


# Monitoring with Amazon CloudWatch

You can monitor web requests and web ACLs and rules using Amazon CloudWatch, which collects and processes raw data from Amazon WAF and Amazon Shield Advanced into readable, near real-time metrics. You can use statistics in Amazon CloudWatch to gain a perspective on how your web application or service is performing. For more information, see [What is CloudWatch](https://docs.amazonaws.cn/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.

**Note**  
CloudWatch metrics and alarms are not enabled for Firewall Manager.

You can create an Amazon CloudWatch alarm that sends an Amazon SNS message when the alarm changes state. An alarm watches a single metric over a time period that you specify, and performs one or more actions based on the value of the metric relative to a specified threshold over a number of time periods. The action is a notification sent to an Amazon SNS topic or Auto Scaling policy. Alarms invoke actions for sustained state changes only. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods.

**Topics**
+ [Viewing metrics and dimensions](metrics_dimensions.md)
+ [Amazon WAF metrics and dimensions](waf-metrics.md)
+ [Amazon Shield Advanced metrics](shield-metrics.md)
+ [Amazon Firewall Manager notifications](set-fms-alarms.md)

# Viewing metrics and dimensions

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace. Amazon Firewall Manager doesn't record metrics.
+ The Amazon WAF namespace is `AWS/WAFV2`
+ The Shield Advanced namespace is `AWS/DDoSProtection`

**Note**  
Amazon WAF reports metrics once a minute.  
Shield Advanced reports metrics once a minute during an event and less frequently at other times.

Use the following procedures to view the metrics for Amazon WAF and Amazon Shield Advanced.

**To view metrics using the CloudWatch console**

1. Sign in to the Amazon Web Services Management Console and open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. If necessary, change the Region to the one where your Amazon resources are located. For CloudFront, choose the US East (N. Virginia) Region.

1. In the navigation pane, under **Metrics**, choose **All metrics** and then search under the **Browse** tab for the service. 

**To view metrics using the Amazon CLI**
+ For AWS/WAFV2, at a command prompt use the following command:

  ```
  aws cloudwatch list-metrics --namespace "AWS/WAFV2"
  ```

  For Shield Advanced, at a command prompt use the following command:

  ```
  aws cloudwatch list-metrics --namespace "AWS/DDoSProtection"
  ```

# Amazon WAF metrics and dimensions
+ **Updated Amazon WAF metrics and dimensions** – Two new Distributed Denial of Service (DDoS) prevention metrics are now published to the `Amazon/ApplicationELB` namespace: `LowReputationRequestsDenied` and `LowReputationPacketsDropped`.
+ **Updated Amazon WAF metrics and dimensions for silent Challenge** – Added `ChallengesAttempted`, `ChallengesSolved`, `ChallengesAttemptedSdk`, and `ChallengesSolvedSdk` to the Amazon WAF metrics and dimensions section.
+ **Updated Amazon WAF metrics and dimensions** – Added information on usage metrics to the Amazon WAF metrics and dimensions section.
+ **Amazon WAF metrics added new metrics for CAPTCHA JavaScript API** – Amazon WAF added two new metrics, `CaptchasAttemptedSdk` and `CaptchasSolvedSdk`, to show account-wide CAPTCHA puzzle attempts using the CAPTCHA JavaScript API.
+ **Amazon WAF metrics added dimensions and new metrics** – Amazon WAF added a new dimension for `ManagedRuleSetRule` in rule metrics and new metrics for the matched rule action for label metrics.
+ **Amazon WAF metrics added dimensions** – Amazon WAF added new dimensions for viewing web ACL metrics.

Amazon WAF reports metrics once a minute. Amazon WAF provides metrics and dimensions in the `AWS/WAFV2` namespace. 

You can see summary information for Amazon WAF metrics through the Amazon WAF console, in the protection pack (web ACL)'s traffic overview tab. For more information, go to the console or see [Traffic overview dashboards for protection packs (web ACLs)](web-acl-dashboards.md).

You can see the following metrics for protection packs (web ACLs), rules, rule groups, and labels. 
+ **Your rules** – Metrics are grouped by the rule action. For example, when you test a rule in Count mode, its matches are listed as `Count` metrics for the protection pack (web ACL). 
+ **Your rule groups** – The metrics for your rule groups are listed under the rule group metrics. 
+ **Rule groups owned by another account** – Rule group metrics are generally visible only to the rule group owner. However, if you override the rule action for a rule, the metrics for that rule will be listed under your protection pack (web ACL) metrics. Additionally, labels added by any rule group are listed in your protection pack (web ACL) metrics. 

  Count action rules in rule groups do NOT emit web ACL dimension metrics - only Rule, RuleGroup, and Region dimensions. This applies even when the rule group is referenced in a web ACL.

  Rule groups in this category are [Amazon Managed Rules for Amazon WAF](aws-managed-rule-groups.md), [Amazon Web Services Marketplace rule groups](marketplace-rule-groups.md), [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md), and rule groups that are shared with you by another account. When a protection pack (web ACL) is deployed through Firewall Manager, any rules within the WebACL that have a Count action will not display their metrics in the member account.
+ **Labels** - Labels that were added to a web request during evaluation are listed in the protection pack (web ACL) label metrics. You can access the metrics for all labels, regardless of whether they were added by your rules and rule groups or by rules in a rule group that another account owns. 

**Topics**
+ [Amazon WAF core metrics and dimensions](#waf-metrics-general)
+ [Label metrics and dimensions](#waf-metrics-label)
+ [Free bot visibility metrics and dimensions](#waf-metrics-bot-free)
+ [Account metrics and dimensions](#waf-metrics-account)
+ [Amazon WAF usage metrics](#waf-metrics-usage)

## Amazon WAF core metrics and dimensions


**Amazon WAF core metrics**  

| Metric | Description | 
| --- | --- | 
| `AllowedRequests` |  The number of allowed web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
| `BlockedRequests` |  The number of blocked web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
| `CountedRequests` |  The number of counted web requests. Reporting criteria: There is a nonzero value. A counted web request is one that matches at least one of the rules. Request counting is typically used for testing. Valid statistics: Sum  | 
| `CaptchaRequests` |  The number of web requests that had CAPTCHA controls applied. It represents a terminating rule and does not include `RequestsWithValidCaptchaToken`. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether the CAPTCHA token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum  | 
|  `RequestsWithValidCaptchaToken`  |  The number of web requests that had CAPTCHA controls applied and that had a valid CAPTCHA token.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CaptchasAttempted`  |  The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CaptchasSolved`  |  The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengeRequests`  |  The number of web requests that had challenge controls applied. It represents a terminating rule and does not include `RequestsWithValidChallengeToken`.  Reporting criteria: There is a nonzero value. A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether the challenge token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum  | 
|  `ChallengesAttempted`  |  The number of attempts that were submitted by an end user in response to a silent challenge served by a Challenge rule. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengesSolved`  |  The number of silent challenge solutions submitted that successfully passed the silent challenge served by a Challenge rule. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
| `PassedRequests` |  The number of passed requests. This is only used for requests that go through a rule group evaluation without matching any of the rule group rules.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `RequestsWithValidChallengeToken`  |  The number of web requests that had challenge controls applied and that had a valid challenge token.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `LowReputationPacketsDropped`  |  The number of packets dropped from known malicious sources. This metric is recorded when a request is blocked by resource-level DDoS protection. Reporting criteria: There is a nonzero value. Valid statistics: Sum This metric is published to the `Amazon/ApplicationELB` namespace.  | 
|  `LowReputationRequestsDenied`  |  The number of HTTP requests denied with HTTP 403 responses. This metric is recorded when a request is blocked by resource-level DDoS protection. Reporting criteria: There is a nonzero value. Valid statistics: Sum This metric is published to the `Amazon/ApplicationELB` namespace.  | 


**Amazon WAF core dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `Region`  | Required for all protected resource types except for Amazon CloudFront distributions. | 
|  `Rule`  |  One of the following: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/waf/latest/developerguide/waf-metrics.html)  | 
|  `RuleGroup`  |  The metric name of the `RuleGroup`.  | 
|  `WebACL`  |  The metric name of the `WebACL`.  | 
|  `WebACLArn`  |  The Amazon Resource Name (ARN) of the web ACL. This dimension is only available when Amazon WAF is enabled.  | 
|  `ResourceType`  |  The type of the protected resource, such as `CF`, `APIGW`, or `ALB`.  | 
|  `Resource`  |  The Amazon Resource Name (ARN) of the protected resource.  This dimension does not include App Runner resource ARNs.  | 
|  `Country`  |  The country of origin of the request. This is the two-character designation from the International Organization for Standardization (ISO) 3166 standard. For example, US for the United States and UA for Ukraine.  If a request has an `X-Forwarded-For` header, Amazon WAF uses that to determine this setting. Otherwise, Amazon WAF uses the country of the client IP. This determination is independent of any logic you use in your rules to determine country of origin. Amazon WAF determines the locations of the IPs using MaxMind GeoIP databases.  | 
|  `Attack`  |  The type of attack that Amazon WAF identified in the request, based on the rules and rule groups that you use in your web ACL.  Your rules and the rules in the baseline Amazon managed rule groups can identify attack types. For example, cross-site scripting (XSS) rule matches identify XSS attack types, and rate-based rules identify volumetric attack types. The attack type usually indicates the type of rule that terminated the web request evaluation.   | 
|  `Device`  |  The device type of the client that sent the request, obtained from the web request’s `user-agent` header.  | 
|  `LoadBalancerArn`  |  The Amazon Resource Name (ARN) of the load balancer.  | 
|  `LoadBalancerArnAvailabilityZone`  |  The combination of the load balancer ARN and the Availability Zone.  | 
|  `ManagedRuleGroup`  |  The metric name of the `ManagedRuleGroup`.  | 
|  `ManagedRuleGroupRule`  |  The rule within the `ManagedRuleGroup` that was matched.  | 
|  `VulnerabilityCategory`  |  The vulnerability category that the request matches, based on Amazon managed rule IP sets.  | 
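
Every core metric above is reported only when it has a nonzero value, so a minute with no datapoint is a minute with a count of zero, not missing telemetry. The following added example (not part of the AWS documentation) fills those gaps before computing a per-minute blocked share from `AllowedRequests` and `BlockedRequests`. The `{timestamp: Sum}` input shape, the thresholds, and the sample data are assumptions; you can build the dictionaries from `zip(Timestamps, Values)` in a `GetMetricData` result.

```python
from datetime import datetime, timedelta, timezone

PERIOD = timedelta(minutes=1)  # Amazon WAF reports metrics once a minute


def densify(points, start, end):
    """Expand sparse {minute: Sum} datapoints to one value per minute.

    WAF publishes a datapoint only when the value is nonzero, so any
    minute absent from `points` is filled with 0.
    """
    dense, t = [], start
    while t < end:
        dense.append((t, points.get(t, 0)))
        t += PERIOD
    return dense


def per_minute_average(points, start, end):
    """Average over every minute in the window, not only the reported ones."""
    dense = densify(points, start, end)
    return sum(v for _, v in dense) / len(dense)


def high_block_minutes(allowed, blocked, start, end,
                       min_requests=100, threshold=0.5):
    """Return (minute, total, blocked_share) where the share >= threshold.

    `total` counts allowed + blocked only; counted, CAPTCHA and Challenge
    requests are separate metrics and are not included here.
    `min_requests` suppresses low-volume minutes (assumed tuning value).
    """
    hits = []
    pairs = zip(densify(allowed, start, end), densify(blocked, start, end))
    for (t, a), (_, b) in pairs:
        total = a + b
        if total >= min_requests and b / total >= threshold:
            hits.append((t, total, round(b / total, 3)))
    return hits


# Constructed sample: a 10-minute window with a short burst of blocks.
WINDOW_START = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + 10 * PERIOD
_at = lambda m: WINDOW_START + m * PERIOD
ALLOWED = {_at(m): v for m, v in
           {0: 400, 1: 380, 2: 420, 3: 150, 4: 90,
            6: 410, 7: 395, 8: 405, 9: 390}.items()}   # minute 5 not reported
BLOCKED = {_at(m): v for m, v in {3: 300, 4: 600, 5: 50}.items()}

if __name__ == "__main__":
    for minute, total, share in high_block_minutes(
            ALLOWED, BLOCKED, WINDOW_START, WINDOW_END):
        print(minute.isoformat(), total, share)
    # Averaging only the three reported datapoints would give about 316.7.
    print(per_minute_average(BLOCKED, WINDOW_START, WINDOW_END))
```
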

## Label metrics and dimensions

Metrics for the labels added to requests during evaluation by your rules and by the managed rule groups that you use in your protection pack (web ACL). For information, see [Web request labeling](waf-labels.md).

For any single web request, Amazon WAF stores metrics for at most 100 labels. Your protection pack (web ACL) evaluation can apply more than 100 labels and match against more than 100 labels, but only the first 100 are reflected in the metrics. 


**Label metrics**  

| Metric | Description | 
| --- | --- | 
|  `AllowedRequests`  |  The number of labels on web requests that had the action setting Allow applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `BlockedRequests`  |  The number of labels on web requests that had the action setting Block applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CountedRequests`  |  The number of labels added to web requests by rule group rules that have a Count action setting. This metric is only available to the owner of a rule group, for rules inside the rule group. For other cases, the count label metrics are rolled up into the terminating action that was applied to the request, like Allow or Block. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CaptchaRequests`  |  The number of labels on web requests that had a terminating CAPTCHA action applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengeRequests`  |  The number of labels on web requests that had a terminating Challenge action applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `AllowRuleMatch`  |  The number of matched rules that both generated the associated label and terminated request evaluation with an Allow action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `BlockRuleMatch`  |  The number of matched rules that both generated the associated label and terminated request evaluation with a Block action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CountRuleMatch`  |  The number of matched rules that both generated the associated label and applied a Count action. One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CaptchaRuleMatch`  |  The number of matched rules that both generated the associated label and terminated request evaluation with a CAPTCHA action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengeRuleMatch`  |  The number of matched rules that both generated the associated label and terminated request evaluation with a Challenge action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CaptchaRuleMatchWithValidToken`  |  The number of matched rules that both generated the associated label and applied a non-terminating CAPTCHA action. One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengeRuleMatchWithValidToken`  |  The number of matched rules that both generated the associated label and applied a non-terminating Challenge action. One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 


**Label dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `Region`  | Required for all protected resource types except for Amazon CloudFront distributions. | 
|  `RuleGroup`  |  The metric name of the `RuleGroup`. Used for the metric `CountedRequests`.  | 
|  `WebACL`  |  The metric name of the `WebACL`.  | 
|  `ResourceType`  |  The type of the protected resource, such as `CF`, `APIGW`, or `ALB`.  | 
|  `Resource`  |  The Amazon Resource Name (ARN) of the protected resource.  | 
|  `LabelNamespace`  | The namespace prefix of the label that was added to the request.  | 
|  `Label`  | The name of the label that was added to the request.  | 
|  `Context`  | The managed rule group that served as the context of the label addition. For example, the context for token management labels such as awswaf:managed:token:accepted is the Amazon WAF managed rule group that uses token management on the request, such as the Bot Control or ATP managed rule group. This dimension doesn't apply to all labels.  | 

## Free bot visibility metrics and dimensions

When you don't use Bot Control in your protection pack (web ACL), Amazon WAF applies the Bot Control managed rule group to a sampling of your web requests, at no additional cost. This can provide an idea of the bot traffic that is coming to your protected resources. For information about Bot Control, see [Amazon WAF Bot Control rule group](aws-managed-rule-groups-bot.md).


**Free bot visibility metrics**  

| Metric | Description | 
| --- | --- | 
|  `SampleAllowedRequest`  |  The number of sampled requests that have Allow action.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `SampleBlockedRequest`  |  The number of sampled requests that have Block action.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `SampleCaptchaRequest`  |  The number of sampled requests that have CAPTCHA action.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `SampleChallengeRequest`  |  The number of sampled requests that have Challenge action.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `SampleCountRequest`  |  The number of sampled requests that have Count action.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 


**Free bot visibility dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `Region`  | Required for all protected resource types except for Amazon CloudFront distributions. | 
|  `WebACL`  |  The metric name of the `WebACL`.  | 
|  `BotCategory`  |  The name of the detected bot category, based on the web request labels.   | 
|  `VerificationStatus`  |  The name of the detected bot verification status, based on the web request labels.   | 
|  `Signal`  |  The name of the detected bot signals, based on the web request labels.   | 

## Account metrics and dimensions

Account metrics provide account-wide information about CAPTCHA puzzles and silent Challenge rule actions that were serviced through the JavaScript API.


**Account metrics**  

| Metric | Description | 
| --- | --- | 
|  `CaptchasAttemptedSdk`  |  The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge, for puzzles that were served via the CAPTCHA JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `CaptchasSolvedSdk`  |  The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle, for puzzles that were served via the CAPTCHA JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengesAttemptedSdk`  |  The number of attempts that were submitted by an end user in response to a silent challenge served by the Challenge JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 
|  `ChallengesSolvedSdk`  |  The number of silent challenge solutions submitted that successfully passed the silent challenge served by the Challenge JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum  | 


**Account dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `Region`  | Required for all protected resource types except for Amazon CloudFront distributions. | 

## Amazon WAF usage metrics

You can use CloudWatch usage metrics to provide visibility into your account's usage of resources. Use these metrics to visualize your current service usage on CloudWatch graphs and dashboards.

Amazon WAF usage metrics correspond to Amazon service quotas. You can configure alarms that alert you when your usage approaches a service quota. For more information about CloudWatch integration with service quotas, see [Amazon usage metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Service-Quota-Integration.html) in the *Amazon CloudWatch User Guide.*

Amazon WAF publishes the following metrics in the `AWS/Usage` namespace.


**Usage metrics**  

| Metric | Description | 
| --- | --- | 
|  `ResourceCount`  |  The number of the specified resources in your account. The resources are defined by the dimensions associated with the metric. The most useful statistic for this metric is `MAXIMUM`, which represents the maximum number of resources used during the 1-minute period.  | 

The following dimension is used to refine the usage metrics that are published by Amazon WAF.


**Usage dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `Resource`  | The type of resource for which the usage is being reported. | 

The following are the supported values for the `Resource` dimension.


**`Resource` values**  

| Value | Description | 
| --- | --- | 
|  `WebAclsPerAccountCloudFront`  | The number of protection packs (web ACLs) the customer has in CloudFront per account. This metric is only available when there is at least one protection pack (web ACL) in CloudFront. | 
|  `WebAclsPerAccountRegional`  | The number of protection packs (web ACLs) the customer has in a region per account. This metric is only available when there is at least one protection pack (web ACL) in that region. | 
|  `RuleGroupsPerAccountCloudFront`  | The number of rule groups the customer has in CloudFront per account. This metric is only available when there is at least one rule group in CloudFront. | 
|  `RuleGroupsPerAccountRegional`  | The number of rule groups the customer has in a region per account. This metric is only available when there is at least one rule group in that region. | 
|  `IpSetsPerAccountCloudFront`  | The number of IP sets the customer has in CloudFront per account. This metric is only available when there is at least one IP set in CloudFront. | 
|  `IpSetsPerAccountRegional`  | The number of IP sets the customer has in a region per account. This metric is only available when there is at least one IP set in that region. | 
|  `RegexPatternSetsPerAccountCloudFront`  | The number of regex pattern sets the customer has in CloudFront per account. This metric is only available when there is at least one regex pattern set in CloudFront. | 
|  `RegexPatternSetsPerAccountRegional`  | The number of regex pattern sets the customer has in a region per account. This metric is only available when there is at least one regex pattern set in that region. | 

# Amazon Shield Advanced metrics

Shield Advanced publishes Amazon CloudWatch detection, mitigation, and top contributor metrics for all resources that it protects. These metrics improve your ability to monitor your resources by making it possible to create and configure CloudWatch dashboards and alarms for them. 

The Shield Advanced console presents summaries of many of the metrics that it records. For information, see [Visibility into DDoS events with Shield Advanced](ddos-viewing-events.md).

If you enable automatic application layer DDoS mitigation for an application layer protection, Shield Advanced adds a rule group to your protection pack (web ACL) that it uses to manage automated protections. This rule group generates Amazon WAF metrics, but they are not available to view. This is the same as for any other rule groups that you use in your protection pack (web ACL) but do not own, such as Amazon Managed Rules rule groups. For more information about Amazon WAF metrics, see [Amazon WAF metrics and dimensions](waf-metrics.md). For information about this Shield Advanced protection option, see [Automating application layer DDoS mitigation with Shield Advanced](ddos-automatic-app-layer-response.md). 

**Metric reporting locations**  
Shield Advanced reports metrics in the US East (N. Virginia) Region, `us-east-1` for the following:
+ The global services Amazon CloudFront and Amazon Route 53.
+ Protection groups. For information about protection groups, see [Grouping your Amazon Shield Advanced protections](ddos-protection-groups.md).

For other resource types, Shield Advanced reports metrics in the resource's Region. 

**Timing of metric reporting**  
Shield Advanced reports metrics to Amazon CloudWatch on an Amazon resource more frequently during DDoS events than while no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends. 

While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms and dashboards. 

**Alarm recommendations**  
We recommend that you create alarms to notify you of circumstances that require attention. As a starting point, you could create an alarm for each protected resource that reports when the `DDoSDetected` detection metric is non-zero. A non-zero value in this metric doesn't necessarily imply that a DDoS attack is underway, but we recommend looking closer at the resource status when the metric is in this state. 

For request floods, we recommend that you create alarms for composite checks that also consider factors such as application health and web request volume. You may choose to alarm on the other three metrics that report on the volume of traffic for various attack vector dimensions. By considering the capacity of your application and alarming when traffic is approaching your application limitations, you can create a set of rules that notify you as needed, without too much unwanted noise. 
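
The following added example (not part of the AWS documentation) builds the `DDoSDetected` alarm recommended above, chooses the CloudWatch Region from the metric reporting locations, and treats missing data as not breaching because the metric is reported only once a day outside events. The `ResourceArn` dimension name is the one listed in the mitigation dimensions; the alarm names, evaluation settings, sample ARNs, and the application health alarm used in the composite rule are assumptions.

```python
"""Alarm definitions for Shield Advanced detection metrics (added example)."""

GLOBAL_METRIC_REGION = "us-east-1"  # Region the page gives for global resources


def metric_region(resource_arn):
    """Return the Region where Shield Advanced reports metrics for this ARN."""
    parts = resource_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {resource_arn!r}")
    service, region, resource = parts[2], parts[3], parts[5]
    # CloudFront, Route 53 and protection groups report in us-east-1.
    if service in ("cloudfront", "route53"):
        return GLOBAL_METRIC_REGION
    if service == "shield" and resource.startswith("protection-group/"):
        return GLOBAL_METRIC_REGION
    if not region:
        raise ValueError(f"ARN has no Region field: {resource_arn!r}")
    return region  # other resource types report in their own Region


def ddos_detected_alarm(resource_arn, sns_topic_arn, name_prefix="shield-ddos"):
    """Keyword arguments for cloudwatch.put_metric_alarm on DDoSDetected."""
    short = resource_arn.rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    return {
        "AlarmName": f"{name_prefix}-{short}",
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum",
        "Period": 60,               # metrics arrive once a minute during an event
        "EvaluationPeriods": 3,     # assumed: look at the last three minutes
        "DatapointsToAlarm": 1,     # assumed: one non-zero minute is enough
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        # Outside events there is one datapoint a day, so gaps are normal.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def request_flood_composite(name, ddos_alarm_name, health_alarm_name,
                            sns_topic_arn):
    """Keyword arguments for cloudwatch.put_composite_alarm.

    Notifies only when the detection alarm and an application health alarm
    (one you define on your own metric) are in ALARM at the same time.
    """
    return {
        "AlarmName": name,
        "AlarmRule": f'ALARM("{ddos_alarm_name}") AND ALARM("{health_alarm_name}")',
        "AlarmActions": [sns_topic_arn],
    }


def create_alarm(resource_arn, sns_topic_arn):
    """Create the alarm in the Region where the metric is reported."""
    import boto3  # imported here so the builders above run without the SDK
    cloudwatch = boto3.client("cloudwatch",
                              region_name=metric_region(resource_arn))
    cloudwatch.put_metric_alarm(**ddos_detected_alarm(resource_arn, sns_topic_arn))


if __name__ == "__main__":
    import json
    # Constructed sample ARNs.
    alb = ("arn:aws:elasticloadbalancing:eu-west-1:111122223333:"
           "loadbalancer/app/web/0123456789abcdef")
    topic = "arn:aws:sns:eu-west-1:111122223333:security-alerts"
    print(metric_region(alb))
    print(json.dumps(ddos_detected_alarm(alb, topic), indent=2))
```
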

**Topics**
+ [Detection metrics](#ddos-metrics-detection)
+ [Mitigation metrics](#ddos-metrics-mitigation)
+ [Top contributors metrics](#ddos-metrics-top-contributors)

## Detection metrics

Shield Advanced provides the metrics and dimensions in the `AWS/DDoSProtection` namespace. 


**Detection metrics**  

| Metric | Description | 
| --- | --- | 
| `DDoSDetected` | Indicates whether a DDoS event is underway for a particular Amazon Resource Name (ARN). This metric has a non-zero value during an event.   | 
| `DDoSAttackBitsPerSecond` | The number of bits observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events. This metric has a non-zero value during an event. Units: Bits  | 
| `DDoSAttackPacketsPerSecond` | The number of packets observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events. This metric has a non-zero value during an event. Units: Packets  | 
| `DDoSAttackRequestsPerSecond` | The number of requests observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for layer 7 DDoS events. The metric is reported only for the most significant layer 7 events. This metric has a non-zero value during an event. Units: Requests  | 
| `DDoSAttackRequests` | The number of requests observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for Anti-DDoS Managed Rules (AMR) DDoS events. This metric is in the `AWS/WAFV2` namespace and has a non-zero value during an event. Units: Requests  | 

Shield Advanced posts the `DDoSDetected` metric with no other dimensions. The remaining detection metrics include the `AttackVector` dimensions that correspond to the type of attack, from the following list:
+ `ACKFlood`
+ `ChargenReflection`
+ `DNSReflection`
+ AWS/WAFV2
+ `GenericUDPReflection`
+ `MemcachedReflection`
+ `MSSQLReflection`
+ `NetBIOSReflection`
+ `NTPReflection`
+ `PortMapper`
+ `RequestFlood`
+ `RIPReflection`
+ `SNMPReflection`
+ `SSDPReflection`
+ `SYNFlood`
+ `UDPFragment`
+ `UDPTraffic`
+ `UDPReflection`

## Mitigation metrics

Shield Advanced provides metrics and dimensions in the `AWS/DDoSProtection` namespace. 


**Mitigation metrics**  

| Metric | Description | 
| --- | --- | 
| `VolumePacketsPerSecond` | The number of packets per second that were dropped or passed by a mitigation that was deployed in response to a detected event. Units: packets  | 


**Mitigation dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `ResourceArn`  |  Amazon Resource Name (ARN)  | 
|  `MitigationAction`  |  The outcome of an applied mitigation. Possible values are `Pass` or `Drop`.   | 

## Top contributors metrics

Shield Advanced provides metrics in the `AWS/DDoSProtection` namespace. 


**Top contributors metrics**  

| Metric | Description | 
| --- | --- | 
| `VolumePacketsPerSecond` | The number of packets per second for a top contributor. Units: packets  | 
| `VolumeBitsPerSecond` | The number of bits per second for a top contributor. Units: bits  | 

Shield Advanced posts top contributors metrics by dimension combinations that characterize the event contributors. You can use any of the following combinations of dimensions for any of the top contributors metrics:
+ `ResourceArn`, `Protocol` 
+ `ResourceArn`, `Protocol`, `SourcePort` 
+ `ResourceArn`, `Protocol`, `DestinationPort` 
+ `ResourceArn`, `Protocol`, `SourceIp` 
+ `ResourceArn`, `Protocol`, `SourceAsn` 
+ `ResourceArn`, `TcpFlags` 


**Top contributors dimensions**  

| Dimension | Description | 
| --- | --- | 
|  `ResourceArn`  |  Amazon Resource Name (ARN).  | 
|  `Protocol`  |  IP protocol name, either `TCP` or `UDP`.  | 
|  `SourcePort`  |  Source TCP or UDP port.  | 
|  `DestinationPort`  |  Destination TCP or UDP port.  | 
|  `SourceIp`  |  Source IP address.  | 
|  `SourceAsn`  |  Source autonomous system number (ASN).  | 
|  `TcpFlags`  |  A combination of flags present in a TCP packet, separated by a dash (`-`). Monitored flags are `ACK`, `FIN`, `RST`, `SYN`. This dimension value always appears sorted alphabetically. For example, `ACK-FIN-RST-SYN`, `ACK-SYN`, and `FIN-RST`.  | 

# Amazon Firewall Manager notifications

Amazon Firewall Manager doesn't record metrics, so you can't create Amazon CloudWatch alarms specifically for Firewall Manager. However, you can configure Amazon SNS notifications to alert you to potential attacks. To create Amazon SNS notifications in Firewall Manager, see [Step 4: Configuring Amazon SNS notifications and Amazon CloudWatch alarms](getting-started-fms-shield.md#get-started-fms-shield-cloudwatch).