elastic · gpop63 · Sep 16, 2025 · Sep 16, 2025 · Sep 17, 2025 · Sep 22, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.5.0"
+  changes:
+    - description: Add ec2_metrics, lambda, sqs and sns alert rule templates.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15346
 - version: "4.4.0"
   changes:
     - description: Prefer set with copy_from.

@@ -0,0 +1,28 @@
+{
+  "id": "ec2-high-cpu-utilization",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS EC2] CPU Usage High",
+    "tags": ["AWS EC2"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for CPU usage is >= 80, and the alerting rule is grouped by cloud account id, cloud region and instance id. You can adjust the threshold value by modifying the cpuutilization value in the WHERE clause.\nFROM metrics-aws.ec2_metrics-default\n| STATS cpuutilization=avg(host.cpu.usage*100) by cloud.account.id, cloud.region, aws.dimensions.InstanceId\n| WHERE cpuutilization >= 80"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "ec2-status-check-failed",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS EC2] Status Check Failed",
+    "tags": ["AWS EC2"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for status check failed is > 0, and the alerting rule is grouped by cloud account id, cloud region and instance id. You can adjust the threshold value by modifying the statusfailed value in the WHERE clause.\nFROM metrics-aws.ec2_metrics-default\n| STATS statusfailed=max(aws.ec2.metrics.StatusCheckFailed.avg) by cloud.account.id, cloud.region, aws.dimensions.InstanceId\n| WHERE statusfailed > 0"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "lambda-errors",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS Lambda] Errors High",
+    "tags": ["AWS Lambda"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for errors is > 0, and the alerting rule is grouped by cloud account id, cloud region and function name. You can adjust the threshold value by modifying the statusfailed value in the WHERE clause.\nFROM metrics-aws.lambda-default\n| STATS errors=sum(aws.lambda.Errors.avg) by cloud.account.id, cloud.region, aws.dimensions.FunctionName\n| WHERE errors > 0"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "lambda-throttles",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS Lambda] Throttles high",
+    "tags": ["AWS Lambda"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for throttles is > 0, and the alerting rule is grouped by cloud account id, cloud region and function name. You can adjust the threshold value by modifying the throttles value in the WHERE clause.\nFROM metrics-aws.lambda-default\n| STATS throttles=sum(aws.lambda.Throttles.avg) by cloud.account.id, cloud.region, aws.dimensions.FunctionName\n| WHERE throttles > 0"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "sns-notifications-failed",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS SNS] Notifications Failed",
+    "tags": ["AWS SNS"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for notifications failed is > 0, and the alerting rule is grouped by cloud account id, cloud region and topic name. You can adjust the threshold value by modifying the notificationsfailed value in the WHERE clause.\nFROM metrics-aws.sns-default\n| STATS notificationsfailed=avg(aws.sns.NumberOfNotificationsFailed.sum) by cloud.account.id, cloud.region, aws.dimensions.TopicName\n| WHERE notificationsfailed > 0"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "sns-notifications-filtered-out",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS SNS] Notifications Filtered Out High",
+    "tags": ["AWS SNS"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for notifications filtered out is > 0, and the alerting rule is grouped by cloud account id, cloud region and topic name. You can adjust the threshold value by modifying the notificationsfilteredout value in the WHERE clause.\nFROM metrics-aws.sns-default\n| STATS notificationsfilteredout=avg(aws.sns.NumberOfNotificationsFilteredOut-InvalidAttributes.sum) by cloud.account.id, cloud.region, aws.dimensions.TopicName\n| WHERE notificationsfilteredout > 0"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "sqs-messages-visible",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS SQS] Messages Visible High",
+    "tags": ["AWS SQS"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for messages visible is >= 1000, and the alerting rule is grouped by cloud account id, cloud region and queue name. You can adjust the threshold value by modifying the msgsvisible value in the WHERE clause.\nFROM metrics-aws.sqs-default\n| STATS msgsvisible=max(aws.sqs.messages.visible) by cloud.account.id, cloud.region, aws.dimensions.QueueName\n| WHERE msgsvisible >= 1000"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+  "id": "sqs-oldest-message",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[AWS SQS] Oldest Message Age High",
+    "tags": ["AWS SQS"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "5m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// The recommended threshold value for oldest message age is >= 300, and the alerting rule is grouped by cloud account id, cloud region and queue name. You can adjust the threshold value by modifying the oldestmsgage value in the WHERE clause.\nFROM metrics-aws.sqs-default\n| STATS oldestmsgage=max(aws.sqs.oldest_message_age.sec) by cloud.account.id, cloud.region, aws.dimensions.QueueName\n| WHERE oldestmsgage >= 300"
+      },
+      "groupBy": "row",
+      "timeField": "event.ingested"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
@@ -1,7 +1,7 @@
-format_version: 3.3.2
+format_version: 3.5.0
 name: aws
 title: AWS
-version: "4.4.0"
+version: 4.5.0
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories:
@@ -15,7 +15,7 @@ conditions:
   elastic:
     subscription: basic
   kibana:
-    version: "^8.19.0 || ^9.1.0"
+    version: "^9.2.1"
 screenshots:
   - src: /img/metricbeat-aws-overview.png
     title: metricbeat aws overview