Configure CSM to Add Incidents for AWS Product Events

Prepare your CSM instance for creating new Incidents when your AWS resources go into Alarm state, based on SNS messages.

Before you begin, complete the global steps outlined in Configure CSM for AWS. To support this use case, you will also need to complete Configure AWS CloudWatch Alarms for CSM.

You can connect CloudWatch alarms so that when they go into alarm state, an Incident is created in CSM and tied to the appropriate AWS Configuration Item in your CMDB. Depending on your usage of AWS, you may already have configured AWS CloudWatch Alarms for your AWS resources. You can connect these existing alarms, or you can create new ones.

Note: For our example, we will create a CloudWatch Alarm for CPU Usage on a specific EC2 instance. However, the principles are the same and the setup is similar for alarms of other types. You may need to modify some of the JSON parsing in the workflow of One-Step™ Actions connected to the Create AWS Event webhook.

The overall workflow for the automatic creation of Incidents for your AWS Product configuration items is shown below:

Workflow for automatic creation of indicent records

A webhook triggers the Create AWS Event One-Step Action. This webhook was designed as a sample to demonstrate how you might automatically create Incidents for your AWS resources when they go into alarm state or violate an established rule. This sample expects a CloudWatch Alarm notification from Amazon SNS, such as an EC2 instance which has exceeded its CPU utilization threshold, and stores the JSON from that alarm notification in an AWS Event object record. Then, an automation process (AWS Event) creates an Incident linked to the associated CI in your CMDB. You may wish to configure additional, similar event types using either AWS CloudWatch or AWS Config. To facilitate this process, we have included sample JSON for these event types, as well as configured the (None) Create AWS Event One-Step Action with a decision tree that covers two possible paths: a notification from AWS Config that a CloudWatch Alarm has changed from OK to ALARM state, and a CloudWatch alarm which sends the SNS notification directly with details about the affected resource. There is a sample of what kind of JSON is expected for the event. It's very particular, so we provide relevant sample code.

To configure AWS CloudWatch Alarms for CSM:

  1. In CSM Administrator, go to Managers > One-Step Action Managers, and then to Global > Integrations > AWS.
  2. Import the supplemental Create AWS Event from EventBridge mApp Solution from the mApp Exchange.
  3. In CSM Administrator, go to Managers > Webhook Managers, and then to Global > Integrations > AWS. Update the Create AWS Event webhook to use the new One-Step Action imported in the prior step.
  4. Note: Webhook passwords should not correspond to any CSM logins. Instead, they are arbitrary and used for the webhook only to enhance security.
    If you have not already done so, in CSM Administrator, go to Managers > Webhook Manager and set a custom webhook username and password for the AWS webhooks that were provided with the mApp® Solution.
    1. Copy the Full Endpoint from the General page of the Webhook Manager. Using the new username and password you just set for the webhook, modify the copied URL to the fit the following format; replace the sample information for webhook username and password, as well as the external URL of your CSM server. https://webhookUsername:[email protected]/CherwellAPI/api/Webhooks/createawsevent

Configure any One-Step Action that parse incoming messages from AWS specific to your CloudWatch Alarms. Specifically, check these:

  1. Note: If you are not using AWS CloudWatch or AWS Config for your event source, you may need to modify this One-Step Action to accommodate additional decision tree branches.
    (None) Create AWS Event: Creates an AWS Event record from an incoming SNS notification. Parses the incoming JSON based on whether stored values are set to enable AWS Config, AWS CloudWatch, and the event source, as described above.
  2. (AWS Event) Create Incident from Event: This creates the Incident and links it to the affected CI.