

# Using Internet Monitor
<a name="CloudWatch-InternetMonitor"></a>

Internet Monitor provides visibility into how internet issues impact the performance and availability between your applications hosted on AWS and your end users. It can reduce the time it takes for you to diagnose internet issues from days to minutes. Internet Monitor uses the connectivity data that AWS captures from its global networking footprint to calculate a baseline of performance and availability for internet-facing traffic. This is the same data that AWS uses to monitor internet uptime and availability. With those measurements as a baseline, Internet Monitor raises awareness for you when there are significant problems for your end users (clients) in the different geographic locations where your application runs.

In the Amazon CloudWatch console, you can see a global view of traffic patterns and health events, and easily drill down into information about events, at different geographic granularities (locations). You can clearly visualize impact, and pinpoint the client locations and networks (ASNs, typically internet service providers or ISPs) that are affected. If Internet Monitor determines that an internet availability or performance issue is caused by a specific ASN or by the AWS network, it provides that information.

To get started, create a monitor that includes one or more resources, so Internet Monitor can create a traffic profile for your AWS application. Then, view information in the Internet Monitor dashboard to visualize data and get insights and suggestions about your application's internet traffic.

For information about Regional support, pricing, how Internet Monitor works, and other overview content, see [What is Internet Monitor?](CloudWatch-InternetMonitor.what-is-cwim.md). To begin working with Internet Monitor, see [Getting started with Internet Monitor using the console](CloudWatch-IM-get-started.md).

# What is Internet Monitor?
<a name="CloudWatch-InternetMonitor.what-is-cwim"></a>

With Internet Monitor, you can monitor your application's internet performance and availability, so that you can visualize data and get insights and suggestions about your AWS application's internet traffic. You can also get suggestions for ways to reduce latency for your application, by using different Regions or AWS services, like Amazon CloudFront.

**Key features of Internet Monitor**
+ Internet Monitor suggests insights and recommendations that can help you improve your end users' experience. You can explore, in near real-time, how to improve the projected latency of your application by switching to use other services, or by rerouting traffic to your workload through different AWS Regions.
+ Internet Monitor stores internet measurements for pairs of your client locations and ASNs, or *city-networks*. Internet Monitor also creates aggregated CloudWatch metrics for traffic to your application, and to each AWS Region and edge location. With the Internet Monitor dashboard, you can quickly identify what's impacting your application's performance and availability, so that you can track down and address issues.
+ Internet Monitor also publishes internet measurements to CloudWatch Logs and CloudWatch Metrics, to support using CloudWatch tools to explore data for city-networks that are specific to your monitored application traffic. Optionally, you can also publish internet measurements to Amazon S3.
+ Internet Monitor sends overall (global) health events to Amazon EventBridge so that you can set up notifications. (Local health events are not published to EventBridge.) If an issue is caused by the AWS network, you also automatically receive an AWS Health Dashboard notification with the steps that AWS is taking to mitigate the problem.

**How to use Internet Monitor**

To use Internet Monitor, you create a *monitor* and associate your application's resources with it—VPCs, Network Load Balancers, CloudFront distributions, or WorkSpaces directories—to enable Internet Monitor to know where your application's internet-facing traffic is. Internet Monitor then publishes internet measurements from AWS that are specific to the *city-networks*, that is, the client locations and ASNs (typically internet service providers or ISPs), where clients access your application. For more information, see [How Internet Monitor works](CloudWatch-IM-inside-internet-monitor.md). To begin working with Internet Monitor, see [Getting started with Internet Monitor using the console](CloudWatch-IM-get-started.md).

**Topics**
+ [Supported Regions](CloudWatch-InternetMonitor.Regions.md)
+ [Components](CloudWatch-IM-components.md)
+ [How it works](CloudWatch-IM-inside-internet-monitor.md)
+ [Use cases](CloudWatch-IM-use-cases.md)
+ [Internet weather map](CloudWatch-InternetMonitor.outage-map.md)
+ [Cross-account observability](cwim-cross-account.md)
+ [Pricing](CloudWatch-InternetMonitor.pricing.md)

# Supported AWS Regions for Internet Monitor
<a name="CloudWatch-InternetMonitor.Regions"></a>

The AWS Regions and AWS Local Zones where Amazon CloudWatch Internet Monitor is supported are listed in this section. For more information about Regions that Internet Monitor is supported in, including opt-in Regions, see [Amazon CloudWatch Internet Monitor endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/cwim_region.html) in the *Amazon Web Services General Reference*.

Note that Internet Monitor stores data for a monitor in only the AWS Region in which you create the monitor, although a monitor can include resources in multiple Regions.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.Regions.html)


For Local Zones support, you must enable the Local Zone and attach it to the VPC that you want to monitor internet traffic for. Internet Monitor does not support Local Zones for other resource types. The Local Zones that are supported are listed in the following table.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.Regions.html)

# Components and terms for Internet Monitor
<a name="CloudWatch-IM-components"></a>

Internet Monitor uses or references the following concepts.

**Monitor**  
A monitor includes the resources for a single application that you want to view internet performance and availability measurements for, and that you want to get health event alerts about. When you create a monitor for an application, you add resources for the application to define the cities (locations) for Internet Monitor to monitor. Internet Monitor uses the traffic patterns from the application resources that you add so that it can publish internet performance and availability measurements specific to just the locations and ASNs (typically, internet service providers or ISPs) that communicate with your application. In other words, the resources that you add create a scope of the *city-networks* that you want Internet Monitor to monitor and that you want it to publish measurements for.

**Resource added to monitor ("monitored resource")**  
A resource that you add to a monitor is a "monitored resource" in Internet Monitor. That is:  
+ Each VPC that you add in a Region is a monitored resource. When you add a VPC, Internet Monitor monitors the traffic for any internet-facing application in the VPC, for example, an application hosted on an Amazon EC2 instance, behind a Network Load Balancer, or an AWS Fargate container.
+ Each Network Load Balancer that you add in a Region is a monitored resource.
+ Each WorkSpaces directory that you add in a Region is a monitored resource.
+ Each CloudFront distribution that you add is a monitored resource.

**Autonomous System Number (ASN)**  
In Internet Monitor, an ASN typically refers to an internet service provider (ISP), such as Verizon or Comcast. An ASN is a network provider that a client uses to access your internet application. An Autonomous System (AS) is a set of internet routable internet protocol (IP) prefixes that belong to a network or a collection of networks that are all managed, controlled, and supervised by one organization. 

**City-network (location and ASN)**  
A city-network is the location (such as a city) that clients access your application resources from and the ASN, typically an internet service provider (ISP), that clients access the resources through. To help control your bill, you can set a limit for the maximum number of city-networks for Internet Monitor to monitor for each monitor. You pay only for the actual number of city-networks that you monitor, up to the maximum number. For more information, see [Choosing a city-network maximum limit](IMCityNetworksMaximum.md). 

**Internet measurements**  
Internet Monitor also publishes internet measurements to log files in CloudWatch Logs every five minutes for the top 500 city-networks for your monitored application traffic.  
These measurements quantify the performance score, availability score, bytes transferred (bytes in and bytes out), and round-trip time for your application's city-networks. These are measurements for the city-networks specific to your VPCs, Network Load Balancers, CloudFront distributions, or WorkSpaces directories. Optionally, you can choose to publish internet measurements and events for all monitored city-networks (up to the 500,000 city-networks service limit) to an Amazon S3 bucket.

**Metrics**  
Internet Monitor generates aggregated metrics for CloudWatch metrics, for global traffic to your application and global traffic to each AWS Region. For more information, see [View Internet Monitor metrics or set alarms in CloudWatch Metrics](CloudWatch-IM-view-cw-tools-metrics-dashboard.md).

**Health event**  
Internet Monitor creates a health event to alert you to a specific problem that affects your application. Internet Monitor detects internet issues, such as increased network latency, across the world. It then uses its historical internet measurements from across the AWS global infrastructure footprint to calculate the impact of current issues on your application, and creates health events. Internet Monitor, by default, creates health events based on both overall impact and local impact thresholds. To learn more about health events, see [When Internet Monitor creates and resolves health events](CloudWatch-IM-inside-internet-monitor.md#IMHealthEventStartStop).  
The default health event threshold, for both performance scores and availability scores, is 95%. If you like, you can specify your own custom thresholds for when Internet Monitor creates health events. For more information about configuring thresholds, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview).   
Each health event includes information about the impacted city-networks. You can view health events in the CloudWatch console, or by using an AWS SDK or AWS CLI with Internet Monitor API actions. Internet Monitor also sends Amazon EventBridge notifications for health events. For more information, see [When Internet Monitor creates and resolves health events](CloudWatch-IM-inside-internet-monitor.md#IMHealthEventStartStop).

**Internet event**  
Internet Monitor displays information about recent global health events, called internet events, on an internet weather map that is available to all AWS customers. You don't need to create a monitor in Internet Monitor to view the internet weather map. Unlike health events, internet events are not specific to individual customers or their application traffic. For more information, see [Global internet weather map in Internet Monitor](CloudWatch-InternetMonitor.outage-map.md).

**Thresholds**  
Internet Monitor creates health events based on both overall thresholds and local thresholds. You can change the default thresholds and configure other options, such as turning off local thresholds. For more information about configuring thresholds, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview). 

**Performance and availability scores**  
By analyzing the data that AWS collects, Internet Monitor can detect when the performance and availability for your application has dropped, compared to estimated baselines that Internet Monitor calculates. To make it easier to see those drops, Internet Monitor reports the information to you as scores. A performance score represents the estimated percentage of traffic that is **not** seeing a performance drop. Similarly, an availability score represents the estimated percentage of traffic that is **not** seeing an availability drop. For more information, see [How AWS calculates performance and availability scores](CloudWatch-IM-inside-internet-monitor.md#IMExperienceScores).

**Bytes transferred and monitored bytes transferred**  
Bytes transferred is the total number of bytes of ingress and egress traffic between an application in AWS and the city-network (that is, the location and the ASN, typically the internet service provider) where clients access an application. Monitored bytes transferred is a similar metric, but includes only bytes for monitored traffic.

**Round-trip time**  
Round-trip time (RTT) is how long it takes for a request from a client user to return a response to the user. When RTT is aggregated across client locations (cities or other geographies), the value is weighted by how much of your application traffic is driven by each client location.

# How Internet Monitor works
<a name="CloudWatch-IM-inside-internet-monitor"></a>

This section provides information about how Internet Monitor works. This includes descriptions of how AWS collects the data that it uses to help detect connectivity issues across the internet, and how performance and availability scores are calculated. 

**Contents**
+ [How Internet Monitor focuses on just your application traffic footprint](#IMTheAWSAdvantage)
+ [How AWS measures connectivity issues and calculates measurements](#IMHowAWSMeasuresConnectivityIssues)
+ [Geolocation accuracy in Internet Monitor](#IMGeolocationSourceAccuracy)
+ [When Internet Monitor creates and resolves health events](#IMHealthEventStartStop)
+ [Health event report timing](#IMEventDelay)
+ [How Internet Monitor works with IPv4 and IPv6 traffic](#IMIPv4IPv6)
+ [How Internet Monitor selects the subset of city-networks to include](#IM100citynetworks)
+ [How the global internet weather map is created (Frequently Asked Questions)](#IMGlobalOutagesFAQ)

**How Internet Monitor focuses on just your application traffic footprint**  
Internet Monitor focuses monitoring on just the subset of the internet that's accessed by the users of your AWS resources, instead of broadly monitoring your website from every Region in the world as other tools do. It’s also a cost-effective solution, affordable for large and small companies.  
Internet Monitor uses the same powerful probes and issue-detection algorithms that AWS takes advantage of internally and alerts you to connectivity issues that affect your application by creating health events in Internet Monitor. Internet Monitor then gives you access to the resulting performance and availability map, by overlaying the traffic profile that it creates from your active viewers, based on your application resources.   
Using this information, Internet Monitor shows you just relevant events (that is, the events from places where you have active viewers), and just the impact those events have on your overall viewer volume. So, how much impact an event has, percentage-wise, is based on your total traffic worldwide.  
Internet Monitor stores internet measurements for pairs of your client locations and ASNs, or *city-networks*. Internet Monitor also creates aggregated CloudWatch metrics for traffic to your application, and to each AWS Region and edge location.  
In addition, Internet Monitor publishes internet measurements to CloudWatch Logs every five minutes for the top 500 city-networks that send traffic to each monitor, to support using CloudWatch tools and other methods with your data. Optionally, you can choose to publish internet measurements for all monitored city-networks (up to the 500,000 city-networks service limit) to an Amazon S3 bucket. For more information, see [Publish internet measurements to Amazon S3 in Internet Monitor](CloudWatch-IM-get-started.Publish-to-S3.md).  
The benefits of Internet Monitor include the following:  
+ Using Internet Monitor doesn't place additional load or cost on your application that's hosted on AWS.
+ You don't need to include performance measurement code in your client-side resources, or in your application.
+ You can get visibility into performance and availability across the internet that your application is connected to, including "last mile" information.
Note that because Internet Monitor creates measurements based on your AWS resources, Internet Monitor only creates events that are specific to your application traffic. Global internet issues in general are not reported. In addition, when the service location is an AWS Region, the measurements and events emitted are designed to represent connectivity at a Regional level and don’t accurately represent connectivity between an end user location and an Availability Zone. 

**How AWS measures connectivity issues and calculates measurements**  
Internet Monitor uses internet connectivity data between different AWS Regions and Amazon CloudFront points of presence (POPs) to different client locations through Autonomous System Numbers (ASNs), typically internet service providers (ISPs). This is the connectivity data that is used internally by AWS operators, on a daily basis, to proactively detect connectivity issues across the global internet.   
For every AWS Region, we know which portions of the internet communicate with the Region and do the following:  
+ We actively monitor those portions of the internet, with a rolling 30-day window.
+ We use both network and higher-level protocol probes, including both inbound and outbound probing.
AWS has active and passive probes that measure the latency (performance) at the 90th percentile and reachability (availability) from every AWS Region and from the CloudFront service to the entire internet. Abnormal patterns in connectivity between a service and a customer location are monitored, and then reported as alerts to the customer.  
See the following sections for details:  
+ [Calculating availability and RTT](#IMCalculateLatency)
+ [Calculating performance and availability scores](#IMExperienceScores)
+ [Calculating TTFB and RTT (latency)](#IMCalculateTTFB)
+ [Regional and Availability Zone measurements and aggregation](#IMRegionalAZaggregation)  
**Calculating availability and RTT**  
Round-trip time (RTT) is how long it takes for a request from the user to return a response to the user. When round-trip time is aggregated across end user locations, the value is weighted by the amount of your traffic that is driven by each end user location.   
As an example, with two end user locations, one serving 90% of traffic with a 5 ms RTT, and the other serving 10% of traffic with a 10 ms RTT, the result is an aggregated RTT of 5.5 ms (which comes from 5 ms × 0.9 + 10 ms × 0.1).  
Note that whether last-mile latency is measured differs by resource type. For Internet Monitor latency measurements, VPCs, Network Load Balancers, and WorkSpaces directories do not include last-mile latency.  
**Calculating performance and availability scores**  
AWS has substantial historical data about internet performance and availability between AWS services and different city-networks (locations and ASNs). By applying statistical analysis to the data, Internet Monitor can detect when the performance and availability for your application has dropped, compared to an estimated baseline that it has calculated. To make it easier to see those drops, that information is reported to you in the form of health scores: a performance score and an availability score.  
Health scores are calculated at different granularities. At the finest granularity, we compute the health score for a geographic region, such as a city or a metro area, and an ASN (a *city-network*). We also roll up the individual health scores to overall health score numbers for an application in a monitor. If you view performance or availability scores without filtering for any specific geography or service provider, Internet Monitor provides overall health scores.  
Overall health scores span your whole application for the specified time period. When the performance or availability score for your application's city-network pairs across your application reaches or drops below the corresponding health event threshold for performance or availability, Internet Monitor triggers a health event. By default, the threshold is 95% for both overall performance and availability. Internet Monitor also creates health events based on local thresholds—if the option is enabled, as it is by default—based on values that you configure. To learn more about configuring health event thresholds, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview).  
When you explore information in the monitor and log files to investigate issues and learn more, you can filter by specific cities (locations), networks (ASNs or internet service providers), or both. So, you can use filters to see health scores for different cities, ASNs, or city-network pairs, depending on the filters that you choose.  
+ An *availability score* represents the estimated percentage of traffic that is **not** seeing an availability drop. Internet Monitor estimates the percentage of traffic experiencing a drop from the total traffic seen and availability metrics measurements. For example, an availability score of 99% for an end user and service location pair is equivalent to 1% of the traffic experiencing an availability drop for that pair.
+ A *performance score* represents the percentage of traffic that is **not** seeing a performance drop. For example, a performance score of 99% for an end user and service location pair is equivalent to 1% of the traffic experiencing a performance drop for that pair.  
**Calculating TTFB and RTT (latency)**  
Time to first byte (TTFB) refers to the time between when a client makes a request and when it receives the first byte of information from the server. AWS calculations for TTFB measure the time elapsed from Amazon EC2 or Amazon CloudFront to the Internet Monitor measurement node (including the last mile of the node). That is, Internet Monitor measures time from the user to the Amazon EC2 Region for TTFB for EC2, and from the user to CloudFront for TTFB for CloudFront.  
For round-trip time (RTT), Internet Monitor includes the time from the city-network (that is, the client location and ASN, typically an internet service provider), as mapped by the public IP address, to the AWS Region. This means that Internet Monitor does not have last mile visibility for users who access the internet from behind a gateway or VPN.  
Note that whether last-mile latency is measured differs by resource type. For Internet Monitor latency measurements, VPCs, Network Load Balancers, and WorkSpaces directories do not include last-mile latency.  
Internet Monitor includes average TTFB information in the **Traffic optimization suggestions** section of the **Traffic insights** tab on the CloudWatch dashboard, to help you evaluate options for different setups for your application that can improve performance.  
**Regional and Availability Zone measurements and aggregation**  
Although Internet Monitor aggregates measurements and shares impact at a Regional level, it calculates impact at an Availability Zone (AZ) level. This means that, if, for an event, only one AZ is impacted and most of your traffic flows through that AZ, you do see impact for your traffic. However, for the same event, if your application traffic does not flow through an impacted AZ, you do not see impact.  
Note that this applies only to resources that aren't WorkSpaces directories. WorkSpaces directories are measured only on a Regional level.

**Geolocation accuracy in Internet Monitor**  
For location information, Internet Monitor uses IP-geolocation data supplied by [MaxMind](https://dev.maxmind.com/geoip). The accuracy of the location information in Internet Monitor measurements depends on the accuracy of MaxMind's data.   
Be aware that `Metro` level measurements might not be accurate for locations outside of the United States.

**When Internet Monitor creates and resolves health events**  
Internet Monitor creates and closes health events for the application traffic that you monitor based on the current thresholds that are set. Internet Monitor has a default threshold configuration, and you can also set your own configuration for thresholds. Internet Monitor determines the overall impact that connectivity issues are having on your application, and the impact on local areas where your application has clients, and creates health events when the thresholds are crossed.  
Internet Monitor calculates the impact of connectivity issues on a client location based on the historical data about internet performance and availability for network traffic that's available to the service through AWS. It applies the information relevant to your application, based on the geographic locations for ASNs and services where clients use your application: the city-network pairs that are affected. The locations are determined from the resources that you add to your monitor. Then Internet Monitor uses statistical analysis to detect when performance and availability has dropped, affecting the client experience for your application.  
The performance and availability scores that Internet Monitor calculates are represented as the percentage of traffic that is **not** seeing a drop. Impact is the opposite of this: it's a representation of how much an issue is problematic for a customer's end users. So if the global availability score drops to 93%, for example, the corresponding impact would be 7%.  
When the performance or availability score for your application's city-network pairs globally reaches or drops below the corresponding health event threshold for performance or availability, this triggers Internet Monitor to generate a health event. By default, the threshold is 95% for both performance and availability. The values to meet, or drop below, the threshold are cumulative, so it could mean several smaller events combine to meet the threshold percentage, or that a single event meets or falls below the threshold level.  
As long as performance or availability scores that triggered the event are at or below the corresponding health event threshold percentage for overall impact, the health event stays active. When the score or combined scores that triggered the event rise above the threshold, Internet Monitor resolves the health event.  
Internet Monitor also creates health events based on local thresholds and the percentage of overall traffic that an issue has an impact on. You can configure options for local thresholds, or turn off local thresholds altogether.  
The default health event threshold, for both performance scores and availability scores, is 95%. If you like, you can specify your own custom thresholds for when Internet Monitor creates health events. For more information about configuring thresholds, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview). 
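
The open-and-resolve behavior described above can be modeled as follows. This Python sketch is an added example, not AWS code or the algorithm Internet Monitor runs. It assumes each concurrent issue is expressed as a percentage of the application's total traffic and that the overall score is 100 minus the cumulative impact; the interval labels and impact values are constructed sample data.

```python
"""Simplified model of overall health event creation and resolution.

Added example: illustrates the threshold rules described on this page.
It is not the statistical analysis that Internet Monitor performs.
"""
from dataclasses import dataclass

# Default overall threshold for performance and availability, per this page.
DEFAULT_THRESHOLD = 95.0


@dataclass
class Interval:
    label: str
    # Percent of total application traffic affected by each concurrent
    # issue during this interval (assumption: impacts are additive).
    impacts: list


def overall_score(impacts):
    """Score is the percentage of traffic NOT seeing a drop."""
    total_impact = min(sum(impacts), 100.0)
    return 100.0 - total_impact


def track_health_event(intervals, threshold=DEFAULT_THRESHOLD):
    """Return a list of (label, score, state) tuples, one per interval.

    A health event is created when the score reaches or drops below the
    threshold, stays active while the score remains at or below it, and
    is resolved once the score rises above it.
    """
    timeline = []
    active = False
    for interval in intervals:
        score = overall_score(interval.impacts)
        breached = score <= threshold  # "reaches or drops below"
        if breached and not active:
            state = "CREATED"
        elif breached:
            state = "ACTIVE"
        elif active:
            state = "RESOLVED"
        else:
            state = "HEALTHY"
        active = breached
        timeline.append((interval.label, score, state))
    return timeline


# Constructed sample data, not real measurements.
SAMPLE_INTERVALS = [
    Interval("t0", []),          # no issues
    Interval("t1", [3.0]),       # one small issue, score 97
    Interval("t2", [3.0, 2.0]),  # two small issues combine, score 95
    Interval("t3", [3.0, 4.0]),  # still below threshold, score 93
    Interval("t4", [4.0]),       # score 96, rises above threshold
    Interval("t5", [7.0]),       # single issue large enough alone
]

if __name__ == "__main__":
    for label, score, state in track_health_event(SAMPLE_INTERVALS):
        print(f"{label}: score={score:.1f}% impact={100 - score:.1f}% {state}")
```

Interval `t2` shows the cumulative case: neither issue alone reaches the 95% threshold, but together they do.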

**Health event report timing**  
Internet Monitor uses an aggregator to gather all signals about internet issues, to create health events in monitors within minutes.  
When possible, Internet Monitor analyzes the origin of a health event, to determine whether it was caused by AWS or an ASN. Health event analysis continues after an event is resolved. Internet Monitor can update events with new information for up to an hour.

**How Internet Monitor works with IPv4 and IPv6 traffic**  
Internet Monitor measures health toward a network over only IPv4, and shows you health events, and availability and performance metrics, if you serve traffic to that network over any IP family (IPv4 or IPv6). If you serve traffic from a dual-stack resource, such as a dual-stack CloudFront distribution, Internet Monitor raises a health event and shows a drop in a performance score or availability score only if IPv4 traffic has the same issues for the resource as IPv6 traffic does.  
Note that the Internet Monitor metrics for overall bytes in and bytes out accurately reflect all internet traffic (IPv4 and IPv6).

**How Internet Monitor selects the subset of city-networks to include**  
When you set a maximum limit for the number of city-networks monitored by your monitor or choose a percentage of traffic to monitor, Internet Monitor chooses the city-networks to include (monitor) based on highest recent traffic volume.  
For example, if you set a maximum city-networks limit of 100, Internet Monitor monitors (up to) 100 city-networks based on your application traffic during a recent one hour period. Specifically, Internet Monitor monitors the top 100 city-networks that have had the most traffic in the most recent one hour window *before* the latest one hour window.  
To illustrate this, say that the current time is 2:30 PM. In this scenario, the traffic that you see in your monitor was captured between 1:00 PM and 2:00 PM, and the traffic volume measurement that Internet Monitor uses to determine the top 100 city-networks was captured between 12:00 PM and 1:00 PM.
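
The window arithmetic in this illustration, worked through in Python. This is an added example, not AWS code. It assumes that windows align to clock hours, as in the 2:30 PM scenario, and that traffic volume is compared by bytes transferred; the record layout, cities, and ASNs are constructed sample data.

```python
"""Model of how the top-N city-networks are chosen from a prior window.

Added example: follows the 2:30 PM illustration on this page. The record
format (timestamp, city, asn, bytes) is an assumption for this sketch.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def selection_windows(now):
    """Return (displayed_window, ranking_window) as (start, end) pairs.

    displayed_window: the latest complete one-hour window, whose traffic
        appears in the monitor.
    ranking_window: the one-hour window before that, whose traffic volume
        decides which city-networks are monitored.
    """
    latest_end = now.replace(minute=0, second=0, microsecond=0)
    displayed = (latest_end - timedelta(hours=1), latest_end)
    ranking = (displayed[0] - timedelta(hours=1), displayed[0])
    return displayed, ranking


def select_city_networks(records, now, max_city_networks):
    """Pick up to max_city_networks (city, asn) pairs by ranking-window bytes."""
    _, (start, end) = selection_windows(now)
    totals = defaultdict(int)
    for timestamp, city, asn, byte_count in records:
        if start <= timestamp < end:
            totals[(city, asn)] += byte_count
    # Highest volume first; ties broken by name so the result is stable.
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    return [pair for pair, _ in ranked[:max_city_networks]]


# Constructed sample data. ASNs are from the documentation-reserved range.
NOW = datetime(2024, 1, 15, 14, 30)
SAMPLE_RECORDS = [
    (datetime(2024, 1, 15, 11, 55), "Austin", "AS64503", 5000),   # too early
    (datetime(2024, 1, 15, 12, 10), "Seattle", "AS64500", 500),
    (datetime(2024, 1, 15, 12, 20), "Boston", "AS64501", 700),
    (datetime(2024, 1, 15, 12, 40), "Seattle", "AS64500", 300),
    (datetime(2024, 1, 15, 12, 50), "Denver", "AS64502", 100),
    (datetime(2024, 1, 15, 13, 15), "Denver", "AS64502", 9000),   # too late
]

if __name__ == "__main__":
    displayed, ranking = selection_windows(NOW)
    print("displayed window:", displayed[0].time(), "to", displayed[1].time())
    print("ranking window:  ", ranking[0].time(), "to", ranking[1].time())
    print("selected:", select_city_networks(SAMPLE_RECORDS, NOW, 2))
```

With a limit of 2, the Denver city-network is not selected even though its traffic surged at 1:15 PM, because only the 12:00 PM to 1:00 PM window is ranked.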

**How the global internet weather map is created (Frequently Asked Questions)**  
The Internet Monitor internet weather map is available on the Internet Monitor console to all authenticated AWS customers. This section includes details about how the internet weather map is created and how to use it.    
**What is the Internet Monitor internet weather map?**  
The internet weather map provides a visual representation of internet issues across the world. It highlights impacted client locations, that is, cities plus ASN (typically internet service providers). The map shows a combination of availability and performance issues that have recently impacted clients' internet experience for top client locations and AWS services globally.  
**Where does data for the map come from?**  
The data is based on a combination of active and passive probing of the internet. To learn more about how Internet Monitor measures data, you can read the section [How AWS measures connectivity issues](#IMHowAWSMeasuresConnectivityIssues).  
**How often is the map updated?**  
The internet weather map is updated every 15 minutes.  
**Which networks are tracked for outages?**  
AWS tracks networks all around the world that represent important IP prefixes used by customers for making internet connections to AWS. We scope outages to client locations that are top talkers for volume of traffic sent to and received from the AWS network.  
**What determines whether an internet event is included on the map?**  
Here are some high-level criteria that we use to determine whether an internet event is included on the internet weather map:  
+ AWS detects that there is an availability or performance event.
+ If the event is short-lived, for example, it lasts less than 5 minutes, we ignore it.
+ Then, if the event is in a client location that is classified as a top talker, it's considered an outage.  
**What thresholds are used for the internet weather map?**  
Thresholds for determining outages are not static for the internet weather map. Internet Monitor determines what constitutes an event based on detecting a deviation from expected values. You can learn more about how this works by reviewing [how Internet Monitor determines when to create health events](#IMHealthEventStartStop) for monitors that you create with the service. When you create a monitor, Internet Monitor generates internet traffic health measurements that are specific to your own application traffic. Internet Monitor also alerts you to health events for issues that affect your application's internet traffic.  
**What can I do with this data?**  
The internet weather map provides a quick summary of key internet events that happened around the world in the last 24 hours. It helps you to get a sense of the internet monitoring experience, without needing to onboard your own internet traffic to Internet Monitor. To leverage the full potential of the internet monitoring capabilities of AWS and to personalize it for your applications and services hosted on AWS, you can create a monitor in Internet Monitor.   
When you create a monitor, you enable Internet Monitor to identify the specific internet paths that affect your application clients, and you get access to features and capabilities that can help you improve your client experience. You'll also be proactively notified of new internet issues that specifically impact your application traffic and clients.  
**How can I get more details about events?**  
Click an outage on the map to see details that include when an event started and ended, the impacted city and ASN, and what type of issue it was (that is, a performance issue or an availability issue).  
To get more detailed information about events, and to get custom measurements for your application traffic, [create a monitor in Internet Monitor](CloudWatch-IM-get-started.md).

# Internet Monitor example use cases
<a name="CloudWatch-IM-use-cases"></a>

This section describes several specific examples of use cases for Internet Monitor, with links to blog posts with more details. These examples illustrate how you can use the capabilities of Internet Monitor to monitor your application health and improve latency to enhance your users' experience. 

**Set up alerts and decide on actions to take**  
You can use Internet Monitor to get insights about average internet performance metrics over time, and about health events by city-network (client location and ASN, typically an internet service provider). Using Internet Monitor, you can identify the events that are impacting end user experience for applications hosted on Amazon Virtual Private Clouds (VPCs), Network Load Balancers, Amazon WorkSpaces, or Amazon CloudFront.  
After you create a monitor, you have several options for how to be alerted about Internet Monitor health events. These include notifications based on CloudWatch Alarms using event metrics or Amazon EventBridge rules to filter for health events. You can choose different options for notifications or actions based on alarms, including, for example, AWS SMS notifications or updates to a CloudWatch log group.  
To see an example with detailed guidance, see the following blog post: [Introducing Internet Monitor](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-amazon-cloudwatch-internet-monitor/).

**Identify latency issues and improve TTFB to improve multiplayer gameplay experience**  
Use Internet Monitor to quickly identify where players of global cloud gaming apps are experiencing latency issues, and to get insights into improving performance. By identifying where the most players currently have the slowest time to first byte (TTFB), you know how to improve latency to make your biggest player base happier.  
Now, when you're ready to deploy the next EC2 server for your game, choose the AWS Region that Internet Monitor suggests will lower TTFB in the area with the high latency and large group of players.   
For details about setting up and using Internet Monitor for this use case, see the following blog post: [Using Internet Monitor for a Better Gaming Experience](https://aws.amazon.com/blogs/gametech/using-cloudwatch-internet-monitor-for-a-better-gaming-experience/).

**Identify potential performance and internet connection issues for users on Amazon WorkSpaces**  
Internet Monitor provides you with the IP prefixes and ASN (typically, the internet service provider or ISP) for your users, which can be helpful to diagnose performance and internet connection issues for users to their WorkSpaces. You can also use this data to view your fleet as a whole and monitor your WorkSpaces user connections.   
For more information about how to use Internet Monitor for this use case, see the following blog post: [Using Internet Monitor with Amazon WorkSpaces Personal](https://aws.amazon.com/blogs/desktop-and-application-streaming/utilizing-cloudwatch-internet-monitor-with-amazon-workspaces-personal/).

# Global internet weather map in Internet Monitor
<a name="CloudWatch-InternetMonitor.outage-map"></a>

Internet Monitor displays a global internet weather map that is available to all AWS customers. To view the map, in the Amazon CloudWatch console, navigate to **Network Monitoring**, and then choose **Internet monitors**.

The internet weather map highlights internet events ("outages") all over the world that affect AWS customers, with the specific cities and networks (ASNs, typically internet service providers) where there are issues with performance or availability. The map includes internet events from the past 24 hours.

You don't need to create a monitor in Internet Monitor to view the internet weather map. Unlike health events in Internet Monitor, internet events are not specific to individual customers or their application traffic. 

On the internet weather map, you can choose an internet event to learn details about it. For an internet event, you can see the start time, end time (if the event is over), the current status (Active or Resolved), and the outage issue type (Availability or Performance). To learn more about how the internet weather map is created and what is included, see the [global internet weather map FAQ](CloudWatch-IM-inside-internet-monitor.md#IMGlobalOutagesFAQ).

To view and work with detailed information that is specific to your application traffic and client locations, you can create a monitor in Internet Monitor for your application. Then, you'll see performance and availability patterns and events, current and historical, as well as get health event alerts, tailored to just your application footprint and customers. The internet weather map gives you an overall view, while a specific monitor filters the information to just the measurements and details that are relevant to your application. With a monitor, you can also explore historical metrics and get recommendations for improving client experience for your application. To learn more, see [Getting started with Internet Monitor using the console](CloudWatch-IM-get-started.md).

# Internet Monitor cross-account observability
<a name="cwim-cross-account"></a>

With Internet Monitor cross-account observability, you can monitor your applications that span multiple AWS accounts within a single AWS Region.

You can use Amazon CloudWatch Observability Access Manager to set up one or more of your AWS accounts as a monitoring account. You’ll provide the monitoring account with the ability to view data in your source account by creating a *sink* in your monitoring account. A sink is a resource that represents an attachment point in a monitoring account. For Internet Monitor, the resource attachment point is a monitor. You use the sink to create a link from your source account to your monitoring account. For more information, see [CloudWatch cross-account observability](CloudWatch-Unified-Cross-Account.md).

**Required resources**  
For proper functionality of CloudWatch Application Insights cross-account observability, ensure that the following telemetry types are shared through the CloudWatch Observability Access Manager.
+ Monitors in Internet Monitor
+ Metrics in Amazon CloudWatch
+ Log groups in Amazon CloudWatch Logs

# Pricing for Internet Monitor
<a name="CloudWatch-InternetMonitor.pricing"></a>

With Internet Monitor, there are no upfront costs or long-term commitments. Pricing for Internet Monitor has two components: a per monitored resource fee and a per city-network fee. A *city-network* is the location where clients access your application resources from and the network (ASN, such as an internet service provider or ISP) that clients access the resources through. Note that you are also charged standard CloudWatch prices for logs and any additional metrics, dashboards, alarms, or insights that you create.

You choose a percentage of traffic to monitor when you create a monitor. To help control your bill, you can also set a limit for the maximum number of city-networks to monitor. You can update the percentage of traffic to monitor or the maximum city-networks limit at any time by editing your monitor. The first 100 city-networks (across all monitors per account) are included. After that, you only pay for the actual additional number of city-networks that you monitor, up to the maximum number.

You pay only for the actual additional number of city-networks that you monitor, up to the maximum number, with no charge for the first 100 city-networks (across all monitors per account). A flat amount equivalent to the cost of 100 city-networks is deducted from your monthly bill.

For example, a large global company could choose to monitor 100% of its internet-facing traffic, and set a city-networks maximum of 50,000, for one monitor with one resource. Assuming the traffic reached 50,000 city-networks, that portion of its bill would be around 2,700 USD/month. For another company, in fewer geographic areas, with one monitor with one resource and 200 city-networks, this portion of the bill would be around 13 USD/month. For more information, see [Choose a city-networks maximum limit](IMCityNetworksMaximum.md).

You can try out different options with the pricing calculator. To explore pricing options, on the [Pricing calculator for CloudWatch page](https://calculator.aws/#/addService/CloudWatch), scroll down to Internet Monitor. 

For more information about Internet Monitor and CloudWatch pricing, see the [Amazon CloudWatch pricing](https://aws.amazon.com//cloudwatch/pricing/) page. 

# Getting started with Internet Monitor using the console
<a name="CloudWatch-IM-get-started"></a>

To help you get started with Internet Monitor, this chapter provides the steps for creating and configuring a *monitor*.

You create a monitor in Internet Monitor for your application by naming it, adding AWS resources that it uses, and then setting several configuration options. The resources that you add, which can be Amazon Virtual Private Clouds (VPCs), Network Load Balancers (NLBs), CloudFront distributions, or WorkSpaces directories, provide the information for Internet Monitor to map internet traffic information for your application. After you create your monitor, wait 15-30 minutes to generate the traffic profile specific to where your application is used.

Then, use the Internet Monitor dashboard, or other tools, to visualize and explore performance and availability data about your client usage. These tools provide insights based on the measurements that the monitor gathers for your application traffic.

The steps here walk you through setting up your monitor by using the console. To see examples of using the AWS Command Line Interface with the Internet Monitor API actions, to create a monitor, view events, and so on, see [Examples of using the CLI with Internet Monitor](CloudWatch-IM-get-started-CLI.md).

**Tasks**
+ [Step 1: Create a monitor](#CloudWatch-IM-get-started.create)
+ [Step 2: Configure the monitor](#CloudWatch-IM-get-started.configure)
+ [Step 3: View metrics and explore history](#CloudWatch-IM-get-started.explore)
+ [Step 4: Get suggestions to improve latency](#CloudWatch-IM-get-started.suggestions)
+ [Step 5 (Optional): Delete the monitor](#CloudWatch-IM-get-started.delete)

## Step 1: Create a monitor
<a name="CloudWatch-IM-get-started.create"></a>

**To create a monitor using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose **Create monitor**.

1. For **Monitor name**, enter the name you want to use for this monitor in Internet Monitor.

1. Choose **Add resources**, and then select the resources to set the monitoring boundaries for Internet Monitor to use for this monitor.

   **Note**  
   Be aware of the following:  
   + To generate meaningful output with Internet Monitor, VPCs that you add must be connected to the internet by having an Internet Gateway configured.
   + You can add only one type of resource to a single monitor. For example, VPCs or CloudFront distributions or WorkSpaces directories, but not a combination of different types.

1. Leave the default percentage of traffic as 100%, or choose another percentage of your internet traffic to monitor. 

1. Choose **Create monitor**.

## Step 2: Configure the monitor
<a name="CloudWatch-IM-get-started.configure"></a>

After you create a monitor, you can edit the monitor at any time, for example, to change the application traffic percentage, update the maximum city-networks limit, or add or remove resources. To make updates in the Internet Monitor console, follow the procedure in this section. Note that you can’t change the name of a monitor.

For more information about configuring a monitor, see [Edit a monitor in Internet Monitor](CloudWatch-IM-get-started.edit-monitor.md).

**To configure a monitor using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Update monitor**.

1. Make the desired updates. For example, to change the percentage of traffic to monitor, under **Application traffic to monitor**, select or enter a percentage.

1. Choose **Update**.

## Step 3: View metrics and explore history
<a name="CloudWatch-IM-get-started.explore"></a>

Visualize data about your internet traffic, from an overview perspective or by drilling down into details.

**To visualize data and get insights for application traffic using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose a monitor to work with.

1. Choose from the following tabs:
   + **Overview** — Review a general summary of your monitor and your application traffic performance.
   + **Health events** — View current and historical health events that currently impact, or previously impacted, locations where clients access your application.
   + **Analyze** — See information about top monitored traffic in client locations (by traffic volume), summarized in several customizable ways. Visualize metrics and historical trends for health scores and metrics.

In the next section, learn about how Internet Monitor provides suggestions for improving latency for your application traffic.

## Step 4: Get suggestions to improve latency
<a name="CloudWatch-IM-get-started.suggestions"></a>

Get suggestions for how to optimize latency, so that your clients experience the best internet performance for your application.

Internet Monitor evaluates your monitored application traffic, and then makes suggestions about whether you can reduce latency, for example, by changing the AWS Regions that you've configured for your application.

For more information, see [Get suggestions to optimize application performance in Internet Monitor (Optimize page)](CloudWatch-IM-insights.md).

**To get suggestions for improving application latency using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose a monitor to work with.

1. Choose **Optimize**, and then view the top suggestions.

## Step 5 (Optional): Delete the monitor
<a name="CloudWatch-IM-get-started.delete"></a>

If you created a monitor as a test or if you're no longer using a monitor, you can delete it. Before you can delete a monitor, you must disable it.

**To delete a monitor**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Disable**.

1. Choose the **Action** menu again, and then choose **Delete**.

1. Follow the guidance in the modal dialog to confirm deleting the monitor.

# Configure a monitor using the console
<a name="CloudWatch-IM-working-with"></a>

This chapter includes procedures and recommendations for creating and configuring monitors in Internet Monitor.

The steps provided in these sections primarily use the AWS Management Console. You can also use Internet Monitor API operations with the AWS Command Line Interface (AWS CLI) or AWS SDKs to create and configure a monitor. For detailed information about working with Internet Monitor API operations, see the following resources:
+ If you plan to work with Internet Monitor with the CLI, see [Examples of using the CLI with Internet Monitor](CloudWatch-IM-get-started-CLI.md).
+ For detailed information about working with Internet Monitor API operations, see the [Internet Monitor API Reference](https://docs.aws.amazon.com/internet-monitor/latest/api/Welcome.html).

**Topics**
+ [Create a monitor](CloudWatch-IM-working-with.create.md)
+ [Add resources to your monitor](IMMonitorResources.md)
+ [Set your application traffic percentage](IMTrafficPercentage.md)
+ [Use a monitor](IMWhyCreateMonitor.md)
+ [Edit a monitor](CloudWatch-IM-get-started.edit-monitor.md)
+ [Delete a monitor](CloudWatch-IM-get-started.delete-monitor.md)
+ [Advanced options](CloudWatch-IM-get-started.advanced-options.md)

# Create a monitor in Internet Monitor using the console
<a name="CloudWatch-IM-working-with.create"></a>

You create a monitor in Internet Monitor to visualize and explore performance and availability data about your application's client traffic. You create a monitor by adding AWS resources that your application uses, and then setting several configuration options. The resources that you add to the monitor provide the information — for example, through resource flow logs — for Internet Monitor to learn which internet traffic is specific to your AWS application.

After you create your monitor, wait 15 to 30 minutes before reviewing the monitor dashboard. Internet Monitor needs a few minutes to generate a traffic profile for where your application is used by your end users, and then to begin publishing data for your traffic.

Typically, it's simplest to create one monitor in Internet Monitor for one application. Within the same monitor, you can search through and sort measurements and metrics by different locations and ASNs, or other information. You don't need to create separate monitors for applications in different areas. 

The steps provided here walk you through setting up your monitor by using the console. To work with Internet Monitor API actions using the AWS Command Line Interface, see [Examples of using the CLI with Internet Monitor](CloudWatch-IM-get-started-CLI.md).

**To create a monitor using the console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose **Create monitor**.

1. For **Monitor name**, enter the name that you want to use for this monitor.

1. Choose **Add resources**, and then select the resources that will determine the internet traffic profile for this monitor.

   **Note**  
   Be aware of the following:  
   + To generate meaningful output with Internet Monitor, VPCs that you add must be connected to the internet by having an Internet Gateway configured.
   + You can specify only one type of resource for each monitor.

1. Choose a percentage of your application's internet traffic to monitor. 

1. Optionally, under **Advanced settings**, specify one or more of the following additional options.
   + **City-networks maximum** — The default city-networks maximum value is `500000`. If you like, you can lower this limit, to restrict the number of city-networks (locations and ASNs) that Internet Monitor will monitor traffic for. You can change the city-networks maximum at any time by editing your monitor. For more information, see [Choose a city-networks maximum limit](IMCityNetworksMaximum.md). 
   + **Amazon S3 bucket storage** — You can specify an Amazon S3 bucket name and custom prefix to publish internet measurements for your application's internet traffic to Amazon S3, for all monitored city-networks. 

     Internet Monitor stores internet measurements for pairs of your client locations and ASNs, or *city-networks*. Internet Monitor also creates aggregated CloudWatch metrics for traffic to your application, and to each AWS Region and edge location. In addition, Internet Monitor publishes internet measurements for your application traffic to CloudWatch Logs every five minutes, to support using CloudWatch tools and other methods with your data. If you choose to publish measurements to S3, measurements are still published to CloudWatch Logs. For more information, see [Publish internet measurements to Amazon S3 in Internet Monitor](CloudWatch-IM-get-started.Publish-to-S3.md).
   + **Tags** — Add one or more tags for your monitor.

1. Choose **Create monitor**.

After you create a monitor, wait about 15-30 minutes for Internet Monitor to create a traffic profile and begin publishing your data. Then, you can view information about your application's internet traffic performance by navigating to the monitor dashboard in the console.

**To view the Internet Monitor dashboard**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Network Monitoring**, then **Internet monitors**.

1. To see more information about a specific monitor, on the **Monitors** tab, choose a monitor. 

# Add resources to your monitor
<a name="IMMonitorResources"></a>

When you create a monitor, you must associate your application's resources with it: Amazon Virtual Private Clouds (VPCs), Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories. Then, Internet Monitor knows where your application's internet-facing traffic and clients are located, and it can create and maintain a traffic profile that determines the relevant measurements to publish for your monitor.

You can add the following types of resources to a monitor in Internet Monitor as *monitored resources*.
+ **VPCs:** Each VPC that you add in a Region is a monitored resource. When you add a VPC, Internet Monitor monitors the traffic for any internet-facing application in the VPC, for example, an application hosted on an Amazon EC2 instance, behind a Network Load Balancer, or in an AWS Fargate container.
+ **Network Load Balancers:** Each NLB that you add is a monitored resource.
+ **CloudFront distributions:** Each CloudFront distribution that you add is a monitored resource.
+ **WorkSpaces directories:** Each WorkSpaces directory that you add in a Region is a monitored resource.

When you monitor traffic for VPCs, traffic for applications that are hosted on load balancers behind the VPC is monitored. You can choose to monitor traffic for individual Network Load Balancers instead of monitoring a VPC with multiple load balancers. This can be helpful, for example, if you need to understand and configure features for better performance or efficiencies at the load balancer level. Or, you might need compliance information at the Network Load Balancer level.

When you add resources to a monitor in Internet Monitor, be aware of the following:
+ Internet Monitor doesn't support adding different types of resources together in one monitor.
+ To generate meaningful output with Internet Monitor, VPCs that you add must be connected to the internet by having an Internet Gateway configured.
+ There are Regional differences for opt-in Regions to keep in mind when you add VPCs or NLBs as resources. For more information, see [Supported AWS Regions for Internet Monitor](CloudWatch-InternetMonitor.Regions.md).
+ In addition, there are differences for resources about measuring last-mile latency. For Internet Monitor latency measurements, VPCs, NLBs, and WorkSpaces directories do not include last-mile latency. 

# Choose a percentage of traffic to monitor for your application
<a name="IMTrafficPercentage"></a>

The coverage that you choose for the percentage of application traffic to monitor determines how many city-networks (client locations and ASNs, typically internet service providers) for your application are monitored, up to an optional city-networks maximum limit that you can also set.

You can choose the percentage of traffic to monitor when you create a monitor, or, with an existing monitor, by choosing **Edit monitor** on any Internet Monitor dashboard page in the console.

If you choose to monitor less than 100% of your application traffic, you might have an observability gap with your monitor. That's because if Internet Monitor creates health events for locations where you aren't monitoring traffic, you won't be aware of those issues. With a traffic percentage set to less than 100%, you might also have less coverage for the performance and availability score information about client access to your application.

The following sections describe options to explore traffic percentage settings and coverage, and to get an idea about the impact of increasing or decreasing coverage.
+ [Explore changing your application traffic percentage](#IMExploreTrafficPercentage)
+ [View the number of city-networks monitored at different traffic percentage settings](#IMExploreTrafficGraphs)

## Explore changing your application traffic percentage
<a name="ExploreAppTrafficPercentageOptions"></a>

You can explore values that you might want to change your application traffic percentage to, by viewing the number of city-networks monitored when you change the percentage. The procedure in this section provides step-by-step information.

In the Internet Monitor console, you can try increasing or decreasing the application traffic percentage for your monitor, and view the estimated number of your city-networks that would be covered as a result. With this option, you can quickly see how changing your traffic percentage affects the number of city-networks that are monitored. This can help you get a feel for what a good application traffic percentage might be for your application.

**To explore monitoring coverage and update percentage of traffic monitored**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. In your list of monitors, choose a monitor.

1. On the **Configure** tab, in the **View and evaluate traffic coverage** section, you can evaluate the impact on the total number of city-networks that are monitored, depending on a traffic percentage that you choose. You can also update the percentage of traffic that you monitor or change the city-networks limit for your monitor.
   + **Explore traffic percentage options:** Under **Compare options for traffic coverage**, in the drop-down menu, choose one or more traffic percentages to graph and compare. For each traffic percentage that you choose, you can see the number of city-networks that will be monitored when you set that traffic percentage coverage.

     To learn more, see [View number of city-networks monitored at different percentages](#IMExploreTrafficGraphs).
   + **Change monitoring coverage:** Under **Explore other traffic coverage options**, choose **Update monitoring coverage**.

     In the **Explore and set traffic monitoring coverage** dialog, click the arrows to increase or decrease the percentage of traffic to monitor. By choosing 100% traffic, you can see how many city-networks are monitored with full coverage for monitoring your application.

     Note: To learn more about how the number of city-networks monitored (estimated here) might affect your costs, choose the link to the [CloudWatch Pricing calculator](https://calculator.aws/#/addService/CloudWatch), and then scroll down to Internet Monitor.

     To set a new percentage of traffic to monitor, choose **Update monitor coverage**. Or, to keep the current coverage level, choose **Cancel**.

## View the number of city-networks monitored at different traffic percentage settings
<a name="ExploreAppTrafficPercentageGraphs"></a>

You can view the number of city-networks that would be monitored for your application at different application traffic percentages. The procedure in this section provides step-by-step information.

In the Internet Monitor console, you can view graphs that show how coverage for your city-networks would change at different application traffic percentages, over a time interval that you specify. This is a quick way to visualize and compare the monitoring coverage for your application at specific traffic percentages, all on one graph.

**To view graphs of application traffic percentage and corresponding city-networks coverage**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. In your list of monitors, choose a monitor.

1. Choose the **Configure** page, and scroll down to **Traffic coverage**.

1. Under **Compare options for traffic coverage**, in the drop-down list, select one or more percentages. You can choose one or more application traffic percentages, and the graph of **Total monitored city-networks** is updated to display the monitoring coverage Internet Monitor provides for that traffic percentage. By choosing **City-networks at 100% traffic**, you can see how many city-networks are monitored with full coverage for monitoring your application. 

Keep in mind the following:
+ Traffic coverage is computed based on the number of city-networks in the previous hour of your application traffic. This means that, after you choose a specific percentage of traffic to monitor, fewer city-networks might be monitored for your application than is shown here in a traffic coverage comparison graph. 
+ To make sure that all your application traffic is monitored, set `TrafficPercentageToMonitor` to 100 and don’t set `MaxCityNetworksToMonitor`. Alternatively, you can set `MaxCityNetworksToMonitor` to 500,000, the upper limit in Internet Monitor.
+ If you set a city-networks maximum limit, the total number of monitored city-networks never exceeds that limit, regardless of the application traffic percentage option that you select.
+ You can learn more about how the number of city-networks monitored might affect your costs. On the [Pricing calculator for CloudWatch page](https://calculator.aws/#/addService/CloudWatch), scroll down to Internet Monitor.

To set a new percentage of traffic to monitor, under **Explore other traffic coverage options**, choose **Update monitoring coverage**. In the dialog, choose a percentage of traffic, and then choose **Update monitor coverage**.

# Use a monitor in Internet Monitor
<a name="IMWhyCreateMonitor"></a>

There are several ways to use an Internet Monitor monitor after you create it: for example, you can view information in the CloudWatch dashboard, get information by using the AWS Command Line Interface, and set health alerts.

Your monitor provides information about your application and configuration preferences so that Internet Monitor can customize measurements and metrics to publish in events for you. Internet Monitor collects measurements from the global infrastructure footprint for AWS. These measurements represent a tremendous amount of network performance and availability information, from all over the world. By using information from the resources that you add for your application, Internet Monitor publishes performance and availability measurements for you that are scoped to the city-networks (that is, client locations and ASNs, typically internet service providers or ISPs) where your application is active. So, the measurements and metrics in the Internet Monitor dashboard and in CloudWatch Logs—about availability, performance, monitored bytes transferred, and round-trip time—are specific to your client locations and ASNs.

Internet Monitor also determines when there are anomalies in performance and availability. By default, Internet Monitor overlays your traffic with the availability and performance measurements that AWS has collected for each source-destination pair in your client locations, to determine when there are notable drops in performance or availability. When there's significant degradation for your application's locations and scope, Internet Monitor generates a *health event*, and publishes information about the issue to your monitor.

After you create a monitor, you can use it to access or be alerted to the information that Internet Monitor provides, in the following ways:
+ **Use the CloudWatch dashboard** to view and explore performance, availability, and health events; explore your application's historical data; and get insights into new ways to configure your application for better performance. To learn more, see the following:
  + [Track real-time performance and availability in Internet Monitor (Overview page)](CloudWatch-IM-overview.md)
  + [Analyze historical data in Internet Monitor (Analyze page)](CloudWatch-IM-historical-explorer.md)
  + [Get suggestions to optimize application performance in Internet Monitor (Optimize page)](CloudWatch-IM-insights.md)
+ **Configure health event thresholds** to change what triggers Internet Monitor to create a health event for your application. You can configure overall thresholds and local (city-network) thresholds. To learn more, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview).
+ **Use AWS CLI commands** with Internet Monitor API actions to view traffic profile information, view measurements, list health events, and so on. To learn more, see [Examples of using the CLI with Internet Monitor](CloudWatch-IM-get-started-CLI.md).
+ **Use standard CloudWatch tools,** such as CloudWatch Contributor Insights, CloudWatch Metrics explorer, and CloudWatch Logs Insights to visualize the data in CloudWatch. To learn more, see [Exploring your data with CloudWatch tools and the Internet Monitor query interface](CloudWatch-IM-view-cw-tools.md).
+ **Use Athena with S3 logs** to access and analyze Internet Monitor internet measurements for your application, if you turned on publishing measurements to S3.
+ **Create Amazon EventBridge notifications** to alert you when Internet Monitor determines there is a health event. To learn more, see [Using Internet Monitor with Amazon EventBridge](CloudWatch-IM-EventBridge-integration.md).
+ **Receive an AWS Health Dashboard notification** automatically, when Internet Monitor determines that an issue is caused by the AWS network. The notification includes the steps that AWS is taking to mitigate the problem. 

# Edit a monitor in Internet Monitor
<a name="CloudWatch-IM-get-started.edit-monitor"></a>

Using the **Action** menu, you can edit a monitor in Amazon CloudWatch Internet Monitor after you create it. For example, you can edit a monitor to do the following:
+ Change the percentage of application traffic to monitor
+ Set or update the city-networks maximum limit
+ Change health event thresholds for availability or performance scores
+ Add or remove resources
+ Enable or update publishing events to Amazon S3

Note that you can't change the name of a monitor after you create it.

To make changes to a monitor, use the following procedure.

**To edit a monitor**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Update monitor**.

1. Make the desired updates. For example, to change the percentage of traffic to monitor, under **Application traffic to monitor**, select or enter a percentage.

1. Choose **Update**.

For more information about the options that you can update, see the following:
+ To learn more about resources that you add in Internet Monitor, see [Add resources to your monitor](IMMonitorResources.md).
+ To learn more about the application traffic percentage, see [Choose a percentage of traffic to monitor for your application](IMTrafficPercentage.md).
+ To learn more about changing the threshold for health events, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview).
+ To learn more about the city-networks maximum limit, see [Choose a city-networks maximum limit](IMCityNetworksMaximum.md).
+ To learn more about opting to publish events to S3, see [Publish internet measurements to Amazon S3 in Internet Monitor](CloudWatch-IM-get-started.Publish-to-S3.md).

# Delete a monitor in Internet Monitor
<a name="CloudWatch-IM-get-started.delete-monitor"></a>

Using the **Action** menu, you can delete a monitor in Amazon CloudWatch Internet Monitor. You first disable the monitor, and then delete it.

**To delete a monitor**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network monitoring**, choose **Internet Monitor**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Disable**.

1. Choose the **Action** menu again, and then choose **Delete**.

# Advanced configuration options for a monitor
<a name="CloudWatch-IM-get-started.advanced-options"></a>

This section provides the steps for configuring advanced options for a monitor in Internet Monitor. These configuration options are optional but can be useful in some scenarios.

For example, you might choose to set a city-network maximum limit if traffic for the application that you monitor with Internet Monitor occasionally spikes, and you want to help make sure that your bill for Internet Monitor is predictable.

Or, you might want to set custom or local thresholds for health events, because you want to pay close attention to issues in specific geographies where you have a concentration of clients.

The topics in this section provide detailed descriptions of each feature, and list the steps to configure options for your needs.

**Topics**
+ [Choose a city-networks limit](IMCityNetworksMaximum.md)
+ [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md)
+ [Publish internet measurements to S3](CloudWatch-IM-get-started.Publish-to-S3.md)

# Choose a city-networks maximum limit
<a name="IMCityNetworksMaximum"></a>

In addition to setting a traffic percentage for your monitor in Internet Monitor, you can also set a maximum limit for the number of city-networks monitored. This section describes how the city-networks limit can help you manage billing costs, and provides information and an example to help you determine a limit to set, if you choose to set one.

Internet Monitor can monitor traffic for some or all of the locations where clients access your AWS application resources. You can set a monitoring limit for the number of *city-networks*, that is, the client locations and the ASNs (typically internet service providers) that clients access your application through.

You choose a [percentage of application traffic](IMTrafficPercentage.md) to monitor when you create your monitor. The default percentage is 100%. You can update the percentage at any time, by editing the monitor. 

The maximum limit that you set for the number of city-networks helps to make sure that your bill is predictable. For more information, see [Amazon CloudWatch Pricing](https://aws.amazon.com//cloudwatch/pricing/). You can also learn how different values for the number of city-networks actually monitored can affect your bill by using the CloudWatch price calculator. To explore options, on the [Pricing calculator for CloudWatch page](https://calculator.aws/#/addService/CloudWatch), scroll down to Internet Monitor.

To update your monitor and change the maximum city-networks limit, see [Edit a monitor in Internet Monitor](CloudWatch-IM-get-started.edit-monitor.md).

## How billing works with city-networks maximum limits
<a name="IMCityNetworksMaximum.billing_impact"></a>

Setting a maximum limit for the number of city-networks monitored can help prevent unexpected costs in your bill. This is useful, for example, if your traffic patterns vary widely. Billing costs increase for each city-network that is monitored after the first 100 city-networks, which are included (across all monitors per account). If you set a city-networks maximum limit, it caps the number of city-networks that Internet Monitor monitors for your application, regardless of the percentage of traffic that you choose to monitor.

You only pay for the number of city-networks that are actually monitored. The city-network maximum limit that you choose lets you set a cap on the total that can be included when Internet Monitor monitors traffic with your monitor. You can change the maximum limit at any time by editing your monitor. 

To explore options, on the [Pricing calculator for CloudWatch](https://calculator.aws/#/addService/CloudWatch) page, scroll down to Internet Monitor. For more information on Internet Monitor pricing, see the Internet Monitor section on the [Amazon CloudWatch Pricing](https://aws.amazon.com//cloudwatch/pricing/) page.

## How to choose a city-networks maximum limit
<a name="IMCityNetworksMaximum.how_do_choose"></a>

Optionally, you can set a city-networks maximum limit. To help you decide on a maximum limit that you might want to select, consider how much traffic you want to monitor for your application. Be aware that if you choose 100% for the *traffic percentage to monitor* for your monitor, and then specify a city-networks maximum limit, depending on the limit that you choose, you might not monitor 100% of your application traffic. The city-networks maximum that you set takes precedence over the traffic percentage to monitor that you set.

To view how the percentage of traffic to monitor that you choose affects the number of city-networks that are included for your application monitoring, which can help you decide whether to set a city-networks maximum limit, follow the steps in [View the number of city-networks monitored at different traffic percentage settings](IMTrafficPercentage.md#IMExploreTrafficGraphs).

To explore your options in more detail, you can use Internet Monitor metrics, as described in the following examples. These examples show how to select a maximum city-networks limit that is best for you, depending on the breadth of application internet traffic coverage you want. Using the [queries for Internet Monitor metrics in CloudWatch Metrics](CloudWatch-IM-view-cw-tools-metrics-dashboard.md) can help you understand more about your application internet traffic coverage.

## Example of determining a city-networks maximum limit
<a name="IMCityNetworksMaximum.example"></a>

As an example, say that you've set a monitoring maximum limit of 100 city-networks and that your application is accessed by clients across 2637 city-networks. In CloudWatch Metrics, you'd see the following Internet Monitor metrics returned:

```
CityNetworksMonitored 100
TrafficMonitoredPercent  12.5
CityNetworksFor90PercentTraffic  2143
CityNetworksFor100PercentTraffic  2637
```

From this example, you can see that you're currently monitoring 12.5% of your internet traffic, with the maximum limit set to 100 city-networks. If you want to monitor 90% of your traffic, the next metric provides information about that: `CityNetworksFor90PercentTraffic` indicates that you would need to monitor 2,143 city-networks for 90% coverage. To do that, you would update your monitor and set the maximum city-networks limit to 2,143.

Similarly, say you'd like to have 100% internet traffic monitoring for your application. The next metric, `CityNetworksFor100PercentTraffic`, indicates that to do this, you should update your monitor to set the maximum city-networks limit to 2,637.

If you now set the maximum to 5,000 city-networks, since that's greater than 2,637, you see the following metrics returned:

```
CityNetworksMonitored 2637
TrafficMonitoredPercent  100
CityNetworksFor90PercentTraffic  2143
CityNetworksFor100PercentTraffic  2637
```

From these metrics, you can see that with the higher limit, you monitor all 2,637 city-networks, which is 100% of your internet traffic.
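The check described in this example can be automated. The following Python sketch is an added example, not part of the Internet Monitor documentation: it flags a monitor whose city-networks maximum limit, rather than its traffic percentage, is what restricts coverage, and reports the limit needed for 90% or 100% coverage. The class and function names are hypothetical, and the snapshots are constructed from the metric values in the example above; retrieving the metric values from CloudWatch is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Optional

# Per the page: the first 100 city-networks are included, across all monitors per account.
INCLUDED_CITY_NETWORKS = 100


@dataclass
class MonitorSnapshot:
    """One monitor's settings plus the latest values of its coverage metrics."""
    name: str
    traffic_percentage_to_monitor: int           # TrafficPercentageToMonitor
    max_city_networks_to_monitor: Optional[int]  # MaxCityNetworksToMonitor, None if unset
    city_networks_monitored: int                 # CityNetworksMonitored
    traffic_monitored_percent: float             # TrafficMonitoredPercent
    city_networks_for_90: int                    # CityNetworksFor90PercentTraffic
    city_networks_for_100: int                   # CityNetworksFor100PercentTraffic


def audit_coverage(m: MonitorSnapshot) -> dict:
    """Report whether the city-networks limit is what restricts coverage."""
    cap = m.max_city_networks_to_monitor
    # The limit is binding when monitoring has filled it and actual coverage
    # is still below the traffic percentage that the monitor asks for.
    cap_binding = (cap is not None
                   and m.city_networks_monitored >= cap
                   and m.traffic_monitored_percent < m.traffic_percentage_to_monitor)
    gap = max(0.0, m.traffic_percentage_to_monitor - m.traffic_monitored_percent)
    needed = {90: m.city_networks_for_90, 100: m.city_networks_for_100}
    # Coverage levels that the current limit cannot reach, with the limit each one needs.
    raise_cap_to = {pct: n for pct, n in needed.items() if cap is not None and cap < n}
    return {"monitor": m.name, "cap_binding": cap_binding,
            "coverage_gap_pct": round(gap, 2), "raise_cap_to": raise_cap_to}


def billable_city_networks(monitors) -> int:
    """City-networks monitored across an account's monitors beyond the included 100."""
    total = sum(m.city_networks_monitored for m in monitors)
    return max(0, total - INCLUDED_CITY_NETWORKS)


# Constructed snapshots that use the metric values from the example above.
BEFORE = MonitorSnapshot("TestMonitor", 100, 100, 100, 12.5, 2143, 2637)
AFTER = MonitorSnapshot("TestMonitor", 100, 5000, 2637, 100.0, 2143, 2637)

if __name__ == "__main__":
    for snap in (BEFORE, AFTER):
        print(audit_coverage(snap), "billable:", billable_city_networks([snap]))
```

Raising the limit to close a coverage gap also raises the number of city-networks that are billed, so compare both results before you update the monitor.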

# Change health event thresholds for a monitor
<a name="CloudWatch-IM-get-started.change-threshold"></a>

Internet Monitor uses a default threshold to determine when to create a health event for your monitor. Optionally, you can change that default global threshold, to set another value. You can also set a local threshold. This section describes how global and local thresholds work together, and provides steps for setting custom thresholds.

You can change the overall threshold that triggers Internet Monitor to create a health event. The default health event threshold, for both performance scores and availability scores, is 95%. That is, when the overall performance or availability score for your application falls to 95% or below, Internet Monitor creates a health event. For the overall threshold, the health event can be triggered by a single large issue, or by the combination of multiple smaller issues.

You can also change the local—that is, city-network—threshold, combined with a percentage of the overall level of impact, that—in combination—will trigger a health event. By setting a threshold that creates a health event when a score drops below the threshold for one or more city-networks (locations and ASNs, typically ISPs), you can get insights into when there are issues in locations with lower traffic, for example.

An additional local threshold option works together with the local threshold for availability or performance scores. The second factor is the percentage of your overall traffic that must be impacted before Internet Monitor creates a health event based on the local threshold.

By configuring the threshold options for overall traffic and local traffic, you can fine-tune how frequently health events are created, to align with your application usage and your needs. Be aware that when you set the local threshold to be lower, typically more health events are created, depending on your application and the other threshold configuration values that you set.

In summary, you can configure health event thresholds—for performance scores, availability scores, or both—in the following ways:
+ Choose different global thresholds for triggering a health event.
+ Choose different local thresholds for triggering a health event. With this option, you can also change the percentage of impact on your overall application that must be exceeded before Internet Monitor creates an event.
+ Choose to turn off triggering a health event based on local thresholds, or enable local threshold options.

To update health event thresholds for performance scores, availability scores, or both, follow these steps.

**To change threshold configuration options**

1. In the AWS Management Console, navigate to CloudWatch, and then, in the left navigation pane, choose Internet Monitor.

1. On the **Configure** page, in the **Health event thresholds** section, choose **Update thresholds**.

1. On the **Set health event threshold** page, choose the new values and options that you want for thresholds and other options that trigger Internet Monitor to create a health event. You can do any of the following:
   + Choose a new value for **Availability score threshold**, **Performance score threshold**, or both.

     The graphs in the sections for each setting display the current threshold setting and the actual recent health event scores, for availability or performance, for your application. By viewing the typical values, you can get an idea of values that you might want to change a threshold to.

     Tip: To view a larger graph and change the timeframe, choose the expander in the upper right corner of the graph.
   + Choose to turn on or off a local threshold for availability or performance, or both. When an option is enabled, you can set the threshold and impact level for when you want Internet Monitor to create a health event.

1. After you configure threshold options, save your updates by choosing **Update health event thresholds**.

To learn more about how health events work, see [When Internet Monitor creates and resolves health events](CloudWatch-IM-inside-internet-monitor.md#IMHealthEventStartStop).

# Publish internet measurements to Amazon S3 in Internet Monitor
<a name="CloudWatch-IM-get-started.Publish-to-S3"></a>

You can choose to have Internet Monitor publish internet measurements to Amazon S3 for your internet-facing traffic to the monitored city-networks (client locations and ASNs, typically internet service providers) in your monitor, up to the 500,000 city-networks service limit. Internet Monitor automatically publishes internet measurements to CloudWatch Logs every five minutes for the top 500 (by traffic volume) city-networks for each monitor. Measurements that it publishes to S3 include the top 500 that are published to CloudWatch Logs.

You can choose the option to publish to S3, and specify the bucket to publish the measurements to, when you create or update your monitor. The bucket must already be created in S3 before you can specify it in Internet Monitor. There's a service limit of 500,000 city-networks for internet measurements published to S3. Internet Monitor publishes internet measurements to S3 as events, a series of compressed log file objects that are stored in the bucket.

When you create the S3 bucket for Internet Monitor to publish measurements to, make sure that you follow the permissions guidance provided by CloudWatch Logs. Doing so ensures that Internet Monitor can publish logs directly to S3, and that AWS can, if needed, create and change the resource policies associated with the log group receiving the logs. For more information, see [Logs sent to CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL) in the Amazon CloudWatch Logs User Guide.

The published log files are compressed. If you open the log files using the Amazon S3 console, they are decompressed and the internet measurement events are displayed. If you download the files, you must decompress them to view the events.

You can also query the internet measurements in the log files using Amazon Athena. Amazon Athena is an interactive query service that makes it easier to analyze data in Amazon S3, by using standard SQL. For more information, see [Use Amazon Athena to query internet measurements in Amazon S3 log files](CloudWatch-IM-view-cw-tools.S3_athena.md).

# Examples of using the CLI with Internet Monitor
<a name="CloudWatch-IM-get-started-CLI"></a>

This section includes examples for using the AWS Command Line Interface with Internet Monitor operations. 

Before you begin, make sure that you log in to use the AWS CLI with the same AWS account that has the Amazon VPCs, Network Load Balancers, Amazon CloudFront distributions, or Amazon WorkSpaces directories that you want to monitor. Internet Monitor doesn't support accessing resources across accounts. For more information about using the AWS CLI, see the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/index.html). For more information about using API actions with Internet Monitor, see the [Internet Monitor API Reference Guide](https://docs.aws.amazon.com/internet-monitor/latest/api/Welcome.html).

**Topics**
+ [Create a monitor](#CloudWatch-IM-get-started-CLI-create-mon)
+ [View monitor details](#CloudWatch-IM-get-started-CLI-mon-details)
+ [List health events](#CloudWatch-IM-get-started-CLI-list-events)
+ [View specific health event](#CloudWatch-IM-get-started-CLI-view-event-specific)
+ [View monitor list](#CloudWatch-IM-get-started-CLI-monitor-list)
+ [Edit monitor](#CloudWatch-IM-get-started-CLI-edit-monitor)
+ [Delete monitor](#CloudWatch-IM-get-started-CLI-delete-monitor)

## Create a monitor
<a name="CloudWatch-IM-get-started-CLI-create-mon"></a>

When you create a monitor in Internet Monitor, you provide a name and associate resources with the monitor to show where your application's internet traffic is. You specify a traffic percentage that defines how much of your application traffic is monitored. That also determines the number of city-networks, that is, client locations and ASNs, typically internet service providers or ISPs, that are monitored. You can also opt to set a limit for the maximum number of city-networks to monitor for your application resources, to help control your bill. For more information, see [Choose a city-networks maximum limit](IMCityNetworksMaximum.md).

Finally, you can choose if you want to publish all internet measurements for your application to Amazon S3. Internet measurements for the top 500 city-networks (by traffic volume) are automatically published to CloudWatch Logs by Internet Monitor, but you can choose to publish all measurements to S3 as well.

To create a monitor with the AWS CLI, you use the `create-monitor` command. The following command creates a monitor that monitors 100% of traffic but sets a maximum city-networks limit of 10,000, adds a VPC resource, and opts to publish internet measurements to Amazon S3.

**Note**  
Internet Monitor publishes internet measurements to CloudWatch Logs every five minutes for the top 500 city-networks (client locations and ASNs, typically internet service providers or ISPs) that send traffic to each monitor. Optionally, you can choose to publish internet measurements for all monitored city-networks (up to the 500,000 city-networks service limit) to an Amazon S3 bucket. For more information, see [Publish internet measurements to Amazon S3 in Internet Monitor](CloudWatch-IM-get-started.Publish-to-S3.md).

```
aws internetmonitor create-monitor --monitor-name "TestMonitor" \
				--traffic-percentage-to-monitor 100 \
				--max-city-networks-to-monitor 10000 \
				--resources "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-11223344556677889" \
				--internet-measurements-log-delivery S3Config="{BucketName=amzn-s3-demo-bucket,LogDeliveryStatus=ENABLED}"
```

```
{
    "Arn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor",
    "Status": "ACTIVE"
}
```

**Note**  
You can't change the name of a monitor.

## View monitor details
<a name="CloudWatch-IM-get-started-CLI-mon-details"></a>

To view information about a monitor with the AWS CLI, you use the `get-monitor` command.

```
aws internetmonitor get-monitor --monitor-name "TestMonitor"
```

```
{
    "ClientLocationType": "city",
    "CreatedAt": "2022-09-22T19:27:47Z",
    "ModifiedAt": "2022-09-22T19:28:30Z",
    "MonitorArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor",
    "MonitorName": "TestMonitor",
    "ProcessingStatus": "OK",
    "ProcessingStatusInfo": "The monitor is actively processing data",
    "Resources": [
        "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-11223344556677889"
    ],
    "MaxCityNetworksToMonitor": 10000,
    "Status": "ACTIVE"
}
```

## List health events
<a name="CloudWatch-IM-get-started-CLI-list-events"></a>

When performance degrades for your application's internet traffic, Internet Monitor creates health events in your monitor. To see a list of current health events with the AWS CLI, use the `list-health-events` command.

```
aws internetmonitor list-health-events --monitor-name "TestMonitor"
```

```
{
    "HealthEvents": [
        {
            "EventId": "2022-06-20T01-05-05Z/latency", 
            "Status": "RESOLVED", 
            "EndedAt": "2022-06-20T01:15:14Z", 
            "ServiceLocations": [
                {
                    "Name": "us-east-1"
                }
            ], 
            "PercentOfTotalTrafficImpacted": 1.21, 
            "ClientLocations": [
                {
                    "City": "Lockport", 
                    "PercentOfClientLocationImpacted": 60.370000000000005, 
                    "PercentOfTotalTraffic": 2.01, 
                    "Country": "United States", 
                    "Longitude": -78.6913, 
                    "AutonomousSystemNumber": 26101, 
                    "Latitude": 43.1721, 
                    "Subdivision": "New York", 
                    "NetworkName": "YAHOO-BF1"
                }
            ], 
            "StartedAt": "2022-06-20T01:05:05Z", 
            "ImpactType": "PERFORMANCE", 
            "EventArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor/health-event/2022-06-20T01-05-05Z/latency"
        }, 
        {
            "EventId": "2022-06-20T01-17-56Z/latency", 
            "Status": "RESOLVED", 
            "EndedAt": "2022-06-20T01:30:23Z", 
            "ServiceLocations": [
                {
                    "Name": "us-east-1"
                }
            ], 
            "PercentOfTotalTrafficImpacted": 1.29, 
            "ClientLocations": [
                {
                    "City": "Toronto", 
                    "PercentOfClientLocationImpacted": 75.32, 
                    "PercentOfTotalTraffic": 1.05, 
                    "Country": "Canada", 
                    "Longitude": -79.3623, 
                    "AutonomousSystemNumber": 14061, 
                    "Latitude": 43.6547, 
                    "Subdivision": "Ontario", 
                    "CausedBy": {
                        "Status": "ACTIVE", 
                        "Networks": [
                            {
                                "AutonomousSystemNumber": 16509, 
                                "NetworkName": "Amazon.com"
                            }
                        ], 
                        "NetworkEventType": "AWS"
                    }, 
                    "NetworkName": "DIGITALOCEAN-ASN"
                }, 
                {
                    "City": "Lockport", 
                    "PercentOfClientLocationImpacted": 22.91, 
                    "PercentOfTotalTraffic": 2.01, 
                    "Country": "United States", 
                    "Longitude": -78.6913, 
                    "AutonomousSystemNumber": 26101, 
                    "Latitude": 43.1721, 
                    "Subdivision": "New York", 
                    "NetworkName": "YAHOO-BF1"
                }, 
                {
                    "City": "Hangzhou", 
                    "PercentOfClientLocationImpacted": 2.88, 
                    "PercentOfTotalTraffic": 0.7799999999999999, 
                    "Country": "China", 
                    "Longitude": 120.1612, 
                    "AutonomousSystemNumber": 37963, 
                    "Latitude": 30.2994, 
                    "Subdivision": "Zhejiang", 
                    "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd."
                }
            ], 
            "StartedAt": "2022-06-20T01:17:56Z", 
            "ImpactType": "PERFORMANCE", 
            "EventArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor/health-event/2022-06-20T01-17-56Z/latency"
        }, 
        {
            "EventId": "2022-06-20T01-34-20Z/latency", 
            "Status": "RESOLVED", 
            "EndedAt": "2022-06-20T01:35:04Z", 
            "ServiceLocations": [
                {
                    "Name": "us-east-1"
                }
            ], 
            "PercentOfTotalTrafficImpacted": 1.15, 
            "ClientLocations": [
                {
                    "City": "Lockport", 
                    "PercentOfClientLocationImpacted": 39.45, 
                    "PercentOfTotalTraffic": 2.01, 
                    "Country": "United States", 
                    "Longitude": -78.6913, 
                    "AutonomousSystemNumber": 26101, 
                    "Latitude": 43.1721, 
                    "Subdivision": "New York", 
                    "NetworkName": "YAHOO-BF1"
                }, 
                {
                    "City": "Toronto", 
                    "PercentOfClientLocationImpacted": 29.770000000000003, 
                    "PercentOfTotalTraffic": 1.05, 
                    "Country": "Canada", 
                    "Longitude": -79.3623, 
                    "AutonomousSystemNumber": 14061, 
                    "Latitude": 43.6547, 
                    "Subdivision": "Ontario", 
                    "CausedBy": {
                        "Status": "ACTIVE", 
                        "Networks": [
                            {
                                "AutonomousSystemNumber": 16509, 
                                "NetworkName": "Amazon.com"
                            }
                        ], 
                        "NetworkEventType": "AWS"
                    }, 
                    "NetworkName": "DIGITALOCEAN-ASN"
                },
                {
                    "City": "Hangzhou", 
                    "PercentOfClientLocationImpacted": 2.88, 
                    "PercentOfTotalTraffic": 0.7799999999999999, 
                    "Country": "China", 
                    "Longitude": 120.1612, 
                    "AutonomousSystemNumber": 37963, 
                    "Latitude": 30.2994, 
                    "Subdivision": "Zhejiang", 
                    "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd."
                }
            ], 
            "StartedAt": "2022-06-20T01:34:20Z", 
            "ImpactType": "PERFORMANCE", 
            "EventArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor/health-event/2022-06-20T01-34-20Z/latency"
        }
    ]
}
```
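When a monitor returns many health events, it helps to group them by client network and by cause. The following Python sketch is an added example, not part of the Internet Monitor documentation: it flattens `list-health-events` output into one row per client location, ranks client ASNs by how often they recur across events, and lists the events where `CausedBy` names the AWS network. The function names and the `UNATTRIBUTED` label are hypothetical, and the sample is constructed from the output above, trimmed to the fields used.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the list-health-events output shown above, trimmed to the
# fields used here, with long floats rounded.
SAMPLE = json.loads("""
{"HealthEvents": [
 {"EventId": "2022-06-20T01-05-05Z/latency", "ImpactType": "PERFORMANCE",
  "StartedAt": "2022-06-20T01:05:05Z", "EndedAt": "2022-06-20T01:15:14Z",
  "ClientLocations": [
   {"City": "Lockport", "AutonomousSystemNumber": 26101, "NetworkName": "YAHOO-BF1",
    "PercentOfClientLocationImpacted": 60.37}]},
 {"EventId": "2022-06-20T01-17-56Z/latency", "ImpactType": "PERFORMANCE",
  "StartedAt": "2022-06-20T01:17:56Z", "EndedAt": "2022-06-20T01:30:23Z",
  "ClientLocations": [
   {"City": "Toronto", "AutonomousSystemNumber": 14061, "NetworkName": "DIGITALOCEAN-ASN",
    "PercentOfClientLocationImpacted": 75.32,
    "CausedBy": {"Status": "ACTIVE", "NetworkEventType": "AWS",
     "Networks": [{"AutonomousSystemNumber": 16509, "NetworkName": "Amazon.com"}]}},
   {"City": "Lockport", "AutonomousSystemNumber": 26101, "NetworkName": "YAHOO-BF1",
    "PercentOfClientLocationImpacted": 22.91},
   {"City": "Hangzhou", "AutonomousSystemNumber": 37963,
    "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd.",
    "PercentOfClientLocationImpacted": 2.88}]},
 {"EventId": "2022-06-20T01-34-20Z/latency", "ImpactType": "PERFORMANCE",
  "StartedAt": "2022-06-20T01:34:20Z", "EndedAt": "2022-06-20T01:35:04Z",
  "ClientLocations": [
   {"City": "Lockport", "AutonomousSystemNumber": 26101, "NetworkName": "YAHOO-BF1",
    "PercentOfClientLocationImpacted": 39.45},
   {"City": "Toronto", "AutonomousSystemNumber": 14061, "NetworkName": "DIGITALOCEAN-ASN",
    "PercentOfClientLocationImpacted": 29.77,
    "CausedBy": {"Status": "ACTIVE", "NetworkEventType": "AWS",
     "Networks": [{"AutonomousSystemNumber": 16509, "NetworkName": "Amazon.com"}]}},
   {"City": "Hangzhou", "AutonomousSystemNumber": 37963,
    "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd.",
    "PercentOfClientLocationImpacted": 2.88}]}
]}
""")


def _ts(value):
    """Parse the UTC timestamps used in health events (e.g. 2022-06-20T01:05:05Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flatten(response):
    """Return one row per (health event, client location)."""
    rows = []
    for ev in response.get("HealthEvents", []):
        # An event that is still active has no EndedAt, so it has no duration yet.
        ended = ev.get("EndedAt")
        duration = (_ts(ended) - _ts(ev["StartedAt"])).total_seconds() if ended else None
        for loc in ev.get("ClientLocations", []):
            cause = loc.get("CausedBy") or {}
            rows.append({
                "event_id": ev["EventId"],
                "duration_s": duration,
                "city": loc.get("City"),
                "asn": loc.get("AutonomousSystemNumber"),
                "network": loc.get("NetworkName"),
                "impacted_pct": loc.get("PercentOfClientLocationImpacted") or 0.0,
                # "UNATTRIBUTED" is this example's label for a missing CausedBy.
                "cause_type": cause.get("NetworkEventType", "UNATTRIBUTED"),
                "cause_asns": [n.get("AutonomousSystemNumber") for n in cause.get("Networks", [])],
            })
    return rows


def by_client_asn(rows):
    """Rank client ASNs by how many events they appear in, then by worst local impact."""
    agg = {}
    for r in rows:
        a = agg.setdefault(r["asn"], {"asn": r["asn"], "network": r["network"],
                                      "events": set(), "worst_impacted_pct": 0.0})
        a["events"].add(r["event_id"])
        a["worst_impacted_pct"] = max(a["worst_impacted_pct"], r["impacted_pct"])
    ranked = [{"asn": a["asn"], "network": a["network"], "event_count": len(a["events"]),
               "worst_impacted_pct": a["worst_impacted_pct"]} for a in agg.values()]
    return sorted(ranked, key=lambda a: (-a["event_count"], -a["worst_impacted_pct"]))


def aws_attributed(rows):
    """Event IDs in which at least one client location names the AWS network as the cause."""
    return sorted({r["event_id"] for r in rows if r["cause_type"] == "AWS"})


if __name__ == "__main__":
    rows = flatten(SAMPLE)
    for entry in by_client_asn(rows):
        print(entry)
    print("AWS-attributed events:", aws_attributed(rows))
```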

## View specific health event
<a name="CloudWatch-IM-get-started-CLI-view-event-specific"></a>

To see more detailed information about a specific health event with the CLI, run the `get-health-event` command with your monitor name and a health event ID.

```
aws internetmonitor get-health-event --monitor-name "TestMonitor" --event-id "health-event/TestMonitor/2021-06-03T01:02:03Z/latency"
```

```
{
    "EventId": "2022-06-20T01-34-20Z/latency", 
    "Status": "RESOLVED", 
    "EndedAt": "2022-06-20T01:35:04Z", 
    "ServiceLocations": [
        {
            "Name": "us-east-1"
        }
    ], 
    "EventArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor/health-event/2022-06-20T01-34-20Z/latency", 
    "LastUpdatedAt": "2022-06-20T01:35:04Z", 
    "ClientLocations": [
        {
            "City": "Lockport", 
            "PercentOfClientLocationImpacted": 39.45, 
            "PercentOfTotalTraffic": 2.01, 
            "Country": "United States", 
            "Longitude": -78.6913, 
            "AutonomousSystemNumber": 26101, 
            "Latitude": 43.1721, 
            "Subdivision": "New York", 
            "NetworkName": "YAHOO-BF1"
        }, 
        {
            "City": "Toronto", 
            "PercentOfClientLocationImpacted": 29.770000000000003, 
            "PercentOfTotalTraffic": 1.05, 
            "Country": "Canada", 
            "Longitude": -79.3623, 
            "AutonomousSystemNumber": 14061, 
            "Latitude": 43.6547, 
            "Subdivision": "Ontario", 
            "CausedBy": {
                "Status": "ACTIVE", 
                "Networks": [
                    {
                        "AutonomousSystemNumber": 16509, 
                        "NetworkName": "Amazon.com"
                    }
                ], 
                "NetworkEventType": "AWS"
            }, 
            "NetworkName": "DIGITALOCEAN-ASN"
        }, 
        {
            "City": "Shenzhen", 
            "PercentOfClientLocationImpacted": 4.07, 
            "PercentOfTotalTraffic": 0.61, 
            "Country": "China", 
            "Longitude": 114.0683, 
            "AutonomousSystemNumber": 37963, 
            "Latitude": 22.5455, 
            "Subdivision": "Guangdong", 
            "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd."
        }, 
        {
            "City": "Hangzhou", 
            "PercentOfClientLocationImpacted": 2.88, 
            "PercentOfTotalTraffic": 0.7799999999999999, 
            "Country": "China", 
            "Longitude": 120.1612, 
            "AutonomousSystemNumber": 37963, 
            "Latitude": 30.2994, 
            "Subdivision": "Zhejiang", 
            "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd."
        }
    ], 
    "StartedAt": "2022-06-20T01:34:20Z", 
    "ImpactType": "PERFORMANCE", 
    "PercentOfTotalTrafficImpacted": 1.15
}
```
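To triage a response like the one above, the following added example (not part of the AWS documentation) ranks the affected city-networks and groups their impact by attributed cause. It assumes that a location's share of impacted traffic is `PercentOfTotalTraffic` × `PercentOfClientLocationImpacted` / 100, a reading that is consistent with the `PercentOfTotalTrafficImpacted` value in the sample; the function names are chosen here.

```python
import json
from datetime import datetime

# Constructed sample: the get-health-event response shown above, trimmed to
# the fields this example reads.
SAMPLE_EVENT = json.loads("""
{
  "EventId": "2022-06-20T01-34-20Z/latency",
  "Status": "RESOLVED",
  "StartedAt": "2022-06-20T01:34:20Z",
  "EndedAt": "2022-06-20T01:35:04Z",
  "ImpactType": "PERFORMANCE",
  "PercentOfTotalTrafficImpacted": 1.15,
  "ClientLocations": [
    {"City": "Lockport", "AutonomousSystemNumber": 26101,
     "NetworkName": "YAHOO-BF1",
     "PercentOfClientLocationImpacted": 39.45, "PercentOfTotalTraffic": 2.01},
    {"City": "Toronto", "AutonomousSystemNumber": 14061,
     "NetworkName": "DIGITALOCEAN-ASN",
     "PercentOfClientLocationImpacted": 29.770000000000003,
     "PercentOfTotalTraffic": 1.05,
     "CausedBy": {"Status": "ACTIVE", "NetworkEventType": "AWS",
                  "Networks": [{"AutonomousSystemNumber": 16509,
                                "NetworkName": "Amazon.com"}]}},
    {"City": "Shenzhen", "AutonomousSystemNumber": 37963,
     "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd.",
     "PercentOfClientLocationImpacted": 4.07, "PercentOfTotalTraffic": 0.61},
    {"City": "Hangzhou", "AutonomousSystemNumber": 37963,
     "NetworkName": "Hangzhou Alibaba Advertising Co.,Ltd.",
     "PercentOfClientLocationImpacted": 2.88,
     "PercentOfTotalTraffic": 0.7799999999999999}
  ]
}
""")

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def impacted_share(location):
    """Percent of total application traffic impacted at one city-network.

    Assumption of this example: traffic share times the impacted fraction
    of that location.
    """
    return (location["PercentOfTotalTraffic"]
            * location["PercentOfClientLocationImpacted"] / 100.0)


def cause_label(location):
    """Describe the CausedBy block, or 'unattributed' when it is absent."""
    caused_by = location.get("CausedBy")
    if not caused_by:
        return "unattributed"
    networks = ", ".join(
        f"AS{n['AutonomousSystemNumber']} {n['NetworkName']}"
        for n in caused_by.get("Networks", []))
    return f"{caused_by.get('NetworkEventType', 'unknown')} ({networks})"


def triage(event):
    """Rank impacted locations and total their impact per attributed cause."""
    rows, by_cause = [], {}
    for loc in event.get("ClientLocations", []):
        share = impacted_share(loc)
        cause = cause_label(loc)
        rows.append({"city": loc["City"],
                     "client_asn": loc["AutonomousSystemNumber"],
                     "cause": cause,
                     "impacted_share": round(share, 3)})
        by_cause[cause] = by_cause.get(cause, 0.0) + share
    rows.sort(key=lambda r: r["impacted_share"], reverse=True)

    # An event that is still active has no EndedAt, so it has no duration yet.
    duration = None
    if event.get("EndedAt"):
        started = datetime.strptime(event["StartedAt"], TS_FORMAT)
        ended = datetime.strptime(event["EndedAt"], TS_FORMAT)
        duration = int((ended - started).total_seconds())

    total = sum(by_cause.values())
    reported = event.get("PercentOfTotalTrafficImpacted")
    return {
        "event_id": event["EventId"],
        "impact_type": event["ImpactType"],
        "duration_seconds": duration,
        "locations": rows,
        "by_cause": {k: round(v, 3) for k, v in by_cause.items()},
        "computed_total": round(total, 2),
        # Cross-check the per-location sum against the reported event total.
        "matches_reported": (None if reported is None
                             else abs(total - reported) < 0.01),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```
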

## View monitor list
<a name="CloudWatch-IM-get-started-CLI-monitor-list"></a>

To see a list of all monitors in your account with the CLI, run the `list-monitors` command.

```
aws internetmonitor list-monitors
```

```
{
    "Monitors": [
        {
            "MonitorName": "TestMonitor",
            "ProcessingStatus": "OK",
            "Status": "ACTIVE"
        }
    ],
    "NextToken": " zase12"
}
```

## Edit monitor
<a name="CloudWatch-IM-get-started-CLI-edit-monitor"></a>

To update information about your monitor by using the CLI, use the `update-monitor` command and specify the name of the monitor to update. For example, you can update the percentage of traffic to monitor, the limit of the maximum number of city-networks to monitor, add or remove the resources that Internet Monitor uses to monitor traffic, and change the monitor status from `ACTIVE` to `INACTIVE`, or vice versa. Note that you can't change the name of the monitor.

The response for an `update-monitor` call returns just the `MonitorArn` and the `Status`.

The following example shows how to use the `update-monitor` command to change the maximum number of city-networks to monitor to `50000`:

```
aws internetmonitor update-monitor --monitor-name "TestMonitor" --max-city-networks-to-monitor 50000
```

```
{
    "MonitorArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor",
    "Status": "ACTIVE"
}
```

The following example shows how to add and remove resources:

```
aws internetmonitor update-monitor --monitor-name "TestMonitor" \
				--resources-to-add "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-11223344556677889" \
				--resources-to-remove "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-2222444455556666"
```

```
{
    "MonitorArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor",
    "Status": "ACTIVE"
}
```

The following example shows how to use the `update-monitor` command to change the monitor status to `INACTIVE`:

```
aws internetmonitor update-monitor --monitor-name "TestMonitor" --status "INACTIVE"
```

```
{
    "MonitorArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/TestMonitor",
    "Status": "INACTIVE"
}
```

## Delete monitor
<a name="CloudWatch-IM-get-started-CLI-delete-monitor"></a>

You can delete a monitor with the CLI by using the `delete-monitor` command. First, you must set the monitor to be inactive. To do that, use the `update-monitor` command to change the status to `INACTIVE`. Confirm that the monitor is inactive by using the `get-monitor` command and checking the status.

When the monitor status is `INACTIVE`, then you can use the CLI to run the `delete-monitor` command to delete the monitor. The response for a successful `delete-monitor` call is empty.

```
aws internetmonitor delete-monitor --monitor-name "TestMonitor"
```

```
{}
```
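The deactivate, confirm, delete sequence described above, as an added Python example (not from the AWS documentation). It assumes boto3's `internetmonitor` client, whose `update_monitor`, `get_monitor`, and `delete_monitor` calls correspond to the CLI commands; `deactivate_and_delete` and its timeout parameters are names chosen here.

```python
import time


def deactivate_and_delete(client, monitor_name, timeout_s=120, poll_s=5,
                          sleep=time.sleep):
    """Set a monitor INACTIVE, confirm the status, then delete it.

    client: a boto3 "internetmonitor" client, or any object exposing the same
            get_monitor / update_monitor / delete_monitor methods.
    Returns the list of statuses observed before the delete call.
    Raises TimeoutError, without deleting, if the monitor never reports
    INACTIVE within timeout_s seconds.
    """
    status = client.get_monitor(MonitorName=monitor_name)["Status"]
    seen = [status]

    # Step 1: request the status change only if it is still needed.
    if status != "INACTIVE":
        client.update_monitor(MonitorName=monitor_name, Status="INACTIVE")

    # Step 2: confirm with get_monitor, as the procedure above requires.
    waited = 0
    while status != "INACTIVE":
        if waited >= timeout_s:
            raise TimeoutError(
                f"{monitor_name} is still {status} after {waited}s; "
                "not deleting")
        sleep(poll_s)
        waited += poll_s
        status = client.get_monitor(MonitorName=monitor_name)["Status"]
        seen.append(status)

    # Step 3: delete only after INACTIVE has been observed.
    client.delete_monitor(MonitorName=monitor_name)
    return seen


if __name__ == "__main__":
    import sys
    import boto3  # assumption: boto3 is installed and credentials are set

    im = boto3.client("internetmonitor")
    print(deactivate_and_delete(im, sys.argv[1]))
```
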

# Monitor and optimize with the Internet Monitor dashboard
<a name="CloudWatch-IM-monitor-and-optimize"></a>

Using the Internet Monitor dashboard in the AWS Management Console, you can visualize data and get insights and suggestions about your AWS application's internet traffic, and configure options for your monitor.

After you create a monitor to monitor your application's internet performance and availability, Internet Monitor stores internet measurements for pairs of your client locations and ASNs, or *city-networks*. Internet Monitor also creates aggregated CloudWatch metrics for traffic to your application, and to each AWS Region and edge location. You can filter, explore, and get action-oriented suggestions from your monitor's information in several different ways. The Internet Monitor dashboard guides you through viewing and getting insights about the data for your monitored traffic.

To get started, on the CloudWatch console, under **Network Monitoring**, choose **Internet monitors**. Then, select a monitor to work with.

**Note**  
This section primarily describes how to filter and view Internet Monitor metrics using the AWS Management Console. Alternatively, you can use Internet Monitor API operations with the AWS CLI or an SDK to work directly with Internet Monitor events stored in CloudWatch Logs files. For more information, see [Using your monitor and measurements information](IMWhyCreateMonitor.md#IMAccessIMInformation). For more information about using API operations, see [Examples of using the CLI with Internet Monitor](CloudWatch-IM-get-started-CLI.md) and the [Internet Monitor API Reference](https://docs.aws.amazon.com/internet-monitor/latest/api/Welcome.html).

There are five pages (tabs) in the Internet Monitor dashboard:
+ On the **Overview** page, you can get an overall view of your monitored traffic, including current performance and availability information, a summary of recent and current health events, and the top suggestion for potentially improving performance for your clients.
+ On the **Health events** page, you can see current and historical health events that currently impact, or previously impacted, locations where clients access your application.
+ On the **Analyze** page, you can view information about top monitored traffic in client locations (by traffic volume), summarized in several customizable ways. You can also see historical trends for health scores and metrics. You can filter by location, ASN, date, and so on, and visualize metrics for your internet traffic over time.
+ On the **Optimize** page, Internet Monitor predicts your application's performance improvement for top AWS Regions (or Amazon CloudFront), based on your traffic patterns and past performance. For each top configuration, associated tables provide a breakdown of reduced latency by client location. On a second page, you can select multiple Regions (and, if you like, include CloudFront configurations) to compare latency reductions. For each configuration (Region) that you selected, the page displays an associated table of latency details, listed by city location.
+ On the **Configure** page, you can see monitor details and configure options, such as the percentage of traffic to monitor.

In addition to these dashboard options, you can use tools for deeper dives into details of the metrics that Internet Monitor collects with your monitor. Internet Monitor generates and publishes log files with the measurements about your traffic, so you can use other CloudWatch tools in the console to further visualize the data published by Internet Monitor, including CloudWatch Contributor Insights, CloudWatch Metrics, and CloudWatch Logs Insights. For more information, see [Exploring your data with CloudWatch tools and the Internet Monitor query interface](CloudWatch-IM-view-cw-tools.md).

Learn about using Internet Monitor to explore your performance and availability measurements in the following sections.

**Topics**
+ [Track real-time performance and availability in Internet Monitor (Overview page)](CloudWatch-IM-overview.md)
+ [View health events and metrics in Internet Monitor (Health events page)](CloudWatch-IM-Health-events.md)
+ [Analyze historical data in Internet Monitor (Analyze page)](CloudWatch-IM-historical-explorer.md)
+ [Get suggestions to optimize application performance in Internet Monitor (Optimize page)](CloudWatch-IM-insights.md)
+ [Monitoring details in Internet Monitor (Configure page)](CloudWatch-IM-configure.md)

# Track real-time performance and availability in Internet Monitor (Overview page)
<a name="CloudWatch-IM-overview"></a>

The **Overview** page in the Internet Monitor console shows you a high-level view of performance and availability for the traffic that your monitor tracks, and a timeline of when health events have impacted your monitored traffic. The page also provides the top suggestion for a configuration change that could reduce latency for clients who use your application in your top client location (by traffic volume).

**Traffic overview and Status**  
The **Traffic overview** section provides an overall look at your application's availability and performance. Note that this section shows *aggregated* overall performance and availability scores that consider all of the traffic for applications towards all end users and service locations. You can see health scores for specific client locations and service locations by searching and filtering measurements information on the **Analyze** tab.  
Under **Status**, you can see whether your monitor is actively creating data or is waiting for data to be available. You can also see the percentage of your application's traffic that you're monitoring. If you want to change the percentage, see the **Configure** page.  
Internet Monitor uses a statistical process to create availability and performance scores for your monitored traffic. AWS has substantial historical data about internet performance and availability for network traffic between geographic locations for different ASNs and AWS services. Internet Monitor uses the connectivity data that AWS has captured from its global networking footprint to calculate a baseline of availability and performance for internet traffic. This is the same data that we use at AWS to monitor our own internet uptime and availability.  
With those measurements as a baseline, Internet Monitor can detect when the performance and availability for your application has dropped, compared to the baseline. To make it easier to see those drops, we report that information to you as a performance score and an availability score.  
For more information, see [How AWS calculates performance and availability scores](CloudWatch-IM-inside-internet-monitor.md#IMExperienceScores).

**Health events timeline**  
The **Health events timeline** graph displays health events that have occurred during the past 24 hours. A summary below the graph shows your application's current and recent impact. For details, you can choose **See more health events**.  
To change the thresholds for health events, go to the **Configure** page.

**Reduce latency for your top Region**  
Internet Monitor automatically evaluates the AWS Region that your current application configuration uses most (that is, the Region with the highest client volume), and determines if another Region could provide a better aggregate time to first byte (TTFB) for your clients.   
Note that because this is the aggregate TTFB, if you move traffic from one Region to another, TTFB for most locations is expected to improve but clients in some Regions could see no change or reduced performance.  
To explore more latency improvement suggestions, including details at more granular levels (such as by client location), see the **Optimize** page.

# View health events and metrics in Internet Monitor (Health events page)
<a name="CloudWatch-IM-Health-events"></a>

The **Health events** page in the Internet Monitor console provides a map of health events that impact the client locations and ASNs for your application. You can click circles on the map for more details about an event. The **Health events** table lists locations that have been impacted by an event, and specifics about the impact.

**Internet traffic overview**  
The **Internet traffic overview** map shows you the internet traffic and health events that are specific to the locations and ASNs that your clients access your application from. The countries that are gray on the map are those that include traffic for your application.   
Each circle on the map indicates a health event in an area, for a time period that you select. Internet Monitor creates health events when it detects a problem, at a specific (but customizable) threshold, with connectivity between one of your resources hosted in AWS and a city-network where a client is accessing your application.  
Choose a circle on the map to display more details about the health event for that location. In addition, for clusters that have health events, you can see detailed information in the **Health events** table below the map.  
Note that Internet Monitor creates health events in a monitor when it determines that an event has significant impact on your application. The map is blank if there aren't any health events that exceed the threshold for impact on traffic for your client locations in the time period that you've selected. For more information, see [When Internet Monitor creates and resolves health events](CloudWatch-IM-inside-internet-monitor.md#IMHealthEventStartStop).

**Health events**  
The **Health events** table lists client locations that have been affected by health events, along with information about the events. The following columns are included in the table.      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-Health-events.html)
If you choose one of the client locations in the **Health events** table, you can see more details about the health event at that location. For example, you can see when the event started, when it ended, and the local traffic impact.

**Network path visualization**  
If Internet Monitor has finished impairment analysis for an event, you can view **Network path visualization** to see the full network path for traffic to a client location. The full path shows you each node along the network path for your application for the health event, between the AWS location and the client, for a client-location pair.  
When Internet Monitor has determined the cause of an impairment, Internet Monitor adds a dashed red circle around the node. Impairments can be caused by ASNs, typically internet service providers (ISPs), or the cause can be AWS. If there were multiple causes for an impairment, multiple nodes are circled.

# Analyze historical data in Internet Monitor (Analyze page)
<a name="CloudWatch-IM-historical-explorer"></a>

On the **Analyze** page in the Internet Monitor console, you can view your application's top client locations for the traffic that you monitor, by traffic volume. You can also view graphs showing performance and availability scores for your traffic over time, as well as graphs of other internet traffic metrics for your application's monitored traffic.

To start exploring Internet Monitor data for your application traffic, select a time period. Then, choose a specific geographical location, such as a city, and (optionally) other filters. Internet Monitor applies the filters to your data, and then you can see graphs of the data that show measurements for your application. The graphs included on the **Analyze** page include your application's performance score, availability score, monitored bytes transferred (for VPCs, Network Load Balancers, and CloudFront distributions) or client connection counts (for WorkSpaces directories), and round-trip time (RTT) for your application over time.

The options at the top of the **Analyze** page determine the timeframe and types of traffic shown in the graphs on the page. You can filter by client locations or ASN, or choose to show traffic graphs at a specific granularity (the default is city level).

**Top client locations**  
The **Top client locations** graph displays your top monitored traffic locations, by default. You can choose another field to sort the graph by, or you can sort the graph in other ways, for example, by lowest traffic locations.   
The filters that you choose for the page determine the Regions, timeframe, and so on for the locations.

**Traffic health scores**  
This section shows you graphs of traffic health scores and metrics for your monitored traffic. These graphs reflect data for the filters that you choose at the top of the page.  
The **Traffic health scores** graph shows you performance and availability information for your local and overall traffic by calling out health events that have impacted your monitored client traffic. AWS has substantial historical data about internet performance and availability for network traffic between geographic locations for different ASNs and AWS services. Internet Monitor uses the connectivity data that AWS has captured from its global networking footprint to calculate a baseline of performance and availability for internet traffic. This is the same data that we use at AWS to monitor our own internet uptime and availability.  
With those measurements as a baseline, Internet Monitor can detect when the performance and availability for your application has dropped, compared to the baseline. To make it easier to see those drops, we report that information to you as a performance score and an availability score. For more information, see [How AWS calculates performance and availability scores](CloudWatch-IM-inside-internet-monitor.md#IMExperienceScores).  
Additional graphs show the monitored bytes transferred (for VPCs, Network Load Balancers, and CloudFront distributions) or client connection counts (for WorkSpaces directories), and round-trip time (RTT) for your application traffic.   
Note that when round-trip time (RTT) is aggregated across end-user locations, the value is weighted by the amount of your traffic that is driven by each client location. For example, with two client locations, one serving 90% of traffic with a 5 ms RTT, and the other serving 10% of traffic with a 10 ms RTT, the result is an aggregated RTT of 5.5 ms (which comes from 5 ms \* 0.9 + 10 ms \* 0.1).

You can also explore the internet measurements that Internet Monitor stores for your monitored traffic by using CloudWatch tools or other methods. For more information, see [Exploring your data with CloudWatch tools and the Internet Monitor query interface](CloudWatch-IM-view-cw-tools.md). In addition, you can create CloudWatch alarms based on Internet Monitor data, for example, to notify you of health events. For more information, see [Create alarms with Internet Monitor](CloudWatch-IM-create-alarm.md).

# Get suggestions to optimize application performance in Internet Monitor (Optimize page)
<a name="CloudWatch-IM-insights"></a>

Use the **Optimize** page in the Internet Monitor console to get suggestions for how to optimize application performance for your clients. Internet Monitor evaluates your monitored application traffic, and determines if you can reduce latency by changing the AWS Regions that you've configured for your application. Optionally, you can also view latency changes if you choose to include Amazon CloudFront in the suggestions. 

You can review suggestions for your application's top Regions by traffic volume, or for top client locations, also by traffic volume.

**Suggestions to reduce latency for top Regions**  
To help you quickly understand your best options for reducing latency for your clients, Internet Monitor automatically provides suggestions for improving latency in your application for your top Regions (by traffic volume).   
You can also explore configuration changes for all the Regions where your application serves clients. This includes getting details about each suggested change at deeper levels of granularity, for example, by specific client location. To explore all Regional configurations and expected latency changes for your application, choose **Optimization suggestions for all Regions**.

**Suggestions to reduce latency for all Regions**  
To explore suggestions for reducing latency for all Regions where clients access your application, choose **Optimization suggestions for all Regions** to open a new dashboard page. On this page, you can select different Regions to configure, with the option of including CloudFront as a configuration comparison, and then compare the times to first byte (TTFBs) for each selected configuration.  
Then, for each comparison, you can also see a table with details at a more granular level (by client location), including the average expected TTFB for each one.

**Suggestions to reduce latency for top locations**  
Internet Monitor also provides suggestions for reducing application latency for your clients by specific location. When the table lists multiple suggestions for the same location, expand the city location for that row to see details.  
Be aware that if you change a configuration to use a different Region or to use CloudFront, latency improvements can vary by client location. For example, latency might improve for some locations, but stay the same or worsen for others.

**Suggestions to reduce latency by updating routing configurations**  
Note: These suggestions are only relevant for application traffic to Regional load balancers. The table is not shown for monitors that you create for CloudFront distributions or WorkSpaces resources.  
With Internet Monitor, you can view information about latency toward AWS locations for IPv4 IP prefixes that access your application using different DNS resolvers (typically ISPs). Using this information, you can take steps to reduce latency for specific groups of users by routing a set of IP address prefixes, specified by a CIDR collection, to your endpoints in a Region that results in lower latency for your users. If you don't already have a CIDR collection for the prefixes, you can go to Amazon Route 53 to create one. Then, you can update your routing in Route 53 to route IP addresses in the collection to a specific Region.  
If you want to create a CIDR collection for a set of IP address prefixes, you can easily do so by selecting a row or rows that includes the IP prefixes that you want, and then choosing **Add to CIDR collection**. Then, in the Route 53 console, you can configure a routing policy that routes IP addresses in the collection to the Region with lower latency for your application.  
To learn more about IP-based routing in Route 53, see [IP-based routing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-ipbased.html).

By viewing the suggestions on this page, you can start planning configurations and deployments that can improve performance for your clients. Note that you might see a dash (-) instead of a value in a column, when data is not available to display.

For more information about TTFB calculations, see [AWS calculations for TTFB and latency](CloudWatch-IM-inside-internet-monitor.md#IMCalculateTTFB). To review a specific example of how to improve performance, see [Using Internet Monitor for a Better Gaming Experience](https://aws.amazon.com/blogs/gametech/using-cloudwatch-internet-monitor-for-a-better-gaming-experience/).

# Monitoring details in Internet Monitor (Configure page)
<a name="CloudWatch-IM-configure"></a>

On the **Configure** page, you can see details about your monitor, including a list of resources that you monitor traffic for and the thresholds for when health events are triggered. You can also explore and compare values for the traffic percentage for your monitor, and its impact on how many city-networks are included for (monitored by) your monitor. Finally, you can view information about measurements that are published to an Amazon S3 bucket.

You can configure a monitor to change most options, such as the percentage of traffic to monitor. For more information, see [Configure your monitor](#IMUpdateMonitorConfig).

## Monitor details
<a name="CloudWatch-IM-configure-details"></a>

The **Monitor details** section includes basic information about your monitor, including the name, the percentage of traffic currently being monitored for your application, a city-networks maximum limit (if you've set one), and status information about the monitor.

The following explains the values that you might see for **Status** and **Status info** (data processing status).


| Status | Description | 
| --- | --- | 
|  Active  |  Monitor is created and active.  | 
|  Pending  |  Monitor is currently being created and is not yet active.  | 
|  Inactive  |  Monitor is created but has been set to inactive.  | 
|  Error  |  Monitor is in an error state.  | 


| Status details (Data processing status) | Description | 
| --- | --- | 
|  OK  |  Monitor is actively processing data.  | 
|  Inactive  |  Monitor is inactive and is not processing data.  | 
|  Collecting data  |  Monitor is actively collecting data.  | 
|  Insufficient data  |  Monitor is actively processing data, but there aren't enough datapoints to produce insights.  | 
|  Fault access CloudWatch  |  Monitor has encountered a problem delivering CloudWatch metrics data and log events.  | 

## Health event thresholds
<a name="CloudWatch-IM-configure-health-event-thresholds"></a>

In this section, you can see the current thresholds for health events that are configured for this monitor. If you haven't configured any custom thresholds, the values shown here are the default values. 

By default, health events are not triggered based on local thresholds. If local health event thresholds would be useful for your Internet Monitor scenario, you can enable the option and specify the thresholds to use.

You can learn more about how health event thresholds work, and review the potential impact of adding local thresholds or changing existing thresholds. For more information, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview).

## Traffic coverage
<a name="CloudWatch-IM-configure-traffic-coverage"></a>

In this section, you can explore options for the traffic coverage for your monitor. When you change the traffic percentage for a monitor, Internet Monitor monitors different amounts of application traffic. If you set a traffic percentage to less than 100% (100% is the default value), some portion of the city-networks that your clients use to access your application might not be monitored. By exploring the impact of different traffic percentage values, you can see how different values that you might set would impact your city-networks coverage.

The **Total monitored city-networks** graph shows you how many city-networks are currently monitored, and how many would be monitored if you set the traffic percentage to 100%. To view different traffic percentage values on the graph, select percentages in the drop-down menu.

After you explore the options, you can change the traffic percentage to monitor by choosing **Update monitoring coverage**.

If you want to set a maximum city-networks limit, at the top of the page, choose **Edit monitor**. Then, under **Advanced options**, set a maximum city-networks value.

## Configure your monitor
<a name="CloudWatch-IM-configure-updates"></a>

As on every page in the Internet Monitor dashboard, you can choose **Edit monitor** to change options for your monitor, including adding or removing resources. For details about how to update the following configuration options, see the provided links.

**View health event thresholds**  
In this section, you can see the current thresholds for health events that are configured for this monitor.  
To update health thresholds, see [Change health event thresholds](CloudWatch-IM-get-started.change-threshold.md#IMUpdateThresholdFromOverview).

**View and evaluate traffic coverage**  
In this section, you can compare the effect of changing the percentage of traffic that you monitor for your application on the number of city-networks that are included (for monitoring) when you choose different percentage values.  
You can also change the percentage of traffic that you monitor, or change the limit for the number of city-networks your monitor includes. To change the percentage of traffic, choose **Update monitoring coverage**.  
For detailed steps and information, see [Explore changing your application traffic percentage](IMTrafficPercentage.md#IMExploreTrafficPercentage).

**Configuration details for publishing internet measurements to Amazon S3**  
If you have configured Internet Monitor to publish internet measurements for your monitor to an Amazon S3 bucket, the information about your configuration is shown here.  
To configure this option, see [Publishing internet measurements to S3](CloudWatch-IM-get-started.Publish-to-S3.md#IMPublishToS3).

# Exploring your data with CloudWatch tools and the Internet Monitor query interface
<a name="CloudWatch-IM-view-cw-tools"></a>

In addition to visualizing your performance and availability for your application with the Internet Monitor dashboard, there are several methods that you can use to dive deeper into the data that Internet Monitor generates for you. These methods include using CloudWatch tools with Internet Monitor data stored in CloudWatch Log files and using the Internet Monitor query interface. The tools that you can use include CloudWatch Logs Insights, CloudWatch Metrics, CloudWatch Contributor Insights, and Amazon Athena. You can use some or all of these tools, as well as the dashboard, to explore Internet Monitor data, depending on your needs.

Internet Monitor aggregates CloudWatch metrics about traffic to your application and to each AWS Region, and includes data such as total traffic impact, availability, and round-trip time. This data is published to CloudWatch Logs and is also available to use with the Internet Monitor query interface. Details about geo-granularity and other aspects of the information available to explore for each one vary.

Internet Monitor publishes data for your monitor at 5 minute intervals, and then makes the data available in several ways. The following table lists scenarios for accessing Internet Monitor data, and describes features of the data that is collected for each one.


| Feature | CloudWatch Logs | Export to S3 | Query interface | CloudWatch dashboard | 
| --- | --- | --- | --- | --- | 
| Enabled by default | Yes | No | Yes | Yes | 
| Number of city-networks that data is collected for | Top 500 (see note below) | All | All | All | 
| Data retention | User controlled | User controlled | 30 days | 30 days | 
| Geo-granularities that data is collected for | All (city-network, metro+network, subdivision+network, country+network) | City-network | All (city-network, metro+network, subdivision+network, country+network) | All (city-network, metro+network, subdivision+network, country+network) | 
| How to query and filter data | [Use CloudWatch Logs Insights to explore Internet Monitor measurements](CloudWatch-IM-view-cw-tools-logs-insights.md) | [Use Amazon Athena to query internet measurements in Amazon S3 log files](CloudWatch-IM-view-cw-tools.S3_athena.md) | [Use the Internet Monitor query interface](CloudWatch-IM-view-cw-tools-cwim-query.md) | [Monitor and optimize with the Internet Monitor dashboard](CloudWatch-IM-monitor-and-optimize.md) | 

Note: Top 500 measurements are captured for city-networks; top 250 for metro+networks, top 100 for subdivision+networks, top 50 for country+networks.

This chapter describes how to query and explore your data by using CloudWatch tools or the Internet Monitor query interface, together with examples for each method. 

**Topics**
+ [CloudWatch Logs Insights](CloudWatch-IM-view-cw-tools-logs-insights.md)
+ [CloudWatch Contributor Insights](CloudWatch-IM-view-cw-tools-contributor-insights.md)
+ [CloudWatch Metrics](CloudWatch-IM-view-cw-tools-metrics-dashboard.md)
+ [Athena with S3 logs](CloudWatch-IM-view-cw-tools.S3_athena.md)
+ [Internet Monitor query interface](CloudWatch-IM-view-cw-tools-cwim-query.md)

# Use CloudWatch Logs Insights to explore Internet Monitor measurements
<a name="CloudWatch-IM-view-cw-tools-logs-insights"></a>

You can use CloudWatch Logs Insights queries to filter a subset of logs for a specific city or geography (client location), client ASN (ISP), and AWS source location. Internet Monitor publishes granular measurements of availability and round-trip time to CloudWatch Logs that you can explore using CloudWatch Logs Insights. 

To learn more about client location accuracy in Internet Monitor, see [Geolocation information and accuracy in Internet Monitor](CloudWatch-IM-inside-internet-monitor.md#IMGeolocationSourceAccuracy).

The examples in this section can help you create CloudWatch Logs Insights queries to learn more about your own application traffic measurements and metrics. If you use these examples in CloudWatch Logs Insights, replace *monitorName* with your own monitor name.

**View traffic optimization suggestions**

On the **Traffic insights** tab in Internet Monitor, you can view traffic optimization suggestions, filtered by a location. To see the same information that is displayed in the **Traffic optimization suggestions** section on that tab, but without the location granularity filter, you can use the following CloudWatch Logs Insights query. 

1. In the AWS Management Console, navigate to CloudWatch Logs Insights.

1. For **Log Group**, select `/aws/internet-monitor/monitorName/byCity` and `/aws/internet-monitor/monitorName/byCountry`, and then specify a time range. 

1. Add the following query, and then run the query. 

```
fields @timestamp, 
clientLocation.city as @city, clientLocation.subdivision as @subdivision, clientLocation.country as @country,
`trafficInsights.timeToFirstByte.currentExperience.serviceName` as @serviceNameField,
concat(@serviceNameField, ` (`, `serviceLocation`, `)`) as @currentExperienceField,
concat(`trafficInsights.timeToFirstByte.ec2.serviceName`, ` (`, `trafficInsights.timeToFirstByte.ec2.serviceLocation`, `)`) as @ec2Field,
`trafficInsights.timeToFirstByte.cloudfront.serviceName` as @cloudfrontField,
concat(`clientLocation.networkName`, ` (AS`, `clientLocation.asn`, `)`) as @networkName
| filter ispresent(`trafficInsights.timeToFirstByte.currentExperience.value`)
| stats avg(`trafficInsights.timeToFirstByte.currentExperience.value`) as @averageTTFB,
avg(`trafficInsights.timeToFirstByte.ec2.value`) as @ec2TTFB,
avg(`trafficInsights.timeToFirstByte.cloudfront.value`) as @cloudfrontTTFB,
sum(`bytesIn` + `bytesOut`) as @totalBytes,
latest(@ec2Field) as @ec2,
latest(@currentExperienceField) as @currentExperience,
latest(@cloudfrontField) as @cloudfront,
count(*) by @networkName, @city, @subdivision, @country
| display @city, @subdivision, @country, @networkName, @totalBytes, @currentExperience, @averageTTFB, @ec2, @ec2TTFB, @cloudfront, @cloudfrontTTFB
| sort @totalBytes desc
```

**View internet availability and RTT (p50, p90, and p95)**

To view the internet availability and round-trip time (p50, p90, and p95) for traffic, you can use the following CloudWatch Logs Insights query.

**End user geography:** Chicago, IL, United States

**End user network (ASN):** AS7018

**AWS service location:** US East (N. Virginia) Region

To view the logs, do the following:

1. In the AWS Management Console, navigate to CloudWatch Logs Insights.

1. For **Log Group**, select `/aws/internet-monitor/monitorName/byCity` and `/aws/internet-monitor/monitorName/byCountry`, and then specify a time range. 

1. Add the following query, and then run the query. 

The query returns all the performance data for users connecting from AS7018 in Chicago, IL towards US East (N. Virginia) Region over the selected time period.

```
fields @timestamp, 
internetHealth.availability.experienceScore as availabilityExperienceScore, 
internetHealth.availability.percentageOfTotalTrafficImpacted as percentageOfTotalTrafficImpacted,
internetHealth.performance.experienceScore as performanceExperienceScore,
internetHealth.performance.roundTripTime.p50 as roundTripTimep50, 
internetHealth.performance.roundTripTime.p90 as roundTripTimep90, 
internetHealth.performance.roundTripTime.p95 as roundTripTimep95
 | filter clientLocation.country == `United States` 
 and clientLocation.city == `Chicago` 
 and serviceLocation == `us-east-1` 
 and clientLocation.asn == 7018
```

For more information, see [Analyzing log data with CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html).

# Use Contributor Insights to identify top locations and ISPs
<a name="CloudWatch-IM-view-cw-tools-contributor-insights"></a>

CloudWatch Contributor Insights can help you identify top client locations and ASNs (typically, internet service providers or ISPs) for your AWS application. Use the following sample Contributor Insights rules to get started with rules that are useful with Internet Monitor. For more information, see [Create a Contributor Insights rule in CloudWatch](ContributorInsights-CreateRule.md).

To learn more about client location accuracy in Internet Monitor, see [Geolocation information and accuracy in Internet Monitor](CloudWatch-IM-inside-internet-monitor.md#IMGeolocationSourceAccuracy).

**Note**  
Internet Monitor stores internet measurements data every five minutes, so after you set up a Contributor Insights rule, you must adjust the period to five minutes to see a graph.

**View top locations and ASNs impacted by an availability impact**

To view top client locations and ASNs impacted by a drop in availability, you can use the following Contributor Insights rule in the Syntax editor. Replace *monitor-name* with your own monitor name.

```
{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "AggregateOn": "Sum",
    "Contribution": {
        "Filters": [
            {
                "Match": "$.clientLocation.city",
                "IsPresent": true
            }
        ],
        "Keys": [
            "$.clientLocation.city",
            "$.clientLocation.networkName"
        ],
        "ValueOf": "$.awsInternetHealth.availability.percentageOfTotalTrafficImpacted"
    },
    "LogFormat": "JSON",
    "LogGroupNames": [
        "/aws/internet-monitor/monitor-name/byCity"
    ]
}
```

**View top client locations and ASNs impacted by a latency impact**

To view top client locations and ASNs impacted by an increase in round-trip time (latency), you can use the following Contributor Insights rule in the Syntax editor. Replace *monitor-name* with your own monitor name.

```
{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "AggregateOn": "Sum",
    "Contribution": {
        "Filters": [
            {
                "Match": "$.clientLocation.city",
                "IsPresent": true
            }
        ],
        "Keys": [
            "$.clientLocation.city",
            "$.clientLocation.networkName"
        ],
        "ValueOf": "$.awsInternetHealth.performance.percentageOfTotalTrafficImpacted"
    },
    "LogFormat": "JSON",
    "LogGroupNames": [
        "/aws/internet-monitor/monitor-name/byCity"
    ]
}
```

**View top client locations and ASNs impacted by total percentage of traffic**

To view top client locations and ASNs impacted by total percentage of traffic, you can use the following Contributor Insights rule in the Syntax editor. Replace *monitor-name* with your own monitor name.

```
{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "AggregateOn": "Sum",
    "Contribution": {
        "Filters": [
            {
                "Match": "$.clientLocation.city",
                "IsPresent": true
            }
        ],
        "Keys": [
            "$.clientLocation.city",
            "$.clientLocation.networkName"
        ],
        "ValueOf": "$.percentageOfTotalTraffic"
    },
    "LogFormat": "JSON",
    "LogGroupNames": [
        "/aws/internet-monitor/monitor-name/byCity"
    ]
}
```

# View Internet Monitor metrics or set alarms in CloudWatch Metrics
<a name="CloudWatch-IM-view-cw-tools-metrics-dashboard"></a>

You can view or set alarms on Internet Monitor metrics by using CloudWatch alarms and CloudWatch Metrics in the CloudWatch console. Internet Monitor publishes metrics to your account, including metrics for performance, availability, round-trip time, and throughput (bytes per second). To find all metrics for your monitor, in the CloudWatch Metrics dashboard, see the custom namespace `AWS/InternetMonitor`. 

To see examples for using several of these metrics to help determine values to choose for a city-networks maximum limit for your monitor, see [Choosing a city-network maximum value](IMCityNetworksMaximum.md). To learn more about setting alarms for Internet Monitor, see [Create alarms with Internet Monitor](CloudWatch-IM-create-alarm.md).

Metrics are aggregated across all internet traffic to your VPCs, Network Load Balancers, CloudFront distributions, or WorkSpaces directories in the monitor, and to all traffic to each AWS Region and internet edge location that is monitored. Regions are defined by the service location, which can either be all locations or a specific Region, such as `us-east-1`. 

Note: *city-networks* are pairs of client locations and the ASNs the clients use (typically internet service providers or ISPs).

Internet Monitor provides the following metrics.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-view-cw-tools-metrics-dashboard.html)

For more information, see [Metrics in Amazon CloudWatch](working_with_metrics.md).

# Use Amazon Athena to query internet measurements in Amazon S3 log files
<a name="CloudWatch-IM-view-cw-tools.S3_athena"></a>

You can use Amazon Athena to query and view the internet measurements that Internet Monitor publishes to an Amazon S3 bucket. There's an option in Internet Monitor to publish internet measurements for your application to an S3 bucket for internet-facing traffic for your monitored city-networks (client locations and ASNs, typically internet service providers or ISPs). Regardless of whether you choose to publish measurements to S3, Internet Monitor automatically publishes internet measurements to CloudWatch Logs every five minutes for the top 500 (by traffic volume) city-networks for each monitor. 

This chapter includes steps for how to create a table in Athena for internet measurements located in an S3 log file, and then provides [example queries](#CloudWatch-IM-view-cw-tools.S3_athena.athena-sample-queries) to see different views of the measurements. For example, you can query for your top 10 impacted city-networks by latency impact. 

## Using Amazon Athena to create a table for internet measurements in Internet Monitor
<a name="CloudWatch-IM-view-cw-tools.S3_athena.athena-queries"></a>

To start using Athena with your Internet Monitor S3 log files, you first create a table for the internet measurements.

Follow the steps in this procedure to create a table in Athena based on the S3 log files. Then, you can run Athena queries on the table, such as [these example internet measurements queries](#CloudWatch-IM-view-cw-tools.S3_athena.athena-sample-queries), to get information about your measurements.

**To create an Athena table**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/).

1. In the Athena query editor, enter a query statement to generate a table with Internet Monitor internet measurements. Replace the value for the LOCATION parameter with the location of the S3 bucket where your Internet Monitor internet measurements are stored. 

   ```
   CREATE EXTERNAL TABLE internet_measurements (
       version INT,
       timestamp INT,
       clientlocation STRING,
       servicelocation STRING,
       percentageoftotaltraffic DOUBLE,
       bytesin INT,
       bytesout INT,
       clientconnectioncount INT,
       internethealth STRING,
       trafficinsights STRING
   )
   PARTITIONED BY (year STRING, month STRING, day STRING)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   LOCATION
   's3://amzn-s3-demo-bucket/bucket_prefix/AWSLogs/account_id/internetmonitor/AWS_Region/'
   TBLPROPERTIES ('skip.header.line.count' = '1');
   ```

1. Enter a statement to create a partition to read the data. For example, the following query creates a single partition for a specified date and location:

   ```
   ALTER TABLE internet_measurements
   ADD PARTITION (year = 'YYYY', month = 'MM', day = 'DD')
   LOCATION
   's3://amzn-s3-demo-bucket/bucket_prefix/AWSLogs/account_id/internetmonitor/AWS_Region/YYYY/MM/DD';
   ```

1. Choose **Run**.

**Example Athena statements for internet measurements**

The following is an example of a statement to generate a table:

```
CREATE EXTERNAL TABLE internet_measurements (
    version INT,
    timestamp INT,
    clientlocation STRING,
    servicelocation STRING,
    percentageoftotaltraffic DOUBLE,
    bytesin INT,
    bytesout INT,
    clientconnectioncount INT,
    internethealth STRING,
    trafficinsights STRING
)
PARTITIONED BY (year STRING, month STRING, day STRING)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
LOCATION 's3://internet-measurements/TestMonitor/AWSLogs/1111222233332/internetmonitor/us-east-2/'
TBLPROPERTIES ('skip.header.line.count' = '1');
```

The following is an example of a statement to create a partition to read the data:

```
ALTER TABLE internet_measurements
ADD PARTITION (year = '2023', month = '04', day = '07')
LOCATION 's3://internet-measurements/TestMonitor/AWSLogs/1111222233332/internetmonitor/us-east-2/2023/04/07/'
```

## Sample Amazon Athena queries to use with internet measurements in Internet Monitor
<a name="CloudWatch-IM-view-cw-tools.S3_athena.athena-sample-queries"></a>

This section includes example queries that you can use with Amazon Athena to get information about your application's internet measurements published to Amazon S3.

**Query your top 10 impacted (by total percentage of traffic) client locations and ASNs**

Run this Athena query to return your top 10 impacted (by total percentage of traffic) city-networks—that is, client locations and ASNs, typically internet service providers. 

```
SELECT json_extract_scalar(clientLocation, '$.city') as city,
    json_extract_scalar(clientLocation, '$.networkname') as networkName,
    sum(percentageoftotaltraffic) as percentageoftotaltraffic
FROM internet_measurements
GROUP BY json_extract_scalar(clientLocation, '$.city'),
    json_extract_scalar(clientLocation, '$.networkname')
ORDER BY percentageoftotaltraffic desc
limit 10
```

**Query your top 10 impacted (by availability) client locations and ASNs**

Run this Athena query to return your top 10 impacted (by availability impact) city-networks—that is, client locations and ASNs, typically internet service providers. 

```
SELECT json_extract_scalar(clientLocation, '$.city') as city,
    json_extract_scalar(clientLocation, '$.networkname') as networkName,
    sum(
        cast(
            json_extract_scalar(
                internetHealth,
                '$.availability.percentageoftotaltrafficimpacted'
            )
        as double ) 
    ) as percentageOfTotalTrafficImpacted
FROM internet_measurements
GROUP BY json_extract_scalar(clientLocation, '$.city'),
    json_extract_scalar(clientLocation, '$.networkname')
ORDER BY percentageOfTotalTrafficImpacted desc
limit 10
```

**Query your top 10 impacted (by latency) client locations and ASNs**

Run this Athena query to return your top 10 impacted (by latency impact) city-networks—that is, client locations and ASNs, typically internet service providers. 

```
SELECT json_extract_scalar(clientLocation, '$.city') as city,
    json_extract_scalar(clientLocation, '$.networkname') as networkName,
    sum(
        cast(
            json_extract_scalar(
                internetHealth,
                '$.performance.percentageoftotaltrafficimpacted'
            )
        as double ) 
    ) as percentageOfTotalTrafficImpacted
FROM internet_measurements
GROUP BY json_extract_scalar(clientLocation, '$.city'),
    json_extract_scalar(clientLocation, '$.networkname')
ORDER BY percentageOfTotalTrafficImpacted desc
limit 10
```

**Query traffic highlights for your client locations and ASNs**

Run this Athena query to return traffic highlights, including availability score, performance score, and time to first byte for your city-networks—that is, client locations and ASNs, typically internet service providers.

```
SELECT json_extract_scalar(clientLocation, '$.city') as city,
    json_extract_scalar(clientLocation, '$.subdivision') as subdivision,
    json_extract_scalar(clientLocation, '$.country') as country,
    avg(cast(json_extract_scalar(internetHealth, '$.availability.experiencescore') as double)) as availabilityScore,
    avg(cast(json_extract_scalar(internetHealth, '$.performance.experiencescore') as double)) performanceScore,
    avg(cast(json_extract_scalar(trafficinsights, '$.timetofirstbyte.currentexperience.value') as double)) as averageTTFB,
    sum(bytesIn) as bytesIn,
    sum(bytesOut) as bytesOut,
    sum(bytesIn + bytesOut) as totalBytes
FROM internet_measurements
where json_extract_scalar(clientLocation, '$.city') != 'N/A'
GROUP BY 
json_extract_scalar(clientLocation, '$.city'),
    json_extract_scalar(clientLocation, '$.subdivision'),
    json_extract_scalar(clientLocation, '$.country')
ORDER BY totalBytes desc
limit 100
```

For more information about using Athena, see the [Amazon Athena User Guide](https://docs.aws.amazon.com/athena/latest/ug/).

# Use the Internet Monitor query interface
<a name="CloudWatch-IM-view-cw-tools-cwim-query"></a>

An option for understanding more about internet traffic for your AWS application is to use the Internet Monitor *query interface*. To use the query interface, you create a query with data filters that you choose, and then run the query to return a subset of your Internet Monitor data. Exploring the data that the query returns can give you insights into how your application is performing on the internet.

You can query and explore all the metrics that Internet Monitor captures with your monitor, including availability and performance scores, bytes transferred, round-trip times, and time to first byte (TTFB). 

Internet Monitor uses the query interface to provide the data that you can explore in the Internet Monitor console dashboard. By using search options in the dashboard—on the **Analyze** page or the **Optimize** page—you can query and filter internet data for your application.

If you'd like more flexibility to explore and filter your data than the dashboard provides, you can use the query interface yourself, by using Internet Monitor API operations with the AWS Command Line Interface or with an AWS SDK. This section introduces the types of queries that you can use with the query interface, and the filters that you can specify to create a subset of data, to get insights about internet traffic for your application.

**Topics**
+ [How to use the query interface](#CloudWatch-IM-view-cw-tools-cwim-query-use-query)
+ [Query examples](#CloudWatch-IM-view-cw-tools-cwim-query-example-queries)
+ [Get query results](#CloudWatch-IM-view-cw-tools-cwim-query-get-data)
+ [Troubleshooting](#CloudWatch-IM-view-cw-tools-cwim-query-troubleshooting)

## How to use the query interface
<a name="CloudWatch-IM-view-cw-tools-cwim-query-use-query"></a>

You create a query with the query interface by choosing a *query type*, and then specifying filter values, to return a specific desired subset of your log file data. Then, you can work with the data subset, to further filter and sort, create reports, and so on.

The query process works like this:

1. When you run a query, Internet Monitor returns a `query ID` that is unique to the query. This section describes the query types that are available, and options for filtering data in queries. To understand how this works, you can also review the section on [query examples](#CloudWatch-IM-view-cw-tools-cwim-query-example-queries). 

1. You specify the query ID with your monitor name with the [GetQueryResults](https://docs.aws.amazon.com/internet-monitor/latest/api/API_GetQueryResults.html) API operation to return data results for the query. Each query type returns a different set of data fields. To learn more, see [Get query results](#CloudWatch-IM-view-cw-tools-cwim-query-get-data).

The query interface provides the following query types. Each query type returns a different set of information about your traffic from the log files, as shown.
+ **Measurements:** Provides availability score, performance score, total traffic, and round-trip times, at 5 minute intervals.
+ **Top locations:** Provides availability score, performance score, total traffic, and time to first byte (TTFB) information, for the top location and ASN combinations that you're monitoring, by traffic volume.
+ **Top locations details:** Provides TTFB for Amazon CloudFront, your current configuration, and the best performing Amazon EC2 configuration, at 1 hour intervals.
+ **Overall traffic suggestions:** Provides TTFB, using a 30-day weighted average, for all traffic in each AWS location that is monitored.
+ **Overall traffic suggestions details:** Provides TTFB, using a 30-day weighted average, for each top location, for a proposed AWS location.
+ **Routing suggestions:** Provides the predicted average round-trip time (RTT) from an IP prefix toward an AWS location for a DNS resolver. The RTT is calculated at one hour intervals, over a one hour period.

You can filter the data more by using specific criteria. With most query types, except routing suggestions, you can filter by specifying one or more of the following criteria:
+ **AWS location:** For AWS location, you can specify CloudFront or an AWS Region, such as `us-east-2`.
+ **ASN:** Specify the autonomous system number (ASN) of a DNS resolver (typically, an ISP), for example, 4225.
+ **Client location:** For location, specify a city, metro, subdivision, or country.
+ **Proposed AWS location:** Specify an AWS Region, such as `us-east-2`, or an AWS Local Zone. You can use this filter with the overall traffic suggestions details query type.
+ **Geo:** Specify `geo` for some queries. This is required for queries that use the `Top locations` query type, but not allowed for other query types. To understand when to specify `geo` for filter parameters, see the [query examples](#CloudWatch-IM-view-cw-tools-cwim-query-example-queries) section.

For the routing suggestions query type, you can filter the data more by specifying one or more of the following criteria:
+ **Current AWS location:** Specify an AWS Region, such as `us-east-2`.
+ **Proposed AWS location:** Specify an AWS Region, such as `us-east-2`, or an AWS Local Zone.
+ **IPv4 prefix:** Specify an IPv4 prefix in the standard format, similar to `192.0.2.0/24`.
+ **Monitor ARN:** Specify the ARN for a specific monitor.
+ **DNS resolver IP:** Specify the IP address of a DNS resolver.
+ **DNS resolver ISP:** Specify the name of a DNS resolver (typically an ISP), for example, `Cloudflare`.
+ **DNS resolver ASN:** Specify the autonomous system number (ASN) of a DNS resolver, for example, 4225.

The operators that you can use for filtering your data are `EQUALS` and `NOT_EQUALS`. For details about filtering parameters, see the [FilterParameter](https://docs.aws.amazon.com/internet-monitor/latest/api/API_FilterParameter.html) API operation.

To see details about the query interface operations, see the following API operations in the Internet Monitor API Reference Guide:
+ To create and run a query, see the [StartQuery](https://docs.aws.amazon.com/internet-monitor/latest/api/API_StartQuery.html) API operation. 
+ To stop a query, see the [StopQuery](https://docs.aws.amazon.com/internet-monitor/latest/api/API_StopQuery.html) API operation. 
+ To return data for a query that you've created, see the [GetQueryResults](https://docs.aws.amazon.com/internet-monitor/latest/api/API_GetQueryResults.html) API operation. 
+ To retrieve the status of a query, see the [GetQueryStatus](https://docs.aws.amazon.com/internet-monitor/latest/api/API_GetQueryStatus.html) API operation. 

## Query examples
<a name="CloudWatch-IM-view-cw-tools-cwim-query-example-queries"></a>

To create a query that you can use to retrieve a filtered set of data from your monitor's log file, you use the [StartQuery](https://docs.aws.amazon.com/internet-monitor/latest/api/API_StartQuery.html) API operation. You specify a query type and filter parameters for the query. Then, when you use the `GetQueryResults` API operation with the query ID, Internet Monitor retrieves the subset of your data that you want to work with. 

To illustrate how query types and filter parameters work, let's look at some examples.

**Example 1**

Let's say that you want to retrieve all of your monitor's log file data for a specific country, except for one city. The following example shows filter parameters for a query that you could create with the `StartQuery` operation for this scenario.

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "MEASUREMENTS",
   "FilterParameters": [
      {
       "Field": "country",
       "Operator": "EQUALS",
       "Values": ["Germany"]
      },
      {
       "Field": "city",
       "Operator": "NOT_EQUALS",
       "Values": ["Berlin"]
      }
    ]
}
```

**Example 2**

As another example, let's say that you want to see your top locations by metropolitan area. You could use the following example query for this scenario.

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "TOP_LOCATIONS",
   "FilterParameters": [
      {
       "Field": "geo",
       "Operator": "EQUALS",
       "Values": ["metro"]
      }
    ]
}
```

**Example 3**

Now, let's say that you want to see the top city-network combinations in the Los Angeles metro area. To do this, specify `geo=city`, and then set `metro` to Los Angeles. Now, the query returns the top city-networks in the Los Angeles metro area instead of the top metro+networks overall.

Here's the example query that you could use:

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "TOP_LOCATIONS",
   "FilterParameters": [
      {
       "Field": "geo",
       "Operator": "EQUALS",
       "Values": ["city"]
      },
      {
       "Field": "metro",
       "Operator": "EQUALS",
       "Values": ["Los Angeles"]
      }
    ]
}
```

**Example 4**

Next, let's say that you want to retrieve TTFB data for a specific subdivision (for example, a U.S. state).

The following is an example query for this scenario:

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "TOP_LOCATION_DETAILS",
   "FilterParameters": [
      {
       "Field": "subdivision",
       "Operator": "EQUALS",
       "Values": ["California"]
      }
    ]
}
```

**Example 5**

Now, let's say that you want to retrieve TTFB data for every location where your application has client traffic.

The following is an example query for this scenario:

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "OVERALL_TRAFFIC_SUGGESTIONS",
   "FilterParameters": []
}

Results:
[us-east-1, 40, us-west-2, 30],
[us-east-1, 40, us-west-1, 35],
[us-east-1, 40, us-east-1, 44],
[us-east-1, 40, CloudFront, 22],
...
[us-east-2, 44, us-west-2, 30],
[us-east-2, 44, us-west-1, 35],
...
```

**Example 6**

Let's say that you want to retrieve TTFB data for a specific new AWS Region.

The following is an example query for this scenario:

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "OVERALL_TRAFFIC_SUGGESTIONS_DETAILS",
   "FilterParameters": [
      {
       "Field": "proposed_aws_location",
       "Operator": "EQUALS",
       "Values": ["us-west-2"]
      }
   ]
}

Results:
[San Jose, San Jose-Santa Clara, California, United States, 7922, us-east-1, 40, 350, 350, us-west-2, 45]
[San Jose, San Jose-Santa Clara, California, United States, 7922, us-west-1, 35, 450, 450, us-west-2, 45]
```

**Example 7**

A final example is to retrieve data for specific DNS resolvers.

The following is an example query for this scenario:

```
{
   "MonitorName": "TestMonitor",
   "StartTime": "2023-07-12T20:00:00Z",
   "EndTime": "2023-07-12T21:00:00Z",
   "QueryType": "ROUTING_SUGGESTIONS",
   "FilterParameters": [
      {
       "Field": "proposed_aws_location",
       "Operator": "EQUALS",
       "Values": ["us-east-1"]
      }
   ]
}

Results:
[162.158.180.245, 13335, Cloudflare, [5.4.0.0/14], us-east-2, 200.0, us-east-1, 160.0]
[162.158.180.243, 13313, Cloudflare, [5.4.0.0/10], us-east-2, 150.0, us-east-1, 125.0]
```

## Get query results
<a name="CloudWatch-IM-view-cw-tools-cwim-query-get-data"></a>

After you define a query, you can return a set of results with the query by running another Internet Monitor API operation, [GetQueryResults](https://docs.aws.amazon.com/internet-monitor/latest/api/API_GetQueryResults.html). When you run `GetQueryResults`, you specify the query ID for the query that you've defined, along with the name of your monitor. `GetQueryResults` retrieves data for the specified query into a result set.

When you run a query, make sure that the query has finished running before you use `GetQueryResults` to look at the results. You can determine if the query has completed by using the [GetQueryStatus](https://docs.aws.amazon.com/internet-monitor/latest/api/API_GetQueryStatus.html) API operation. When the `Status` for the query is `SUCCEEDED`, you can go ahead with reviewing the results.
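The start, poll, and fetch sequence described above, combined with the filter rules from "How to use the query interface", as an added Python example (not AWS sample code). It accepts any client that exposes the boto3 `internetmonitor` methods `start_query`, `get_query_status`, `get_query_results` and `stop_query`; `validate_query`, `run_query` and `FakeInternetMonitor` are hypothetical names, the fake client's query ID and rows are constructed so the flow runs offline, and the `FAILED`/`CANCELED` states and the `Fields`/`Data`/`NextToken` response shape are taken from the API reference rather than this page.

```python
import time

# Query types used in this page's examples; `geo` is required for
# TOP_LOCATIONS and not allowed for any other type (rule from this page).
QUERY_TYPES = {"MEASUREMENTS", "TOP_LOCATIONS", "TOP_LOCATION_DETAILS",
               "OVERALL_TRAFFIC_SUGGESTIONS",
               "OVERALL_TRAFFIC_SUGGESTIONS_DETAILS", "ROUTING_SUGGESTIONS"}
OPERATORS = {"EQUALS", "NOT_EQUALS"}
FAILED_STATES = {"FAILED", "CANCELED"}  # terminal states per the API reference


def validate_query(query_type, filters):
    """Reject a request locally if it breaks the filter rules on this page."""
    if query_type not in QUERY_TYPES:
        raise ValueError(f"unknown query type: {query_type}")
    for flt in filters:
        if flt["Operator"] not in OPERATORS:
            raise ValueError(f"unsupported operator: {flt['Operator']}")
        if not flt.get("Values"):
            raise ValueError(f"filter on {flt['Field']} has no values")
    has_geo = any(flt["Field"] == "geo" for flt in filters)
    if query_type == "TOP_LOCATIONS" and not has_geo:
        raise ValueError("TOP_LOCATIONS requires a geo filter")
    if query_type != "TOP_LOCATIONS" and has_geo:
        raise ValueError(f"geo is not allowed with {query_type}")


def run_query(client, monitor, start, end, query_type, filters,
              poll_seconds=2.0, timeout_seconds=300.0, sleep=time.sleep):
    """StartQuery, poll GetQueryStatus, then page through GetQueryResults."""
    validate_query(query_type, filters)
    query_id = client.start_query(
        MonitorName=monitor, StartTime=start, EndTime=end,
        QueryType=query_type, FilterParameters=filters)["QueryId"]

    waited = 0.0
    while True:
        status = client.get_query_status(
            MonitorName=monitor, QueryId=query_id)["Status"]
        if status == "SUCCEEDED":
            break
        if status in FAILED_STATES:
            raise RuntimeError(f"query {query_id} ended as {status}")
        if waited >= timeout_seconds:
            client.stop_query(MonitorName=monitor, QueryId=query_id)
            raise TimeoutError(f"query {query_id} still {status}; stopped")
        sleep(poll_seconds)
        waited += poll_seconds

    rows, token = [], None
    while True:
        kwargs = {"MonitorName": monitor, "QueryId": query_id}
        if token:
            kwargs["NextToken"] = token
        page = client.get_query_results(**kwargs)
        # Data rows are positional; pair each with the Fields header.
        names = [field["Name"] for field in page["Fields"]]
        rows.extend(dict(zip(names, row)) for row in page["Data"])
        token = page.get("NextToken")
        if not token:
            return rows


class FakeInternetMonitor:
    """Constructed stand-in for boto3.client("internetmonitor"): reports
    RUNNING twice, then SUCCEEDED, and serves two pages of sample rows."""

    def __init__(self):
        self.status_calls = 0
        self.stopped = False

    def start_query(self, **request):
        return {"QueryId": "constructed-query-id"}

    def get_query_status(self, MonitorName, QueryId):
        self.status_calls += 1
        return {"Status": "SUCCEEDED" if self.status_calls > 2 else "RUNNING"}

    def stop_query(self, MonitorName, QueryId):
        self.stopped = True

    def get_query_results(self, MonitorName, QueryId, NextToken=None):
        fields = [{"Name": name, "Type": "string"} for name in (
            "dns_resolver_ip", "current_aws_location", "current_latency",
            "proposed_aws_location", "proposed_latency")]
        if NextToken is None:
            return {"Fields": fields, "NextToken": "page-2", "Data": [
                ["162.158.180.245", "us-east-2", "200.0", "us-east-1", "160.0"]]}
        return {"Fields": fields, "Data": [
            ["162.158.180.243", "us-east-2", "150.0", "us-east-1", "125.0"]]}


def demo():
    """Run the page's Example 7 request against the constructed client."""
    filters = [{"Field": "proposed_aws_location", "Operator": "EQUALS",
                "Values": ["us-east-1"]}]
    return run_query(FakeInternetMonitor(), "TestMonitor",
                     "2023-07-12T20:00:00Z", "2023-07-12T21:00:00Z",
                     "ROUTING_SUGGESTIONS", filters, sleep=lambda _: None)
```

With AWS credentials configured, pass `boto3.client("internetmonitor")` to `run_query` in place of the constructed client.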

When your query completes, you can use the following information to help you review the results. Each query type that you use to create a query includes a unique set of data fields from the log files, as described in the following list: 

**Measurements**  
The `measurements` query type returns the following data:  
`timestamp, availability, performance, bytes_in, bytes_out, rtt_p50, rtt_p90, rtt_p95`

**Top locations**  
The `top locations` query type groups data by location, and provides the data averaged over the time period. The data that it returns includes the following:  
`aws_location, city, metro, subdivision, country, asn, availability, performance, bytes_in, bytes_out, current_fbl, best_ec2, best_ec2_region, best_cf_fbl`  
Note that `city`, `metro`, and `subdivision` are only returned if you choose that location type for the `geo` field. The following location fields are returned, depending on the location type that you specify for `geo`:  

```
city = city, metro, subdivision, country
metro = metro, subdivision, country
subdivision = subdivision, country
country = country
```

**Top locations details**  
The `top locations details` query type returns data grouped hour by hour. The query returns the following data:  
`timestamp, current_service, current_fbl, best_ec2_fbl, best_ec2_region, best_cf_fbl`

**Overall traffic suggestions**  
The `overall traffic suggestions` query type returns data grouped hour by hour. The query returns the following data:  
`current_aws_location, proposed_aws_location, average_fbl, traffic, optimized_traffic_excluding_cf, optimized_traffic_including_cf`

**Overall traffic suggestions details**  
The `overall traffic suggestions details` query type returns data grouped hour by hour. The query returns the following data:  
`aws_location, city, metro, subdivision, country, asn, traffic, current_aws_location, fbl_data`

**Routing suggestions**  
The `routing suggestions` query type returns data grouped hour by hour. The query returns the following data:  
`dns_resolver_ip, dns_resolver_asn, dns_resolver_isp, ipv4_prefixes, current_aws_location, current_latency, proposed_aws_location, proposed_latency`

When you run the `GetQueryResults` API operation, Internet Monitor returns the following in the response:
+ A *data string array* that contains the results that the query returns. The information is returned in arrays that are aligned with the `Fields` field, also returned by the API call. Using the `Fields` field, you can parse the information from the `Data` repository and then further filter or sort it for your purposes.
+ An *array of fields* that lists the fields that the query returned data for (in the `Data` field response). Each item in the array is a name-datatype pair, such as `availability_score`-`float`. 
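The status check and the `Fields`/`Data` alignment described in this section, as an added example that is not part of the AWS documentation. It assumes a boto3-style `internetmonitor` client (`get_query_status`, `get_query_results`); the stub client, the helper names, and the `string` type label are constructed so that the code runs offline.

```python
import time


def rows_to_records(fields, data):
    """Pair every Data row with the column names listed in Fields."""
    names = [f["Name"] for f in fields]
    types = [f["Type"] for f in fields]
    records = []
    for row in data:
        if len(row) != len(names):
            raise ValueError(f"row has {len(row)} values, expected {len(names)}")
        record = {}
        for name, typ, value in zip(names, types, row):
            # Data values arrive as strings; convert only the type the page names.
            record[name] = float(value) if typ == "float" and value else value
        records.append(record)
    return records


def fetch_query_results(client, monitor_name, query_id,
                        poll_seconds=2.0, timeout_seconds=300.0, sleep=time.sleep):
    """Wait for the query to reach SUCCEEDED, then read every result page."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = client.get_query_status(
            MonitorName=monitor_name, QueryId=query_id)["Status"]
        if status == "SUCCEEDED":
            break
        if status not in ("QUEUED", "RUNNING"):
            # Any other state means the query will never produce results.
            raise RuntimeError(f"query {query_id} ended with status {status}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"query {query_id} still {status} after timeout")
        sleep(poll_seconds)

    records, token = [], None
    while True:
        kwargs = {"MonitorName": monitor_name, "QueryId": query_id}
        if token:
            kwargs["NextToken"] = token
        page = client.get_query_results(**kwargs)
        records.extend(rows_to_records(page["Fields"], page["Data"]))
        token = page.get("NextToken")
        if not token:
            return records


class StubClient:
    """Constructed stand-in for the SDK client; rows are taken from Example 7."""

    FIELDS = [
        {"Name": "dns_resolver_ip", "Type": "string"},   # "string" is a constructed label
        {"Name": "dns_resolver_asn", "Type": "string"},
        {"Name": "dns_resolver_isp", "Type": "string"},
        {"Name": "ipv4_prefixes", "Type": "string"},
        {"Name": "current_aws_location", "Type": "string"},
        {"Name": "current_latency", "Type": "float"},
        {"Name": "proposed_aws_location", "Type": "string"},
        {"Name": "proposed_latency", "Type": "float"},
    ]
    ROWS = [
        ["162.158.180.245", "13335", "Cloudflare", "[5.4.0.0/14]",
         "us-east-2", "200.0", "us-east-1", "160.0"],
        ["162.158.180.243", "13313", "Cloudflare", "[5.4.0.0/10]",
         "us-east-2", "150.0", "us-east-1", "125.0"],
    ]

    def __init__(self):
        self.statuses = ["RUNNING", "SUCCEEDED"]
        self.status_calls = 0

    def get_query_status(self, MonitorName, QueryId):
        self.status_calls += 1
        return {"Status": self.statuses.pop(0)}

    def get_query_results(self, MonitorName, QueryId, NextToken=None):
        # Serve one row per page to exercise NextToken handling.
        if NextToken is None:
            return {"Fields": self.FIELDS, "Data": self.ROWS[:1], "NextToken": "page-2"}
        return {"Fields": self.FIELDS, "Data": self.ROWS[1:]}


def demo():
    """Run the flow against the stub without sleeping between polls."""
    return fetch_query_results(StubClient(), "TestMonitor", "constructed-query-id",
                               sleep=lambda seconds: None)


if __name__ == "__main__":
    for record in demo():
        saved = record["current_latency"] - record["proposed_latency"]
        print(record["dns_resolver_ip"], record["proposed_aws_location"], saved)
```
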

## Troubleshooting
<a name="CloudWatch-IM-view-cw-tools-cwim-query-troubleshooting"></a>

If errors are returned when you use query interface API operations, verify that you have the required permissions to use Internet Monitor. Specifically, make sure that you have the following permissions:

```
internetmonitor:StartQuery
internetmonitor:GetQueryStatus
internetmonitor:GetQueryResults
internetmonitor:StopQuery
```

These permissions are included in the recommended AWS Identity and Access Management policy to use the Internet Monitor dashboard in the console. For more information, see [AWS managed policies for Internet Monitor](CloudWatch-IM-permissions.md).

# Add a monitor using other AWS services
<a name="CloudWatch-IM-integrations"></a>

A simple way to add monitoring with Internet Monitor is to create a monitor when you create a supported resource, or when you use monitoring for the resource, in the console.

Resources with an integrated option for adding Internet Monitor include the following:
+ VPCs
+ Network Load Balancers
+ Amazon CloudFront distributions

The following sections provide more information about Internet Monitor integrations in the service consoles for supported resources.

**Topics**
+ [Add monitor when you create an NLB](CloudWatch-IM-get-started.nlb-monitor.md)
+ [Add monitor when you create a VPC](CloudWatch-IM-get-started.vpc-monitor.md)
+ [Add monitor from the CloudFront console](CloudWatch-IM-get-started.cf-monitor.md)

# Add a monitor with a Network Load Balancer
<a name="CloudWatch-IM-get-started.nlb-monitor"></a>

When you create a Network Load Balancer in the AWS Management Console, you can optionally choose to also set up monitoring for traffic to and from the Network Load Balancer using a monitor in Internet Monitor. You can add the Network Load Balancer to an existing monitor, or you can opt to create a new monitor for your Network Load Balancer traffic.

By using Internet Monitor with your Network Load Balancer, you can view and evaluate measurements and metrics about availability, performance, monitored bytes transferred, and round-trip times that are specific to your application's client locations and ASNs (typically, internet service providers). Internet Monitor also determines when there are anomalies in performance and availability, and then creates health events in your monitor, which you can choose to be notified about. To learn more about how you can use a monitor to manage and improve your clients' experience with your application, see [Use a monitor in Internet Monitor](IMWhyCreateMonitor.md).

**Important**  
To create a monitor, or add a Network Load Balancer to an existing monitor, you must have the correct permissions in place. For more information, see [Identity and Access Management for Internet Monitor](security-iam.md).

## Add a Network Load Balancer to an existing monitor
<a name="CloudWatch-IM-get-started.nlb-monitor.add"></a>

When you create the Network Load Balancer in the AWS Management Console, you can choose to have Internet Monitor add the new Network Load Balancer to an existing monitor. Under **Integrations**, choose Internet Monitor, and then choose **Add monitor**. Choose **Select an existing monitor**, and then enter a monitor name. Or choose **View monitors** to go to the Internet Monitor console, and then scroll down to see a list of available monitors.

After you add the Network Load Balancer to a monitor, wait a few minutes, and then metrics for traffic to and from the load balancer will start being shown on the Internet Monitor console. To learn more about the **Status** and **Data processing status** values, see [Monitoring details in Internet Monitor (Configure page)](CloudWatch-IM-configure.md).

You can edit the monitor at any time, to remove the load balancer or add another Network Load Balancer, or other resources. You can also change the percentage of traffic that you're monitoring, or make other changes. If you choose to remove the Network Load Balancer from the monitor, traffic from clients to that load balancer is no longer monitored by Internet Monitor.

To learn more about updating a monitor, see [Edit a monitor in Internet Monitor](CloudWatch-IM-get-started.edit-monitor.md). 

## Create a monitor for a Network Load Balancer
<a name="CloudWatch-IM-get-started.nlb-monitor.create"></a>

Under **Integrations**, choose Internet Monitor, and then choose **Monitor resource traffic**. Choose **Create a new monitor**, and then enter a monitor name. Leave the default traffic percentage to monitor, 100%, or specify a custom percentage, and then choose **Create monitor**.

After you create the monitor, wait a few minutes, and then metrics for traffic to and from the Network Load Balancer will start being shown on the Internet Monitor console. If you like, you can also choose a percentage of client traffic that you want to monitor for your application (the default is 100%).

You can learn more by reviewing the information in [Step 1: Create a monitor](CloudWatch-IM-get-started.md#CloudWatch-IM-get-started.create). 

## Pricing
<a name="CloudWatch-IM-get-started.nlb-monitor.pricing"></a>

With Internet Monitor, you pay only for what you use. Pricing for Internet Monitor has two components: a per monitored resource fee and a per city-network fee. A city-network is the location that clients access your application resources from and the network (an ASN, such as an internet service provider or ISP) that clients access the resources through.

For more information, including pricing examples, see [Pricing for Internet Monitor](CloudWatch-InternetMonitor.pricing.md).

## Stop monitoring a Network Load Balancer
<a name="CloudWatch-IM-get-started.nlb-monitor.removing"></a>

If you'd like to stop monitoring your Network Load Balancer resource with Internet Monitor, do the following in the Internet Monitor console:

**To remove a resource from a monitor**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Update monitor**.

1. Under **Added resources**, choose **Remove resources**.

1. Choose the Network Load Balancer to remove, and then choose **Remove**.

1. Choose **Update**.

# Add an Internet Monitor monitor with Amazon VPC
<a name="CloudWatch-IM-get-started.vpc-monitor"></a>

When you create an Amazon Virtual Private Cloud (VPC) in the AWS Management Console, you can optionally choose to also set up monitoring for it in Internet Monitor. You can add the VPC to an existing monitor, or you can opt to create a new monitor for the VPC in the Amazon VPC console.

By using Internet Monitor with your VPC, you can view and evaluate measurements and metrics about availability, performance, monitored bytes transferred, and round-trip times that are specific to your application's client locations and ASNs (typically internet service providers). Internet Monitor also determines when there are anomalies in performance and availability and creates health events in your monitor, which you can choose to be notified about. To learn more about how you can use a monitor to manage and improve your clients' experience with your application, see [Use a monitor in Internet Monitor](IMWhyCreateMonitor.md).

**Important**  
To create a monitor, or add a VPC to an existing monitor, you must have the correct permissions in place. For more information, see [Identity and Access Management for Internet Monitor](security-iam.md).

## Add a VPC to an existing monitor
<a name="CloudWatch-IM-get-started.vpc-monitor.add"></a>

You can choose to have Internet Monitor add a new VPC to an existing monitor for you when you create the VPC in the AWS Management Console. After you add the VPC, wait a few minutes, and then metrics for the VPC will start being shown on the Internet Monitor console.

You can edit the monitor at any time, to remove the VPC or add another VPC or other resources. You can also change the percentage of traffic that you're monitoring, or make other changes. If you choose to remove the VPC from the monitor, traffic from clients to that VPC is no longer monitored by Internet Monitor.

To learn more about updating a monitor, see [Edit a monitor in Internet Monitor](CloudWatch-IM-get-started.edit-monitor.md). 

## Create a monitor for a VPC
<a name="CloudWatch-IM-get-started.vpc-monitor.create"></a>

If you opt to create a monitor for a VPC, the **Create monitor** wizard walks you through the steps. You add the VPC as a monitored resource when you create the monitor. If you like, you can also choose a percentage of client traffic that you want to monitor for your application (the default is 100%).

You can learn more by reviewing the information in [Step 1: Create a monitor](CloudWatch-IM-get-started.md#CloudWatch-IM-get-started.create). 

## Pricing
<a name="CloudWatch-IM-get-started.vpc-monitor.pricing"></a>

With Internet Monitor, you pay only for what you use. Pricing for Internet Monitor has two components: a per monitored resource fee and a per city-network fee. A city-network is the location that clients access your application resources from and the network (an ASN, such as an internet service provider or ISP) that clients access the resources through.

For more information, including pricing examples, see [Pricing for Internet Monitor](CloudWatch-InternetMonitor.pricing.md).

## Stop monitoring a VPC
<a name="CloudWatch-IM-get-started.vpc-monitor.removing"></a>

If you'd like to stop monitoring your VPC resource with Internet Monitor, do the following in the Internet Monitor console:

**To remove a resource from a monitor**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Update monitor**.

1. Under **Added resources**, choose **Remove resources**.

1. Choose the VPC to remove, and then choose **Remove**.

1. Choose **Update**.

# Add an Internet Monitor monitor with CloudFront
<a name="CloudWatch-IM-get-started.cf-monitor"></a>

On the metrics dashboard for a distribution in the Amazon CloudFront console, you can set up additional monitoring for a distribution in Internet Monitor. You can add the distribution to an existing monitor, or you can create a new monitor for the distribution.

By using Internet Monitor with your CloudFront distribution, you can view and evaluate measurements and metrics about availability, performance, monitored bytes transferred, and round-trip times that are specific to your application's client locations and ASNs (typically internet service providers). Internet Monitor also determines when there are anomalies in performance and availability and creates health events in your monitor, which you can choose to be notified about. To learn more about how you can use a monitor to manage and improve your clients' experience with your application, see [Use a monitor in Internet Monitor](IMWhyCreateMonitor.md).

**Important**  
To create a monitor, or add a distribution to an existing monitor, you must have the correct permissions in place. For more information, see [Identity and Access Management for Internet Monitor](security-iam.md).

## Add a distribution to an existing monitor
<a name="CloudWatch-IM-get-started.cf-monitor.add"></a>

You can choose to have Internet Monitor add a distribution to an existing monitor directly from the CloudFront metrics dashboard in the AWS Management Console. After you add the distribution, wait a few minutes, and then metrics for the distribution will start being shown on the Internet Monitor console.

You can edit the monitor at any time, to remove the distribution or add another distribution or other resources. You can also change the percentage of traffic that you're monitoring, or make other changes. If you choose to remove the distribution from the monitor, traffic from clients to that distribution is no longer monitored by Internet Monitor.

To learn more about updating a monitor, see [Edit a monitor in Internet Monitor](CloudWatch-IM-get-started.edit-monitor.md). 

## Create a monitor for a distribution
<a name="CloudWatch-IM-get-started.cf-monitor.create"></a>

If you opt to create a monitor for a distribution, the **Create monitor** wizard walks you through the steps. You add the distribution as a monitored resource when you create the monitor. If you like, you can also choose a percentage of client traffic that you want to monitor for your application (the default is 100%).

You can learn more by reviewing the information in [Step 1: Create a monitor](CloudWatch-IM-get-started.md#CloudWatch-IM-get-started.create). 

## Pricing
<a name="CloudWatch-IM-get-started.cf-monitor.pricing"></a>

With Internet Monitor, you pay only for what you use. Pricing for Internet Monitor has two components: a per monitored resource fee and a per city-network fee. A city-network is the location that clients access your application resources from and the network (an ASN, such as an internet service provider or ISP) that clients access the resources through.

For more information, including pricing examples, see [Pricing for Internet Monitor](CloudWatch-InternetMonitor.pricing.md).

## Stop monitoring a distribution
<a name="CloudWatch-IM-get-started.cf-monitor.removing"></a>

If you'd like to stop monitoring your distribution resource with Internet Monitor, do the following in the Internet Monitor console:

**To remove a resource from a monitor**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, under **Network Monitoring**, choose **Internet monitors**.

1. Choose your monitor, and then choose the **Action** menu.

1. Choose **Update monitor**.

1. Under **Added resources**, choose **Remove resources**.

1. Choose the distribution to remove, and then choose **Remove**.

1. Choose **Update**.

# Create alarms with Internet Monitor
<a name="CloudWatch-IM-create-alarm"></a>

You can create Amazon CloudWatch alarms based on Internet Monitor metrics, just as you can for other Amazon CloudWatch metrics.

For example, you can create an alarm based on the Internet Monitor metric `PerformanceScore`, and configure it to send a notification when the metric is lower than a value that you choose. You configure alarms for Internet Monitor metrics following the same guidelines as for other CloudWatch metrics. 

The following are example Internet Monitor metrics that you might choose to create an alarm for:
+ **PerformanceScore**
+ **AvailabilityScore**
+ **RoundtripTime**

To see all the metrics available for Internet Monitor, see [View Internet Monitor metrics or set alarms in CloudWatch Metrics](CloudWatch-IM-view-cw-tools-metrics-dashboard.md).

The following procedure provides an example of setting an alarm on **PerformanceScore** by navigating to the metric in the CloudWatch dashboard. Then, you follow the standard CloudWatch steps to create an alarm based on a threshold that you choose, and set up a notification or choose other options.

**To create an alarm for PerformanceScore in CloudWatch Metrics**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. Choose **Metrics**, and then choose **All metrics**.

1. Filter for Internet Monitor by choosing `AWS/InternetMonitor`.

1. Choose **MeasurementSource, MonitorName**.

1. In the list, select **PerformanceScore**.

1. On the **GraphedMetrics** tab, under **Actions**, choose the bell icon to create an alarm based on a static threshold.

Now, follow the standard CloudWatch steps to choose options for the alarm. For example, you can choose to be notified by an Amazon SNS message if **PerformanceScore** is below a specific threshold number. Alternatively, or in addition, you can add the alarm to a dashboard.

Keep in mind the following:
+ Internet Monitor metrics are typically calculated and published within 20 minutes.
+ When you create an alarm based on Internet Monitor metrics, make sure that you take into account the short delay before publication when you set an alarm’s lookback period. We recommend that you configure **Evaluation Periods** with a lookback period that is a minimum of 25 minutes.

To learn more about using CloudWatch alarms with Internet Monitor, see the following blog post: [Using Internet Monitor for enhanced internet observability](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudwatch-internet-monitor-for-enhanced-internet-observability).

For more information about options when you create a CloudWatch alarm, see [Create a CloudWatch alarm based on a static threshold](ConsoleAlarms.md).

# Using Internet Monitor with Amazon EventBridge
<a name="CloudWatch-IM-EventBridge-integration"></a>

Overall (global) health events that Internet Monitor creates for networking issues are published with Amazon EventBridge, so that you can send notifications about a degradation in end users' experience for your application due to a global health event.

**Note**  
Local health events are not published with EventBridge.

To use EventBridge to work with Internet Monitor health events, follow the guidance here.

**To set up a rule for Internet Monitor in EventBridge**

1. In the AWS Management Console, in EventBridge, choose **Rules**, then enter a name and a description. Create the rule on the **Default** event bus.

1. In Step 2, select **Other** for the event source, and then, under **Event pattern**, match the following source.

   ```
   {
     "source": ["aws.internetmonitor"]
   }
   ```

1. In Step 3, for the target, select **AWS Service** and **CloudWatch Logs Group**, then select an existing log group or create a new one. 

1. Add any desired tags, and then create the rule. This should populate your selected CloudWatch Logs Group with events from EventBridge.

For more information about how EventBridge rules work with event patterns, see [Amazon EventBridge event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the Amazon EventBridge User Guide.

# Troubleshoot CloudWatch logs and metrics access errors
<a name="CloudWatch-IM-troubleshooting"></a>

To support some features, Internet Monitor must interact with certain Amazon CloudWatch resources, including logs and metrics. If Internet Monitor can't access the CloudWatch resources that it requires access to, Internet Monitor sets a status code of `FAULT_ACCESS_CLOUDWATCH` for the monitor.

There are several reasons that your monitor might have the state `FAULT_ACCESS_CLOUDWATCH`. The following sections list possible causes for these errors, and suggested troubleshooting steps. 

## Internet Monitor couldn't access CloudWatch logs in your account
<a name="CloudWatch-IM-troubleshooting_CWlogs"></a>

Internet Monitor publishes diagnostic logs about your monitored application traffic. It publishes these logs to log groups in CloudWatch Logs in the following location: `/aws/internet-monitor/monitor_name/[byCity|byMetro|bySubdivision|byCountry]`. Internet Monitor was unable to access these log groups.

**Error states and potential solutions:**
+ **PutLogEvents throttling error:** The Internet Monitor service might have been throttled when it tried to publish your monitor's logs to CloudWatch. Review the throttling limits for your account, and, if necessary, request an increase in the limit.
+ **Log group not found:** Disable, and then re-enable your monitor. Enabling a monitor restarts log group creation, which might correct the problem.
+ **PutLogEvents access denied error:** Contact AWS support for assistance.
+ **PutLogEvents unknown or general error:** Contact AWS support for assistance.

## Internet Monitor couldn't access CloudWatch metrics in your account
<a name="CloudWatch-IM-troubleshooting_CWmetrics"></a>

Internet Monitor delivers specific CloudWatch metrics about the application traffic that is tracked by a monitor. An error occurred when Internet Monitor tried to deliver these metrics to CloudWatch.

**Error states and potential solutions:**
+ **PutMetricData throttling error:** The Internet Monitor service might have been throttled when it tried to publish your monitor's metrics to CloudWatch. Review the throttling limits for your account, and, if necessary, request an increase in the limit.
+ **PutMetricData access denied error:** Contact AWS support for assistance.
+ **PutMetricData unknown or general error:** Contact AWS support for assistance.



# Data protection and data privacy with Internet Monitor
<a name="CloudWatch-IM-privacy"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection and data privacy in Internet Monitor. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see [The AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the AWS Security Blog. For more resources about complying with GDPR requirements, see the [General Data Protection Regulation (GDPR) Center](https://aws.amazon.com/compliance/gdpr-center/).

We strongly recommend that you never put sensitive identifying information, such as your end users’ account numbers, email addresses, or other personal information, into free-form fields. Any data that you enter into Internet Monitor or other services might be included in diagnostic logs. 



# Identity and Access Management for Internet Monitor
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Internet Monitor resources. IAM is an AWS service that you can use with no additional charge.

**Important**  
**Internet Monitor resource changes on July 8, 2024**  
If you created IAM policies that included Internet Monitor resources before July 8, 2024, be aware of the following change to Internet Monitor resources and resource types:   
Resource-level permissions for the **GetHealthEvent** action are now supported only on the **Monitor** resource type. The permissions are not supported on the **HealthEvent** resource.
To see more information about the actions, resources, and condition keys that you can specify in policies to manage access to AWS resources in Internet Monitor, see [Actions, resources, and condition keys for Internet Monitor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html).

**Topics**
+ [Upgrade IAM policies to IPv6](security_iam_cwim_security-ipv6-upgrade.md)
+ [How Internet Monitor works with IAM](security_iam_service-with-iam-cwim.md)
+ [Confused deputy prevention](security-iam-cwim-confused-deputy.md)
+ [AWS managed policies](CloudWatch-IM-permissions.md)
+ [Service-linked role](using-service-linked-roles-CWIM.md)

# Upgrade IAM policies to IPv6
<a name="security_iam_cwim_security-ipv6-upgrade"></a>

Internet Monitor customers use IAM policies to set an allowed range of IP addresses, to prevent any IP addresses outside the configured range from being able to access Internet Monitor APIs.

The `internetmonitor.region.api.aws` endpoint, where you access Internet Monitor APIs, is being upgraded to support dual-stack (IPv4 and IPv6).

IP address filtering policies that are not updated to handle IPv6 addresses might result in clients losing access to Internet Monitor APIs. 

## Customers impacted by the upgrade to include IPv6
<a name="customers-impacted"></a>

Customers who are using dual-stack with policies that contain the *aws:sourceIp* filter are impacted by this upgrade. Dual-stack means that the network supports both IPv4 and IPv6. 

If you use dual-stack, you must update your IAM policies that are currently configured with IPv4 format addresses to include IPv6 format addresses. 

The following summarizes recommended actions, depending on your scenario. To confirm the endpoint that your SDK uses, see [Identify the Internet Monitor endpoint used by your code](#IMConfirmSDKEndpoint).


| Endpoint | Using IAM policy with `aws:sourceIp` condition? | Recommended action | 
| --- | --- | --- | 
|  `internetmonitor.region.amazonaws.com` (not dual-stack)  |  Yes  |  To restrict access to IPv4 only, take no further action. Or, if you anticipate that you will need IPv6 support in the future, you can take action to ensure compatibility with both IPv4 and IPv6. To ensure future compatibility, on or after November 1, 2024, update your SDK, and then update your application to use the dual-stack endpoint by setting `useDualstackEndpoint=true`. For more information, see [Dual-stack and FIPS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html). If you choose to use both IPv4 and IPv6, you must also update the IP address filtering condition (`aws:sourceIp`) in your IAM policies to include IPv6 addresses.   | 
|  `internetmonitor.region.amazonaws.com` (not dual-stack)  |  No  |  To restrict access to IPv4 only, take no further action. Or, if you anticipate that you will need IPv6 support in the future, you can take action to ensure compatibility with both IPv4 and IPv6. To ensure future compatibility, on or after November 1, 2024, update your SDK, and then update your application to use the dual-stack endpoint by setting `useDualstackEndpoint=true`. For more information, see [Dual-stack and FIPS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html).   | 
|  `internetmonitor.region.api.aws`  |  Yes  |  To ensure future compatibility with both IPv4 and IPv6, update your SDK, and then update your application to use the dual-stack endpoint by setting `useDualstackEndpoint=true`. For more information, see [Dual-stack and FIPS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html).  When you make the change to use both IPv4 and IPv6, you must also update the IP address filtering condition (`aws:sourceIp`) in your IAM policies to include IPv6 addresses. If you instead want to restrict access to IPv4 only, set `useDualstackEndpoint=false`. For more information, see [Dual-stack and FIPS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html).  | 
|  `internetmonitor.region.api.aws`  |  No  |  To ensure future compatibility with both IPv4 and IPv6, update your SDK, and then update your application to use the dual-stack endpoint by setting `useDualstackEndpoint=true`. For more information, see [Dual-stack and FIPS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html).  If you instead want to restrict access to IPv4 only, set `useDualstackEndpoint=false`. For more information, see [Dual-stack and FIPS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html).  | 

For help with access issues, contact [Support](https://support.console.aws.amazon.com/support/home/?nc1=f_dr#/case/create).
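One way to find policies affected by this change, as an added example that is not part of the AWS documentation: it scans a policy document for `aws:SourceIp` conditions that list only IPv4 ranges and reports whether the statement shuts out IPv6 callers. It generalizes beyond the deny policy that this page discusses to `Allow` statements and `IpAddress` operators; the sample policies and function names are constructed for illustration.

```python
import copy
import ipaddress

# Constructed sample: an IPv4-only deny policy of the kind this page discusses.
IPV4_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
            }
        },
    },
}

# Constructed sample: the same policy after adding an IPv6 range
# (2001:db8::/32 is the IPv6 documentation prefix).
DUAL_STACK_POLICY = copy.deepcopy(IPV4_ONLY_POLICY)
DUAL_STACK_POLICY["Statement"]["Condition"]["NotIpAddress"]["aws:SourceIp"].append(
    "2001:db8:1234:5678::/64"
)


def _as_list(value):
    """IAM accepts a single object or string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def audit_source_ip(policy):
    """Return one finding per aws:SourceIp condition that has no IPv6 range."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect")
        for operator, tests in stmt.get("Condition", {}).items():
            op = operator.lower()
            if "ipaddress" not in op:  # also matches NotIpAddress, ...IfExists
                continue
            for key, values in tests.items():
                if key.lower() != "aws:sourceip":  # condition keys are case-insensitive
                    continue
                v4, v6, unparsed = [], [], []
                for cidr in _as_list(values):
                    try:
                        net = ipaddress.ip_network(cidr, strict=False)
                    except (ValueError, TypeError):
                        unparsed.append(cidr)  # for example, a policy variable
                        continue
                    (v4 if net.version == 4 else v6).append(cidr)
                if not v4 or v6:
                    continue
                negated = "notipaddress" in op
                findings.append({
                    "statement": index,
                    "effect": effect,
                    "operator": operator,
                    "ipv4_ranges": v4,
                    "unparsed": unparsed,
                    # An IPv6 caller never matches an IPv4-only list, so a
                    # Deny + NotIpAddress statement denies it, and an
                    # Allow + IpAddress statement does not grant it access.
                    "ipv6_callers_shut_out": (effect == "Deny") == negated,
                })
    return findings


if __name__ == "__main__":
    for name, policy in (("IPv4 only", IPV4_ONLY_POLICY),
                         ("dual-stack", DUAL_STACK_POLICY)):
        print(name, audit_source_ip(policy))
```
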

## What is IPv6?
<a name="security_iam_cwim_security-ipv6-upgrade.what-is-ipv6"></a>

IPv6 is the next generation IP standard intended to eventually replace IPv4. IPv4 uses a 32-bit addressing scheme, to support 4.3 billion devices. IPv6 instead uses 128-bit addressing, to support approximately 340 trillion trillion trillion (or 2 to the 128th power) devices. 

The following are examples of IPv6 addresses:

```
2001:cdba:0000:0000:0000:0000:3257:9652
2001:cdba:0:0:0:0:3257:9652
2001:cdba::3257:9652
```

IPv6 offers a larger address space, improved routing efficiency, and better support for new internet services. By updating to dual-stack and supporting IPv6, Internet Monitor enables improved performance and scalability. Follow the steps in this section to update your configurations and take advantage of dual-stack support.

## Identify the Internet Monitor endpoint used by your code
<a name="security_iam_cwim_security-ipv6-upgrade.identify-endpoint"></a>

If you use an Internet Monitor SDK, start by verifying which endpoint your code is using: the IPv4 endpoint or the dual-stack (IPv4 and IPv6) endpoint. If you don’t use an SDK with Internet Monitor, you can skip this section.

You can run the following code example to determine the Internet Monitor endpoint that you're using. For this example, we’re using the Internet Monitor SDK for Go in the US East (N. Virginia) Region.

```
package main

import (
    "fmt"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/internetmonitor"
)

func main() {
    // Create a new session with the default configuration
    sess := session.Must(session.NewSession(&aws.Config{
        Region: aws.String("us-east-1"),
    }))

    // Create a new Internet Monitor client
    internetMonitorClient := internetmonitor.New(sess)

    // Get the endpoint URL
    endpoint := internetMonitorClient.Endpoint

    fmt.Printf("Internet Monitor endpoint URL: %s\n", endpoint)
}
```

When you run this code, it returns the Internet Monitor endpoint. If you see the following response, you’re using the Internet Monitor domain that supports only IPv4. You can tell because the format of the endpoint URL includes `amazonaws.com`.

```
Internet Monitor endpoint URL: https://internetmonitor.us-east-1.amazonaws.com
```

If you see the following response instead, then you’re using the domain which is being upgraded to support dual-stack (IPv4 and IPv6). Here, you can tell because the endpoint URL includes `api.aws`. However, note that until the upgrade is complete, this endpoint supports only IPv4. 

```
Internet Monitor endpoint URL: https://internetmonitor.us-east-1.api.aws
```



## Update an IAM policy for IPv6
<a name="security_iam_cwim_security-ipv6-upgrade.updating-for-ipv6"></a>

IAM policies use the `aws:SourceIp` filter to set an allowed range of IP addresses. 

Dual-stack supports both IPv4 and IPv6 traffic. If your network uses dual-stack, you must ensure that any IAM policies that are used for IP address filtering are updated to include IPv6 address ranges.

For example, the following policy (taken from [this example in the IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html)) restricts access to the IPv4 address ranges `192.0.2.0/24` and `203.0.113.0/24`, identified in the `Condition` element: it denies requests from any other source IP address.

```
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "192.0.2.0/24",
                    "203.0.113.0/24"
                ]
            },
            "Bool": {
                "aws:ViaAWSService": "false"
            }
        }
    }
}
```

To update this policy, change the policy's `Condition` element to add IPv6 address ranges, as shown in the following example. The two IPv4 ranges are the existing entries and must stay in place; the two IPv6 ranges are the new entries.

```
"Condition": {
    "NotIpAddress": {
        "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24",
            "2001:DB8:1234:5678::/64",
            "2001:cdba:3257:8593::/64"
        ]
    },
    "Bool": {
        "aws:ViaAWSService": "false"
    }
}
```

**Important**  
Do not remove the existing IPv4 addresses in the policy. They are required for backward compatibility.

For more information about managing access permissions with IAM, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *AWS Identity and Access Management User Guide*.
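
To find policies that still need this update, you can scan policy documents for `aws:SourceIp` conditions that list only IPv4 ranges. The following Python script is an added example, not AWS code: the function names and the `deny_outside` helper are assumptions made for this example, and the sample policies are constructed from the ranges shown above.

```python
import ipaddress
import json

# IAM condition operators that compare IP addresses.
IP_OPERATORS = {"ipaddress", "notipaddress"}


def as_list(value):
    """IAM accepts a single value or a list for Statement and condition values."""
    return value if isinstance(value, list) else [value]


def base_operator(operator):
    """Drop set prefixes and the IfExists suffix, e.g. ForAnyValue:IpAddressIfExists."""
    name = operator.split(":")[-1].lower()
    return name[: -len("ifexists")] if name.endswith("ifexists") else name


def audit_source_ip(policy_json):
    """Return one finding per aws:SourceIp condition, with its CIDRs grouped by IP version."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement", []))):
        for operator, keys in statement.get("Condition", {}).items():
            if base_operator(operator) not in IP_OPERATORS:
                continue
            for key, values in keys.items():
                if key.lower() != "aws:sourceip":  # condition keys are case-insensitive
                    continue
                finding = {
                    "statement": statement.get("Sid", index),
                    "effect": statement.get("Effect"),
                    "operator": operator,
                    "ipv4": [],
                    "ipv6": [],
                    "invalid": [],
                }
                for cidr in as_list(values):
                    try:
                        network = ipaddress.ip_network(cidr, strict=False)
                    except ValueError:
                        finding["invalid"].append(cidr)  # typo or pasted markup
                        continue
                    bucket = "ipv6" if network.version == 6 else "ipv4"
                    finding[bucket].append(str(network))
                # IPv4 ranges without any IPv6 range: dual-stack clients will not match.
                finding["ipv4_only"] = bool(finding["ipv4"]) and not finding["ipv6"]
                findings.append(finding)
    return findings


def deny_outside(cidrs):
    """Build the deny-by-source-IP policy from this section (hypothetical helper)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": {  # a single object, not a list, as in the policy above
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": cidrs},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    })


# Constructed sample input: the policy before and after the IPv6 update.
IPV4_RANGES = ["192.0.2.0/24", "203.0.113.0/24"]
IPV6_RANGES = ["2001:DB8:1234:5678::/64", "2001:cdba:3257:8593::/64"]
BEFORE = deny_outside(IPV4_RANGES)
AFTER = deny_outside(IPV4_RANGES + IPV6_RANGES)

if __name__ == "__main__":
    for label, document in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_source_ip(document):
            status = "IPv4-only, needs IPv6 ranges" if finding["ipv4_only"] else "ok"
            print(f"{label}: {finding['effect']} {finding['operator']} -> {status}")
```

A finding with `ipv4_only` set marks a condition to extend before clients start using the dual-stack endpoint; entries under `invalid` are values that do not parse as an address range at all.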

## Test the network after updating policies
<a name="security_iam_cwim_security-ipv6-upgrade.testing-connection"></a>

After you update your IAM policies to include support for IPv6 addresses, we recommend that you test that your network can access an IPv6 endpoint. This section provides several examples, depending on the operating system that you use.

### Test network with Linux/Unix or Mac OS X
<a name="security_iam_cwim_security-ipv6-upgrade.testing-unix"></a>

If you use Linux/Unix or Mac OS X, you can test that your network can access the IPv6 endpoint by using the following curl command.

`curl -v -s -o /dev/null http://ipv6.ec2-reachability.amazonaws.com/`

If you are connected over IPv6, the output shows the IPv6 address that curl connected to, similar to the following:

```
* About to connect() to aws.amazon.com port 443 (#0)
*   Trying IPv6 address... connected
* Connected to aws.amazon.com (IPv6 address) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.18.1 (x86_64-unknown-linux-gnu) libcurl/7.18.1 OpenSSL/1.0.1t zlib/1.2.3
> Host: aws.amazon.com
```

### Test network with Windows
<a name="security_iam_cwim_security-ipv6-upgrade.testing-windows"></a>

If you use Windows, you can test that your network can access a dual-stack endpoint over IPv6 or IPv4 by using a `ping` command, such as the following:

`ping aws.amazon.com`

If `ping` accesses the endpoint over IPv6, the command returns IPv6 addresses.

## Verify that clients can support IPv6
<a name="security_iam_cwim_security-ipv6-upgrade.verify"></a>

Before you switch to using the *internetmonitor.{region}.api.aws* endpoint, we recommend that you first verify that your clients can access other AWS service endpoints that are already IPv6-enabled. The following steps describe how to verify this by using an existing IPv6 endpoint. 

This example uses Linux and curl version 8.6.0, and uses the [Amazon Athena service](https://docs.aws.amazon.com/general/latest/gr/athena.html), which has IPv6-enabled endpoints located at the *api.aws* domain. 

**Note**  
Switch your AWS Region to the same Region where the client is located. In this example, we use the US East (N. Virginia) – `us-east-1` endpoint.

Use the following example to verify that your clients can access an IPv6-enabled AWS endpoint.

1. Verify that the Athena endpoint resolves with an IPv6 address by using the following command. 

   ```
   dig +short AAAA athena.us-east-1.api.aws
   2600:1f18:e2f:4e05:1a8a:948e:7c08:d2d6
   2600:1f18:e2f:4e03:4a1e:83b0:8823:4ce5
   2600:1f18:e2f:4e04:34c3:6e9a:2b0d:dc79
   ```

1. Now, determine if your client network can make a connection using IPv6 by using the following command: 

   ```
   curl --ipv6 -o /dev/null --silent -w "\nremote ip: %{remote_ip}\nresponse code: %{response_code}\n" https://athena.us-east-1.api.aws
   
   remote ip: 2600:1f18:e2f:4e05:1a8a:948e:7c08:d2d6
   response code: 404
   ```

   If the remote IP address was identified **and** the response code is not `0`, a network connection was successfully made to the endpoint using IPv6.

   If the remote IP address is blank or the response code is `0`, the client network or the network path to the endpoint is IPv4-only. You can verify this with the following curl command: 

   ```
   curl -o /dev/null --silent -w "\nremote ip: %{remote_ip}\nresponse code: %{response_code}\n" https://athena.us-east-1.api.aws
   
   remote ip: 3.210.103.49
   response code: 404
   ```

   If you run this command, and a remote IP address was identified **and** the response code is not `0`, a network connection was successfully made to the endpoint using IPv4. 

# How Internet Monitor works with IAM
<a name="security_iam_service-with-iam-cwim"></a>

Before you use IAM to manage access to Internet Monitor, learn what IAM features are available to use with Internet Monitor.

To see tables showing a similar high-level view of how AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.






**IAM features you can use with Internet Monitor**  

| IAM feature | Internet Monitor support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   Yes  | 
|  [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   Yes  | 
|  [ACLs](#security_iam_service-with-iam-acls)  |   No   | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags)  |   Partial  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   Yes  | 
|  [Principal permissions](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   No   | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

## Identity-based policies for Internet Monitor
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

## Resource-based policies within Internet Monitor
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** No 

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM role trust policies and Amazon S3 bucket policies. In services that support resource-based policies, service administrators can use them to control access to a specific resource.

## Policy actions for Internet Monitor
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

To see a list of Internet Monitor actions, see [Actions defined by Internet Monitor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html#amazoncloudwatchinternetmonitor-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in Internet Monitor use the following prefix before the action:

```
internetmonitor
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
    "internetmonitor:action1",
    "internetmonitor:action2"
]
```





You can specify multiple actions using wildcards (`*`). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "internetmonitor:Describe*"
```

## Policy resources for Internet Monitor
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** Yes

In the *Service Authorization Reference*, you can see the following information related to Internet Monitor:
+ To see a list of Internet Monitor resource types and their ARNs, see [Resources defined by Internet Monitor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html#amazoncloudwatchinternetmonitor-resources-for-iam-policies).
+ To learn the actions that you can specify with the ARN of each resource, see [Actions defined by Internet Monitor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html#amazoncloudwatchinternetmonitor-actions-as-permissions).

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (`*`) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

## Policy condition keys for Internet Monitor
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

To see a list of Internet Monitor condition keys, see [Condition keys for Internet Monitor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html#amazoncloudwatchinternetmonitor-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by Internet Monitor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html#amazoncloudwatchinternetmonitor-actions-as-permissions).

## ACLs in Internet Monitor
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## ABAC with Internet Monitor
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** Partial

Internet Monitor has *partial* support for tags in policies. It supports tagging for one resource, monitors.

To use tags with Internet Monitor, use the AWS Command Line Interface or an AWS SDK. Tagging for Internet Monitor is not supported with the AWS Management Console.

To learn more about using tags in policies in general, review the following information.

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

## Using temporary credentials with Internet Monitor
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Cross-service principal permissions for Internet Monitor
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** Yes

 Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). 

## Service roles for Internet Monitor
<a name="security_iam_service-with-iam-roles-service"></a>

**Supports service roles:** No 

 A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 

## Service-linked role for Internet Monitor
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

For more information about the service-linked role for Internet Monitor, see [Service-linked role for Internet Monitor](using-service-linked-roles-CWIM.md).

For details about creating or managing service-linked roles in general in AWS, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.

# Cross-service confused deputy prevention
<a name="security-iam-cwim-confused-deputy"></a>

A confused deputy is an entity (a service or an account) that is coerced by a different entity to perform an action. This type of impersonation can happen cross-account and cross-service.

To prevent confused deputies, AWS provides tools that help you protect your data for all services using service principals that have been given access to resources in your AWS account. This section focuses on cross-service confused deputy prevention specific to Internet Monitor; however, you can learn more about this topic in the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) section of the *IAM User Guide*.

To limit the permissions that IAM gives to Internet Monitor to access your resources, we recommend using the global condition context keys [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) in your resource policies. 

If you use both of these global condition context keys, and the `aws:SourceArn` value contains the AWS account ID, the `aws:SourceAccount` value and the AWS account in `aws:SourceArn` must use the same AWS account ID when used in the same policy statement.

For Internet Monitor, you specify your account ID for `aws:SourceAccount` and your monitor ARN for `aws:SourceArn`. For cross-service access, you also use your monitor ARN for `aws:SourceArn`.

**Note**  
The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the **full ARN** of the resource. If you don’t know the full ARN, or if you're specifying multiple resources, use the `aws:SourceArn` global condition context key with wildcards (`*`) for the unknown portions of the ARN. For example, `arn:aws:internetmonitor:us-east-1:111122223333:*`.

The following is an example of an assume role policy that shows how you can prevent a confused deputy issue. 

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionExamplePolicy",
    "Effect": "Allow",
    "Principal": {
      "Service": "internetmonitor.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws:internetmonitor:us-east-1:111122223333:monitor/confused-deputy-monitor"
      },
      "StringEquals": {
        "aws:SourceAccount": "111122223333"
      }
    }
  }
}
```
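
The rules in this section can be checked mechanically against a role's trust policy. The following Python script is an added example, not AWS code: the function names and finding codes are assumptions made for this example, the first sample is the policy above, and the other samples (including account ID `444455556666`) are constructed.

```python
import json

SERVICE = "internetmonitor.amazonaws.com"  # service principal from the policy above

# Only positive matches scope the role. Negated or IfExists operators are not
# counted, because they do not require the request to carry a matching value.
POSITIVE_OPERATORS = {"arnlike", "arnequals", "stringequals", "stringlike"}


def as_list(value):
    """IAM accepts a single value or a list for most policy elements."""
    return value if isinstance(value, list) else [value]


def condition_values(statement, wanted_key):
    """Collect values for a condition key under positive operators (keys are case-insensitive)."""
    found = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() not in POSITIVE_OPERATORS:
            continue
        for key, values in keys.items():
            if key.lower() == wanted_key.lower():
                found.extend(as_list(values))
    return found


def arn_account(arn):
    """Return the account field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 and parts[0] == "arn" else None


def check_trust_policy(trust_policy_json, service=SERVICE):
    """Return (statement label, finding code) pairs for statements that trust the service."""
    policy = json.loads(trust_policy_json)
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement", []))):
        principal = statement.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [action.lower() for action in as_list(statement.get("Action", []))]
        if (statement.get("Effect") != "Allow" or service not in services
                or "sts:assumerole" not in actions):
            continue
        label = statement.get("Sid", f"statement {index}")
        arns = condition_values(statement, "aws:SourceArn")
        accounts = condition_values(statement, "aws:SourceAccount")
        if not arns and not accounts:
            findings.append((label, "no-source-condition"))
            continue
        for arn in arns:
            account = arn_account(arn)
            if account is None:
                findings.append((label, "malformed-arn"))
                continue
            # When both keys are used, the account IDs must agree.
            if accounts and "*" not in account and account not in accounts:
                findings.append((label, "account-mismatch"))
            # Wildcards are permitted, but the full ARN is the most effective scope.
            if "*" in arn:
                findings.append((label, "wildcard-arn"))
    return findings


def trust_policy(condition):
    """Build the assume role policy from this section with a given Condition (hypothetical helper)."""
    statement = {
        "Sid": "ConfusedDeputyPreventionExamplePolicy",
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "sts:AssumeRole",
    }
    if condition:
        statement["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": statement})


MONITOR_ARN = "arn:aws:internetmonitor:us-east-1:111122223333:monitor/confused-deputy-monitor"
PAGE_POLICY = trust_policy({"ArnLike": {"aws:SourceArn": MONITOR_ARN},
                            "StringEquals": {"aws:SourceAccount": "111122223333"}})
# Constructed variants of the policy above.
UNSCOPED = trust_policy(None)
MISMATCH = trust_policy({"ArnLike": {"aws:SourceArn": MONITOR_ARN},
                         "StringEquals": {"aws:SourceAccount": "444455556666"}})
WILDCARD = trust_policy({"ArnLike": {"aws:SourceArn": "arn:aws:internetmonitor:us-east-1:111122223333:*"},
                         "StringEquals": {"aws:SourceAccount": "111122223333"}})

if __name__ == "__main__":
    for name, document in (("page policy", PAGE_POLICY), ("unscoped", UNSCOPED),
                           ("mismatch", MISMATCH), ("wildcard", WILDCARD)):
        print(name, check_trust_policy(document) or "ok")
```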


# AWS managed policies for Internet Monitor
<a name="CloudWatch-IM-permissions"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: CloudWatchInternetMonitorServiceRolePolicy
<a name="security-iam-awsmanpol-CloudWatchInternetMonitorServiceRolePolicy"></a>

This policy is attached to the service-linked role named **AWSServiceRoleForInternetMonitor** to allow Internet Monitor to access resources in your account, such as Amazon Virtual Private Cloud resources or Network Load Balancers, so that you can select them when you create a monitor. For more information, see [Service-linked role for Internet Monitor](using-service-linked-roles-CWIM.md).

## AWS managed policy: CloudWatchInternetMonitorReadOnlyAccess
<a name="security-iam-awsmanpol-CloudWatchInternetMonitorReadOnlyAccess"></a>

You can attach `CloudWatchInternetMonitorReadOnlyAccess` to your IAM entities. This policy grants access to read-only actions to work with monitors and data in Internet Monitor. Attach it to IAM users and other principals who need access to only read-only actions. 

Specifically, the scope of this policy includes `internetmonitor:` so that users can use read-only Internet Monitor actions and resources. It includes some `cloudwatch:` policies to retrieve information on CloudWatch metrics. It includes some `logs:` policies to manage log queries. 

To view the permissions for this policy, see [CloudWatchInternetMonitorReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchInternetMonitorReadOnlyAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: CloudWatchInternetMonitorFullAccess
<a name="security-iam-awsmanpol-CloudWatchInternetMonitorFullAccess"></a>

You can attach `CloudWatchInternetMonitorFullAccess` to your IAM entities. This policy grants full access to [Actions for Internet Monitor](https://docs.aws.amazon.com/internet-monitor/latest/api/API_Operations.html) for working with Internet Monitor. Attach it to IAM users and other principals who need full access to Internet Monitor actions. 

Specifically, the scope of this policy includes `internetmonitor:` so that users can use Internet Monitor actions and resources. It includes some `cloudwatch:` policies to retrieve information on CloudWatch alarms and metrics. It includes some `logs:` policies to manage log queries. It includes some `ec2:`, `cloudfront:`, `elasticloadbalancing:`, and `workspaces:` policies to work with resources that you add to monitors so that Internet Monitor can create a traffic profile for your application. It contains some `iam:` policies to manage IAM roles. 

To view the permissions for this policy, see [CloudWatchInternetMonitorFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchInternetMonitorFullAccess.html) in the *AWS Managed Policy Reference*.

## Internet Monitor updates to AWS managed policies
<a name="security-iam-awsmanpol-updates-cwim-manpol"></a>

To view details about updates to AWS managed policies for Internet Monitor since this service began tracking these changes, see [CloudWatch updates to AWS managed policies](managed-policies-cloudwatch.md#security-iam-awsmanpol-updates). For automatic alerts about managed policy changes in CloudWatch, subscribe to the RSS feed on the CloudWatch [Document history](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/DocumentHistory.html) page.

# Service-linked role for Internet Monitor
<a name="using-service-linked-roles-CWIM"></a>

Internet Monitor uses an AWS Identity and Access Management (IAM) [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Internet Monitor. The service-linked role is predefined by Internet Monitor and includes all the permissions that the service requires to call other AWS services on your behalf. 

Internet Monitor defines the permissions of the service-linked role, and unless defined otherwise, only Internet Monitor can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete the role only after first deleting its related resources. This restriction protects your Internet Monitor resources because you can't inadvertently remove permissions to access the resources.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for Internet Monitor
<a name="service-linked-role-permissions-CWIM-AWSServiceRoleForInternetMonitor"></a>

Internet Monitor uses the service-linked role named **AWSServiceRoleForInternetMonitor**. This role allows Internet Monitor to access resources in your account, such as Amazon Virtual Private Cloud resources, Amazon CloudFront distributions, Amazon WorkSpaces directories, and Network Load Balancers, so that you can select them when you create a monitor.

This service-linked role uses the managed policy `CloudWatchInternetMonitorServiceRolePolicy`. 

The **AWSServiceRoleForInternetMonitor** service-linked role trusts the following service to assume the role:
+ `internetmonitor.amazonaws.com`

To view the permissions for this policy, see [CloudWatchInternetMonitorServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchInternetMonitorServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## Creating a service-linked role for Internet Monitor
<a name="create-service-linked-role-CWIM"></a>

You do not need to manually create the service-linked role for Internet Monitor. The first time that you create a monitor, Internet Monitor creates **AWSServiceRoleForInternetMonitor** for you.

For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

## Editing a service-linked role for Internet Monitor
<a name="edit-service-linked-role-CWIM"></a>

After Internet Monitor creates a service-linked role in your account, you cannot change the name of the role because various entities might reference the role. You can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Internet Monitor
<a name="delete-service-linked-role-CWIM"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for the service-linked role before you can manually delete it.

After you've removed your resources from your monitors in Internet Monitor and then deleted the monitors, you can delete the service-linked role **AWSServiceRoleForInternetMonitor**.

**Note**  
If the Internet Monitor service is using the role when you try to delete it, then the deletion might fail. If that happens, wait for a few minutes and then try again.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the **AWSServiceRoleForInternetMonitor** service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Updates to the Internet Monitor service-linked role
<a name="security-iam-awsmanpol-updates-cwim"></a>

For updates to **AWSServiceRoleForInternetMonitor**, the AWS managed policy for the Internet Monitor service-linked role, see [CloudWatch updates to AWS managed policies](managed-policies-cloudwatch.md#security-iam-awsmanpol-updates). For automatic alerts about managed policy changes in CloudWatch, subscribe to the RSS feed on the CloudWatch [Document history](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/DocumentHistory.html) page.