CloudWatch Alarm Actions Enabled
Overview
This check verifies that your CloudWatch alarms have actions enabled (ActionsEnabled: true). When alarm actions are enabled, CloudWatch can automatically notify you or trigger automated responses when a monitored metric crosses its threshold. Without enabled actions, your alarms are essentially silent monitors that will not alert anyone when issues occur.
Risk
When CloudWatch alarm actions are disabled:
- Missed alerts: You will not receive notifications when alarms trigger, potentially missing critical security or operational issues
- Delayed incident response: Without automated alerts, problems may go undetected for hours or days, increasing recovery time and impact
- Compliance gaps: Many frameworks (CIS, PCI-DSS) require active monitoring and alerting for security-relevant events
- Wasted monitoring investment: Alarms without actions provide no value beyond historical data; the monitoring effort is effectively wasted
Remediation Steps
Prerequisites
- AWS account access with permissions to modify CloudWatch alarms
- Ideally, an SNS topic configured to receive alarm notifications
Required IAM permissions
To enable alarm actions, you need:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:EnableAlarmActions",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Open the CloudWatch Console at https://console.aws.amazon.com/cloudwatch
- Ensure you are in the us-east-1 region (or the region where your alarm exists)
- In the left sidebar, click Alarms then All alarms
- Select the checkbox next to the alarm with disabled actions
- Click the Actions dropdown button
- Select Enable alarm actions
- Confirm when prompted
The alarm will now trigger its configured actions when the alarm state changes.
Important: If your alarm has no actions configured, you should also add at least one action (such as an SNS notification). See the "Adding alarm actions" section below.
Adding alarm actions (if none exist)
If your alarm has actions enabled but no actual actions configured, you need to add them:
- Select your alarm and click Edit
- Scroll to the Notification section
- Click Add notification
- For Alarm state trigger, select In alarm
- Choose an existing SNS topic or create a new one
- Optionally add notifications for OK and Insufficient data states
- Click Update alarm
AWS CLI (optional)
Enable actions for a single alarm
aws cloudwatch enable-alarm-actions \
  --alarm-names <YOUR_ALARM_NAME> \
  --region us-east-1
Replace <YOUR_ALARM_NAME> with your alarm's name.
Enable actions for multiple alarms
aws cloudwatch enable-alarm-actions \
  --alarm-names "Alarm1" "Alarm2" "Alarm3" \
  --region us-east-1
Find all alarms with disabled actions
aws cloudwatch describe-alarms \
  --region us-east-1 \
  --query 'MetricAlarms[?ActionsEnabled==`false`].AlarmName' \
  --output table
Enable actions for all disabled alarms
# Get list of alarms with disabled actions (names are tab-separated in text output)
DISABLED_ALARMS=$(aws cloudwatch describe-alarms \
  --region us-east-1 \
  --query 'MetricAlarms[?ActionsEnabled==`false`].AlarmName' \
  --output text)

# Enable actions if any were found
if [ -n "$DISABLED_ALARMS" ]; then
  # Split on tabs and newlines only, so alarm names containing spaces stay intact (bash)
  IFS=$'\t\n' read -r -d '' -a ALARM_NAMES <<< "$DISABLED_ALARMS"
  aws cloudwatch enable-alarm-actions \
    --alarm-names "${ALARM_NAMES[@]}" \
    --region us-east-1
  echo "Enabled actions for: ${ALARM_NAMES[*]}"
else
  echo "No alarms with disabled actions found"
fi
CloudFormation (optional)
When creating alarms with CloudFormation, always set ActionsEnabled: true and configure at least one action.
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudWatch Alarm with Actions Enabled

Parameters:
  AlarmName:
    Type: String
    Description: Name for the CloudWatch alarm
  MetricName:
    Type: String
    Description: The metric to monitor
  MetricNamespace:
    Type: String
    Description: The namespace for the metric
  SNSTopicArn:
    Type: String
    Description: ARN of the SNS topic for notifications

Resources:
  CloudWatchAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Ref AlarmName
      AlarmDescription: CloudWatch alarm with actions enabled
      ActionsEnabled: true
      AlarmActions:
        - !Ref SNSTopicArn
      OKActions:
        - !Ref SNSTopicArn
      ComparisonOperator: GreaterThanThreshold
      EvaluationPeriods: 1
      MetricName: !Ref MetricName
      Namespace: !Ref MetricNamespace
      Period: 300
      Statistic: Average
      Threshold: 80
      TreatMissingData: notBreaching

Outputs:
  AlarmArn:
    Description: ARN of the CloudWatch Alarm
    Value: !GetAtt CloudWatchAlarm.Arn
Deploy with:
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-cloudwatch-alarm \
  --parameter-overrides \
    AlarmName=my-app-cpu-alarm \
    MetricName=CPUUtilization \
    MetricNamespace=AWS/EC2 \
    SNSTopicArn=arn:aws:sns:us-east-1:123456789012:my-alerts \
  --region us-east-1
Terraform (optional)
variable "alarm_name" {
  description = "Name for the CloudWatch alarm"
  type        = string
}

variable "metric_name" {
  description = "The metric to monitor"
  type        = string
}

variable "metric_namespace" {
  description = "The namespace for the metric"
  type        = string
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for notifications"
  type        = string
}

resource "aws_cloudwatch_metric_alarm" "example" {
  alarm_name          = var.alarm_name
  alarm_description   = "CloudWatch alarm with actions enabled"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = var.metric_name
  namespace           = var.metric_namespace
  period              = 300
  statistic           = "Average"
  threshold           = 80
  treat_missing_data  = "notBreaching"

  # This is the key setting - must be true
  actions_enabled = true
  alarm_actions   = [var.sns_topic_arn]
  ok_actions      = [var.sns_topic_arn]
}
Deploy with:
terraform init
terraform plan -var="alarm_name=my-cpu-alarm" \
  -var="metric_name=CPUUtilization" \
  -var="metric_namespace=AWS/EC2" \
  -var="sns_topic_arn=arn:aws:sns:us-east-1:123456789012:my-alerts"
terraform apply
Verification
After enabling alarm actions, verify the change took effect:
- Open the CloudWatch Console at https://console.aws.amazon.com/cloudwatch
- Navigate to Alarms > All alarms
- Click on your alarm name to view its details
- In the Actions section, confirm actions are listed and the alarm shows Actions enabled
Verify with AWS CLI
aws cloudwatch describe-alarms \
  --alarm-names <YOUR_ALARM_NAME> \
  --region us-east-1 \
  --query 'MetricAlarms[*].{Name:AlarmName,ActionsEnabled:ActionsEnabled,AlarmActions:AlarmActions}'
A properly configured alarm will show:
[
  {
    "Name": "my-cpu-alarm",
    "ActionsEnabled": true,
    "AlarmActions": [
      "arn:aws:sns:us-east-1:123456789012:my-alerts"
    ]
  }
]
If ActionsEnabled is false or AlarmActions is empty, the alarm needs further configuration.
Check all alarms in your account
aws cloudwatch describe-alarms \
  --region us-east-1 \
  --query 'MetricAlarms[*].{Name:AlarmName,ActionsEnabled:ActionsEnabled,HasActions:length(AlarmActions)>`0`}' \
  --output table
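The queries above read only MetricAlarms, and describe-alarms returns only metric alarms unless --alarm-types is given. The following added example (not part of the original page) audits both metric and composite alarms for the two conditions this page checks; the sample data is constructed and the finding labels are illustrative names chosen here.

```python
import json
import sys

ARN = "arn:aws:sns:us-east-1:123456789012:my-alerts"  # placeholder ARN used on this page

# Constructed sample, shaped like the JSON returned by:
#   aws cloudwatch describe-alarms --alarm-types MetricAlarm CompositeAlarm --output json
SAMPLE = {
    "MetricAlarms": [
        {"AlarmName": "cpu high prod", "ActionsEnabled": True, "AlarmActions": [ARN], "OKActions": [ARN]},
        {"AlarmName": "root-login", "ActionsEnabled": False, "AlarmActions": [ARN], "OKActions": []},
        {"AlarmName": "disk-full", "ActionsEnabled": True, "AlarmActions": [], "OKActions": [ARN]},
    ],
    "CompositeAlarms": [
        {"AlarmName": "app-down", "ActionsEnabled": False, "AlarmActions": [], "OKActions": []},
    ],
}


def audit_alarms(response):
    """Return [(name, kind, [findings])] for every alarm that cannot notify on ALARM."""
    results = []
    for key, kind in (("MetricAlarms", "metric"), ("CompositeAlarms", "composite")):
        for alarm in response.get(key, []):
            findings = []
            if not alarm.get("ActionsEnabled", False):
                findings.append("actions_disabled")
            # OK-only actions do not help: nothing fires when the alarm enters ALARM
            if not alarm.get("AlarmActions"):
                findings.append("no_alarm_state_action")
            if findings:
                results.append((alarm["AlarmName"], kind, findings))
    return results


if __name__ == "__main__":
    # Pass a file holding saved describe-alarms JSON, or run with no argument for the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, kind, findings in audit_alarms(data):
        print(f"{kind:9} {name}: {', '.join(findings)}")
```

Alarms flagged actions_disabled are fixed with enable-alarm-actions; those flagged no_alarm_state_action need an action added as described in "Adding alarm actions".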
Additional Resources
- AWS Documentation: Using Amazon CloudWatch Alarms
- AWS CLI Reference: enable-alarm-actions
- AWS CLI Reference: describe-alarms
- Terraform: aws_cloudwatch_metric_alarm
- AWS CloudWatch Alarm Actions
Notes
- Actions vs. ActionsEnabled: An alarm can have ActionsEnabled: true but still have no actions configured. Both conditions must be met for the alarm to actually notify you.
- Action types: CloudWatch alarms can trigger SNS notifications, Auto Scaling policies, EC2 actions (stop, terminate, reboot, recover), and Systems Manager OpsItems.
- State-specific actions: Configure actions for both ALARM and OK states to get notified when issues occur and when they resolve.
- Testing alarms: Use aws cloudwatch set-alarm-state to test that your alarm actions work correctly before waiting for a real incident.
- Composite alarms: This check also applies to composite alarms, which combine multiple metric alarms.
- Cost considerations: SNS notifications are low-cost, but Lambda functions or other triggered actions may incur additional charges.