AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-10-16 · Documentation low

File: AmazonCloudWatch/latest/monitoring/Investigations-Investigate.md

Summary

Restructured investigation documentation by splitting detailed procedures into separate linked pages, simplified table of contents, and added overview section

Security assessment

The changes primarily reorganize content architecture without introducing new security-related content or addressing specific vulnerabilities. While the documentation mentions security-adjacent concepts like Automation runbooks and IAM permissions, these were already present in previous versions and are not newly added or modified in a security context.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/Investigations-Investigate.md b/AmazonCloudWatch/latest/monitoring/Investigations-Investigate.md
index d4715f269..f03207634 100644
--- a//AmazonCloudWatch/latest/monitoring/Investigations-Investigate.md
+++ b//AmazonCloudWatch/latest/monitoring/Investigations-Investigate.md
@@ -5 +5 @@
-Create an investigation from an AWS console pageCreate an investigation from a CloudWatch Application Signals Service Level Objective (SLO)Create an investigation from Amazon Q chatCreate an investigation from a CloudWatch alarm actionView and continue an open investigationReviewing and executing suggested runbook remediations
+# Investigate operational issues in your environment
@@ -7 +7 @@ Create an investigation from an AWS console pageCreate an investigation from a C
-# Use your investigation group to investigate operational issues in your environment
+You can create investigations in several ways depending on your workflow and the source of the issue you're investigating. Once an investigation is active, you can review AI-generated suggestions, accept or discard findings, and take remediation actions through automated runbooks.
@@ -9,128 +9 @@ Create an investigation from an AWS console pageCreate an investigation from a C
-###### Contents
-
-  * [Create an investigation from an AWS console page](./Investigations-Investigate.html#Investigations-CreateInvestigation-Panel)
-
-  * [Create an investigation from a CloudWatch Application Signals Service Level Objective (SLO)](./Investigations-Investigate.html#Investigations-CreateInvestigation-SLO)
-
-  * [Create an investigation from Amazon Q chat](./Investigations-Investigate.html#Investigations-CreateInvestigation-QChat)
-
-  * [Create an investigation from a CloudWatch alarm action](./Investigations-Investigate.html#Investigations-CreateInvestigation-AlarmAction)
-
-  * [View and continue an open investigation](./Investigations-Investigate.html#Investigations-Continue)
-
-  * [Reviewing and executing suggested runbook remediations for CloudWatch investigations](./Investigations-Investigate.html#suggested-investigation-actions)
-
-
-
-
-## Create an investigation from an AWS console page
-
-You can start an investigation from several AWS consoles, including (but not limited to) CloudWatch alarm pages, CloudWatch metric pages, and Lambda monitoring pages. 
-
-###### To start an investigation from an AWS console page
-
-  1. In the console page, select the graph of the metric or alarm that you want to investigate.
-
-  2. If the top of the page has an **Investigate** button, choose it and then choose **Start new investigation**.
-
-Otherwise, choose the vertical ellipsis menu icon  ![Depicts the appearance of the vertical ellipsis icon on the console](/images/AmazonCloudWatch/latest/monitoring/images/vmore.png) for the metric, and choose **Investigate** , **Start a new investigation**.
-
-  3. In the **Investigation** pane, enter a name for the investigation in **New investigation title** , and optionally enter notes about the selected metric or alarm. 
-
-  4. Under **Approximate impact start time** CloudWatch investigations recommends a timestamp to investigate based on the selected telemetry. To change the timestamp of the investigation, update the date and time. 
-
-  5. Then choose **Start investigation**.
-
-The investigation starts. CloudWatch investigations scans your telemetry data to find data that might be associated with this situation.
-
-  6. To move the investigation data to the larger pane, choose **Open in full page**.
-
-  7. For detailed instructions about steps that you can take while continuing the investigation, see View and continue an open investigation.
-
-
-
-
-## Create an investigation from a CloudWatch Application Signals Service Level Objective (SLO)
-
-You can start an investigation from a CloudWatch Application Signals Service Level Objective (SLO) metric.
-
-###### To start an investigation from a CloudWatch Application Signals Service Level Objective (SLO)
-
-  1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
-
-  2. Navigate to the **Applications Signals (APM)** , **Service Level Objectives (SLO)** console page.
-
-  3. Select an entry from the **Service Level Objectives (SLO)** list to display the metrics available for that SLO.
-
-  4. Select a metric, then choose **Investigate** from the **Action** menu.
-
-Alternatively, in the visualization of the metric you want to investigate, next to the more  ![Vertical ellipsis used to display more options.](/images/AmazonCloudWatch/latest/monitoring/images/vmore.png) menu, select the AI  ![Icon used to represent a feature that uses artificial intelligence .](/images/AmazonCloudWatch/latest/monitoring/images/cw-ai-icon.png) icon to start an investigation.
-
-###### Note
-
-If you have not configured operational investigations in your account, the AI icon opens the **Operation troubleshooting** pane. Select **Get started** to configure an investigation group and then continue.
-
-  5. In the **Operational troubleshooting** pane on the **Investigate** , under **Investigation title** enter a name for the investigation and optionally enter notes about the selected metric. 
-
-  6. Under **Approximate impact start time** CloudWatch investigations recommends a timestamp to investigate based on the selected telemetry. To change the timestamp of the investigation, update the date and time. 
-
-  7. Then choose **Start investigation**.
-
-The investigation starts. CloudWatch investigations scans your telemetry data to find data that might be associated with this situation.
-
-  8. To move the investigation data to the larger pane, choose **Open in full page**.
-
-  9. For detailed instructions about steps that you can take while continuing the investigation, see View and continue an open investigation.
-
-
-
-
-## Create an investigation from Amazon Q chat
-
-You can ask questions about issues in your deployment in Amazon Q chat. The question could be something like "Why is my Lambda function slow today?"
-
-When you do so, Amazon Q might ask follow up questions and run a health check regarding the issue. After the health check, the chat will prompt you about whether you want to start an investigation.
-
-For more information and more sample questions, see [Chatting with Amazon Q about AWS](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/chat-with-q.html#example-questions-investigations). 
-
-For detailed instructions about steps that you can take while continuing the investigation after it has been started, see View and continue an open investigation.
-
-## Create an investigation from a CloudWatch alarm action
-
-When you create a CloudWatch alarm, you can specify for it to automatically start an investigation when it goes into ALARM state. You can do this for both metric alarms and composite alarms. For more information, see [Start a CloudWatch investigations from an alarm](./Start-Investigation-Alarm.html), [Create a CloudWatch alarm based on a static threshold](./ConsoleAlarms.html) and [Create a composite alarm](./Create_Composite_Alarm_How_To.html).
-
-## View and continue an open investigation
-
-Use the steps in this section to view and continue and existing investigation
-
-###### To view and continue an investigation
-
-  1. If you aren't already on the page for the investigation, do the following:
-
-    1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
-
-    2. In the left navigation pane, choose **AI Operations** , **Investigations**.
-
-    3. Choose the name of the investigation.
-
-  2. The **Feed** section displays the items that have been added to the investigation findings, including the metric or alarm that was originally selected to start the investigation with.
-
-The pane on the right includes tabs. Choose the **Suggestions** tab.
-
-  3. The **Suggestions** tab displays _observations_ of other telemetry that CloudWatch investigations has found that might be related to the investigation. It might also include _hypotheses_ , which are possible reasons or root causes that CloudWatch investigations has found for the situation.
-
-Both observations and hypotheses are written in natural language by CloudWatch investigations.
-
-You have several options:
-
-     * For each suggestion, you can choose **Accept** or **Discard**.
-
-When you choose **Accept** , the suggestion is added to the **Feed** section, and CloudWatch investigations uses this information to direct further scanning and suggestions.
-
-If you choose **Discard** , the suggestion is moved to the **Discarded** tab.
-
-     * For each observation-type suggestion, you can choose to expand the graph in the **Suggestions** tab, or open it in the CloudWatch console to see more details about it.
-
-     * Some of the observations might be results of CloudWatch Logs Insights queries that CloudWatch investigations ran as part of the investigation. When an observation is a CloudWatch Logs Insights query result, the query itself is displayed as part of the observation. You can edit the query and re-run it. To do so, choose the vertical ellipsis menu icon  ![An example of a CloudWatch overview home page, showing alarms and their current state, and examples of other metrics graph widgets that might appear on the overview home page.](/images/AmazonCloudWatch/latest/monitoring/images/vmore.png) by the results, and then choose **Open in Logs Insights**. For more information, see [Analyzing log data with CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html).
-
-     * If you know of telemetry in an AWS service that might apply to this investigation, you can go to that service's console and add the telemetry to the investigation. For example, to add a Lambda metric to the investigation, you can do the following:
+The following procedures show you how to start investigations from different entry points and how to work with active investigations:
@@ -138,131 +11 @@ If you choose **Discard** , the suggestion is moved to the **Discarded** tab.
-       1. Open the Lambda console.
-
-       2. In the **Monitor** section, find the metric.
-
-       3. Open the vertical ellipsis context menu  ![An example of a CloudWatch overview home page, showing alarms and their current state, and examples of other metrics graph widgets that might appear on the overview home page.](/images/AmazonCloudWatch/latest/monitoring/images/vmore.png) for the metric, choose **Investigate** , **Add to investigation** Then, in the **Investigate** pane, select the name of the investigation.
-
-     * When you view a hypothesis in the **Suggestions** tab, you can choose **Show reasoning** to display the data that CloudWatch investigations used to generate the hypothesis. For hypotheses involving multiple resources, you may also see a visual representation showing the causal relationships between the resources as connected nodes.
-
-     * You can choose the **Discarded** tab and view the suggestions that have been previously discarded. To add one of them to the findings, choose **Restore to findings**.
-
-     * To add notes to the findings, choose **New note** in the **Feed** pane. Then enter your notes and choose **Add**.
-
-  4. When you add a hypothesis to the **Feed** area, it might display **Show suggested actions**. If so, choosing this displays possible actions that you can take, assuming that hypothesis is correct about the issue. Possible actions include the following:
-
-     * **Documentation suggestions** are links to AWS documentation that can help you understand the issue that you are working on, and how to solve it. To view suggested documentation, choose its **Review** link
-
-     * **Runbook suggestions** are suggestions that leverage the pre-defined _runbooks_ in Systems Manager Automation. Each runbook defines a number of steps for performing a task on an AWS resource.
-
-###### Important
-
-There is a charge for executing an Automation runbook. However, CloudWatch investigations provides you with a preview of actions that a suggested runbook takes, giving you an opportunity to better evaluate whether to execute the runbook. For information about Automation pricing, see [AWS Systems Manager pricing for Automation](https://aws.amazon.com/systems-manager/pricing/#Automation).
-
-For information about continuing with a runbook action, see Reviewing and executing suggested runbook remediations for CloudWatch investigations before continuing with the following step in this procedure.
-
-  5. To end an investigation, choose **End investigation** and then optionally add final notes. Then choose **Save**. 
-
-The investigation status changes to **Archived**. You can restart archived investigations by opening the investigation page and choosing **Restart investigation**.
-
-We recommend that you don't leave investigations open indefinitely, because alarm state transitions related to the investigation will keep being added to the investigation as long as it is open.
-
-
-
-
-###### Note
-
-At some point, you might see **Completed the analysis. Finished with the investigation.** displayed above the **Feed** area. If you then add more telemetry to the findings, this message changes and CloudWatch investigations begins scanning your telemetry again, based on the new data that you added to the findings.
-
-## Reviewing and executing suggested runbook remediations for CloudWatch investigations
-
-When you add a hypothesis to the **Feed** area of an active investigation, CloudWatch investigations might display **Show suggested actions**. One suggested action might be to view documentation with information to help you remediate a problem manually.
-
-Another suggestion might be to use an _Automation runbook_ to attempt to automatically resolve the issue. Automation is a capability in Systems Manager, another AWS service. Automation runbooks define a series of steps, or actions, to be run on the resources that you select. Each runbook is designed to address a specific issue. Runbooks can address a variety of operational needs: Creating, repairing, reconfiguring, installing, troubleshooting, remediating, duplicating, and more. For more information about Automation, see [Integration with AWS Systems Manager Automation](./Investigations-Integrations.html#Investigations-Integrations-SSM).
-
-###### Before you begin
-
-Before working with Automation runbooks in an investigation, be aware of the following important considerations:
-
-  * Choosing to execute a runbook incurs charges. For information, see [AWS Systems Manager pricing](https://aws.amazon.com/systems-manager/pricing/#Automation). 
-
-  * Root causes and runbook suggestions are powered by automated reasoning and generative artificial intelligence services.
-
-###### Important
-
-You are responsible for actions that result from executing runbook steps and the choice of parameter values entered during runbook execution. You might need to edit the suggested runbook to make sure the runbook performs as expected. For more information, see [**AWS responsible AI policy**](https://aws.amazon.com/ai/responsible-ai/policy/).
-
-  * Depending on the runbook, you might need to enter values for the runbook's **Input parameters** before the execution can run.
-
-  * The runbook executes using the IAM permissions assigned to the operator. If necessary, sign in with different IAM permissions to execute the runbook. In addition to permissions for the actions being taken, you'll need additional Systems Manager permissions to execute runbook steps. For more information, see [Setting up Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html) in the _AWS Systems Manager User Guide_.
-