Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.scaling.cloud/llms.txt

Use this file to discover all available pages before exploring further.

The AWS CloudWatch integration turns CloudWatch alarms into Scaling incidents. When an alarm transitions to ALARM, Scaling opens a new incident on the mapped component. When it returns to OK, the matching open incident is resolved.
AWS CloudWatch integration

How it works

  1. You create an AWS integration in Scaling and pick a component it maps to. Scaling issues a unique webhook URL.
  2. In AWS, you create an SNS topic, subscribe the webhook URL to it, and route your CloudWatch alarms to that topic.
  3. Scaling verifies every incoming SNS notification’s signature, pins the topic ARN on first delivery, and ingests the alarm.
  4. OK → ALARM opens a new incident on the mapped component. ALARM → OK resolves the matching open incident. INSUFFICIENT_DATA is ignored.
CloudWatch Alarm → SNS Topic → Scaling webhook → Incident created/resolved

State handling

Alarm transitionWhat Scaling does
OK → ALARMOpens a new incident on the mapped component.
ALARM → OKResolves the open incident matched by the alarm ARN.
ALARM → ALARMNo-op (deduplicated by the alarm’s resource identifier).
OK → INSUFFICIENT_DATANo-op.
INSUFFICIENT_DATA → OKNo-op.
Replays / re-deliveriesIdempotent — the same SNS message is processed at most once.
The opened incident flows through the same pipeline as any other incident: it can have an escalation policy attached, page on-call responders, post to Slack, and appear on a published status page.

Security model

  • HMAC signature verification — every SNS notification is verified against AWS’s published signing certificate. Notifications with invalid signatures are rejected. Scaling requires SignatureVersion=2 (RSA-SHA256); RSA-SHA1 (the SNS default) is no longer accepted.
  • Topic ARN pinning — the first valid SubscriptionConfirmation pins the topic ARN on the integration. Subsequent notifications with a different TopicArn are rejected.
  • Webhook tokens are revealed once — when you create the integration, the webhook URL is shown one time only. Scaling stores only a SHA-256 hash; if you lose the URL you must delete and recreate the integration.
  • No payload logging — Scaling does not log raw SNS payloads at info level. Structured logs reference only orgId and integrationId.
Keep your webhook URL secret. Anyone with the URL who can publish a valid signed SNS notification can open incidents in your organization. Rotate the integration if you suspect the URL has been exposed.

Setup

For a step-by-step walkthrough, see Ingest CloudWatch alarms. If your alarms are defined in AWS CDK, see Ingest CloudWatch alarms with AWS CDK for the TypeScript patterns that wire both ALARM and OK transitions. In short:
1

Create the integration in Scaling

Go to Settings → Integrations → AWS and click Add integration. Choose a name and the component you want alarms to open incidents on. Copy the webhook URL on the one-time reveal screen.
2

Create an SNS topic in AWS

In the AWS console, create a new SNS topic (Standard, not FIFO) in the region where your alarms live.
3

Subscribe the webhook URL

Add an HTTPS subscription to the topic, pasting the webhook URL you copied from Scaling. Set the subscription’s SignatureVersion to 2 (RSA-SHA256) — the SNS default of 1 (RSA-SHA1) is no longer accepted. Scaling will auto-confirm the subscription on first delivery.
4

Route alarms to the topic

On each CloudWatch alarm you want forwarded, set the topic as a notification target for In alarm and OK state changes.

One integration per topic

Each AWS integration is bound to one mapped component. If you want different alarms to open incidents on different components, create one integration (and one SNS topic) per component.
A common pattern is one SNS topic per service in AWS, with the service’s most important alarms routed there, and one matching Scaling integration mapping that topic to the service’s component. This keeps the open-incident signal tight and easy to reason about.

Removing an integration

Deleting an integration in Scaling stops ingestion immediately — any further deliveries to the webhook URL return 404. To stop AWS from retrying, remove the HTTPS subscription from the SNS topic on the AWS side.