# Updating DevOps Guru settings
You can update the following Amazon DevOps Guru settings:
+ Your DevOps Guru coverage. This determines which resources in your account are analyzed.
+ Your notifications. This determines which Amazon Simple Notification Service topics are used to notify you of important DevOps Guru events.
+ Features for enhanced insights. This includes log anomaly detection, encryption, and your AWS Systems Manager integration settings. This determines whether DevOps Guru displays log data, whether you use additional security keys, and whether an OpsItem is created in Systems Manager OpsCenter for each new insight.
**Topics**
+ [Updating your management account settings](#update-management-account)
+ [Updating your AWS analysis coverage in DevOps Guru](#update-coverage)
+ [Updating your notifications in DevOps Guru](update-notifications.md)
+ [Filtering your DevOps Guru notifications](update-notifications-filter.md)
+ [Updating AWS Systems Manager integration in DevOps Guru](#update-systems-manager-integration)
+ [Updating log anomaly detection in DevOps Guru](#update-log-analysis)
+ [Updating encryption settings in DevOps Guru](#update-encryption)
## Updating your management account settings
You can configure DevOps Guru for accounts in your organization. If you haven't registered a delegated administrator, you can do so by choosing **Register delegated administrator**. For more information on registering a delegated administrator, see [Enable DevOps Guru](https://docs.aws.amazon.com/devops-guru/latest/userguide/getting-started-enable-service.html).
## Updating your AWS analysis coverage in DevOps Guru
You can update which AWS resources in your account DevOps Guru analyzes. To do this, navigate to the **Analyzed resources** page in the console and then choose **Edit**. For more information, see [Viewing resources analyzed by DevOps Guru](view-analyzed-resources.md).
# Updating your notifications in DevOps Guru
Set up Amazon Simple Notification Service topics that are used to notify you about important Amazon DevOps Guru events. You can choose from a list of topic names that already exist in your AWS account, enter the name for a new topic that DevOps Guru creates in your account, or enter the Amazon Resource Name (ARN) of an existing topic in any AWS account in your Region. If you specify the ARN of a topic that is not in your account, you must grant permission for DevOps Guru to access that topic by adding an IAM policy to it. For more information, see [Permissions for Amazon SNS topics](sns-required-permissions.md). You can specify up to two topics.
DevOps Guru sends notifications for the following updates:
+ A new insight is created.
+ A new anomaly is added to an insight.
+ The severity of an insight is upgraded from `Low` or `Medium` to `High`.
+ The status of an insight changes from ongoing to resolved.
+ A recommendation for an insight is identified.
DevOps Guru also sends notifications if a selected CloudFormation stack or tag key is invalid when you are attempting to add resources to your DevOps Guru account.
You can choose to receive Amazon SNS notifications for all kinds of updates to an issue or to receive Amazon SNS notifications only when the issue is opened, closed, or has a change in severity. By default, you receive notifications for all updates.
To update your notifications, first navigate to the notifications page and then choose whether to add, remove, or update configurations for Amazon SNS notification topics.
**Topics**
+ [Navigate to notification settings in the DevOps Guru console](#navigate-to-notification-settings)
+ [Adding Amazon SNS notification topics in the DevOps Guru console](#add-notification-topics)
+ [Removing Amazon SNS notification topics in the DevOps Guru console](#remove-notification-topics)
+ [Updating Amazon SNS notification configurations](#update-notification-configurations)
+ [Permissions added to your Amazon SNS topic](#permissions-added-to-sns-topic-on-update)
## Navigate to notification settings in the DevOps Guru console
To update notifications, you must first navigate to the notification settings section.
**To navigate to the notification settings section**
1. Open the Amazon DevOps Guru console at [https://console.aws.amazon.com/devops-guru/](https://console.aws.amazon.com/devops-guru/).
1. Choose **Settings** in the navigation pane.
The Settings page includes the **Notifications** section, with information about configured Amazon SNS topics.
## Adding Amazon SNS notification topics in the DevOps Guru console
**To add an Amazon SNS notification topic in the DevOps Guru console**
1. [Navigate to notification settings in the DevOps Guru console](#navigate-to-notification-settings).
1. Choose **Add notification**.
1. To add an Amazon SNS topic, do one of the following.
+ Choose **Generate a new SNS topic using email**. Then, from **Specify the email address**, enter the email address you want to receive notifications. To enter in additional email addresses, choose **Add new email**.
+ Choose **Use an existing SNS topic**. Then, from **Choose a topic in your AWS account**, choose the topic you want to use.
+ Choose **Use an existing SNS topic ARN to specify an existing topic from another account**. Then, in **Enter an ARN for a topic**, enter the topic ARN. The ARN is the topic's Amazon Resource Name. You can specify a topic in a different account. If you use a topic in another account, you must add a resource policy to the topic. For more information, see [Permissions for Amazon SNS topics](sns-required-permissions.md).
1. Choose **Save**.
## Removing Amazon SNS notification topics in the DevOps Guru console
**To remove Amazon SNS topics in the DevOps Guru console**
1. [Navigate to notification settings in the DevOps Guru console](#navigate-to-notification-settings).
1. Choose **Select existing topic**.
1. From the drop-down menu, select the topic you want to remove.
1. Choose **Remove**.
1. Choose **Save**.
## Updating Amazon SNS notification configurations
There are two types of notification configurations for Amazon SNS notification topics in DevOps Guru. You can choose to receive notifications of all severity levels or only notifications with **High** and **Medium** severity levels. You can also choose to receive notifications for all kinds of updates or only some kinds of updates.
When you choose to receive Amazon SNS notifications for all kinds of updates to the issue, DevOps Guru sends notifications for the following updates:
+ A new insight is created.
+ A new anomaly is added to an insight.
+ The severity of an insight is upgraded from `Low` or `Medium` to `High`.
+ The status of an insight changes from ongoing to resolved.
+ A recommendation for an insight is identified.
By default, you receive only **High** and **Medium** severity level notifications, and you receive notifications for all kinds of updates.
**To update notification configurations for Amazon SNS notification topics**
1. [Navigate to notification settings in the DevOps Guru console](#navigate-to-notification-settings).
1. Choose **Select existing topic**.
1. From the drop-down menu, select the topic you want to make updates to.
1. Choose **All severity levels** to receive notifications with High, Medium, and Low severity levels, or choose **Only High and Medium** to receive notifications with High and Medium severity levels.
1. Choose **Notify me on all updates to the insight**, or choose **Notify me when an insight is opened or closed, or the severity level changes from Low or Medium to High**.
1. Choose **Save**.
## Permissions added to your Amazon SNS topic
An Amazon SNS topic is a resource that contains an AWS Identity and Access Management (IAM) resource policy. When you specify a topic here, DevOps Guru appends the following permissions to its resource policy.
```
{
"Sid": "DevOpsGuru-added-SNS-topic-permissions",
"Effect": "Allow",
"Principal": {
"Service": "region-id.devops-guru.amazonaws.com"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:region-id:topic-owner-account-id:my-topic-name",
"Condition" : {
"StringEquals" : {
"AWS:SourceArn": "arn:aws:devops-guru:region-id:topic-owner-account-id:channel/devops-guru-channel-id",
"AWS:SourceAccount": "topic-owner-account-id"
}
}
}
```
These permissions are required for DevOps Guru to publish notifications using a topic. If you prefer to not have these permissions on the topic, you can safely remove them and the topic will continue to work as it did before you chose it. However, if these appended permissions are removed, DevOps Guru cannot use the topic to generate notifications.
# Filtering your DevOps Guru notifications
You can filter your DevOps Guru notifications by [Updating Amazon SNS notification configurations](update-notifications.md#update-notification-configurations) or by using a Amazon SNS subscription filter policy.
**Topics**
+ [Filtering notifications with a Amazon SNS subscription filter policy](#use-subscription-filter-policy)
+ [Example filtered Amazon SNS notification for Amazon DevOps Guru](#sample-filtered-notification)
## Filtering notifications with a Amazon SNS subscription filter policy
You can create an Amazon Simple Notification Service (Amazon SNS) subscription filter policy to reduce the number of notifications you receive from Amazon DevOps Guru.
Use a filter policy to specify the types of notifications you receive. You can filter your Amazon SNS messages using the following keywords.
+ `NEW_INSIGHT` — Receive a notification when a new insight is created.
+ `CLOSED_INSIGHT` — Receive a notification when an existing insight is closed.
+ `NEW_RECOMMENDATION` — Receive a notification when a new recommendation is created from an insight.
+ `NEW_ASSOCIATION` — Receive a notification when a new anomaly is detected from an insight.
+ `CLOSED_ASSOCIATION` — Receive a notification when an existing anomaly is closed.
+ `SEVERITY_UPGRADED` — Receive a notification when the severity of an insight is upgraded
For information about how to create an Amazon SNS subscription filter policy, see [Amazon SNS subscription filter policies](https://docs.aws.amazon.com/sns/latest/dg/sns-subscription-filter-policies.html) in the *Amazon Simple Notification Service Developer Guide*. In your filter policy, you specify one of the keywords with the policy's `MessageType`. For example, the following would appear in a filter that specifies the Amazon SNS topic only deliver notifications when a new anomaly is detected from an insight.
```
{
"MessageType":["NEW_ ASSOCIATION"]
}
```
## Example filtered Amazon SNS notification for Amazon DevOps Guru
The following is an example of an Amazon Simple Notification Service (Amazon SNS) notification from an Amazon SNS topic with a filter policy. Its `MessageType` is set to `NEW_ASSOCIATION`, so it sends notifications only when a new anomaly is detected from an insight.
```
{
"accountId": "123456789012",
"region": "us-east-1",
"messageType": "NEW_ASSOCIATION",
"insightId": "ADyf4FvaVNDzu9MA2-IgFDkAAAAAAAAAEGpJd5sjicgauU2wmAlnWUyyI2hiO5it",
"insightName": "Repeated Insight: Anomalous increase in Lambda ApigwLambdaDdbStack-22-Function duration due to increased number of invocations",
"insightUrl": "https://us-east-1.console.aws.amazon.com/devops-guru/insight/reactive/ADyf4FvaVNDzu9MA2-IgFDkAAAAAAAAAEGpJd5sjicgauU2wmAlnWUyyI2hiO5it",
"insightType": "REACTIVE",
"insightDescription": "At March 29, 2023 22:02 GMT, Lambda function ApigwLambdaDdbStack-22-Function had\n an increased duration anomaly possibly caused by the Lambda function invocation increase. DevOps Guru has detected this is a repeated insight. DevOps Guru treats repeated insights as 'Low Severity'.",
"startTime": 1628767500000,
"startTimeISO": "2023-03-29T22:00:00Z",
"anomalies": [
{
"id": "AG2n8ljW74BoI1CHu-m_oAgAAAF7Ohu24N4Yro69ZSdUtn_alzPH7VTpaL30JXiF",
"startTime": 1628767500000,
"startTimeISO": "2023-03-29T22:00:00Z",
"openTime": 1680127740000,
"openTimeISO": "2023-03-29T22:09:00Z",
"sourceDetails": [
{
"dataSource": "CW_METRICS",
"dataIdentifiers": {
"namespace": "AWS/SQS",
"name": "ApproximateAgeOfOldestMessage",
"stat": "Maximum",
"unit": "None",
"period": "60",
"dimensions": "{\"QueueName\":\"FindingNotificationsDLQ\"}"
}
}
],
"associatedResourceArns":[
"arn:aws:sns:us-east-1:123456789012:DevOpsGuru-insights-sns"
]
}
],
"resourceCollection":{
"cloudFormation":{
"stackNames":[
"CapstoneNotificationPublisherEcsApplicationInfrastructure"
]
}
}
}
```
## Updating AWS Systems Manager integration in DevOps Guru
You can enable the creation of an OpsItem for each new insight in AWS Systems Manager OpsCenter. OpsCenter is a centralized system where you can view, investigate, and review operational work items (OpsItems). The OpsItems for your insights can help you manage work that addresses the anomalous behavior that triggered the creation of each insight. For more information, see [AWS Systems Manager OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) and [Working with OpsItem](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-working-with-OpsItems.html) in the *AWS Systems Manager User Guide*.
**Note**
If you change the key or value of the tag field of an OpsItem, then DevOps Guru is not able to update that OpsItem. For example, if you change a tag of an OpsItem from `"aws:RequestTag/DevOps-GuruInsightSsmOpsItemRelated": "true"` to something else, then DevOps Guru cannot update that OpsItem.
**To manage your Systems Manager integration**
1. Open the Amazon DevOps Guru console at [https://console.aws.amazon.com/devops-guru/](https://console.aws.amazon.com/devops-guru/).
1. Choose **Settings** in the navigation pane.
1. In **AWS Systems Manager integration**, select **Enable DevOps Guru to create an AWS OpstItem in OpsCenter for each insight** to have an OpsItem created for each new insight. Deselect it to stop having an OpsItem created for each new insight.
You are charged for OpsItems created in your account. For more information, see [AWS Systems Manager pricing](https://aws.amazon.com/systems-manager/pricing/).
## Updating log anomaly detection in DevOps Guru
**To manage your log anomaly detection settings**
1. Open the Amazon DevOps Guru console at [https://console.aws.amazon.com/devops-guru/](https://console.aws.amazon.com/devops-guru/).
1. Choose **Settings** in the navigation pane.
1. In **Log anomaly detection**, select **Enable log anomaly detection by granting DevOps Guru permissions to display log data associated with an insight.** to have DevOps Guru display log data related to insights.
## Updating encryption settings in DevOps Guru
You can update encryption settings to use AWS owned keys or AWS KMS customer managed keys. When switching to a new customer managed AWS KMS key from an existing customer managed AWS KMS key, DevOps Guru automatically starts encrypting newly ingested metadata using the new key. The historical data will remain encrypted with the previous configured customer managed AWS KMS key.
**Note**
If you revoke the grant, or disable or delete the previous AWS KMS key, DevOps Guru won't be able to access any of the data encrypted by this key and you might see the `AccessDeniedException` when performing a read operation.
**To manage your encryption settings**
1. Open the Amazon DevOps Guru console at [https://console.aws.amazon.com/devops-guru/](https://console.aws.amazon.com/devops-guru/).
1. Choose **Settings** in the navigation pane.
1. In the **Encryption** section, choose **Edit encryption**.
1. Select the encrpytion type you would like to use to protect your data. You can use a default AWS owned key, choose an existing customer managed key, or create a new customer managed AWS KMS key.
1. Choose **Save**.
Encryption is an important part of DevOps Guru security. For more information, see [Data protection in Amazon DevOps Guru](data-protection.md).