AWS Incident Response Runbook: CloudWatch, X-Ray, Logs Insights & SNS

Most AWS incidents feel chaotic because the response is improvised. Someone opens the console, starts scrolling through logs, and hopes to stumble on the cause. This page gives you a concrete six-step runbook: how to detect an incident, confirm its scope, isolate the root cause, fix it, keep stakeholders informed, and close it out with a post-mortem that prevents recurrence.

The runbook is built around the monitoring tools AWS gives you out of the box: CloudWatch alarms for detection, dashboards for scope assessment, Logs Insights for error analysis, X-Ray for tracing request failures across services, and SNS for notification routing. If you have never used these tools together under pressure, this page walks through what to do at each stage.

How incident response works in AWS

Think of your monitoring setup as a hospital triage system. The alarm is the paramedic that detects something is wrong and calls it in. The dashboard is the intake desk that establishes how serious it is and which department is affected. Logs Insights is the diagnostic lab — detailed test results for a specific patient. X-Ray is the imaging system that shows how organs (services) connect and where the blockage is. SNS is the paging system that routes the right alert to the right team.

Without all five pieces in place, you end up either missing incidents entirely (no alarm), wasting time on the wrong service (no dashboard), or diagnosing blind (no logs or traces). The Amazon CloudWatch overview covers how these components fit into the broader CloudWatch architecture.

Each tool answers a different question, and reaching for the right one first is half the battle:

  • Alarms: Is something wrong right now?
  • Dashboards: How bad is it and when did it start?
  • Logs Insights: What specific error or event is happening inside this service?
  • X-Ray: Which part of the request path is broken or slow?
  • SNS: Who needs to know and how do we reach them?

When this workflow applies

This runbook fits any AWS incident where a service is producing errors, running slowly, or failing to serve traffic. Specific scenarios it handles well:

  • Latency spike: API p99 response time jumps from 200ms to 4s
  • 5xx surge: ALB HTTPCode_Target_5XX_Count spikes from near zero to hundreds per minute
  • Lambda throttling: Throttles metric rises as a concurrency limit is hit during a traffic burst
  • RDS load spike: Performance Insights surfaces a new expensive query degrading the database
  • Downstream dependency failure: X-Ray shows faults on an external service segment while your internal logic is healthy
  • Bad deploy: metrics degrade within minutes of a code or config change

When this workflow is the wrong fit:

  • Security incidents (unauthorized access, IAM key compromise): investigate in CloudTrail and GuardDuty, not CloudWatch dashboards
  • Data corruption or compliance incidents: these require a separate escalation path and may involve legal review
  • Infrastructure-level AWS failures (availability zone outage, service degradation): check the AWS Health Dashboard first before assuming the cause is in your code

Before an incident happens

If you set these up only after something breaks, you lose the most valuable window. Get these in place while the system is running normally:

CloudWatch alarms on key metrics. At minimum: error rate, latency (p99), and healthy host count. For Lambda, add Throttles and Duration. For RDS, add DatabaseConnections and FreeStorageSpace. See creating alarms in CloudWatch for threshold guidance and CLI examples.

An SNS topic with confirmed subscriptions. Create a topic for production incidents and subscribe your on-call email, a PagerDuty endpoint, or a Slack-forwarding Lambda. AWS sends a confirmation link and does not deliver notifications until you click it. Test every subscription before you need it. More on how SNS topics and subscriptions work in the Amazon SNS overview and the SNS messaging model.

A pre-built incident dashboard. Build your CloudWatch dashboard with critical metrics pinned and accessible before an incident. The dashboard should show: request count, error rate, latency percentiles, and service-specific metrics for each tier of your stack. Building it during an incident wastes the first 15 minutes.

Structured JSON logs flowing to CloudWatch. Plain text logs make Logs Insights queries fragile. Structured logging gives every log event named fields — level, error_code, request_id, message — that you can filter and aggregate without text pattern matching. This is the difference between “search for errors” and “count errors by type in the last 30 minutes.”

X-Ray enabled on entry-point services. X-Ray only records traces from the moment it is enabled. Enable it during initial service setup on API Gateway, ALB targets, and public-facing Lambda functions. The AWS X-Ray overview covers instrumentation options. If you wait until an incident to enable it, the traces from that incident are gone.

A known runbook location. Every team member should know where this runbook lives. During a high-pressure incident, people revert to the familiar. Make the runbook the familiar thing.

Tip

Test your full detection path now, not during an incident. Use aws cloudwatch set-alarm-state —state-value ALARM to manually trigger an alarm and verify that SNS delivers to the right email, PagerDuty opens the right escalation, and Slack gets the right message. A notification path that silently fails during a real incident is worse than having no alarm at all.

How the incident lifecycle works

Every incident moves through six stages. The order matters: skipping stages creates false resolutions and repeat incidents.

  1. Detect: an alarm fires or a user report surfaces; the team is notified
  2. Assess impact: how many users are affected, which services, and since when
  3. Isolate: narrow from “something is wrong” to “this specific component is failing for this specific reason”
  4. Mitigate: take the action that restores service (rollback, scaling, config fix)
  5. Communicate: keep stakeholders informed without pulling the responder off the investigation
  6. Review: post-mortem covering timeline, root cause, and action items

Most teams handle steps 1, 4, and 5 well. The teams that improve fastest are disciplined about steps 2, 3, and 6. Proper impact assessment prevents over-escalation. Proper isolation prevents fixing the wrong thing. Post-mortems prevent recurrence.

Which AWS tool to use when

Each tool in the incident workflow answers a different question. Reaching for the right one first saves the time lost from diving into logs before you know which service to look at.

ToolThe question it answersWhen to use itWhat it cannot tell you
CloudWatch alarmsIs a metric outside its acceptable range right now?Detection: fires before you open the consoleWhy the metric crossed the threshold; what changed
CloudWatch dashboardsWhich metrics are affected and when did the deviation start?First 2 minutes of triage: establish scope and timestampThe specific cause; what is happening inside any single service
CloudWatch Logs InsightsWhat error messages and patterns are in this service’s logs?After you know which service is affected: get the error detailHow requests flow across service boundaries; latency per component
AWS X-RayWhich service or component in the request path is failing or slow?Multi-service architectures; when the error source is not obvious from logsLog-level detail; aggregate error counts; resource metrics
SNSWho needs to be notified and through which channel?Detection (routing alarm notifications) and communication (broadcast updates)Diagnostic information: it is a delivery mechanism, not a debugging tool
Tip

CloudWatch also has a feature called CloudWatch Investigations that automatically correlates related alarms, metrics, and log anomalies when an alarm fires. If it is available in your region, check it during triage. It surfaces correlated signals you might otherwise connect manually, and can shorten the time from alarm to hypothesis.

Step-by-step runbook

Step 1: Detect

A production incident starts with one of two signals: a CloudWatch alarm fires, or a user reports a problem. Alarms should fire first. If users report problems before your alarms do, your detection setup is too slow or too sparse.

The alarm notification tells you: which service is affected, which metric crossed which threshold, and when the state changed. If your alarm names and descriptions are vague, fix that now. A clear alarm description is worth five minutes during a real incident.

# Create the SNS topic that receives all incident notifications
aws sns create-topic --name production-incidents \
  --query 'TopicArn' --output text

# Subscribe on-call email
aws sns subscribe \
  --topic-arn <TOPIC_ARN> \
  --protocol email \
  --notification-endpoint <EMAIL>

# Subscribe a PagerDuty HTTPS endpoint
aws sns subscribe \
  --topic-arn <TOPIC_ARN> \
  --protocol https \
  --notification-endpoint <PAGERDUTY_ENDPOINT>

Wire an alarm to the topic. Set both —alarm-actions (fires when the alarm triggers) and —ok-actions (fires on recovery) so your team knows when the incident starts and when it ends:

aws cloudwatch put-metric-alarm \
  --alarm-name "api-5xx-rate-high" \
  --namespace "AWS/ApplicationELB" \
  --metric-name "HTTPCode_Target_5XX_Count" \
  --dimensions Name=LoadBalancer,Value=app/my-alb/<ALB_SUFFIX> \
  --statistic Sum \
  --period 60 \
  --threshold 10 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --alarm-actions <TOPIC_ARN> \
  --ok-actions <TOPIC_ARN>

For the full alarm setup including composite alarms and recommended thresholds, see creating CloudWatch alarms.

Step 2: Triage

The goal of triage is to answer three questions in under two minutes: how bad is it, when did it start, and which service is affected. Open the CloudWatch dashboard for the affected service before looking at anything else.

  • Set the time range to start 30 minutes before the alarm fired.
  • Identify which metrics deviated first. That metric points you toward the affected component.
  • Note the exact timestamp of the first deviation. You will use this in every query you run.
  • Check whether the pattern is sudden (bad deploy, downstream failure) or gradual (resource exhaustion, memory leak).

Use deployment annotations on your dashboards. Marking deployments on your CloudWatch dashboard charts means a metric degradation that aligns with a deploy annotation is an immediate, high-confidence signal. See CloudWatch dashboards for how to add deployment markers and structure your operational layout.

Step 3: Isolate

Isolation is detective work. You start with all the suspects (every service in your stack) and narrow down to one. X-Ray is the map that shows where each suspect was when the incident started. Logs Insights is the interview that gets them to explain what went wrong.

The goal is to go from “the API is returning errors” to something specific: “the Lambda function process-order is failing when it calls DynamoDB because a new GSI query is exceeding the provisioned read capacity.”

Start with Logs Insights when you already know which service is affected. Open CloudWatch → Logs → Logs Insights, select the log group, and set the time range to the incident window. Start broad:

fields @timestamp, @message
| filter @message like /ERROR/ or @message like /Exception/
| sort @timestamp desc
| limit 50

For services using structured JSON logs, extract fields for a more useful view:

fields @timestamp, level, error_code, message, request_id
| filter level = "ERROR"
| stats count(*) as occurrences by error_code
| sort occurrences desc
| limit 20

A sudden spike in a new error code that did not appear before the incident is a reliable root cause candidate. Compare the error distribution against a normal window earlier in the day to confirm what changed. For teams that want to alert on these patterns automatically, log-based metrics let you build CloudWatch alarms directly from log patterns.

Switch to X-Ray when the source of errors spans multiple services or when logs alone cannot tell you which component in the chain is slow. Open CloudWatch → X-Ray traces → Service map and look for nodes with red rings (faults) or orange rings (errors). The map shows at a glance whether the problem is in your service or in a downstream dependency it calls.

# Pull trace summaries with faults from a specific time window
# Replace start-time and end-time with Unix epoch values for your incident window
aws xray get-trace-summaries \
  --start-time 1700000000 \
  --end-time 1700003600 \
  --filter-expression 'fault = true' \
  --query 'TraceSummaries[*].{Id:Id,Duration:Duration,HasFault:HasFault}' \
  --output table

Sort traces by duration to find the slowest requests. Click into one representative trace and look at each segment: which is widest (most time spent), which has a red bar (unhandled error), and whether a subsegment for an external call (DynamoDB, RDS, HTTPS) is disproportionately large. The distributed tracing guide covers reading trace timelines in depth.

Step 4: Mitigate / Resolve

Resolution depends on what isolation found. Match the action to the signal:

Signal found during isolationResolution action
Metrics degraded immediately after a deploymentRoll back to the previous version; redeploy only after understanding the root cause
Lambda Throttles metric spikedIncrease reserved concurrency or request a service limit increase from AWS
New expensive query surfaced in Performance InsightsKill the offending session, add the missing index, or roll back the code that introduced the query
Lambda Max Memory Used at or near the configured limitIncrease memory allocation; investigate for a memory leak if it grew gradually over time
X-Ray: faults on an external service segmentImplement a circuit breaker or fail gracefully while the dependency recovers; notify the dependency owner
EC2 or ECS: high CPU, low healthy host countManually scale out; after recovery, review Auto Scaling policy thresholds
SQS queue depth growing, Lambda not consuming messagesCheck Lambda Throttles and ConcurrentExecutions; increase concurrency or fix the consumer error
Warning

Do not declare the incident resolved the moment you apply a fix. Rollbacks and config changes can take several minutes to propagate across running instances, Lambda containers, and load balancer targets. Keep the dashboard open and wait for the CloudWatch alarm to transition to OK. For Lambda-specific incidents, also confirm that Errors and Throttles return to zero. Only close the incident after metrics hold at normal levels for at least 10–15 minutes.

Step 5: Communicate

During an active incident, the engineer investigating needs to stay focused on the problem. Assign a separate person to handle communication, sometimes called the incident commander or communicator.

That person posts a short factual update to a Slack incident channel or status page every 10–15 minutes:

  • What is affected and what is confirmed unaffected
  • Current status: investigating / cause identified / fix in progress / monitoring recovery
  • Expected resolution time if known

Engineers focus on fixing. One person focuses on communicating. This prevents the responder from context-switching between debugging and writing status updates, which slows down both.

Step 6: Post-incident review

A post-mortem is a written record of what happened, why, and what specific changes will prevent it from happening again. It is not about blame. Teams that skip post-mortems fix the same incidents three times a year instead of once.

A useful post-mortem includes:

  • Incident summary: one paragraph covering what failed, for how long, and what the user impact was
  • Timeline: timestamped list of events from first detection to resolution, reconstructed from CloudWatch alarm history and log timestamps
  • Root cause: specific and technical. “High load” is not a root cause. “A missing index caused full table scans on the orders table under peak traffic” is a root cause.
  • Detection gap: how long between the incident starting and your team being paged? If longer than 5 minutes, tighten or add alarms.
  • Action items: concrete tasks with owners and due dates: add the alarm, fix the missing index, add the circuit breaker
# Reconstruct the incident timeline from alarm state history
aws cloudwatch describe-alarm-history \
  --alarm-name "api-5xx-rate-high" \
  --history-item-type StateUpdate \
  --max-records 20 \
  --query 'AlarmHistoryItems[*].{Timestamp:Timestamp,NewState:NewStateValue,Reason:NewStateReason}' \
  --output table

Common beginner mistakes

  1. Starting with logs before looking at dashboards. Logs Insights is powerful but verbose. Diving into logs before establishing which service is affected and when the incident started means searching blindly through thousands of error messages. The dashboard gives you the frame; logs fill in the detail.

  2. Not having a dashboard ready before an incident. Building a dashboard while your service is on fire wastes the first 15 critical minutes. Create your incident response dashboard now, share the URL with your team, and pin it somewhere obvious.

  3. Declaring resolution before metrics recover. A rollback or config fix often takes several minutes to propagate. Calling an incident resolved the moment you take action, before the alarm clears and metrics hold at baseline, leads to reopening incidents and erodes stakeholder trust. Wait for sustained recovery.

  4. Skipping the post-mortem after minor incidents. Teams often document major outages and skip small ones. But minor incidents are where systemic problems first surface: the same missing alarm, the same bad query pattern, the same fragile dependency. A 30-minute post-mortem on a 10-minute incident is high-return work.

  5. Only setting alarm actions, not OK actions. If an alarm fires but has no OK action, your team never gets an automated notification when the incident ends. Everyone continues watching dashboards manually or assumes things recovered when they did not. Set —ok-actions to the same SNS topic as —alarm-actions.

  6. Not enabling X-Ray before an incident happens. X-Ray captures traces only from the moment it is enabled. Enable it on your entry-point services during initial setup. If you wait until an outage forces your hand, the traces from that outage are gone and you are diagnosing blind.

Frequently asked questions

What is the first thing to check during an AWS incident?

Open your CloudWatch dashboard for the affected service before looking at logs or traces. The dashboard tells you which metrics are outside their normal range and, crucially, when the deviation started. That timestamp is your reference point for every query you run next.

When should I use X-Ray instead of Logs Insights?

Use X-Ray when you need to understand request flow across multiple services: which service in the chain is slow, where an error occurred, or whether a downstream dependency is the root cause. Use Logs Insights when you already know which service is affected and need the specific error messages, stack traces, or event counts inside it.

How do CloudWatch alarms and SNS work together?

A CloudWatch alarm watches a metric and transitions to ALARM state when the metric crosses your threshold. The alarm is wired to an SNS topic as its alarm action. When the state changes, CloudWatch publishes a message to that SNS topic, which fans it out to all subscribers: an email address, a PagerDuty HTTPS endpoint, a Lambda function posting to Slack, or any combination.

How do I know an incident is actually resolved?

Resolution is confirmed when three things happen: the CloudWatch alarm transitions from ALARM to OK, the affected metrics (error rate, latency) return to their pre-incident baselines, and Logs Insights queries for the error pattern return no results for the most recent 10 to 15 minutes. Watching for sustained recovery prevents false declarations.

Do I need tracing for every workload?

No. X-Ray tracing is most valuable for multi-service architectures where a request touches several components. Single Lambda functions or simple API-to-database paths are usually easier to investigate with logs alone. The cases where tracing pays off most are distributed microservices, event-driven pipelines, and workloads with multiple external dependencies.

Last verified: 3 May 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.