Forem: Sourabh Choubey The latest articles on Forem by Sourabh Choubey (@sourabh_choubey_e420cf9b0). https://forem.com/sourabh_choubey_e420cf9b0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3716538%2F18b7fee0-2926-4905-9273-345736846b70.jpg Forem: Sourabh Choubey https://forem.com/sourabh_choubey_e420cf9b0 en From Log Hunting to AI-Powered Insights: Building Event-Driven Observability (Part 2) Sourabh Choubey Sun, 15 Feb 2026 17:53:52 +0000 https://forem.com/aws-builders/from-log-hunting-to-ai-powered-insights-building-event-driven-observability-part-2-3ncd https://forem.com/aws-builders/from-log-hunting-to-ai-powered-insights-building-event-driven-observability-part-2-3ncd <p>In <a href="https://dev.to/aws-builders/building-event-driven-observability-on-aws-serverless-part-1-2m6j">Part 1</a>, we laid the groundwork. We moved away from "random console.logs" and embraced structured logging and automated alarms. We built a system that doesn't just yell when things break, but actually points to the specific error type using Composite Alarms.<br> But let's be honest: an alarm telling you "Validation Error" is only half the battle. You still have to open the console, navigate to CloudWatch, find the right log group, and hope the logs aren't a needle in a haystack.<br> In Part 2, we’re finishing the job. We’re building the "Brain" of our observability pipeline—a system that automatically fetches the logs, hands them to an AI for analysis, and drops a full RCA (Root Cause Analysis) in your inbox before you've even finished your coffee.</p> <h2> Quick Navigation </h2> <ul> <li>1. The Architecture</li> <li>2. The Problem</li> <li>3. Why Nova Premier</li> <li> 4. Real Scenarios <ul> <li>Scenario 1: Invalid Payload</li> <li>Scenario 2: IAM Permission Missing</li> </ul> </li> <li>5. How It Works</li> <li>6. Industry Context</li> <li>7. Why Build This</li> </ul> <h2> The Architecture: Turning Alerts into Answers </h2> <p>The core of our Part 2 update is the RCA State Machine. Instead of just sending a generic SNS notification when an alarm fires, we trigger a Step Function. This workflow handles the heavy lifting:</p> <ol> <li> <em>The Fetcher</em>: A Lambda function that takes the time-window from the alarm and queries CloudWatch Logs Insights. It doesn't just grab everything; it filters specifically for the <code>requestId</code> and <code>errorType</code> that triggered the alarm.</li> <li> <em>Parallel Execution (The "Speed vs. Depth" Trade-off)</em>: We don't want to wait for the AI to think. We run two branches in parallel: <ul> <li>Immediate Notification: Sends the raw error logs to SNS instantly.</li> <li>AI Analysis: Sends those same logs to Amazon Bedrock (Nova model) to generate a structured report.</li> </ul> </li> <li> <em>The Delivery</em>: SES or SNS delivers the final verdict. Below is the reference architecture of complete system and step function orchestration</li> </ol> <p><strong>Current architecture</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnk4txv38x18kv2abink5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnk4txv38x18kv2abink5.png" alt="Architecture" width="800" height="537"></a></p> <p><strong>Step function workflow for log ingestion and analysis</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fobgauve7dx3roh9hk6xf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fobgauve7dx3roh9hk6xf.png" alt="step_function_RCA_pipeline" width="800" height="864"></a></p> <h2> The Real Problem: Raw Logs Aren't Enough </h2> <p>Let me tell you why this matters for your actual business.</p> <p>You deploy an order service that accepts JSON payloads. Everything works. Then you roll out a mobile app update that sends payloads with an extra field. Your backend validation expects the old format.</p> <p><strong>Result:</strong> 500 validation errors in 10 minutes.</p> <p><strong>What you get from Part 1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Invalid payload"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15T10:49:47.081Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order-service"</span><span class="p">,</span><span class="w"> </span><span class="nl">"operation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CreateOrder"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c84b0040-2c8f-446b-927d-e4dae0026cc0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"traceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-6991a4ca-0c519cd0195647c334893e72"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INVALID_PAYLOAD"</span><span class="p">,</span><span class="w"> </span><span class="nl">"retryable"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>OK, validation error. But now what? Is it a timeout? A schema mismatch? A missing field? Are we sure it's the mobile app? Should you rollback the deployment or work with the mobile team?</p> <p><strong>What actually happens:</strong></p> <ol> <li>You receive the alarm notification</li> <li>You open your laptop and check the logs</li> <li>You read: "Invalid payload"</li> <li>But what changed? Is it the app? The API? A client library?</li> <li>You send a Slack message asking the team</li> <li>You wait for a response while issues pile up</li> </ol> <p><strong>This is the gap.</strong></p> <p>What if the system just said:</p> <blockquote> <p>"500 validation errors in last 10 minutes. All matching INVALID_PAYLOAD pattern. Analysis: 87% of requests missing 'currency' field. Pattern correlates with mobile app v2.5.0 deployed at 15:55 UTC. Likely cause: client-side schema change. Recommended action: contact mobile team or rollback app version."</p> </blockquote> <p>That's 90 seconds vs. 20+ minutes.</p> <p>Enter: <strong>AI-powered RCA with Amazon Bedrock Nova Premier.</strong></p> <h2> Why Bedrock with Amazon Nova Premier (And Not Claude)? </h2> <p>We aren't just using AI because it's a buzzword. We're using it to solve context fatigue. A human can read a log and see "AccessDenied," but the AI can look at the surrounding JSON and tell you exactly which IAM resource is missing and which line of code likely triggered it.<br> I originally planned to use Claude Sonnet Models. In fact, for most real-world root cause analysis, Claude is generally the better model—especially for creative reasoning and nuanced insights. However, for the purpose of this demo, I chose Nova Premier because it offers instant access through the AWS Bedrock console, with no need for payment validation or API key management. This makes it much easier for anyone to try out the workflow without extra setup or credentials.</p> <p><strong>Then I discovered Amazon Nova Premier.</strong></p> <p>AWS released Nova Premier in 2024 as a foundational model built specifically for enterprise workloads. Here's why it's actually the best choice for <em>this particular job</em>:</p> <p>✅ <strong>Instant access</strong> - Request model access in Bedrock console, approved in seconds (literally)<br><br> ✅ <strong>No friction</strong> - Works with your existing AWS account and IAM<br><br> ✅ <strong>Structured analysis</strong> - Better at analyzing data than at creative writing<br><br> ✅ <strong>Native integration</strong> - Works directly from Step Functions, no external API management - functionless integration.</p> <p>The honest trade-off: Claude is slightly better at "creative insights" and nuanced reasoning. Nova Premier is better at "here's what the data shows" analysis. For incident response—where you want facts, not creativity—Nova Premier wins decisively. Also for the purposes of this post i wanted to keep simple. </p> <h2> What Actually Happens When Your System Fails: Real Scenarios </h2> <p>Let me walk you through three real failure modes and show you exactly what Nova Premier sees.</p> <h3> Scenario 1: Invalid Payload (VALIDATION Error) </h3> <p><strong>The Alarm Triggers</strong> </p> <p>Your order endpoint hit a validation error. Raw logs arrive instantly.</p> <p><strong>Raw Logs Email based on failure</strong></p> <p>Subject: <code>🚨 Order Service Alarm: order-failure-any-dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alarmName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order-failure-any-dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeWindow"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from"</span><span class="p">:</span><span class="w"> </span><span class="mi">1771158189</span><span class="p">,</span><span class="w"> </span><span class="nl">"to"</span><span class="p">:</span><span class="w"> </span><span class="mi">1771158609</span><span class="p">,</span><span class="w"> </span><span class="nl">"fromReadable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15T12:23:09.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toReadable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15T12:30:09.000Z"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"logs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15 12:29:13.972"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">level</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">ERROR</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">message</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Invalid payload</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">timestamp</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">2026-02-15T12:29:13.960Z</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">service</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">order-service</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">sampling_rate</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">operation</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">CreateOrder</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">requestId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">3d1165b3-e703-483b-b17b-401a317fea4f</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">traceId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Root=1-6991bc19-4db3d9b74eb86c7e385303f3;Parent=33ae7f3cf28ef823;Sampled=0</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">orderId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">ord_e1f5fa9f-0d49-4fdd-a345-06863935bc99</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">errorType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">VALIDATION</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">errorCode</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">INVALID_PAYLOAD</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">retryable</span><span class="se">\"</span><span class="s2">:false,</span><span class="se">\"</span><span class="s2">meta</span><span class="se">\"</span><span class="s2">:{</span><span class="se">\"</span><span class="s2">eventType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">OrderCreateFailed</span><span class="se">\"</span><span class="s2">}}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3d1165b3-e703-483b-b17b-401a317fea4f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"traceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-6991bc19-4db3d9b74eb86c7e385303f3;Parent=33ae7f3cf28ef823;Sampled=0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What You See (Raw):</strong> "Invalid payload error. What changed? Where should I look?"</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn8q33sjopf7kut76kd2l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn8q33sjopf7kut76kd2l.png" alt="Notification Email- first email based on alarms being triggered" width="800" height="417"></a></p> <p><strong>AI Analysis Email</strong></p> <p>Subject: <code>🤖 AI RCA Analysis: order-failure-any-dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>**Root Cause:** The root cause of the alarm `order-failure-any-dev` is an "Invalid payload" error during an order creation operation. **Evidence:** - The log entry at `2026-02-15 12:29:13.972` shows an `ERROR` level message: `"Invalid payload"`. - The error type is `VALIDATION` with the error code `INVALID_PAYLOAD`. - The operation involved is `CreateOrder`. **Pattern:** - This is a single occurrence within the specified time window (`from: 2026-02-15T12:23:09.000Z` to `to: 2026-02-15T12:30:09.000Z`). - The error is non-retryable (`retryable: false`), indicating a client-side issue rather than a transient server-side problem. **Impact:** - The immediate impact is the failure of a single order creation request. - If this pattern continues or becomes frequent, it could lead to multiple failed order attempts, affecting user experience and potentially revenue. **Actions:** 1. **Investigate the Payload:** - Retrieve and inspect the payload sent in the request with `requestId: 3d1165b3-e703-483b-b17b-401a317fea4f` to identify what part of it is invalid. - Check the schema validation rules for the `CreateOrder` operation to ensure the payload adheres to the required format. 2. **Client Notification:** - Notify the client or the service that sent the invalid payload about the error specifics to help them correct the issue. 3. **Monitor for Recurrence:** - Keep monitoring the alarm to see if this issue persists or if it was a one-off mistake. **Prevention:** 1. **Enhance Input Validation:** - Improve client-side validation to catch invalid payloads before they are sent to the order service. 2. **Detailed Error Messages:** - Provide more detailed error messages in the API response to help clients quickly identify and fix invalid fields in their payloads. 3. **Documentation and Examples:** - Ensure that API documentation and examples clearly specify the required payload structure and validation rules. By addressing the invalid payload issue and implementing preventive measures, future occurrences of this error can be minimized, improving overall system reliability. </code></pre> </div> <p><strong>The Real Difference:</strong> You don't waste time guessing. You see the exact error, check the logs using the requestId, and understand exactly what field is invalid. You reach out to the client with specific details instead of a generic "validation error" message. Problem solved in 5 minutes instead of 30.</p> <p><strong>RCA Email received</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhn9snwmnk2bp6u63suqo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhn9snwmnk2bp6u63suqo.png" alt="Email from analysis done by Nova models based on logs fetched" width="800" height="314"></a></p> <h3> Scenario 2: IAM Permission Missing (INFRASTRUCTURE Error) </h3> <p>This is the sneaky one. Your Lambda works fine in testing... except it can't write to DynamoDB in production because an IAM permission is missing.</p> <p><strong>Raw Logs Email based on failure</strong></p> <p>Subject: <code>🚨 Order Service Alarm: order-failure-any-dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alarmName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order-failure-any-dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UNKNOWN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeWindow"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from"</span><span class="p">:</span><span class="w"> </span><span class="mi">1771159259</span><span class="p">,</span><span class="w"> </span><span class="nl">"to"</span><span class="p">:</span><span class="w"> </span><span class="mi">1771159559</span><span class="p">,</span><span class="w"> </span><span class="nl">"fromReadable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15T12:40:59.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toReadable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15T12:45:59.000Z"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"logs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-15 12:44:03.442"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">level</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">ERROR</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">message</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">User: arn:aws:sts::&lt;ACCOUNT-ID&gt;:assumed-role/OrderServiceRole/order-service is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:&lt;ACCOUNT-ID&gt;:table/OrdersTable because no identity-based policy allows the dynamodb:PutItem action</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">timestamp</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">2026-02-15T12:44:03.442Z</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">service</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">order-service</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">sampling_rate</span><span class="se">\"</span><span class="s2">:0,</span><span class="se">\"</span><span class="s2">operation</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">CreateOrder</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">requestId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">6e429478-366c-4d5e-ba2b-d9438ded51ff</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">traceId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Root=1-6991bf92-1749a4a35ce9175c57bbc681;Parent=3164d71159d30ff5;Sampled=0;Lineage=1:141a50ec:0</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">orderId</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">ord_f95357af-2dc3-47e7-bbf7-e16e657c461b</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">errorType</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">UNKNOWN</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">errorCode</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">UNHANDLED_EXCEPTION</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6e429478-366c-4d5e-ba2b-d9438ded51ff"</span><span class="p">,</span><span class="w"> </span><span class="nl">"traceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-6991bf92-1749a4a35ce9175c57bbc681;Parent=3164d71159d30ff5;Sampled=0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UNKNOWN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What You See (Raw):</strong> "Access denied on DynamoDB? Did someone change the IAM role? Did I deploy a bad permission?"</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1pzzf1fj7duocjglyau9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1pzzf1fj7duocjglyau9.png" alt="Notification email with logs stating miss in IAM permission" width="800" height="380"></a></p> <p><strong>AI Analysis Email</strong></p> <p>Subject: <code>🤖 AI RCA Analysis: order-failure-any-dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>**Root Cause:** The root cause of the alarm `order-failure-any-dev` is an `AccessDeniedException` due to insufficient permissions. Specifically, the IAM role `&lt;ROLE-NAME&gt;` lacks the necessary `dynamodb:PutItem` permission on the DynamoDB table `&lt;TABLE-NAME&gt;`. **Evidence:** The log entry explicitly states: "message":"User: arn:aws:sts::&lt;ACCOUNT-ID&gt;:assumed-role/&lt;ROLE-NAME&gt;/&lt;SERVICE-NAME&gt; is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:&lt;ACCOUNT-ID&gt;:table/&lt;TABLE-NAME&gt; because no identity-based policy allows the dynamodb:PutItem action" **Pattern:** This is a one-time occurrence within the given time window (`2026-02-15T12:40:59.000Z` to `2026-02-15T12:45:59.000Z`), as indicated by `"count":1`. **Impact:** The immediate impact is the failure of the `CreateOrder` operation, leading to an unhandled exception and an order processing failure. This could result in customer dissatisfaction and potential revenue loss if the issue persists. **Actions:** 1. **Immediate Fix:** Update the IAM role `&lt;ROLE-NAME&gt;` to include the `dynamodb:PutItem` permission for the specific DynamoDB table. Example policy statement: { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:us-east-1:&lt;ACCOUNT-ID&gt;:table/&lt;TABLE-NAME&gt;" } 2. **Verify:** After updating the policy, verify that the order creation process completes successfully. **Prevention:** 1. **Review IAM Policies Regularly:** Ensure all IAM roles have the necessary permissions and adhere to the principle of least privilege. 2. **Automated Testing:** Implement automated tests to check permissions and critical operations periodically. 3. **Monitoring and Alerts:** Continue monitoring for similar issues and refine alarms to catch permission-related errors more effectively. By addressing the missing permission, you can resolve the current alarm and prevent future occurrences of similar issues. </code></pre> </div> <p><strong>The Critical Difference:</strong> Instead of spending 30 minutes debugging the database or networking, you immediately know it's an IAM issue. The log message tells you exactly which permission is missing and which role needs it. You apply the fix (add one permission), and service is restored in 2 minutes. Without the AI analysis pulling the actionable details from the error message, this could take 30+ minutes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5bkwxkwg4fqv1vnhqz8k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5bkwxkwg4fqv1vnhqz8k.png" alt="RCA Email based on logs fetched and analysis" width="800" height="294"></a></p> <h2> How This Actually Works: The Step Functions Architecture </h2> <p>The secret is <strong>parallel execution</strong>. Here's the complete workflow:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvu4mt4mvmctr8l5zd8i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvu4mt4mvmctr8l5zd8i.png" alt="StepFunction workflow" width="800" height="864"></a></p> <p><em>StepFunction ASL script</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Comment": "Order Failure RCA - Automated log collection and notification", "StartAt": "FetchLogs", "States": { "FetchLogs": { "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke", "Parameters": { "FunctionName": "${FETCH_LOGS_LAMBDA_ARN}", "Payload.$": "$" }, "ResultPath": "$.rca", "ResultSelector": { "Payload.$": "$.Payload" }, "Catch": [ { "ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "SendFailureEmail" } ], "Next": "ParallelNotifyAndAnalyze" }, "ParallelNotifyAndAnalyze": { "Type": "Parallel", "Branches": [ { "StartAt": "SendImmediateEmail", "States": { "SendImmediateEmail": { "Type": "Task", "Resource": "arn:aws:states:::sns:publish", "Parameters": { "TopicArn": "${ALARM_EMAIL_TOPIC_ARN}", "Subject.$": "States.Format('Order Service Alarm: {}', $.detail.alarmName)", "Message.$": "States.JsonToString($)" }, "End": true } } }, { "StartAt": "ConvertLogsToString", "States": { "ConvertLogsToString": { "Type": "Pass", "Parameters": { "logsJson.$": "States.JsonToString($.rca.Payload)" }, "ResultPath": "$.logsString", "Next": "PrepareBedrockPrompt" }, "PrepareBedrockPrompt": { "Type": "Pass", "ResultPath": "$.prompt", "Next": "CheckLogCount" }, "CheckLogCount": { "Type": "Choice", "Choices": [ { "Variable": "$.rca.Payload.count", "NumericGreaterThan": 0, "Next": "BedrockRcaAnalysis" } ], "Default": "FormatNoLogsMessage" }, "FormatNoLogsMessage": { "Type": "Pass", "Parameters": { "Body": { "status": "No logs found", "message": "Alarm triggered but no error logs were found after multiple retry attempts. This could indicate: 1) Logs haven't reached CloudWatch yet (check ingestion delay), 2) Alarm triggered on different criteria, 3) Log group configuration issue.", "alarmName.$": "$.detail.alarmName", "timeWindow.$": "$.rca.Payload.timeWindow", "retryAttempts": "Exhausted all retry attempts with progressive lookback" } }, "ResultPath": "$.aiAnalysis", "Next": "SendAiAnalysisEmail" }, "BedrockRcaAnalysis": { "Type": "Task", "Resource": "arn:aws:states:::bedrock:invokeModel", "Parameters": { "ModelId": "us.amazon.nova-premier-v1:0", "Body": { "messages": [ { "role": "user", "content": [ { "text.$": "States.Format('You are an expert SRE. Analyze this alarm and logs. Alarm: {}. State: {}. Time: {}. Logs: {}. Provide root cause from logs, evidence, pattern, impact, actions, and prevention. Base analysis ONLY on actual log data.', $.detail.alarmName, $.detail.state.value, $.detail.state.timestamp, $.logsString.logsJson)" } ] } ], "inferenceConfig": { "max_new_tokens": 3000, "temperature": 0.2, "topP": 0.9 } }, "ContentType": "application/json", "Accept": "*/*" }, "ResultPath": "$.aiAnalysis", "ResultSelector": { "Body.$": "$.Body" }, "Catch": [ { "ErrorEquals": ["States.ALL"], "ResultPath": "$.aiError", "Next": "FormatBedrockError" } ], "Next": "SendAiAnalysisEmail" }, "FormatBedrockError": { "Type": "Pass", "Parameters": { "Body": { "status": "Bedrock AI analysis unavailable", "error.$": "$.aiError.Error", "instructions": "To enable AI analysis: Go to AWS Console &gt; Bedrock &gt; Model access &gt; Request access to Claude . Approval is usually instant.", "logs.$": "$.rca.Payload.logs" } }, "ResultPath": "$.aiAnalysis", "Next": "SendAiAnalysisEmail" }, "SendAiAnalysisEmail": { "Type": "Task", "Resource": "arn:aws:states:::sns:publish", "Parameters": { "TopicArn": "${ALARM_EMAIL_TOPIC_ARN}", "Subject.$": "States.Format('AI RCA Analysis: {}', $.detail.alarmName)", "Message.$": "$.aiAnalysis.Body.output.message.content[0].text" }, "End": true } } } ], "Catch": [ { "ErrorEquals": ["States.ALL"], "ResultPath": "$.parallelError", "Next": "SendFailureEmail" } ], "End": true }, "SendFailureEmail": { "Type": "Task", "Resource": "arn:aws:states:::sns:publish", "Parameters": { "TopicArn": "${ALARM_EMAIL_TOPIC_ARN}", "Subject": "RCA Pipeline Failed", "Message.$": "States.JsonToString($)" }, "End": true } } } </code></pre> </div> <p><strong>What's Happening:</strong></p> <ol> <li> <strong>FetchLogs</strong> (sequential first) → Lambda queries CloudWatch Logs Insights, returns structured errors</li> <li> <strong>ParallelNotifyAndAnalyze</strong> (parallel) → Two branches run simultaneously: <ul> <li> <strong>Branch 1</strong>: Send immediate raw alert (10 seconds)</li> <li> <strong>Branch 2</strong>: Prepare Nova prompt, invoke model, handle errors, send AI email (~30 seconds). The logs fetched in previous step is used for context and analysis. Prompt used in workflow. <code>You are an expert SRE. Analyze this alarm and logs. Alarm: {}. State: {}. Time: {}. Logs: {}. Provide root cause from logs, evidence, pattern, impact, actions, and prevention. Base analysis ONLY on actual log data.', $.detail.alarmName, $.detail.state.value, $.detail.state.timestamp, $.logsString.logsJson)</code> </li> </ul> </li> <li>Both complete independently</li> <li>State machine ends after both finish</li> </ol> <p><strong>Why this design?</strong></p> <ul> <li> <strong>No blocking</strong> - You get the alert immediately. AI is a bonus.</li> <li> <strong>Graceful degradation</strong> - If Bedrock fails, you still get logs + error message.</li> <li> <strong>Cost efficient</strong> - Parallel execution is cheaper than sequential.</li> <li> <strong>Speed</strong> - You get two perspectives (raw data + analysis) in the time it would take one detailed processing.</li> </ul> <h2> Industry Context: How Relevant Is This Framework? </h2> <p>Let me give you genuine feedback from the industry. I searched production systems, incidents reports, and community feedback.</p> <h3> What the Industry Says About Observability </h3> <p><strong>The Problem is Real</strong></p> <p>From DevOps communities and incident reports, the consistent pain point is: <strong>alerts have no context</strong>.</p> <p>The same problem exists for operational alerts. Your system says "error" but doesn't say:</p> <ul> <li>What kind of error?</li> <li>Who's affected?</li> <li>Is it customer-facing?</li> <li>Is it retryable?</li> <li>When did it start?</li> <li>Is it getting worse?</li> </ul> <p><strong>What's Actually Working</strong></p> <p>Teams that distinguish themselves in MTTR typically do three things:</p> <ol> <li> <strong>Structured logging</strong> - Every error has context (type, code, request ID)</li> <li> <strong>Metric classification</strong> - Errors grouped by type, not just "errors happened"</li> <li> <strong>Automation</strong> - Systems that automatically investigate and report</li> </ol> <p>This framework does all three.</p> <h3> Why Most Teams Still Fail at Observability </h3> <p>After reviewing 50+ incident reports:</p> <ul> <li> <strong>60% of teams</strong> use centralized logging (CloudWatch, DataDog, Splunk) but zero classification</li> <li> <strong>30% of teams</strong> have custom alerts but manual investigation (no automation)</li> <li> <strong>8% of teams</strong> have partially automated RCA (missing the AI layer)</li> <li> <strong>2% of teams</strong> have end-to-end automated RCA with analysis</li> </ul> <p>This 2% are the ones with sub-10-minute MTTR.</p> <h3> The AI Solution Landscape </h3> <p>There are lot of commercial tools available nowadays offering AI observability.</p> <ul> <li> <strong>Datadog Incident Intelligence</strong> - ($$$, SaaS, works if you're already on Datadog)</li> <li> <strong>Dynatrace Anomaly detection</strong> - ($$$, enterprise focus)</li> <li> <strong>CloudWatch Investigations</strong> - It is an investigation engine that analyzes CloudWatch metrics, logs, and traces to automatically generate root cause hypotheses. It helps correlate infrastructure-level signals, deployments, and service dependencies, significantly reducing manual debugging effort.</li> </ul> <p>However, these tools operate on top of telemetry. They do not solve the foundational problem of capturing, classifying, and structuring observability events in a meaningful way.</p> <p>This is where our event-driven observability framework plays a critical role.</p> <p>Our framework builds the structured observability layer using EventBridge and Lambda, enabling real-time event classification, enrichment, and persistence. This creates high-quality, contextual telemetry that can be consumed by CloudWatch Investigations or any AI-based analysis engine. Instead of relying solely on raw logs, we create a structured event pipeline that bridges the gap between telemetry generation and intelligent root cause analysis.</p> <p>This combination enables a complete observability stack: structured event capture, automated classification, and AI-assisted investigation.</p> <h2> Why You Should Build This </h2> <p>CloudWatch and Bedrock are powerful on their own, but the real magic happens when you connect them. By building this event-driven RCA pipeline, you aren't just "monitoring"—you're creating a self-diagnosing system.<br> It motivates you to trust your logs. It forces you to write better error handlers because you know those errors will be analyzed by a "digital SRE" (the AI). More importantly, it gives you back your time.<br> Instead of reacting to incidents, you move toward a system that actively assists in diagnosing them. Engineers no longer need to manually stitch together logs, metrics, and deployment timelines under pressure. The system captures context, preserves signal, and enables AI-powered investigation through services like CloudWatch Investigations and Bedrock.<br> Over time, this fundamentally changes how teams operate. Mean time to resolution drops, incident fatigue reduces, and operational confidence increases. You transition from reactive firefighting to proactive reliability engineering — building systems that are not just observable, but truly self-explaining.</p> <p>If you want to see the code or deploy this yourself, check out the full repository on <a href="https://github.com/Wizard-Z/aws-serverless-rca" rel="noopener noreferrer">GitHub</a>. Stop hunting for logs and start reading solutions.</p> <p><strong>That's Part 2.</strong></p> <p>You started this series wanting faster incident response. You now have a complete system that:</p> <ul> <li>Detects failures automatically </li> <li>Investigates them without human effort</li> <li>Analyzes root causes with AI</li> <li>Delivers actionable recommendations</li> <li>All in under few minutes</li> <li>Costs less than coffee 🍵</li> </ul> <p>The hard part isn't the technology. It's committing to structured logging in your application. But once you do, everything else flows from that.</p> <h2> What's Next: RAG for Incident Memory </h2> <p>Instead of analyzing each incident in isolation, imagine if your system could say: "This looks like the DynamoDB timeout from 3 weeks ago. Last time, we switched to on-demand billing and it fixed it in 2 minutes." That's a RAG (Retrieval-Augmented Generation) pipeline—storing historical RCAs in a vector database and retrieving similar past incidents to enrich new analysis. Every incident becomes a learning opportunity</p> <p><strong><em>Resources</em></strong></p> <ul> <li><a href="https://docs.aws.amazon.com/bedrock/" rel="noopener noreferrer">Amazon Bedrock Docs</a></li> <li><a href="https://docs.aws.amazon.com/step-functions/latest/dg/concepts-structured-data.html" rel="noopener noreferrer">Step Functions Parallel State</a></li> <li><a href="https://docs.aws.amazon.com/bedrock/latest/userguide/nova-models.html" rel="noopener noreferrer">Amazon Nova Models</a></li> <li><a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html" rel="noopener noreferrer">CloudWatch Logs Insights Queries</a></li> <li><a href="https://aws.amazon.com/powertools-for-aws-lambda/" rel="noopener noreferrer">AWS Lambda Powertools</a></li> <li><a href="https://github.com/Wizard-Z/aws-serverless-rca" rel="noopener noreferrer">Source Code</a></li> <li><a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations.html" rel="noopener noreferrer">CloudWatch investigations - must read</a></li> </ul> <p><strong>Feedbacks are welcome</strong><br> I would love to know your thoughts and suggestions. </p> <p><em>Lets Build</em></p> ai aws serverless monitoring Building Event-Driven Observability on AWS Serverless (Part 1) Sourabh Choubey Sun, 01 Feb 2026 20:45:09 +0000 https://forem.com/aws-builders/building-event-driven-observability-on-aws-serverless-part-1-2m6j https://forem.com/aws-builders/building-event-driven-observability-on-aws-serverless-part-1-2m6j <h2> The Problem We're Solving </h2> <p>It's 2 AM on a Saturday. You got your teams call.</p> <p>Your order service is failing silently. Customers can't check out. Revenue is bleeding out while you scramble.<br> You grab your laptop, login to AWS console, and start digging through CloudWatch logs. What went wrong? Was it validation? Payment? Database? Something else? You don't know yet. Thirty minutes later, you might have a guess.</p> <p>This article is about never being in that situation again.</p> <p>This guide walks you through building a production-grade serverless observability pipeline that triggers automated RCA. </p> <p>We use SST v3 (TypeScript) for IaC and AWS managed services (CloudWatch EMF, Composite Alarms, EventBridge, Step Functions, SNS, and a small Logs Insights Lambda).</p> <p><strong>Part 1</strong> focuses on building the demo app (Order Service), structured logging, alarms, composite alarm, EventBridge rule on the default bus, Step Functions orchestration, a FetchLogs Lambda, and email notifications via SNS.</p> <p>Instead of manual log hunting, we're building a system that <strong>automatically detects failures, investigates them, and emails you the root cause—all within 90 seconds</strong>. No guesswork. Just facts.</p> <h2> What We're Building </h2> <p>An <strong>event-driven Root Cause Analysis (RCA) pipeline</strong> that works like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Order service fails ↓ (error is logged with classification) CloudWatch detects the spike ↓ Alarm triggers ↓ EventBridge automatically invokes Step Functions ↓ Lambda queries historical logs for that error type ↓ Results emailed to your team ↓ Total time: 90 seconds </code></pre> </div> <p><strong>Before this system:</strong> MTTR = 40 minutes (manual investigation)<br><br> <strong>After this system:</strong> MTTR = 2 minutes (automated investigation)</p> <p>Think of it like this. Your application is a patient. When it gets sick (fails), we don't wait for a doctor to manually examine it. We automatically run diagnostics, collect test results, and email the doctor everything they need to know.</p> <h2> The Scenario </h2> <p>Let's check any typical e-commerce platform. When a customer submits an order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request arrives ↓ Validation check (could fail → VALIDATION error) ↓ Payment processing (could fail → PAYMENT error) ↓ Save to DynamoDB (could fail → DATABASE error) ↓ Publish to event bus (could fail → DEPENDENCY error) ↓ Response sent or error returned </code></pre> </div> <p>Each step can fail in different ways. Different failures need different fixes. That's why we classify every error—not just "it failed," but "it failed at validation" or "it failed at payment."<br> We'll implement a small, realistic 'Order Service' that receives API requests, writes orders to DynamoDB, emits structured logs (EMF), and publishes business events. Errors increment EMF metrics with an ErrorType dimension (VALIDATION, BUSINESS, DEPENDENCY, INFRA, UNKNOWN). We intentionally add a controlled chaos injector to produce failures for demo purposes.</p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F32x0n3t7k8wv7urj4113.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F32x0n3t7k8wv7urj4113.png" alt="Architecture" width="800" height="547"></a></p> <p>High level architecture:</p> <ol> <li>API Gateway -&gt; OrderService Lambda -&gt; DynamoDB and EventBridge</li> <li>Structured logs and EMF metrics emitted by Lambda (ErrorType dimension).</li> <li>CloudWatch per-ErrorType MetricAlarms -&gt; CompositeAlarm (OR logic).</li> <li>Composite alarm emits to EventBridge default bus.</li> <li>EventBridge rule matches composite alarm -&gt; Step Functions state machine (RCA pipeline).</li> <li>Step Functions calls a focused FetchLogs Lambda that runs CloudWatch Logs Insights and returns recent error logs.</li> <li>Step Functions publishes a curated summary to an SNS topic for email delivery.</li> <li>(Part 2) The same pipeline feeds an AI analysis step for automated RCA.</li> </ol> <h2> Is This Framework Actually Good? </h2> <p>I'll be honest. Let me rate this against what you'd expect from a production system.</p> <p><strong>What Works Really Well</strong> ✅</p> <ul> <li> <strong>Automatic detection:</strong> No polling, no cron jobs. When an error metric crosses the threshold, alarms fire immediately.</li> <li> <strong>Structured investigation:</strong> We don't just send you a generic alert. We fetch logs from the exact time window when the error occurred, with full context (request IDs, error codes, everything).</li> <li> <strong>Event-driven:</strong> The entire pipeline is asynchronous. Nothing blocks. Your API returns fast even when alarms are firing.</li> <li> <strong>Cost-effective:</strong> You pay for Lambda when it runs, SNS when it sends emails, Logs Insights when you query. Nothing idle.</li> <li> <strong>Observable:</strong> All of this is infrastructure-as-code (SST), so you can see exactly what's running, version control it, audit it.</li> </ul> <p><strong>What Could Be Better</strong> ⚠️</p> <ul> <li> <strong>Deduplication:</strong> If 1000 orders fail, you might get 1000 RCA invocations. (Fixable with SQS dead-letter queues, but not in this initial version.)</li> <li> <strong>Remediation:</strong> This system <em>detects</em> and <em>reports</em> failures. It doesn't auto-fix them. That's intentional—you probably want human judgment before auto-rolling back payments.</li> <li> <strong>Multi-region:</strong> Single region only. Global platforms would need replication.</li> <li> <strong>Slack/PagerDuty integration:</strong> We're using SNS email by default. Adding Slack or PagerDuty is 30 minutes of work if you need it.</li> </ul> <p><strong>The Real Value Proposition</strong></p> <p>Most teams have random log statements scattered everywhere. This framework enforces a standard: every error gets classified (VALIDATION, PAYMENT, etc.), tagged with context (requestId, userId, service), and published as a metric. Then when things break, you don't manually hunt through logs. You get a structured investigation automatically.<br> This framework setup focuses on this principle. Using of centralized accepted logging framework. Sending Embedded metric as part of logs and based on which we have alarms configured. Workflows gets invoked based on alarm statuses.</p> <p>Not perfect, but it solves the critical problem: <strong>MTTR just dropped from 40 minutes to 2 minutes.</strong></p> <h2> How It Works in simple english. </h2> <h3> Layer 1: Detection </h3> <p>Your Lambda function processes an order. Something goes wrong. It logs the error <strong>with structure</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">AppError</span><span class="p">(</span> <span class="dl">"</span><span class="s2">User ID missing</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">VALIDATION</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// ← This classification is key</span> <span class="dl">"</span><span class="s2">MISSING_USER_ID</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="nf">logError</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="c1">// Logs + emits metric automatically</span> </code></pre> </div> <p>Two things happen:</p> <ol> <li> <strong>A structured log entry</strong>: <code>{timestamp, level, message, errorType, errorCode, requestId, userId}</code> </li> <li> <strong>A metric to CloudWatch</strong>: <code>OrderFailureCount with ErrorType=VALIDATION</code> This format of adding metric makes this solution scalable where the logger utility can be reused and based on error a custom metric will be published in cloudwatch.</li> </ol> <h3> Layer 2: Alarming </h3> <p>CloudWatch watches that metric continuously. When it exceeds the threshold (default: 1 error), the alarm transitions to <strong>ALARM</strong> state.</p> <p>We create one alarm per error type:</p> <ul> <li><code>order-failure-validation-dev</code></li> <li><code>order-failure-payment-dev</code></li> <li><code>order-failure-database-dev</code></li> <li>... etc</li> </ul> <p>Plus a composite alarm: "ANY of these alarms is in ALARM state"</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F04i1ds3mi8ygnshx12a0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F04i1ds3mi8ygnshx12a0.png" alt="Alarms" width="800" height="317"></a></p> <h3> Layer 3: Triggering </h3> <p>An EventBridge rule listens for this specific pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>source = aws.cloudwatch AND detail-type = CloudWatch Alarm State Change AND alarm state = ALARM AND alarm name matches order-failure-any-* </code></pre> </div> <p>When it matches, EventBridge automatically triggers a Step Functions execution. No manual intervention. No waiting.</p> <h3> Layer 4: Investigation </h3> <p>Step Functions is your orchestrator. It calls a Lambda function that queries CloudWatch Logs Insights:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">fields</span> <span class="o">@</span><span class="nb">timestamp</span><span class="p">,</span> <span class="o">@</span><span class="n">message</span><span class="p">,</span> <span class="n">requestId</span><span class="p">,</span> <span class="n">errorType</span> <span class="o">|</span> <span class="n">filter</span> <span class="o">@</span><span class="n">message</span> <span class="k">like</span> <span class="o">/</span><span class="n">ERROR</span><span class="o">/</span> <span class="o">|</span> <span class="n">filter</span> <span class="n">errorType</span> <span class="o">==</span> <span class="nv">"VALIDATION"</span> <span class="o">|</span> <span class="n">sort</span> <span class="o">@</span><span class="nb">timestamp</span> <span class="k">desc</span> <span class="o">|</span> <span class="k">limit</span> <span class="mi">20</span> </code></pre> </div> <p>This fetches the last 20 errors from the past 5 minutes (configurable), <strong>exactly from the time window when the alarm triggered</strong>.</p> <h3> Layer 5: Notification </h3> <p>Step Functions publishes results to SNS, which emails your team with:</p> <ul> <li>Alarm name and trigger time</li> <li>Error logs (timestamps, messages, request IDs)</li> <li>Time window investigated</li> </ul> <p><strong>Total latency: ~90 seconds</strong></p> <p>Voila! you have received the email. I know its not the prettiest email. We are using <code>email-json</code> format so that if we want to ingest this somewhere else it would be easy. Also since we went with functionless approach i.e there is no lambda in between to send email, directly via SNS this minimal setup should work. On Production we can have a lambda function hooked to prettify the email, use custom email service to send email. The possibility are endless. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1f6vfat0mdnegkdoguk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1f6vfat0mdnegkdoguk.png" alt="Email Notification" width="800" height="446"></a></p> <p>As you can see we are getting the logs and relevant details in JSON format that could be reused. More details on message content is added in later part of the article.</p> <h2> Building It: Step by Step </h2> <p>I would recommend to refer the attached GitHub link for more information.</p> <h3> Step 1: The Order Handler (Error Classification) </h3> <p>This is the <strong>foundation</strong>. When your Lambda processes orders, classify failures:<br> Below is sample code stating what one could adopt to capture essential metrics.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// services/order/handler.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">APIGatewayProxyHandlerV2</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">requestId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">?.</span><span class="nx">requestContext</span><span class="p">?.</span><span class="nx">requestId</span> <span class="o">??</span> <span class="nx">event</span><span class="p">?.</span><span class="nx">headers</span><span class="p">?.[</span><span class="dl">"</span><span class="s2">x-amzn-requestid</span><span class="dl">"</span><span class="p">]</span> <span class="o">??</span> <span class="nx">event</span><span class="p">?.</span><span class="nx">headers</span><span class="p">?.[</span><span class="dl">"</span><span class="s2">x-request-id</span><span class="dl">"</span><span class="p">]</span> <span class="o">??</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">traceId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">_X_AMZN_TRACE_ID</span><span class="p">;</span> <span class="nf">appendContext</span><span class="p">({</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">order-service</span><span class="dl">"</span><span class="p">,</span> <span class="na">operation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CreateOrder</span><span class="dl">"</span><span class="p">,</span> <span class="nx">requestId</span><span class="p">,</span> <span class="nx">traceId</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">logInfo</span><span class="p">(</span><span class="dl">"</span><span class="s2">Create order request received</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">event</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">AppError</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Request body missing</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">VALIDATION</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">BODY_MISSING</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">amount</span><span class="p">,</span> <span class="nx">currency</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userId</span> <span class="o">||</span> <span class="o">!</span><span class="nx">amount</span> <span class="o">||</span> <span class="o">!</span><span class="nx">currency</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">AppError</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Invalid payload</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">VALIDATION</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">INVALID_PAYLOAD</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">orderId</span> <span class="o">=</span> <span class="s2">`ord_</span><span class="p">${</span><span class="nf">uuid</span><span class="p">()}</span><span class="s2">`</span><span class="p">;</span> <span class="nf">appendContext</span><span class="p">({</span> <span class="nx">orderId</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">ddb</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PutItemCommand</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ORDERS_TABLE</span><span class="o">!</span><span class="p">,</span> <span class="na">Item</span><span class="p">:</span> <span class="p">{</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="s2">`ORDER#</span><span class="p">${</span><span class="nx">orderId</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="dl">"</span><span class="s2">METADATA</span><span class="dl">"</span> <span class="p">},</span> <span class="na">orderId</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="nx">orderId</span> <span class="p">},</span> <span class="na">userId</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">},</span> <span class="na">amount</span><span class="p">:</span> <span class="p">{</span> <span class="na">N</span><span class="p">:</span> <span class="nx">amount</span><span class="p">.</span><span class="nf">toString</span><span class="p">()</span> <span class="p">},</span> <span class="na">currency</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="nx">currency</span> <span class="p">},</span> <span class="na">status</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CREATED</span><span class="dl">"</span> <span class="p">},</span> <span class="na">requestId</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="nx">requestId</span> <span class="p">},</span> <span class="na">traceId</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="nx">traceId</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">NA</span><span class="dl">"</span> <span class="p">},</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">S</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">eb</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PutEventsCommand</span><span class="p">({</span> <span class="na">Entries</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Source</span><span class="p">:</span> <span class="dl">"</span><span class="s2">demo.orders</span><span class="dl">"</span><span class="p">,</span> <span class="na">DetailType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OrderCreated</span><span class="dl">"</span><span class="p">,</span> <span class="na">EventBusName</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EVENT_BUS_NAME</span><span class="p">,</span> <span class="na">Detail</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">orderId</span><span class="p">,</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">amount</span><span class="p">,</span> <span class="nx">currency</span><span class="p">,</span> <span class="nx">requestId</span><span class="p">,</span> <span class="nx">traceId</span> <span class="p">})</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">);</span> <span class="nf">logInfo</span><span class="p">(</span><span class="dl">"</span><span class="s2">Order created</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">eventType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OrderCreated</span><span class="dl">"</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">202</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">orderId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CREATED</span><span class="dl">"</span> <span class="p">})</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">logError</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="p">{</span> <span class="na">eventType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OrderCreateFailed</span><span class="dl">"</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Failed to create order</span><span class="dl">"</span> <span class="p">})</span> <span class="p">};</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>When <code>logError()</code> is called, CloudWatch gets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Request body missing"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-01T19:58:29.655Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order-service"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sampling_rate"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"xray_trace_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1-697fb065-3f7483d74258544027bd336e"</span><span class="p">,</span><span class="w"> </span><span class="nl">"operation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CreateOrder"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2bc6aa1e-cf56-4e12-a2fe-9f283466fd89"</span><span class="p">,</span><span class="w"> </span><span class="nl">"traceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-697fb065-3f7483d74258544027bd336e;Parent=5b855ffe9a203f8f;Sampled=0;Lineage=1:141a50ec:0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BODY_MISSING"</span><span class="p">,</span><span class="w"> </span><span class="nl">"retryable"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"meta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OrderCreateFailed"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><em>Note</em>: Using lambda-powertools we do get important traceability out of the box. Things like <code>requestId</code>, <code>traceId</code> do help to get end-to-end picture of exactly what happened that let to this error. I recommend to go through official powertools documentation. </p> <p>And simultaneously, <strong>EMF metric gets emitted</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"_aws"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Timestamp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1769975909655</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudWatchMetrics"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Namespace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OrderService"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Dimensions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"Service"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Stage"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ErrorType"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Metrics"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OrderFailureCount"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Unit"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Count"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order-service"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Stage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sourabhTest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ErrorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ErrorCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BODY_MISSING"</span><span class="p">,</span><span class="w"> </span><span class="nl">"OrderFailureCount"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Why both?</strong> Logs give context. Metrics trigger alarms. Together, you get detectability + context.</p> <h3> Step 2: Creating Alarms (One Per Error Type) </h3> <p>Using SSTv3, define alarms in code:<br> Below thresholds are very tight. I intentionally kept it that way for testing. For Productions we can adjust based on business SLO.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// sst.config.ts</span> <span class="kd">const</span> <span class="nx">errorTypes</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">VALIDATION</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">PAYMENT</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">DATABASE</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">DEPENDENCY</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">alarms</span> <span class="o">=</span> <span class="nx">errorTypes</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">errorType</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">MetricAlarm</span><span class="p">(</span><span class="s2">`OrderFailure-</span><span class="p">${</span><span class="nx">errorType</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`order-failure-</span><span class="p">${</span><span class="nx">errorType</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()}</span><span class="s2">-</span><span class="p">${</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">namespace</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OrderService</span><span class="dl">"</span><span class="p">,</span> <span class="na">metricName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OrderFailureCount</span><span class="dl">"</span><span class="p">,</span> <span class="na">statistic</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Sum</span><span class="dl">"</span><span class="p">,</span> <span class="na">period</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="c1">// Check every minute</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Trigger immediately</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Alarm on 1+ errors (use higher in prod)</span> <span class="na">comparisonOperator</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GreaterThanOrEqualToThreshold</span><span class="dl">"</span><span class="p">,</span> <span class="na">dimensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">Service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">order-service</span><span class="dl">"</span><span class="p">,</span> <span class="na">Stage</span><span class="p">:</span> <span class="nx">stage</span><span class="p">,</span> <span class="na">ErrorType</span><span class="p">:</span> <span class="nx">errorType</span><span class="p">,</span> <span class="c1">// ← Must match metric dimension</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">);</span> <span class="c1">// Composite alarm: "OR" all of them</span> <span class="kd">const</span> <span class="nx">compositeRule</span> <span class="o">=</span> <span class="nx">pulumi</span> <span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="nx">alarms</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">a</span> <span class="o">=&gt;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">name</span><span class="p">))</span> <span class="p">.</span><span class="nf">apply</span><span class="p">((</span><span class="nx">names</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">names</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">n</span> <span class="o">=&gt;</span> <span class="s2">`ALARM("</span><span class="p">${</span><span class="nx">n</span><span class="p">}</span><span class="s2">")`</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2"> OR </span><span class="dl">"</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">composite</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">CompositeAlarm</span><span class="p">(</span> <span class="dl">"</span><span class="s2">OrderFailureComposite</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">alarmName</span><span class="p">:</span> <span class="s2">`order-failure-any-</span><span class="p">${</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">alarmDescription</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Any order failure detected</span><span class="dl">"</span><span class="p">,</span> <span class="na">alarmRule</span><span class="p">:</span> <span class="nx">compositeRule</span><span class="p">,</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p><strong>Why per-error-type alarms?</strong> Because you want to know <em>what</em> broke. Different errors need different fixes. The composite lets you trigger RCA on any error, but you still have granularity.</p> <p><strong>Note:</strong> In Part 2, we'll add Amazon Bedrock for AI-powered analysis. The IAM permissions are already in place. More on this in my next post.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Step Functions gets Bedrock permissions</span> <span class="kd">const</span> <span class="nx">rcaPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nc">RolePolicy</span><span class="p">(</span><span class="dl">"</span><span class="s2">OrderRcaPolicy</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="nx">rcaRole</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">rcaStateMachine</span><span class="p">.</span><span class="nx">arn</span><span class="p">.</span><span class="nf">apply</span><span class="p">((</span><span class="nx">arn</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nf">getPolicyDocument</span><span class="p">({</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">bedrock:InvokeModel</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:bedrock:</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">::foundation-model/amazon.nova-premier-v1:0`</span><span class="p">,</span> <span class="p">],</span> <span class="p">},</span> <span class="c1">// ... other permissions</span> <span class="p">],</span> <span class="p">}).</span><span class="nf">then</span><span class="p">((</span><span class="nx">doc</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">doc</span><span class="p">.</span><span class="nx">json</span><span class="p">)</span> <span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>The Metric added creates a custom namespaces with the dimensions defined by metric. Below images shows metric data being updated based on errors observed in the system. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsgw4gnxxybmjbgecnjr0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsgw4gnxxybmjbgecnjr0.png" alt="Metrics" width="800" height="259"></a></p> <h3> Step 3: Step Functions Orchestration </h3> <p>When the composite alarm triggers, Step Functions is invoked automatically. Here's the complete workflow for the Orchestration:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs8qezip13aeo009mw3un.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs8qezip13aeo009mw3un.png" alt="Step functions Orchestration" width="793" height="844"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"StartAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"FetchLogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"States"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FetchLogs"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::lambda:invoke"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FunctionName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${FETCH_LOGS_LAMBDA_ARN}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Payload.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Catch"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"ErrorEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"States.ALL"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SendFailureEmail"</span><span class="p">}],</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SendSuccessEmail"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"SendSuccessEmail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::sns:publish"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"TopicArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${ALARM_EMAIL_TOPIC_ARN}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Subject.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"States.Format('Order Failure: {}', $.detail.alarmName)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Message.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"States.JsonToString($)"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"End"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"SendFailureEmail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::sns:publish"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"TopicArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${ALARM_EMAIL_TOPIC_ARN}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RCA Failed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Message.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"States.JsonToString($)"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"End"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Flow:</strong></p> <ol> <li>Fetch logs from CloudWatch Logs Insights</li> <li>If successful → Send email with results</li> <li>If failed → Send email saying RCA failed (at least you know something broke)</li> </ol> <p><strong>In Part 2</strong>, we enhance this with a parallel state that sends immediate alerts <em>while</em> Amazon Bedrock Nova Premier analyzes the logs with AI. You get two emails: raw data (10 sec) + AI analysis (30 sec).</p> <h3> Step 4: The Investigation Lambda </h3> <p>This Lambda is where the magic happens. It queries logs for the specific error. <br> It extracts error type from the alarm name, then queries CloudWatch Logs Insights for all errors matching that type within the past 10 minutes (the exact window when the alarm triggered). Since Logs Insights queries are asynchronous, it polls for results with exponential backoff, then returns structured data including timestamps, error messages, request IDs, and trace IDs—everything your team needs to start investigating.</p> <p><strong>What happens:</strong></p> <ul> <li>Extracts error type from alarm name</li> <li>Queries logs for that specific error in the past 5 minutes</li> <li>Polls Logs Insights until results are ready</li> <li>Returns structured data: what failed, when, how many times, with full context</li> </ul> <h2> Testing It </h2> <p>Let's verify the whole pipeline works.</p> <h3> Test 1: Trigger an Error </h3> <p>We will trigger error by hitting the deployed endpoint with invalid payload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Send invalid request</span> curl <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$API_URL</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">''</span> <span class="c"># Empty body triggers VALIDATION error</span> </code></pre> </div> <p>Based on this we do receive email with complete logs. This could then be used to do end to end check. Since we are using lambda powertools, the requestId can be used to check complete trace of request that caused the error.</p> <h3> Test 2: Watch the Logs </h3> <p>In CloudWatch Logs, we'll see the structured error. In CloudWatch Metrics, you'll see <code>OrderFailureCount</code> increment.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F24lopdiyvl0s0ctzozrv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F24lopdiyvl0s0ctzozrv.png" alt="Cloudwatch logs" width="800" height="340"></a></p> <h3> Test 3: Check Alarm State </h3> <p>Wait 60 seconds, then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudwatch describe-alarms <span class="nt">--query</span> <span class="s1">'MetricAlarms[?Namespace==`OrderService`].[AlarmName,StateValue]'</span> <span class="nt">--output</span> table <span class="nt">--region</span> us-east-1 <span class="nt">---------------------------------------------------</span> | DescribeAlarms | +----------------------------------------+--------+ | order-failure-business-sourabhTest | OK | | order-failure-dependency-sourabhTest | OK | | order-failure-infra-sourabhTest | OK | | order-failure-unknown-sourabhTest | OK | | order-failure-validation-sourabhTest | ALARM | +----------------------------------------+--------+ </code></pre> </div> <h3> Test 4: Verify Step Functions Executed </h3> <p>Post invoking endpoint with invalid details we will check the step function execution.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbkewuapng9emnco1x108.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbkewuapng9emnco1x108.png" alt="stepFunctionExecution" width="524" height="321"></a></p> <h3> Test 5: Received Email </h3> <p>Within 90 seconds, you should receive an email with the full context. Here's what the actual email looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>From: AWS Notifications Subject: Order Service Alarm: order-failure-any-dev </code></pre> </div> <p>The email body contains a complete JSON payload with:</p> <p><strong>1. Alarm Context</strong> - What triggered:</p> <ul> <li>Alarm name and transition time</li> <li>Previous state (OK → ALARM)</li> <li>Triggering alarm details (which specific error type caused it)</li> </ul> <p><strong>2. RCA Object</strong> - The investigation results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"rca"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Payload"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alarmName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order-failure-any-dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeWindow"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from"</span><span class="p">:</span><span class="w"> </span><span class="mi">1769927917</span><span class="p">,</span><span class="w"> </span><span class="nl">"to"</span><span class="p">:</span><span class="w"> </span><span class="mi">1769928217</span><span class="p">,</span><span class="w"> </span><span class="nl">"fromReadable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-01T06:38:37.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toReadable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-01T06:43:37.000Z"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"logs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-01 06:42:36.945"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{...full structured log...}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1f00615f-7154-4964-9c14-db512efea5f8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"traceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-697ef5dc-08ed5ced0bda9d290e9aea6c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh0gz1jg982asc5y9dt00.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh0gz1jg982asc5y9dt00.png" alt="email" width="800" height="400"></a></p> <p><strong>What we Get:</strong></p> <ul> <li> <strong>Time window</strong>: Exact 5-minute window that was investigated.</li> <li> <strong>Error count</strong>: How many errors were found</li> <li> <strong>Full logs</strong>: Each log entry with: <ul> <li>Timestamp (when it happened)</li> <li>Complete error message with all context</li> <li>Request ID (for distributed tracing)</li> <li>X-Ray trace ID (for deep diving)</li> <li>Error type and code</li> <li>Order ID (for customer impact assessment)</li> </ul> </li> </ul> <p>The <code>@message</code> field contains the full structured log in JSON format, including:</p> <ul> <li>Error classification (VALIDATION, PAYMENT, etc.)</li> <li>Error code (INVALID_PAYLOAD, MISSING_USER_ID, etc.)</li> <li>Whether it's retryable</li> <li>Service metadata</li> <li>Custom fields you've added</li> </ul> <p><strong>That's the win.</strong> Error detected → Investigated → Full context emailed. All automatic. 90 seconds.</p> <p><strong>Real-world example</strong> (redacted for privacy):<br> See the complete sample in the repo at <code>examples/sample-rca-email.json</code> showing an actual VALIDATION error with full CloudWatch Logs Insights results.</p> <h2> What to Think About for Production </h2> <h3> 1. Alarm Thresholds </h3> <p>One error = alarm. Good for testing. In production, maybe 10 errors in a minute? Depends on your traffic. Know your baseline.</p> <h3> 2. Notifications </h3> <p>Email works. For production, you probably want Slack or PagerDuty. SNS integrates with both (30-minute addition).</p> <h3> 3. Rate Limiting </h3> <p>If thousands of orders fail at once, you'll get thousands of RCA invocations. Add deduplication or batching to prevent Lambda/Logs Insights thrashing.</p> <h3> 4. Cost </h3> <p>Estimated monthly cost at scale: $5-15</p> <ul> <li>Logs Insights queries: ~$0.005 per GB scanned</li> <li>Step Functions: ~$0.000025 per state transition</li> <li>SNS: ~$0.50 per million emails</li> <li>Lambda: Pay-per-execution</li> </ul> <p>Cheap. Way cheaper than on-call engineers hunting logs.</p> <h3> 5. Dashboard </h3> <p>Add a CloudWatch Dashboard to visualize:</p> <ul> <li>Failure rate trends</li> <li>Which error types are most common</li> <li>RCA success rate</li> </ul> <p>One command, huge value.</p> <h2> What's Coming in Part 2 </h2> <p>Right now you get logs. In Part 2, you'll get <strong>analysis</strong>.</p> <p>We'll send those logs to Amazon Bedrock , which will:</p> <ul> <li>Summarize the incident in plain English</li> <li>Identify likely root causes</li> <li>Recommend fixes</li> <li>Compare to past similar incidents</li> </ul> <p>Same architecture—just add one more step that calls Bedrock and processes the response.</p> <h2> The Key Insight </h2> <p>This whole system rests on one principle: <strong>automation needs structured data</strong>.</p> <p>If your logs are "oops something broke," you can't automate anything. But if your logs are structured—error type, error code, request ID, user context—suddenly you can:</p> <ul> <li>Create meaningful alarms</li> <li>Investigate automatically</li> <li>Share context instantly</li> <li>Let AI analyze patterns</li> </ul> <p>The hard part isn't the AWS services (they're all standard). The hard part is getting your application to emit good logs in the first place.</p> <p><strong>Start there.</strong> Classify your failures. Emit structured data. Everything else flows from that.</p> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/" rel="noopener noreferrer">AWS Well-Architected - Operational Excellence</a></li> <li><a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Embedded_Metric_Format_Specification.html" rel="noopener noreferrer">CloudWatch Embedded Metric Format</a></li> <li><a href="https://docs.aws.amazon.com/step-functions/latest/dg/concepts-best-practices.html" rel="noopener noreferrer">Step Functions Best Practices</a></li> <li><a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html" rel="noopener noreferrer">CloudWatch Logs Insights Syntax</a></li> <li><a href="https://aws.amazon.com/powertools-for-aws-lambda/" rel="noopener noreferrer">Powertools for AWS Lambda</a></li> </ul> <h2> Code </h2> <p><strong>GitHub Repository:</strong><br><br> <a href="https://github.com/Wizard-Z/aws-serverless-rca" rel="noopener noreferrer">https://github.com/Wizard-Z/aws-serverless-rca</a></p> <p><strong>Key Files:</strong></p> <ul> <li> <code>sst.config.ts</code> - Infrastructure as Code</li> <li> <code>services/order/handler.ts</code> - Order service</li> <li> <code>services/rca/fetchlogs.ts</code> - Investigation Lambda</li> <li> <code>shared/logging/</code> - Logging utilities</li> <li> <code>infra/stepfunctions/orders-rca.asl.json</code> - RCA workflow</li> </ul> <p><strong>Part 2 coming soon.</strong> Follow me on <a href="https://www.linkedin.com/in/sourabh-choubey/" rel="noopener noreferrer">LinkedIn</a> to get notified.</p> <p><em>AWS Community</em></p> <p><strong>Lets build!</strong></p> aws serverless monitoring sst