View a markdown version of this page

Using resource tags for telemetry - Amazon CloudWatch

Using resource tags for telemetry

Once you have enabled resource tags for telemetry, you can leverage this enriched data to create powerful monitoring solutions that scale with your infrastructure. Use tag-based queries to group and filter metrics across multiple resources, create dynamic alarms that automatically adapt to resource changes, and gain insights into your AWS environment organized by meaningful business or operational categories. This approach enables you to monitor resources by team, environment, application, or any other tagging strategy you use in your organization.

  • Creating tag-based Metrics Insights queries – After you enable resource tags for telemetry in your account, you can create tag-based Metrics Insights queries to discover and visualize your AWS infrastructure metrics by tag. Example queries using tags can be seen in the CloudWatch Metrics Insights query builder documentation. Monitoring accounts can also make tag-based queries for metrics in source accounts which have enabled resource tags on their telemetry.

  • Creating tag-based CloudWatch alarms – After you enable resource tags for telemetry in your account, you can create CloudWatch alarms on tag-based Metrics Insights queries to alert on your AWS infrastructure metrics by tag. Example alarms using tag-based queries can be seen in the CloudWatch Metric Insights alarms documentation.

  • Querying AWS metrics with PromQL using resource tags – After you enable resource tags for telemetry in your account, you can enable OTel enrichment to query your AWS infrastructure metrics using PromQL with resource tags as labels. This lets you filter, aggregate, and alert on metrics by any tag you've applied to your AWS resources. For more information, see Enabling vended metrics in PromQL. For example queries using tags, see Querying vended AWS metrics with PromQL.

  • Creating tag-based CloudWatch Logs Insights queries – After you enable resource tags for telemetry in your account, log events from supported resources are enriched with the associated resource tags. You can create tag-based Logs Insights queries to discover your log events by tag using facets such as @aws.tag.env or @aws.tag.team. For example: filter @aws.tag.env = 'production'. For more information, see the CloudWatch Logs Insights query syntax documentation.

Supported AWS resources

The following table lists the AWS resources that support resource tags for telemetry enrichment. When you enable resource tags for telemetry, CloudWatch can enrich metrics and log events from these resources with their associated resource tags.

For the specific metrics that CloudWatch enriches for each resource type, see Supported metrics for resource tags for telemetry.

Resource type Metrics Logs
AWS::APS::RuleGroupsNamespaceYesNo
AWS::APS::WorkspaceYesYes
AWS::ApiGatewayV2::ApiYesNo
AWS::AppFlow::FlowYesNo
AWS::AppSync::GraphQLApiYesYes
AWS::Athena::CapacityReservationYesNo
AWS::Athena::WorkGroupYesNo
AWS::AutoScaling::AutoScalingGroupYesNo
AWS::Backup::BackupVaultYesNo
AWS::CloudFront::DistributionYesYes
AWS::CloudFront::FunctionNoYes
AWS::CloudWatch::MetricStreamYesNo
AWS::CodeGuruProfiler::ProfilingGroupYesNo
AWS::Cognito::UserPoolYesYes
AWS::Connect::InstanceYesYes
AWS::DAX::ClusterYesNo
AWS::DataSync::AgentYesNo
AWS::DataSync::TaskYesNo
AWS::DocDB::DBClusterYesNo
AWS::DocDB::DBInstanceYesNo
AWS::DocDBElastic::ClusterYesNo
AWS::DynamoDB::GlobalTableYesNo
AWS::DynamoDB::TableYesNo
AWS::EC2::CapacityReservationYesNo
AWS::EC2::ClientVpnEndpointYesNo
AWS::EC2::HostYesNo
AWS::EC2::InstanceYesYes
AWS::EC2::NatGatewayYesNo
AWS::EC2::TransitGatewayYesYes
AWS::EC2::VPCYesYes
AWS::EC2::VPNConnectionYesYes
AWS::EC2::VolumeYesNo
AWS::ECS::ClusterYesYes
AWS::ECS::ServiceYesNo
AWS::EFS::FileSystemYesNo
AWS::EKS::ClusterYesYes
AWS::EMR::ClusterYesNo
AWS::EMRServerless::ApplicationYesNo
AWS::ElastiCache::CacheClusterYesYes
AWS::ElastiCache::ReplicationGroupYesNo
AWS::ElasticBeanstalk::EnvironmentYesNo
AWS::ElasticLoadBalancing::LoadBalancerYesNo
AWS::ElasticLoadBalancingV2::LoadBalancerYesYes
AWS::ElasticLoadBalancingV2::TargetGroupYesNo
AWS::Events::RuleYesNo
AWS::FSx::FileSystemYesNo
AWS::FraudDetector::DetectorYesNo
AWS::GameLift::GameSessionQueueYesNo
AWS::GameLift::MatchmakingConfigurationYesNo
AWS::Glue::JobYesNo
AWS::IVSChat::LoggingConfigurationYesNo
AWS::IoT::CACertificateYesNo
AWS::IoT::ScheduledAuditYesNo
AWS::IoT::SecurityProfileYesNo
AWS::IoT::TopicRuleYesNo
AWS::KMS::KeyYesNo
AWS::Kendra::DataSourceYesNo
AWS::Kendra::IndexYesNo
AWS::Kinesis::StreamYesNo
AWS::KinesisAnalyticsV2::ApplicationYesNo
AWS::KinesisFirehose::DeliveryStreamYesNo
AWS::Lambda::FunctionYesYes
AWS::M2::ApplicationYesNo
AWS::MediaTailor::ChannelYesNo
AWS::MemoryDB::ClusterYesNo
AWS::Neptune::DBClusterYesNo
AWS::Neptune::DBInstanceYesNo
AWS::NetworkFirewall::FirewallYesYes
AWS::OpenSearchServerless::CollectionYesNo
AWS::OpenSearchService::DomainYesNo
AWS::Pinpoint::AppYesNo
AWS::Pipes::PipeYesYes
AWS::RDS::DBClusterYesYes
AWS::RDS::DBInstanceYesNo
AWS::RUM::AppMonitorYesYes
AWS::Redshift::ClusterYesNo
AWS::RedshiftServerless::NamespaceYesNo
AWS::RedshiftServerless::WorkgroupYesNo
AWS::Route53::HealthCheckYesNo
AWS::Route53Resolver::FirewallRuleGroupYesNo
AWS::Route53Resolver::ResolverEndpointYesNo
AWS::S3::BucketYesNo
AWS::SNS::TopicYesNo
AWS::SQS::QueueYesNo
AWS::SageMaker::EndpointYesNo
AWS::SageMaker::InferenceComponentYesNo
AWS::Scheduler::ScheduleGroupYesNo
AWS::Synthetics::CanaryYesNo
AWS::Transfer::ConnectorYesYes
AWS::Transfer::ServerYesYes
AWS::VpcLattice::ServiceYesYes
AWS::WorkSpaces::WorkspaceYesNo
AWS::WorkSpaces::WorkspacesPoolYesNo