threshold produces a thicker band of "normal" values.

You can choose whether the alarm is triggered when the metric value is above the band of expected values, below the band, or either above or below the band.

You also can create anomaly detection alarms on single metrics and the outputs of metric math expressions. You can use these expressions to create graphs that visualize anomaly detection bands.

For more information, see Using CloudWatch anomaly detection.


If you're already using anomaly detection for visualization purposes on a metric in the Metrics console and you create an anomaly detection alarm on that same metric, then the threshold that you set for the alarm doesn't change the threshold that you already set for visualization. For more information, see Creating a graph.

To create an alarm based on anomaly detection

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Alarms, All alarms.

  3. Choose Create alarm.

  4. Choose Select Metric.

  5. Choose Select Metric and do one of the following:

    • Choose the service namespace that contains the metric that you want. To narrow the choices, continue choosing options as they appear. When a list of metrics appears, select the check box next to the metric that you want.

    • In the search box, enter the name of a metric, dimension, or resource ID and press Enter. Then choose one of the results and continue until a list of metrics appears. Select the check box next to the metric that you want.

  6. Choose the Graphed metrics tab.

    1. Under Statistic , choose one of the statistics or predefined percentiles, or specify a custom percentile (for example, p95.45).

    2. Under Period, choose the evaluation period for the alarm. When evaluating the alarm, each period is aggregated into one data point. For anomaly detection alarms, the value must be one minute or longer.

      You can also choose whether the y-axis legend appears on the left or right while you're creating the alarm. This preference is used only while you're creating the alarm.

    3. Choose Select metric.

      The Specify metric and conditions page appears, showing a graph and other information about the metric and statistic you have selected.

  7. Under Conditions, specify the following:

    1. Choose Anomaly detection.

      If the model for this metric and statistic already exists, CloudWatch displays the anomaly detection band in the sample graph at the top of the screen. If the model does not already exist, the model is generated when you are done creating the alarm. It takes up to 15 minutes for the actual anomaly detection band generated by the model to appear in the graph. Before that, the band you see is an approximation of the anomaly detection band. To see the graph in a longer time frame, choose Edit at the top right of the page.

    2. For Whenever metric is, specify when to trigger the alarm. For example, when the metric is greater than, lower than, or outside the band (in either direction).

    3. For Anomaly detection threshold, choose the number to use for the anomaly detection threshold. A higher number creates a thicker band of "normal" values that is more tolerant of metric changes, and a lower number creates a thinner band that will go to ALARM state with smaller metric deviations. The number does not have to be a whole number.

    4. Choose Additional configuration. For Datapoints to alarm, specify how many evaluation periods (data points) must be in the ALARM state to trigger the alarm. If the two values here match, you create an alarm that goes to ALARM state if that many consecutive periods are breaching.

      To create an M out of N alarm, specify a number for the first value that is low than the number for the second value. For more information, see Evaluating an alarm.

    5. For Missing data treatment, choose how the alarm behaves when some data points are missing. For more information, see Configuring how CloudWatch alarms treat missing data.

    6. If the alarm uses a percentile as the monitored statistic, a Percentiles with low samples box appears. Use it to choose whether to evaluate or ignore cases with low sample rates. If you choose ignore (maintain alarm state), the current alarm state is always maintained when the sample size is too low. For more information, see Percentile-based CloudWatch alarms and low data samples.

  8. Choose Next.

  9. Under Notification, select an SNS topic to notify when the alarm is in ALARM state, OK state, or INSUFFICIENT_DATA state.

    To send multiple notifications for the same alarm state or for different alarm states, choose Add notification.

    Choose Remove if you don't want the alarm to send notifications.

  10. You can set up the alarm to perform EC2 actions when it changes state, or to create a Systems Manager OpsItem or incident when it goes into ALARM state. To do this, choose the appropriate button and thenchoose the alarm state and action to perform.

    For more information about Systems Manager actions, see Configuring CloudWatch to create OpsItems from alarms and Incident creation.


    To create an alarm that performs an SSM Incident Manager action, you must have certain permissions. For more information, see Identity-based policy examples for Amazon Systems Manager Incident Manager.

  11. When finished, choose Next.

  12. Enter a name and description for the alarm. The name must contain only ASCII characters. Then, choose Next.

  13. Under Preview and create, confirm that the information and conditions are what you want, and then choose Create alarm.

Modifying an anomaly detection model

After you create an alarm, you can adjust the anomaly detection model. You can exclude certain time periods from being used in the model creation. It is critical that you exclude unusual events such as system outages, deployments, and holidays from the training data. You can also specify whether to adjust the model for Daylight Savings Time changes.

To adjust the anomaly detection model for an alarm

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Alarms.

  3. Choose the name of the alarm. Use the search box to find the alarm if necessary.

  4. Choose View in metrics.

  5. In the lower part of the screen, choose Edit model.

  6. To exclude a time period from being used to produce the model, choose Add another time range to exclude from training. Then select or enter the days and times to exclude from training and choose Apply.

  7. If the metric is sensitive to Daylight Savings Time changes, select the appropriate time zone in the Metric timezone box.

  8. Choose Update.

Deleting an anomaly detection model

Using anomaly detection for an alarm accrues Amazon charges. If you no longer need an anomaly detection model for an alarm, you should delete the alarm and then the model. If you delete the model without deleting the alarm, the alarm automatically recreates the model.

To delete an alarm

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Alarms.

  3. Choose the name of the alarm.

  4. Choose Actions, Delete.

To delete the anomaly detection model that was used for an alarm

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Metrics.

  3. On the All metrics tab, enter a search term in the search field, such as a metric name or resource name, and press Enter.

    For example, if you search for the CPUUtilization metric, you see the namespaces and dimensions with this metric.

  4. In the results, select the metric that had the anomaly detection model.

  5. Choose the Graphed metrics tab.

  6. In the lower part of the screen, choose Edit model and then choose Delete model.