perfware.cloud - Getting Started Guide - AI Monitor 26h1

ML-powered anomaly detection for CloudWatch metrics

Contents

·         What This Product Does

·         Prerequisites

·         Deploy

·         Post-Deployment Setup

·         Subscription Editor

·         Discovery Wizard

·         Monitoring

·         Cross-Account Setup

·         Updating the Stack

·         Teardown

·         Troubleshooting

·         Appendix A: Certificates

·         Appendix B: Subscription Fields Reference

·         Appendix C: Enabling AWS/Billing in Remote Accounts

·         Support

 

What This Product Does

AI Monitor ingests CloudWatch metrics via Metric Streams, learns normal behavior per metric using statistical baselines, and alerts on deviations automatically. It includes:

·         Real-time metric ingestion via CloudWatch Metric Streams → Firehose → S3 → OpenSearch

·         Per-metric anomaly detection with day-of-week baselines and Z-score scoring

·         AI-powered anomaly explanations via Amazon Bedrock (advanced+)

·         AI Discovery Wizard with natural language metric suggestions

·         Maintenance windows to suppress alerts during deployments

·         Log correlation — links anomalies to errors in Log Processor (compact+)

·         Automated anomaly reports with cost analysis (advanced+)

·         Cross-account metric monitoring (advanced+)

·         SNS alerts with message attributes for filter-based routing

·         Web-based subscription editor with RBAC (Cognito authentication)

·         CloudWatch dashboard with alarm status, EMF metrics, and AI health

·         DynamoDB Point-in-Time Recovery for state protection (advanced+)

Deploys as a CloudFormation stack. Requires a deployed Log Processor stack (provides VPC, OpenSearch domain, and networking).

 

Prerequisites

·         A deployed Log Processor stack (any tier) — provides the shared VPC and OpenSearch domain

·         An AWS account with permissions to create CloudFormation stacks, Lambda, DynamoDB, S3, SNS, Firehose, CloudWatch

·         An ACM certificate for HTTPS on the editor ALB (see Appendix A)

·         AWS CLI configured (for operational scripts)

·         For AI features (advanced+): Enable Bedrock model access for Anthropic Claude in the AWS console (Bedrock → Model access → enable Anthropic → submit form, ~15 min activation)

 

Deploy

Step 1: Subscribe and Launch

1.      Find AI Monitor in AWS Marketplace, select your tier

2.      Click Continue to Subscribe and accept terms

3.      Click Set up your account → redirected to CloudFormation

4.      Fill in parameters (below) → check IAM acknowledgment → Submit

Step 2: Configure Parameters

Parameter

Required

Description

ConfirmStackName

Yes

Copy your stack name here (3-18 chars, alphanumeric, start with letter)

LogProcessorStackName

Yes

Name of your deployed Log Processor stack

AlertEmail

Yes

Email(s) for anomaly alerts and reports (comma-separated, up to 5)

EditorCertificateArn

Yes

ACM certificate ARN for HTTPS on the editor ALB

EditorDomain

Recommended

Custom domain for the editor (e.g. monitor.example.com). Provides stable URL.

CrossAccountIds

No

Comma-separated remote account IDs for cross-account monitoring (advanced+)

The stack takes approximately 5-10 minutes to create.

Post-Deployment Setup

Create Users

Use the provided helper scripts to manage Cognito users:

users.cmd <stack-name> create admin@example.com

The first user must have admin in the email prefix (e.g. admin@company.com) for root access. Additional users can be any email.

 

Create Groups (advanced+ tiers)

For RBAC, create admin and viewer groups and assign users:

groups.cmd <stack-name> create-group admin "Full access"

groups.cmd <stack-name> create-group viewer "Read-only"

groups.cmd <stack-name> add-to-group user@example.com admin

DNS Setup

If using a custom domain, create a DNS CNAME/alias to the ALB after deployment:

setup-domain.cmd <stack-name> <domain> <hosted-zone-id> <region>

 

Confirm SNS Subscription

Check your email for the AWS Notification - Subscription Confirmation email and confirm it.

 

Subscription Editor

Access the editor at: https://<editor-domain>/editor

Features:

·         Add/edit/delete metric subscriptions with validation

·         Preview metric data (click Preview; Shift+click = 24h; Ctrl+click = query OpenSearch)

·         Maintenance windows to suppress alerts during known events

·         Anomaly viewer with detail panel, CloudWatch deep links, and AI explanations

·         Baseline display showing learned per-day patterns

·         Version history with diff and one-click rollback

·         On-demand report generation

·         Scheduled report auto-email

 

Discovery Wizard

Click the button in the header to open the Discovery panel.

·         Shows all active CloudWatch metrics in your account (refreshed every 6h)

·         Quick-start chips for common monitoring patterns

·         AI Suggest (advanced+): describe what you want to monitor in natural language

·         One-click Subscribe button pre-fills the subscription form

 

Monitoring

The stack creates a CloudWatch dashboard: <stack-name>-monitoring

Includes widgets for:

·         Alarm status (all alarms at a glance)

·         Collector: invocations, errors, throttles, duration

·         Detector: anomalies detected, subscriptions scored, AI cache hits/misses

·         AI Explain: processed, failed, circuit breaker status

·         Discovery: namespaces and metrics found

·         Editor: requests and latency

·         SQS queue depth, DLQ, Firehose freshness

·         OpenSearch cluster health, CPU, JVM, storage

·         Lambda error/warning log queries

 

Cross-Account Setup

Run setup-cross-account-metrics.cmd (or .sh) in the remote account:

setup-cross-account-metrics.cmd <central-account-id> <central-stack-name> <central-region>

This creates a Metric Stream → local Firehose → central S3 bucket pipeline. The central stack's CrossAccountIds parameter must include the remote account ID.

See Appendix C for enabling billing metrics in remote accounts.

 

Updating the Stack

1.      Go to AWS Marketplace → Manage subscriptions

2.      Select AI Monitor, choose the new version/tier

3.      Follow prompts to update the CloudFormation stack

4.      Configuration and data are preserved across updates

 

Teardown

1.      Disable all subscriptions in the editor (stops the Metric Stream)

2.      Delete the CloudFormation stack

3.      If unsubscribing: AWS Marketplace → Manage subscriptions → Cancel

Note: The stack uses the Log Processor's VPC and OpenSearch domain. Deleting AI Monitor does not affect Log Processor. Delete AI Monitor first if removing both.

Troubleshooting

No anomalies detected

•  Verify subscriptions are enabled in the editor

•  Check baseline training % (needs ~50% before alerting)

•  Verify Metric Stream is active (editor syncs this automatically on save)

•  Check the <stack>-monitoring dashboard for Lambda errors

 

Cannot access editor

•  Verify user exists in Cognito (users.cmd <stack> list)

•  For advanced+ tiers: verify user is in admin or viewer group

•  Verify ACM certificate is in Issued state

•  Verify DNS points to the ALB

 

AI features not working

•  Verify Bedrock model access is enabled (Console → Bedrock → Model access)

•  Check AI circuit breaker state: support-bundle.cmd <stack>

•  Circuit breaker auto-resets after 30 minutes

Support bundle

Collect diagnostics: support-bundle.cmd <stack-name>

 

Appendix A: Certificates

Same process as Log Processor. Use the provided setup-domain.cmd/.sh script:

Step 1: Generate cert (before deploy):

setup-domain.cmd cert-only monitor.example.com Z013AAAA... us-east-1

Step 2: Deploy stack with the cert ARN and domain

Step 3: After deploy, create DNS alias:

setup-domain.cmd <stack-name> monitor.example.com Z013AAAA... us-east-1

Appendix B: Subscription Fields Reference

Field

Description

namespace

CloudWatch namespace (e.g. AWS/Lambda, AWS/EC2)

metricName

Metric name within the namespace

dimensions

JSON object. {} = all resources. Use ".*" for wildcard per-resource monitoring.

stat

Average, Sum, Maximum, Minimum, SampleCount, p99, p95, p90

period

Aggregation period: 60, 300, 900, 3600 seconds

anomalyThreshold

Z-score sensitivity (1.0-10.0). Lower = more sensitive. Default: 3.0

direction

high (spikes only), low (drops only), both

baselineDays

Training period override (0 = tier default)

accountId

Blank = local only. * = all accounts. Or comma-separated IDs.

notifyEmail

true/false. Set false for silent recording only.

notifyThreshold

Only email when score exceeds this (0 = use anomalyThreshold)

runbookUrl

Optional URL included in alert emails

description

Human-readable name (required, must be unique)

 

Appendix C: Enabling AWS/Billing in Remote Accounts

AWS/Billing metrics (EstimatedCharges) are not enabled by default. Each account that needs billing monitoring must enable this separately:

1.      Log in to the AWS Management Console as the root user or an IAM identity with billing permissions.

2.      Navigate to the AWS Billing and Cost Management console.

3.      In the left navigation pane, choose Billing preferences.

4.      Find the Alert preferences section and choose Edit.

5.      Select the checkbox for Receive CloudWatch Billing Alerts.

6.      Choose Save preferences (or Update) to apply the changes.

Note: Billing metrics are only published in us-east-1 regardless of where your resources are. If your Metric Stream is in another region, create a separate stream in us-east-1 for AWS/Billing. After enabling, metrics begin publishing within a few hours.

Support

Link: User Guide (PDF)

Email: support@perfware.cloud

Include the output of support-bundle.cmd <stack-name> when reporting issues.

Scripts download: scripts.zip (users, groups, support-bundle, cross-account setup, readme)