EC2 on Watch: Real-Time CPU Alerts with CloudWatch + SNS in 4 Simple Steps

Salome Githinji

Introduction

Imagine your EC2 instance suddenly hits more than 80% CPU usage. Is it a hacker? A bug? Without monitoring, you’d never know. As a cloud engineer, I recently set up real-time alerts for CPU spikes using AWS CloudWatch and SNS. Here’s how you can do it too!

🔍 Why Monitor EC2 Instances?

  • Security: Detect malware or unauthorized crypto-mining.

  • Performance: Prevent app crashes from resource exhaustion.

  • Cost Control: Avoid over-provisioning (or under-provisioning) resources.

Tools We’ll Use:

  1. Amazon CloudWatch: Tracks CPU/memory/network metrics.

  2. Amazon SNS: Sends email/SMS alerts when thresholds are breached.

  3. Stress Testing: Simulates attacks to validate your alarms.

🚀 Step-by-Step: Build Your Monitoring System

1️⃣ Task 1: Create an SNS Alert Topic

Amazon Simple Notification Service (SNS) is a fully managed messaging service provided by Amazon Web Services (AWS). It facilitates the delivery of messages from publishers to subscribers, utilizing a publish/subscribe model. SNS supports various messaging protocols, including HTTP/S, email, SMS, and mobile push notifications.

  1. Go to SNS > Topics > Create Topic.

    • Type: Standard

    • Name: MyCwAlarm

  2. Create a subscription:

    Topic ARN: Leave the default option selected.

    Protocol: From the dropdown list, choose Email.

    Endpoint: Enter a valid email address that you can access.

In the Details section, the Status should be Pending confirmation. You should have received an AWS Notification - Subscription Confirmation email message at the email address that you provided in the previous step.

  3. Confirm the subscription in your email inbox.

2️⃣ Task 2: Create a CloudWatch Alarm

Why? To trigger alerts when CPU > 60% for 1 minute.

  1. Go to CloudWatch > Alarms > Create Alarm.

  2. In the left navigation pane, choose the Metrics dropdown list, and then choose All metrics.

     CloudWatch usually takes 5-10 minutes after the creation of an EC2 instance to start fetching metric details.

  3. On the Metrics page, choose EC2, and choose Per-Instance Metrics.

     From this page, you can view all the metrics being logged and the specific EC2 instance for the metrics.

  4. Select the check box with CPUUtilization as the Metric name for the Stress Test EC2 instance.

  5. Choose Select metric. On the Specify metric and conditions page, configure the following options:

     Metric name: Enter CPUUtilization

     InstanceId: Leave the default option selected.

     Statistic: Enter Average

     Period: From the dropdown list, choose 1 minute.

  6. Link to your SNS topic:

    • Action: “In alarm” → Select MyCwAlarm

Choose Next, and then configure the following options:

Name and description

  • Alarm name: Enter LabCPUUtilizationAlarm

  • Alarm description - optional: Enter CloudWatch alarm for Stress Test EC2 instance CPUUtilization

⚠️ Wait 5-10 mins after creating an EC2 instance for metrics to appear!
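Tasks 1 and 2 can also be scripted. The Python below is an added example, not part of the original walkthrough: it uses boto3 with the topic name, alarm name, metric, statistic, period and 60% threshold from the steps above. The function names and the choice of one evaluation period (read from "CPU > 60% for 1 minute") are assumptions.

```python
def build_alarm_params(instance_id, topic_arn):
    """Arguments for put_metric_alarm, using the values from Task 2."""
    return {
        "AlarmName": "LabCPUUtilizationAlarm",
        "AlarmDescription": "CloudWatch alarm for Stress Test EC2 instance CPUUtilization",
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": 60,            # seconds; 1-minute EC2 datapoints need detailed monitoring
        "EvaluationPeriods": 1,  # assumption: "CPU > 60% for 1 minute" = one period
        "Threshold": 60.0,       # percent
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [topic_arn],  # "In alarm" -> MyCwAlarm
    }


def create_monitoring(sns, cloudwatch, instance_id, email):
    """Create topic, email subscription and alarm; return the topic ARN."""
    if not instance_id.startswith("i-"):
        raise ValueError(f"not an EC2 instance id: {instance_id!r}")
    # create_topic returns the existing ARN if the topic is already there
    topic_arn = sns.create_topic(Name="MyCwAlarm")["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cloudwatch.put_metric_alarm(**build_alarm_params(instance_id, topic_arn))
    return topic_arn


def unconfirmed_endpoints(sns, topic_arn):
    """Endpoints that will receive nothing until their confirmation link is clicked."""
    subs = sns.list_subscriptions_by_topic(TopicArn=topic_arn)["Subscriptions"]
    return [s["Endpoint"] for s in subs if s["SubscriptionArn"] == "PendingConfirmation"]


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above can be tested without AWS access

    instance_id, email = sys.argv[1], sys.argv[2]
    sns = boto3.client("sns")
    arn = create_monitoring(sns, boto3.client("cloudwatch"), instance_id, email)
    print("alarm publishes to", arn)
    print("still pending confirmation:", unconfirmed_endpoints(sns, arn))
```

Run it with an instance ID and an email address as arguments; credentials and region come from the usual boto3 configuration. A non-empty "still pending confirmation" list means the alarm can fire without anyone being notified.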

3️⃣ Task 3: Simulate an Attack (Stress Test)

  1. Connect to your EC2 instance (using Session Manager or SSH).

  2. Run a CPU stress test:

     sudo stress --cpu 10 -v --timeout 400s  # Spikes CPU to 100% for 400s
    
  3. Monitor CPU in real-time:

     top  # Shows live CPU usage
    

4️⃣ Task 4: Build a CloudWatch Dashboard

Why? Single-pane visibility for all EC2 metrics.

  1. Go to CloudWatch > Dashboards > Create Dashboard.

  2. Name: LabEC2Dashboard

  3. Add a Line Widget → Select:

    • EC2 Metrics > Per-Instance Metrics

    • Choose Stress Test instance + CPUUtilization

  4. Save → Now track CPU 24/7!

🔐 Security Insights from the Simulation

  • Malware Behavior: The stress test mimicked a crypto-mining attack (100% CPU).

  • Alert Time: Took < 2 mins to detect the breach.

  • Response Plan:

    1. Get alert → Investigate via CloudWatch.

    2. Isolate instance → Terminate malicious processes.

    3. Patch vulnerabilities.

Happy Coding !!!
