

# Monitor WorkSpaces Personal


You can use the following features to monitor your WorkSpaces.

**CloudWatch metrics**  
Amazon WorkSpaces publishes data points to Amazon CloudWatch about your WorkSpaces. CloudWatch enables you to retrieve statistics about those data points as an ordered set of time-series data, known as *metrics*. You can use these metrics to verify that your WorkSpaces are performing as expected. For more information, see [Monitor your WorkSpaces using CloudWatch metrics](cloudwatch-metrics.md).

**CloudWatch Events**  
Amazon WorkSpaces can submit events to Amazon CloudWatch Events when users log in to your WorkSpace. This enables you to respond when the event occurs. For more information, see [Monitor your WorkSpaces using Amazon EventBridge](cloudwatch-events.md).

**CloudTrail logs**  
AWS CloudTrail provides a record of actions taken by a user, role, or an AWS service in WorkSpaces. Using the information collected by CloudTrail, you can determine the request that was made to WorkSpaces, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Logging WorkSpaces API Calls by Using CloudTrail](https://docs.aws.amazon.com/workspaces/latest/api/cloudtrail_logging.html). AWS CloudTrail logs successful and unsuccessful sign-in events for smart card users. For more information, see [Understanding AWS sign-in events for smart card users](signin-events.md).

**CloudWatch Internet Monitor**  
Amazon CloudWatch Internet Monitor provides visibility into how internet issues impact the performance and availability between your applications hosted on AWS and your end users. You can also use CloudWatch Internet Monitor to:  
+ Create monitors for one or more WorkSpace directories.
+ Monitor internet performance.
+ Get alarms for issues between your end users’ city-network, including its location and ASN, which is typically the Internet Service Provider (ISP), and their WorkSpace Regions.

Internet Monitor uses the connectivity data that AWS captures from its global networking footprint to calculate a baseline of performance and availability for internet-facing traffic. Internet Monitor currently can't provide internet performance data for individual end users, but it can at the city and ISP level.

**Amazon S3 Access Logs**  
If your users have application settings data or home folders data stored in Amazon S3 buckets, consider viewing Amazon S3 server access logs to monitor access. These logs provide detailed records about requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. For more information, see [Amazon S3 Server Access Logging](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html) in the *Amazon Simple Storage Service User Guide*.

# Monitor your WorkSpaces health using the CloudWatch automatic dashboard

You can monitor WorkSpaces using the CloudWatch automatic dashboard, which collects raw data and processes it into readable, near real-time metrics. The metrics are kept for 15 months to access historical information and to monitor the performance of your web application or service. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

The CloudWatch dashboard is automatically created when you use your AWS account to configure your WorkSpaces. The dashboard allows you to monitor your WorkSpaces metrics, such as their health and performance, across Regions. You can also use the dashboard for the following purposes:
+ Identify unhealthy WorkSpace instances.
+ Identify running modes, protocols, and operating systems that have unhealthy WorkSpace instances.
+ View critical resource utilization over time.
+ Identify anomalies to help with troubleshooting.

WorkSpaces CloudWatch automatic dashboards are available in all AWS commercial Regions.

**To use the WorkSpaces CloudWatch automatic dashboard**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Dashboards**.

1. Choose the **Automatic dashboards** tab.

1. Choose **WorkSpaces**.

## Understanding your WorkSpaces CloudWatch automatic dashboard


The CloudWatch automatic dashboard allows you to gain insight into the performance of your WorkSpaces resources and helps you identify performance issues.

![\[WorkSpaces client sign in screen\]](http://docs.aws.amazon.com/workspaces/latest/adminguide/images/cw_dashboard_withcallouts.png)


**The dashboard consists of the following features:**

1. View historical data using time and date range controls.

1. Add a customized dashboard view to the CloudWatch custom dashboards.

1. Monitor the overall health and utilization status of your WorkSpaces by doing the following:

   1. View the total number of provisioned WorkSpaces, the number of users connected, and the number of unhealthy and healthy WorkSpace instances.

   1. View unhealthy WorkSpaces and their different variables, such as protocol and compute mode.

   1. Hover over the line chart to view the number of healthy or unhealthy WorkSpace instances for a specific protocol and running mode over a period of time.

   1. Choose the ellipsis menu, then choose **View in metrics** to view the metrics on a time scale chart.

1. View your connection metrics and their different variables, such as number of connection attempts, successful connections, and failed connections in your WorkSpaces environment at any given time.

1. View in-session latency that affects your users' experience, such as round-trip time (RTT), to determine connection health, and view packet loss to monitor network health.

1. View host performance and resource utilization to identify and troubleshoot potential performance issues.

# Monitor your WorkSpaces using CloudWatch metrics

WorkSpaces and Amazon CloudWatch are integrated, so you can gather and analyze performance metrics. You can monitor these metrics using the CloudWatch console, the CloudWatch command line interface, or programmatically using the CloudWatch API. CloudWatch also allows you to set alarms when you reach a specified threshold for a metric.

For more information about using CloudWatch and alarms, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/).

**Prerequisites**  
To get CloudWatch metrics, enable access on port 443 on the `AMAZON` subset in the `us-east-1` Region. For more information, see [IP address and port requirements for WorkSpaces Personal](workspaces-port-requirements.md).

**Topics**
+ [WorkSpaces metrics](#wsp-metrics)
+ [Dimensions for WorkSpaces metrics](#wsp-metric-dimensions)
+ [Monitoring example](#monitoring_example)

## WorkSpaces metrics


The `AWS/WorkSpaces` namespace includes the following metrics.


| Metric | Description | Dimensions | Statistics | Units | 
| --- | --- | --- | --- | --- | 
| `Available`<sup>1</sup> | The number of WorkSpaces that returned a healthy status. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `Unhealthy`<sup>1</sup> | The number of WorkSpaces that returned an unhealthy status. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `ConnectionAttempt`<sup>2</sup> | The number of connection attempts. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `ConnectionSuccess`<sup>2</sup> | The number of successful connections. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `ConnectionFailure`<sup>2</sup> | The number of failed connections. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `SessionLaunchTime`<sup>2,6</sup> | The amount of time it takes to initiate a WorkSpaces session. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Second (time) |
| `InSessionLatency`<sup>2,6</sup> | The round trip time between the WorkSpaces client and the WorkSpace. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Millisecond (time) |
| `SessionDisconnect`<sup>2,6</sup> | The number of connections that were closed, including user-initiated and failed connections. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `UserConnected`<sup>3</sup> | The number of WorkSpaces that have a user connected. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `Stopped` | The number of WorkSpaces that are stopped. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `Maintenance`<sup>4</sup> | The number of WorkSpaces that are under maintenance. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `TrustedDeviceValidationAttempt`<sup>5,6</sup> | The number of device authentication signature validation attempts. | `DirectoryId` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `TrustedDeviceValidationSuccess`<sup>5,6</sup> | The number of successful device authentication signature validations. | `DirectoryId` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `TrustedDeviceValidationFailure`<sup>5,6</sup> | The number of failed device authentication signature validations. | `DirectoryId` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `TrustedDeviceCertificateDaysBeforeExpiration`<sup>6</sup> | Days left before the root certificate associated with the directory is expired. | `CertificateId` | Average, Sum, Maximum, Minimum, Data Samples | Count |
| `CPUUsage` | The percentage of the CPU resource used. |  `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName`  | Average, Maximum, Minimum | Percentage | 
| `MemoryUsage` | The percentage of the machine memory used. |  `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName`  | Average, Maximum, Minimum | Percentage | 
| `RootVolumeDiskUsage` | The percentage of the root disk volume used. |  `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName`  | Average, Maximum, Minimum | Percentage | 
| `UserVolumeDiskUsage` | The percentage of the user disk volume used. |  `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName`  | Average, Maximum, Minimum | Percentage | 
| `UDPPacketLossRate`<sup>7</sup> | The percentage of packets dropped between the client and the gateway. | `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName` | Average, Maximum, Minimum, Data Samples | Percentage |
| `UpTime` | The time since the last reboot of a WorkSpace. |  `DirectoryId` `WorkspaceId` `RunningMode` `Protocol` `ComputeType` `BundleId` `UserName` `ComputerName`  | Average, Maximum, Minimum, Data Samples | Seconds | 

<sup>1</sup> WorkSpaces periodically sends status requests to a WorkSpace. A WorkSpace is marked `Available` when it responds to these requests, and `Unhealthy` when it fails to respond to these requests. These metrics are available at a per-WorkSpace level of granularity, and also aggregated for all WorkSpaces in an organization.

<sup>2</sup> WorkSpaces records metrics on connections made to each WorkSpace. These metrics are emitted after a user has successfully authenticated via the WorkSpaces client and the client then initiates a session. The metrics are available at a per-WorkSpace level of granularity, and also aggregated for all WorkSpaces in a directory.

<sup>3</sup> WorkSpaces periodically sends connection status requests to a WorkSpace. Users are reported as connected when they are actively using their sessions. This metric is available at a per-WorkSpace level of granularity, and is also aggregated for all WorkSpaces in an organization.

<sup>4</sup> This metric applies to WorkSpaces that are configured with an AutoStop running mode. If you have maintenance enabled for your WorkSpaces, this metric captures the number of WorkSpaces that are currently under maintenance. This metric is available at a per-WorkSpace level of granularity, which describes when a WorkSpace went into maintenance and when it was removed.

<sup>5</sup> If the trusted devices feature is enabled for the directory, Amazon WorkSpaces uses certificate-based authentication to determine whether a device is trusted. When users attempt to access their WorkSpaces, these metrics are emitted to indicate successful or failed trusted device authentication. These metrics are available at a per-directory level of granularity, and only for the Amazon WorkSpaces Windows and macOS client applications.

<sup>6</sup> Not available on WorkSpaces Web Access.

<sup>7</sup> This metric measures average packet loss.
+ **On PCoIP**: Measures average UDP packet loss from client to gateway.

  **Note**  
  This is measured at the gateway.
+ **On DCV**: Measures UDP packet loss from gateway to client.

  **Note**  
  This is measured at the gateway.

## Dimensions for WorkSpaces metrics


To filter the metric data, use the following dimensions.


| Dimension | Description | 
| --- | --- | 
| `DirectoryId` | Filters the metric data to the WorkSpaces in the specified directory. The form of the directory ID is `d-XXXXXXXXXX`. | 
| `WorkspaceId` | Filters the metric data to the specified WorkSpace. The form of the WorkSpace ID is `ws-XXXXXXXXXX`. | 
| `CertificateId` | Filters the metric data to the specified root certificate associated with the directory. The form of the certificate ID is `wsc-XXXXXXXXX`. | 
| `RunningMode` | Filters the metric data to the WorkSpaces by their running mode. The form of the running mode is AutoStop or AlwaysOn. | 
| `BundleId` | Filters the metric data to the WorkSpaces by the protocol. The form of the bundle is `wsb-XXXXXXXXXX`. | 
| `ComputeType` | Filters the metric data to the WorkSpaces by the compute type.  | 
| `Protocol` | Filters the metric data to the WorkSpaces by the protocol type. | 
| `UserName` | Filters the metric data to the WorkSpaces by the user's name. The `UserName` cannot contain non-ASCII characters, such as accented letters (é, à, ö, ñ, etc.), non-Latin alphabets, and symbols (©️, ®️, €, £, µ, ¥, etc.). |
| `ComputerName` | Filters the metric data to the specified WorkSpace. See various formats for [WorkSpaces Computer Name](https://docs.aws.amazon.com/workspaces/latest/adminguide/wsp-directory-identify-computer.html). |

## Monitoring example


The following example demonstrates how you can use the AWS CLI to respond to a CloudWatch alarm and determine which WorkSpaces in a directory have experienced connection failures.

**To respond to a CloudWatch alarm**

1. Determine which directory the alarm applies to using the [describe-alarms](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/describe-alarms.html) command.

   ```
   aws cloudwatch describe-alarms --state-value "ALARM"
   
   {
     "MetricAlarms": [
       {
         ...
         "Dimensions": [
           {
             "Name": "DirectoryId",
             "Value": "directory_id"
           }
         ],
         ...
       }
     ]
   }
   ```

1. Get the list of WorkSpaces in the specified directory using the [describe-workspaces](https://docs.aws.amazon.com/cli/latest/reference/workspaces/describe-workspaces.html) command.

   ```
   aws workspaces describe-workspaces --directory-id directory_id
   
   {
     "Workspaces": [
       {
         ...
         "WorkspaceId": "workspace1_id",
         ...
       },
       {
         ...
         "WorkspaceId": "workspace2_id",
         ...
       },
       {
         ...
         "WorkspaceId": "workspace3_id",
         ...
       }
     ]
   }
   ```

1. Get the CloudWatch metrics for each WorkSpace in the directory using the [get-metric-statistics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/get-metric-statistics.html) command.

   ```
   aws cloudwatch get-metric-statistics \
   --namespace AWS/WorkSpaces \
   --metric-name ConnectionFailure \
   --start-time 2015-04-27T00:00:00Z \
   --end-time 2015-04-28T00:00:00Z \
   --period 3600 \
   --statistics Sum \
   --dimensions "Name=WorkspaceId,Value=workspace_id"
   
   {
     "Datapoints" : [
       {
         "Timestamp": "2015-04-27T00:18:00Z",
         "Sum": 1.0,
         "Unit": "Count"
       },
       {
         "Timestamp": "2015-04-27T01:18:00Z",
         "Sum": 0.0,
         "Unit": "Count"
       }
     ],
     "Label" : "ConnectionFailure"
   }
   ```
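
The three CLI steps above, chained into one triage routine. This is an added example, not code from the original page or from AWS; it assumes boto3-style `cloudwatch` and `workspaces` clients, and the stub classes, their IDs and their datapoints are constructed so the block runs offline.

```python
from datetime import datetime, timedelta, timezone


def _pages(call, **kwargs):
    """Yield every page of a NextToken-paginated AWS API call."""
    while True:
        page = call(**kwargs)
        yield page
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def directories_in_alarm(cloudwatch):
    """Step 1: DirectoryId values of AWS/WorkSpaces alarms in the ALARM state."""
    found = set()
    for page in _pages(cloudwatch.describe_alarms, StateValue="ALARM"):
        for alarm in page.get("MetricAlarms", []):
            if alarm.get("Namespace") != "AWS/WorkSpaces":
                continue  # ignore alarms that belong to other services
            for dim in alarm.get("Dimensions", []):
                if dim["Name"] == "DirectoryId":
                    found.add(dim["Value"])
    return sorted(found)


def workspace_ids(workspaces, directory_id):
    """Step 2: every WorkspaceId in the directory, following pagination."""
    ids = []
    for page in _pages(workspaces.describe_workspaces, DirectoryId=directory_id):
        ids.extend(w["WorkspaceId"] for w in page.get("Workspaces", []))
    return ids


def connection_failures(cloudwatch, workspace_id, start, end):
    """Step 3: total ConnectionFailure count for one WorkSpace in the window."""
    resp = cloudwatch.get_metric_statistics(
        Namespace="AWS/WorkSpaces", MetricName="ConnectionFailure",
        Dimensions=[{"Name": "WorkspaceId", "Value": workspace_id}],
        StartTime=start, EndTime=end, Period=3600, Statistics=["Sum"],
    )
    return sum(dp["Sum"] for dp in resp.get("Datapoints", []))


def failing_workspaces(cloudwatch, workspaces, start, end):
    """Map each alarming directory to [(workspace_id, failures)], worst first."""
    report = {}
    for directory_id in directories_in_alarm(cloudwatch):
        rows = []
        for ws_id in workspace_ids(workspaces, directory_id):
            total = connection_failures(cloudwatch, ws_id, start, end)
            if total > 0:
                rows.append((ws_id, total))
        report[directory_id] = sorted(rows, key=lambda row: row[1], reverse=True)
    return report


class StubCloudWatch:
    """Constructed responses shaped like the CLI output above (not real data)."""

    SUMS = {
        "ws-constructed1": [1.0, 0.0],
        "ws-constructed2": [],
        "ws-constructed3": [3.0, 2.0],
    }

    def describe_alarms(self, **kwargs):
        return {"MetricAlarms": [
            {"Namespace": "AWS/WorkSpaces", "MetricName": "ConnectionFailure",
             "Dimensions": [{"Name": "DirectoryId", "Value": "d-constructed"}]},
            {"Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
             "Dimensions": [{"Name": "InstanceId", "Value": "i-constructed"}]},
        ]}

    def get_metric_statistics(self, **kwargs):
        ws_id = kwargs["Dimensions"][0]["Value"]
        points = [{"Sum": s, "Unit": "Count"} for s in self.SUMS[ws_id]]
        return {"Label": "ConnectionFailure", "Datapoints": points}


class StubWorkSpaces:
    """Returns two pages so the NextToken handling is exercised."""

    def describe_workspaces(self, **kwargs):
        if "NextToken" not in kwargs:
            return {"Workspaces": [{"WorkspaceId": "ws-constructed1"},
                                   {"WorkspaceId": "ws-constructed2"}],
                    "NextToken": "page-2"}
        return {"Workspaces": [{"WorkspaceId": "ws-constructed3"}]}


def demo():
    """Run the triage over the constructed stubs for a one-day window."""
    end = datetime(2015, 4, 28, tzinfo=timezone.utc)
    start = end - timedelta(days=1)
    # With real credentials, pass boto3.client("cloudwatch") and
    # boto3.client("workspaces") instead of the stubs.
    return failing_workspaces(StubCloudWatch(), StubWorkSpaces(), start, end)
```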

# Monitor your WorkSpaces using Amazon EventBridge

You can use events from Amazon WorkSpaces to view, search, download, archive, analyze, and respond to successful logins to your WorkSpaces. For example, you can use events for the following purposes:
+ Store or archive WorkSpaces login events as logs for future reference, analyze the logs to look for patterns, and take action based on those patterns.
+ Use the WAN IP address to determine where users are logged in from, and then use policies to allow users access only to files or data from WorkSpaces that meet the access criteria found in the event type of `WorkSpaces Access`.
+ Analyze login data and perform automated actions using AWS Lambda.
+ Use policy controls to block access to files and applications from unauthorized IP addresses.
+ Find out the WorkSpaces client version used to connect to WorkSpaces.

Amazon WorkSpaces emits these events on a best-effort basis. Events are delivered to EventBridge in near real time. With EventBridge, you can create rules that trigger programmatic actions in response to an event. For example, you can configure a rule that invokes an SNS topic to send an email notification or invokes a Lambda function to take some action. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

## WorkSpaces Access events


WorkSpaces client applications send `WorkSpaces Access` events when a user successfully logs in to a WorkSpace. All WorkSpaces clients send these events.

Events emitted for WorkSpaces using DCV require the WorkSpaces client application version 4.0.1 or later.

Events are represented as JSON objects. The following is example data for a `WorkSpaces Access` event.

```
{
    "version": "0",
    "id": "64ca0eda-9751-dc55-c41a-1bd50b4fc9b7",
    "detail-type": "WorkSpaces Access",
    "source": "aws.workspaces",
    "account": "123456789012",
    "time": "2023-04-05T16:13:59Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "clientIpAddress": "192.0.2.3",
        "actionType": "successfulLogin",
        "workspacesClientProductName": "WorkSpacesWebClient",
        "loginTime": "2023-04-05T16:13:37.603Z",
        "clientPlatform": "Windows",
        "directoryId": "domain/d-123456789",
        "clientVersion": "5.7.0.3472",
        "workspaceId": "ws-xyskdga"
    }
}
```

**Event-specific fields**

`clientIpAddress`  
The WAN IP address of the client application. For PCoIP zero clients, this is the IP address of the Teradici auth client.

`actionType`  
This value is always `successfulLogin`.

`workspacesClientProductName`  
The following values are case-sensitive.  
+ `WorkSpaces Desktop client` — Windows, macOS, and Linux clients
+ `Amazon WorkSpaces Mobile client` — iOS client
+ `WorkSpaces Mobile Client` — Android clients
+ `WorkSpaces Chrome Client` — Chromebook client
+ `WorkSpacesWebClient` — Web Access client
+ `AmazonWorkSpacesThinClient` — Amazon WorkSpaces Thin Client device
+ `Teradici PCoIP Zero Client`, `Teradici PCoIP Desktop Client`, or `Dell Wyse PCoIP Client` — Zero Client

`loginTime`  
The time at which the user logged in to the WorkSpace.

`clientPlatform`  
+ `Android`
+ `Chrome`
+ `iOS`
+ `Linux`
+ `OSX`
+ `Windows`
+ `Teradici PCoIP Zero Client and Tera2`
+ `Web`

`directoryId`  
The identifier of the directory for the WorkSpace. You must prepend the directory identifier with `domain/`. For example, `"domain/d-123456789"`.

`clientVersion`  
The client version used to connect to WorkSpaces.

`workspaceId`  
The identifier of the WorkSpace.
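
One way to act on these fields from a Lambda target, as an added example that is not part of the original page: it checks `clientIpAddress` against an allowlist and `clientVersion` against a minimum. The allowed network, the minimum version, the function names and the second event are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example (not values from the page): the corporate
# egress range and the minimum client version the organisation accepts.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
MIN_CLIENT_VERSION = (5, 8, 0)


def parse_version(text):
    """Turn '5.7.0.3472' into (5, 7, 0, 3472); None if it is not dotted-numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None


def evaluate_access_event(event, allowed=ALLOWED_NETWORKS, min_version=MIN_CLIENT_VERSION):
    """Return a finding record for a WorkSpaces Access event, or None otherwise."""
    if event.get("source") != "aws.workspaces":
        return None
    if event.get("detail-type") != "WorkSpaces Access":
        return None
    detail = event.get("detail") or {}
    findings = []

    try:
        client_ip = ipaddress.ip_address(detail.get("clientIpAddress", ""))
    except ValueError:
        findings.append("unparseable clientIpAddress")
    else:
        if not any(client_ip in net for net in allowed):
            findings.append("login from outside allowed networks")

    version = parse_version(detail.get("clientVersion"))
    if version is None:
        findings.append("unparseable clientVersion")
    elif version < min_version:
        findings.append("client below minimum version")

    return {
        "workspaceId": detail.get("workspaceId"),
        # The event carries the directory as "domain/d-..."; keep only the ID.
        "directoryId": (detail.get("directoryId") or "").split("/", 1)[-1],
        "loginTime": detail.get("loginTime"),
        "findings": findings,
    }


def lambda_handler(event, context):
    """Entry point when the function is the target of the EventBridge rule."""
    result = evaluate_access_event(event)
    if result and result["findings"]:
        # Deployment-specific: publish to SNS, open a ticket, and so on.
        print("WorkSpaces Access finding:", result)
    return result


# The sample event shown on this page.
PAGE_EVENT = {
    "version": "0",
    "id": "64ca0eda-9751-dc55-c41a-1bd50b4fc9b7",
    "detail-type": "WorkSpaces Access",
    "source": "aws.workspaces",
    "account": "123456789012",
    "time": "2023-04-05T16:13:59Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "clientIpAddress": "192.0.2.3",
        "actionType": "successfulLogin",
        "workspacesClientProductName": "WorkSpacesWebClient",
        "loginTime": "2023-04-05T16:13:37.603Z",
        "clientPlatform": "Windows",
        "directoryId": "domain/d-123456789",
        "clientVersion": "5.7.0.3472",
        "workspaceId": "ws-xyskdga",
    },
}

# Constructed variant that satisfies both checks.
COMPLIANT_EVENT = dict(
    PAGE_EVENT,
    detail=dict(PAGE_EVENT["detail"], clientIpAddress="198.51.100.25",
                clientVersion="5.8.0.1"),
)
```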

## Create a rule to handle WorkSpaces events


Use the following procedure to create a rule to handle the WorkSpaces events.

**Prerequisite**

To receive email notifications, create an Amazon Simple Notification Service topic.

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation pane, choose **Topics**.

1. Choose **Create topic**.

1. For **Type**, choose **Standard**.

1. For **Name**, enter a name for your topic.

1. Choose **Create topic**.

1. Choose **Create subscription**.

1. For **Protocol**, choose **Email**.

1. For **Endpoint**, enter the email address that receives the notifications.

1. Choose **Create subscription**.

1. You'll receive an email message with the following subject line: AWS Notification - Subscription Confirmation. Follow the directions to confirm your subscription.

**To create a rule to handle WorkSpaces events**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. Choose **Create rule**.

1. For **Name**, enter a name for your rule.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event pattern**, do the following:

   1. For **Event source**, choose **AWS services**.

   1. For **AWS service**, choose **WorkSpaces**.

   1. For **Event type**, choose **WorkSpaces Access**.

   1. By default, we send notifications for every event. If you prefer, you can create an event pattern that filters events for specific clients or workspaces.

1. Choose **Next**.

1. Specify a target as follows:

   1. For **Target types**, choose **AWS service**.

   1. For **Select a target**, choose **SNS topic**.

   1. For **Topic**, choose the SNS topic that you created for notifications.

1. Choose **Next**.

1. (Optional) Add tags to your rule.

1. Choose **Next**.

1. Choose **Create rule**.

# Understanding AWS sign-in events for smart card users

AWS CloudTrail logs successful and unsuccessful sign-in events for smart card users. This includes sign-in events that are captured each time a user is prompted to solve a specific credential challenge or factor, as well as the status of that particular credential verification request. A user is signed in only after completing all required credential challenges, which results in a `UserAuthentication` event being logged.

The following table captures each of the sign-in CloudTrail event names and their purposes.


| Event name | Event purpose | 
| --- | --- | 
| `CredentialChallenge` |  Notifies that AWS sign-in has requested that the user solve a specific credential challenge and specifies the `CredentialType` that is required (for example, SMARTCARD).  | 
| `CredentialVerification` |  Notifies that the user has attempted to solve a specific `CredentialChallenge` request, and specifies whether that credential has succeeded or failed.  | 
| `UserAuthentication` |  Notifies that all authentication requirements that the user was challenged with have been successfully completed and that the user was successfully signed in. When users fail to successfully complete the required credential challenges, no `UserAuthentication` event is logged.  | 

The following table captures additional useful event data fields contained within specific sign-in CloudTrail events.


| Field name | Field purpose | Sign-in event applicability | Example values | 
| --- | --- | --- | --- | 
| `AuthWorkflowID` |  Correlates all events emitted across an entire sign-in sequence. For each user sign-in, multiple events can be emitted by AWS sign-in.  |  `CredentialChallenge`, `CredentialVerification`, `UserAuthentication`  |  "AuthWorkflowID": "9de74b32-8362-4a01-a524-de21df59fd83"  | 
| `CredentialType` |  Notifies that the user has attempted to solve a specific `CredentialChallenge` request and specifies whether that credential has succeeded or failed.  |  `CredentialChallenge`, `CredentialVerification`, `UserAuthentication`  |  "CredentialType": "SMARTCARD" (possible values today: SMARTCARD)  | 
| `LoginTo` |  Notifies that all authentication requirements that the user was challenged with have been successfully completed and that the user was successfully signed in. When users fail to successfully complete the required credential challenges, no `UserAuthentication` event is logged.  |  `UserAuthentication`  |  "LoginTo": "https://skylight.local"  | 

## Example events for AWS sign-in scenarios

The following examples show the expected sequence of CloudTrail events for different sign-in scenarios.

**Topics**
+ [Successful sign-in when authenticating with smart card](#successful-signin)
+ [Failed sign-in when authenticating with only a smart card](#failed-signin)

### Successful sign-in when authenticating with smart card


The following sequence of events captures an example of a successful smart card sign-in.

**CredentialChallenge**  

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "509318101470",
        "arn": "",
        "accountId": "509318101470",
        "accessKeyId": ""
    },
    "eventTime": "2021-07-30T17:23:29Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CredentialChallenge", 
    "awsRegion": "us-east-1", 
    "sourceIPAddress": "AWS Internal", 
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "6602f256-3b76-4977-96dc-306a7283269e",
        "CredentialType": "SMARTCARD"
    },
    "requestID": "65551a6d-654a-4be8-90b5-bbfef7187d3a",
    "eventID": "fb603838-f119-4304-9fdc-c0f947a82116",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management", 
    "recipientAccountId": "509318101470", 
    "serviceEventDetails": {
        "CredentialChallenge": "Success"
    }
}
```

**Successful CredentialVerification**  

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "509318101470",
        "arn": "",
        "accountId": "509318101470",
        "accessKeyId": ""
    },
    "eventTime": "2021-07-30T17:23:39Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CredentialVerification",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "6602f256-3b76-4977-96dc-306a7283269e",
        "CredentialType": "SMARTCARD"
    },
    "requestID": "81869203-1404-4bf2-a1a4-3d30aa08d8d5",
    "eventID": "84c0a2ff-413f-4d0f-9108-f72c90a41b6c",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "509318101470",
    "serviceEventDetails": {
        "CredentialVerification": "Success"
    }
}
```

**Successful UserAuthentication**  

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "509318101470",
        "arn": "",
        "accountId": "509318101470",
        "accessKeyId": ""
    },
    "eventTime": "2021-07-30T17:23:39Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "UserAuthentication", 
    "awsRegion": "us-east-1", 
    "sourceIPAddress": "AWS Internal", 
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "6602f256-3b76-4977-96dc-306a7283269e", 
        "LoginTo": "https://skylight.local", 
        "CredentialType": "SMARTCARD"
    },
    "requestID": "81869203-1404-4bf2-a1a4-3d30aa08d8d5", 
    "eventID": "acc0dba8-8e8b-414b-a52d-6b7cd51d38f6", 
    "readOnly": false,
    "eventType": "AwsServiceEvent", 
    "managementEvent": true,
    "eventCategory": "Management", 
    "recipientAccountId": "509318101470", 
    "serviceEventDetails": {
        "UserAuthentication": "Success"
    }
}
```

### Failed sign-in when authenticating with only a smart card


The following sequence of events captures an example of failed smart card sign-in.

**CredentialChallenge**  

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "509318101470",
        "arn": "",
        "accountId": "509318101470",
        "accessKeyId": ""
    },
    "eventTime": "2021-07-30T17:23:06Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CredentialChallenge", 
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal", 
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "73dfd26b-f812-4bd2-82e9-0b2abb358cdb",
        "CredentialType": "SMARTCARD"
    },
    "requestID": "73eb499d-91a8-4c18-9c5d-281fd45ab50a",
    "eventID": "f30a50ec-71cf-415a-a5ab-e287edc800da",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management", 
    "recipientAccountId": "509318101470", 
    "serviceEventDetails": {
        "CredentialChallenge": "Success"
    }
}
```

**Failed CredentialVerification**  

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "509318101470",
        "arn": "",
        "accountId": "509318101470",
        "accessKeyId": ""
    },
    "eventTime": "2021-07-30T17:23:13Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CredentialVerification",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "73dfd26b-f812-4bd2-82e9-0b2abb358cdb",
        "CredentialType": "SMARTCARD"
    },
    "requestID": "051ca316-0b0d-4d38-940b-5fe5794fda03",
    "eventID": "4e6fbfc7-0479-48da-b7dc-e875155a8177",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "eventCategory": "Management", 
    "recipientAccountId": "509318101470", 
    "serviceEventDetails": {
        "CredentialVerification": "Failure"
    }
}
```
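The two events above share the same `AuthWorkflowID`, which lets you tie a failed verification back to the challenge that preceded it. The following is an added example, not code from the AWS documentation: it groups smart card sign-in events by workflow and reports the first non-successful step. The function names and the trimmed sample records are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed copies of the two events above plus one unrelated event.
SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2021-07-30T17:23:13Z", "eventSource": "signin.amazonaws.com",
  "eventName": "CredentialVerification",
  "additionalEventData": {"AuthWorkflowID": "73dfd26b-f812-4bd2-82e9-0b2abb358cdb",
                          "CredentialType": "SMARTCARD"},
  "serviceEventDetails": {"CredentialVerification": "Failure"}},
 {"eventTime": "2021-07-30T17:23:06Z", "eventSource": "signin.amazonaws.com",
  "eventName": "CredentialChallenge",
  "additionalEventData": {"AuthWorkflowID": "73dfd26b-f812-4bd2-82e9-0b2abb358cdb",
                          "CredentialType": "SMARTCARD"},
  "serviceEventDetails": {"CredentialChallenge": "Success"}},
 {"eventTime": "2021-07-30T17:25:00Z", "eventSource": "workspaces.amazonaws.com",
  "eventName": "DescribeWorkspaces", "additionalEventData": null, "serviceEventDetails": null}
]
""")


def smartcard_workflows(events):
    """Group smart card sign-in events by AuthWorkflowID, ordered by eventTime."""
    flows = defaultdict(list)
    for ev in events:
        extra = ev.get("additionalEventData") or {}  # field can be null
        if ev.get("eventSource") != "signin.amazonaws.com":
            continue
        if extra.get("CredentialType") != "SMARTCARD" or "AuthWorkflowID" not in extra:
            continue
        # The outcome is keyed by the event name inside serviceEventDetails.
        name = ev.get("eventName")
        outcome = (ev.get("serviceEventDetails") or {}).get(name, "Unknown")
        flows[extra["AuthWorkflowID"]].append((ev["eventTime"], name, outcome))
    return {wf: sorted(steps) for wf, steps in flows.items()}


def failed_workflows(events):
    """Return {workflow_id: first step whose outcome is not Success}."""
    failed = {}
    for wf, steps in smartcard_workflows(events).items():
        bad = [s for s in steps if s[2] != "Success"]
        if bad:
            failed[wf] = bad[0]
    return failed


if __name__ == "__main__":
    print(failed_workflows(SAMPLE_EVENTS))
```
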

# Create custom CloudWatch dashboards using CloudFormation templates

AWS provides CloudFormation templates that you can use to create custom CloudWatch dashboards for WorkSpaces. Choose from the following CloudFormation template options to create custom dashboards for your WorkSpaces in the CloudFormation console.

## Considerations before getting started


Consider the following before you get started with custom CloudWatch dashboards:
+ Create your dashboards in the same AWS Region as the deployed WorkSpaces you want to monitor.
+ You can also create custom dashboards using the CloudWatch console.
+ A cost might be associated with custom CloudWatch dashboards. For information about pricing, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing).

## Help Desk dashboard


The Help Desk dashboard displays the following metrics for a specific WorkSpace:
+ CPU usage
+ Memory usage
+ In-session latency
+ Root volume
+ User volume
+ Packet loss
+ Disk usage

Following is an example of the Help Desk dashboard.

![\[The sample help desk dashboard for CloudWatch.\]](http://docs.aws.amazon.com/workspaces/latest/adminguide/images/help-desk.png)


Complete the following procedure to create a custom dashboard in CloudWatch using CloudFormation.

1. [Open the Create Stack page in the CloudFormation console](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=YourStackName&templateURL=https://cfn-templates-global-prod-iad.s3.us-east-1.amazonaws.com/cfn-templates/workspaces_helpdesk_dashboard.yaml). This link opens the page with the Amazon S3 bucket location of the Help Desk custom CloudWatch dashboard template pre-populated.

1. Review the default selections on the **Create Stack** page. Note that the **Amazon S3 URL** field is pre-populated with the Amazon S3 bucket location of the CloudFormation template.

1. Choose **Next**.

1. In the **Stack name** text box, enter the name of the stack.

   The stack name is an identifier that helps you find a particular stack from a list of stacks. A stack name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 128 characters.

1. In the **DashboardName** text box, enter the name you want to give your dashboard.

   The dashboard name can contain only alphanumerics, dash (`-`), and underscore (`_`).

1. Choose **Next**.

1. Review the default selections on the **Configure stack options** page, and choose **Next**.

1. Scroll down to **Transforms might require access capabilities** and check the boxes for acknowledgement. Then choose **Submit** to create the stack and the custom CloudWatch dashboard.
**Important**  
A cost might be associated with custom CloudWatch dashboards. For information about pricing, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing).

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation bar, choose **Dashboards**.

1. Under **Custom Dashboards**, choose the dashboard with the dashboard name you entered earlier in this procedure.

1. Using the Help Desk sample template, enter the UserName of the WorkSpace to monitor its data.

## Connection Insights dashboard


The Connection Insights dashboard displays the client versions, platforms, and IP addresses that are connected to your WorkSpaces. This dashboard helps you understand how your users are connecting so that you can proactively notify users who are running an outdated client. The dynamic variables allow you to monitor the details of IP addresses or specific directories.

Following is an example of the Connection Insights dashboard.

![\[The sample connection insights dashboard for CloudWatch.\]](http://docs.aws.amazon.com/workspaces/latest/adminguide/images/connection-insights.png)


Complete the following procedure to create a custom dashboard in CloudWatch using CloudFormation.

1. [Open the Create Stack page in the CloudFormation console](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=YourStackName&templateURL=https://cfn-templates-global-prod-iad.s3.us-east-1.amazonaws.com/cfn-templates/workspaces_connection_insights_dashboard.yaml). This link opens the page with the Amazon S3 bucket location of the Connection Insights custom CloudWatch dashboard template pre-populated.

1. Review the default selections on the **Create Stack** page. Note that the **Amazon S3 URL** field is pre-populated with the Amazon S3 bucket location of the CloudFormation template.

1. Choose **Next**.

1. In the **Stack name** text box, enter the name of the stack.

   The stack name is an identifier that helps you find a particular stack from a list of stacks. A stack name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 128 characters.

1. In the **DashboardName** text box, enter the name you want to give your dashboard. Enter other relevant CloudWatch access group setup information.

   The dashboard name can contain only alphanumerics, dash (`-`), and underscore (`_`).

1. Under **LogRetention**, enter the number of days you want to retain your LogGroup for.

1. Under **SetupEventBridge**, choose whether you want to deploy the EventBridge rule to get WorkSpaces access logs.

1. Under **WorkSpaceAccessLogsName**, enter the name of the CloudWatch LogGroup that has the WorkSpaces access logs.

1. Choose **Next**.

1. Review the default selections on the **Configure stack options** page, and choose **Next**.

1. Scroll down to **Transforms might require access capabilities** and check the boxes for acknowledgement. Then choose **Submit** to create the stack and the custom CloudWatch dashboard.
**Important**  
A cost might be associated with custom CloudWatch dashboards. For information about pricing, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing).

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation bar, choose **Dashboards**.

1. Under **Custom Dashboards**, choose the dashboard with the dashboard name you entered earlier in this procedure.

1. You can now monitor your WorkSpace's data using the Connection Insights dashboard.

## Internet Monitoring dashboard


The Internet Monitoring dashboard displays details about the Internet Service Provider (ISP) that your users are using to connect to their WorkSpaces instances. It provides details on the city, state, ASN, network name, number of connected WorkSpaces, performance, and experience scores. You can also use specific IP addresses to get the details of your users connecting from a specific location. Deploy CloudWatch Internet Monitor to get ISP data. For more information, see [Using Amazon CloudWatch Internet Monitor](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html).

Following is an example of the Internet Monitoring dashboard.

![\[The sample Internet Monitoring dashboard for CloudWatch.\]](http://docs.aws.amazon.com/workspaces/latest/adminguide/images/cw-internet-monitor.png)


**To create a custom dashboard in CloudWatch using CloudFormation**
**Note**  
Before creating a custom dashboard, make sure you create an Internet Monitor with CloudWatch Internet Monitor. For more information, see [Creating a monitor in Amazon CloudWatch Internet Monitor using the console](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/CloudWatch-IM-get-started.create.html).

1. [Open the Create Stack page in the CloudFormation console](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=YourStackName&templateURL=https://cfn-templates-global-prod-iad.s3.us-east-1.amazonaws.com/cfn-templates/workspaces_cloudwatch_internet_monitor_dashboard.yaml). This link opens the page with the Amazon S3 bucket location of the Internet Monitoring custom CloudWatch dashboard template pre-populated.

1. Review the default selections on the **Create Stack** page. Note that the **Amazon S3 URL** field is pre-populated with the Amazon S3 bucket location of the CloudFormation template.

1. Choose **Next**.

1. In the **Stack name** text box, enter the name of the stack.

   The stack name is an identifier that helps you find a particular stack from a list of stacks. A stack name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 128 characters.

1. In the **DashboardName** text box, enter the name you want to give your dashboard. Enter other relevant CloudWatch access group setup information.

   The dashboard name can contain only alphanumerics, dash (`-`), and underscore (`_`).

1. Under **ResourcesToMonitor**, enter the directory ID of the directory that you've enabled internet monitoring for.

1. Under **MonitorName**, enter the name of the internet monitor you want to use.

1. Choose **Next**.

1. Review the default selections on the **Configure stack options** page, and choose **Next**.

1. Scroll down to **Transforms might require access capabilities** and check the boxes for acknowledgement. Then choose **Submit** to create the stack and the custom CloudWatch dashboard.
**Important**  
A cost might be associated with custom CloudWatch dashboards. For information about pricing, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing).

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation bar, choose **Dashboards**.

1. Under **Custom Dashboards**, choose the dashboard with the dashboard name you entered earlier in this procedure.

1. You can now monitor your WorkSpace's data using the Internet Monitoring dashboard.