Efficiency points in analytics environments typically stay invisible till they disrupt dashboards, delay ETL jobs, or affect enterprise choices. For groups operating Amazon Redshift Serverless, unmonitored question queues, long-running queries, or sudden spikes in compute capability can degrade efficiency and enhance prices if left undetected.
Amazon Redshift Serverless streamlines operating analytics at scale by eradicating the necessity to provision or handle infrastructure. Nonetheless, even in a serverless atmosphere, sustaining visibility into efficiency and utilization is important for environment friendly operation and predictable prices. Whereas Amazon Redshift Serverless gives superior built-in dashboards for monitoring efficiency metrics, delivering notifications on to platforms like Slack, brings one other stage of agility. Actual-time alerts within the workforce’s workflow allow sooner response instances and extra knowledgeable decision-making with out requiring fixed dashboard monitoring.
On this publish, we present you the best way to construct a serverless, low-cost monitoring answer for Amazon Redshift Serverless that proactively detects efficiency anomalies and sends actionable alerts on to your chosen Slack channels. This method helps your analytics workforce establish and handle points early, typically earlier than your customers discover an issue.
The answer offered on this publish makes use of AWS companies to gather key efficiency metrics from Amazon Redshift Serverless, consider them towards thresholds that you may flexibly configure, and notify you when anomalies are detected.
The workflow operates as follows:
- Scheduled execution – An Amazon EventBridge rule triggers an AWS Lambda perform on a configurable schedule (by default, each quarter-hour throughout enterprise hours).
- Metric assortment – The AWS Lambda perform gathers metrics together with queued queries, operating queries, compute capability (RPUs), information storage utilization, desk depend, database connections, and slow-running queries utilizing Amazon CloudWatch and the Amazon Redshift Knowledge API.
- Threshold analysis – Collected metrics are in contrast towards your predefined thresholds that mirror acceptable efficiency and utilization limits.
- Alerting – When a threshold is exceeded, the Lambda perform publishes a notification to an Amazon SNS subject.
- Slack notification – Amazon Q Developer in Chat purposes (previously AWS Chatbot) delivers the alert to your designated Slack channel.
- Observability – Lambda execution logs are saved in Amazon CloudWatch Logs for troubleshooting and auditing.
This structure is totally serverless and requires no adjustments to your present Amazon Redshift Serverless workloads. To simplify deployment, we offer an AWS CloudFormation template that provisions all required sources.
Conditions
Earlier than deploying this answer, you have to acquire details about your present Amazon Redshift Serverless workgroup and namespace that you just need to monitor. To establish your Amazon Redshift Serverless sources:
- Open the Amazon Redshift console.
- Within the navigation pane, select Serverless dashboard.
- Notice down your workgroup and namespace names. You’ll use these values when launching this weblog’s AWS CloudFormation template.
Deploy the answer
You’ll be able to launch the CloudFormation stack and deploy the answer through the offered hyperlink.
When launching the CloudFormation stack, full the next steps within the AWS CloudFormation Console:
- For Stack title, enter a descriptive title similar to redshift-serverless-monitoring.
- Assessment and modify the parameters as wanted in your atmosphere.
- Acknowledge that AWS CloudFormation might create IAM sources with customized names.
- Select Submit.
CloudFormation parameters
Amazon Redshift Serverless Workgroup configuration
Present particulars in your present Amazon Redshift Serverless atmosphere. These values join the monitoring answer to your Redshift atmosphere. Some parameters include the default values that you may substitute along with your precise configuration.
| Parameter | Default worth | Description |
| Amazon Redshift Workgroup Title | Your Amazon Redshift Serverless workgroup title. | |
| Amazon Redshift Namespace Title | Your Amazon Redshift Serverless namespace title. | |
| Amazon Redshift Workgroup ID | Workgroup ID (UUID) of the Amazon Redshift Serverless workgroup to observe. Should observe the UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (lowercase hexadecimal with hyphens). |
|
Namespace ID (UUID) of the Amazon Redshift Serverless namespace. Should observe the UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (lowercase hexadecimal with hyphens). |
||
| Database Title | dev |
Goal Amazon Redshift database for SQL-based diagnostic and monitoring queries. |
Monitoring schedule
The default schedule runs diagnostic SQL queries each quarter-hour throughout enterprise hours, balancing responsiveness and price effectivity. Working extra regularly would possibly enhance prices, whereas much less frequent monitoring may delay detection of efficiency points. You’ll be able to modify this schedule to your precise want.
| Parameter | Default worth | Description |
| Schedule Expression | cron(0/15 8-17 ? * MON-FRI *) | EventBridge schedule expression for Lambda perform execution. Default runs each quarter-hour, Monday by means of Friday, 8 AM to five PM UTC. |
Threshold configuration
Thresholds ought to be tuned based mostly in your workload traits.
| Parameter | Default worth | Description |
| Queries Queued Threshold | 20 | Alerts threshold for queued queries. |
| Queries Working Threshold | 20 | Alerts threshold for operating queries. |
| Compute Capability Threshold (RPUs) | 64 | Alert threshold for compute capability (RPUs). |
| Knowledge Storage Threshold (MB) | 5242880 | Threshold for information storage in MB (default 5 TB). |
| Desk Depend Threshold (MB) | 1000 | Alerts threshold for whole desk depend. |
| Database Connections Threshold | 50 | Alert threshold for database connections. |
| Sluggish Question Threshold (seconds) | 10 | Thresholds in seconds for sluggish question detection. |
| Question Timeout (Seconds) | 30 | Timeout for SQL diagnostics queries. |
Tip: Begin with conservative thresholds and refine them after observing baseline conduct for one to 2 weeks.
Lambda configuration
Configure the AWS Lambda perform settings. The chosen default values are acceptable for many monitoring eventualities. It’s possible you’ll need to change them solely in case of troubleshooting.
| Parameter | Default worth | Description |
| Lambda Reminiscence Dimension (MB) | 256 | Lambda perform reminiscence measurement in MB. |
| Lambda Time Out (Seconds) | 240 | Lambda perform timeout in seconds. |
Safety Configuration – Amazon Digital Non-public Cloud (VPC)
In case your group has community isolation necessities, you’ll be able to optionally allow VPC deployment for the Lambda perform. When enabled, the Lambda perform runs inside your specified VPC subnets, offering community isolation and permitting entry to VPC-only sources.
| Parameter | Default worth | Description |
| VPC ID | VPC ID for Lambda deployment (required if EnableVPC is true). The Lambda perform can be deployed on this VPC. Make sure that the VPC has acceptable routing (NAT Gateway or VPC Endpoints) to permit Lambda to entry AWS companies like CloudWatch, Amazon Redshift, and Amazon SNS. |
|
| VPC Subnet IDs | Comma-separated checklist of subnet IDs for Lambda deployment (required if EnableVPC is true). |
|
| Safety Group IDs | Comma-separated checklist of safety group IDs for Lambda (elective). If not offered and EnableVPC is true, a default safety group can be created with outbound HTTPS entry. Customized safety teams should enable outbound HTTPS (port 443) to AWS service endpoints. |
Notice that VPC deployment would possibly enhance chilly begin instances and requires an NAT Gateway or VPC endpoints for AWS service entry. We advocate provisioning interface VPC endpoints (by means of AWS PrivateLink) for the 5 companies the Lambda perform calls which retains all visitors personal with out the recurring price of a NAT Gateway.
Safety configuration – Encryption
In case your group requires encryption of knowledge at relaxation, you’ll be able to optionally allow AWS Key Administration Service (AWS KMS) encryption for the Lambda perform’s atmosphere variables, CloudWatch Logs, and SNS subject. When enabled, the template encrypts every useful resource utilizing the AWS KMS keys that you just present, both a single shared key for all three companies, or particular person keys for granular key administration and audit separation.
| Parameter | Default worth | Description |
| Shared KMS Key ARN | AWS KMS key ARN to make use of for all encryption (Lambda, Logs, and SNS) except service-specific keys are offered. This streamlines key administration by utilizing a single key for all companies. The important thing coverage should grant encrypt/decrypt permissions to Lambda, CloudWatch Logs, and SNS. | |
| Lambda KMS Key ARN | AWS KMS key ARN for Lambda atmosphere variable encryption (elective, overrides SharedKMSKeyArn). Use this for separate key administration per service. The important thing coverage should grant decrypt permissions to the Lambda execution position. If not offered, SharedKMSKeyArn can be used when EnableKMSEncryption is true. |
|
| CloudWatch Logs KMS Key ARN | AWS KMS key ARN for CloudWatch Logs encryption (elective, overrides SharedKMSKeyArn). Use this for separate key administration per service. The important thing coverage should grant encrypt/decrypt permissions to the CloudWatch Logs service. If not offered, SharedKMSKeyArn can be used when EnableKMSEncryption is true. |
|
| SNS Matter KMS Key ARN | AWS KMS key ARN for SNS subject encryption (elective, overrides SharedKMSKeyArn). Use this for separate key administration per service. The important thing coverage should grant encrypt/decrypt permissions to SNS service and the Lambda execution position. If not offered, SharedKMSKeyArn can be used when EnableKMSEncryption is true. |
|
| Allow Lifeless Letter Queue | False | Optionally allow Lifeless Letter Queue (DLQ) for failed Lambda invocations to enhance reliability and safety monitoring. When enabled, occasions that fail in spite of everything retry makes an attempt can be despatched to an SQS queue for investigation and potential replay. This helps stop information loss, gives visibility into failures, and permits safety audit trails for monitoring anomalies. The DLQ retains messages for 14 days. |
Notice that AWS KMS encryption requires the important thing coverage to grant acceptable permissions to every consuming service (Lambda, CloudWatch Logs, and SNS).
- On the evaluation web page, choose I acknowledge that AWS CloudFormation would possibly create IAM sources with customized names.
- Select Submit.
Assets created
The CloudFormation stack creates the next sources:
- EventBridge rule for scheduled execution
- AWS Lambda perform (Python 3.12 runtime)
- Amazon SNS subject for alerts
- IAM position with permissions for CloudWatch, Amazon Redshift Knowledge API, and SNS
- CloudWatch Log Group for Lambda logs
Notice: CloudFormation deployment sometimes takes 10–quarter-hour to finish. You’ll be able to monitor progress in actual time below the Occasions tab of your CloudFormation stack.
Submit-deployment configuration
After the CloudFormation stack has been efficiently created, full the next steps.
Step 1: Report CloudFormation outputs
- Navigate to the AWS CloudFormation console.
- Choose your stack and select the Outputs tab.
- Notice the values for LambdaRoleArn and SNSTopicArn. You have to these in subsequent steps.
Step 2: Grant Amazon Redshift permissions
Grant permissions to the Lambda perform to question Amazon Redshift system tables for monitoring information. Full the next steps to grant the mandatory entry:
- Navigate to the Amazon Redshift console.
- Within the left navigation pane, select Question Editor V2.
- Connect with your Amazon Redshift Serverless workgroup.
- Execute the next SQL instructions, changing
with the LambdaRoleArn worth out of your CloudFormation outputs:
These instructions create an AmazonRedshift consumer related to the Lambda IAM position and grant it the sys:monitor Amazon Redshift position. This position gives read-only entry to catalog and system tables with out granting permissions to consumer information tables.
Step 3: Configure Slack notifications
Amazon Q Developer in chat purposes gives native AWS integration and managed authentication, eradicating customized webhook code and decreasing setup complexity. To obtain alerts in Slack, configure Amazon Q Developer in Chat Purposes to attach your SNS subject to your most popular Slack channel:
- Navigate to Amazon Q Developer in chat purposes (previously AWS Chatbot) within the AWS console.
- Observe the directions within the Slack integration documentation to authorize AWS entry to your Slack workspace.
- When configuring the Slack channel, make sure that you choose the right AWS Area the place you deployed the CloudFormation stack.
- Within the Notifications part, choose the SNS subject created by your CloudFormation stack (check with the SNSTopicArn output worth).
- Preserve the default IAM read-only permissions for the channel configuration.
After configured, alerts robotically seem in Slack each time thresholds are exceeded.
Value issues
With the default configuration, this answer incurs minimal ongoing prices. The Lambda perform executes roughly 693 instances monthly (each quarter-hour throughout an 8-hour enterprise day, Monday by means of Friday), leading to a month-to-month price of roughly $0.33 USD. This contains Lambda compute prices ($0.26) and CloudWatch GetMetricData API calls ($0.07). All different companies (EventBridge, SNS, CloudWatch Logs, and Amazon Redshift Knowledge API). The Amazon Redshift Knowledge API has no further prices past the minimal Amazon Redshift Serverless RPU consumption for the Amazon Redshift Serverless system desk question execution. You’ll be able to scale back prices by reducing the monitoring frequency (similar to, each half-hour) or enhance responsiveness by operating extra regularly (similar to, each 5 minutes) with a proportional price enhance.
All prices are estimates and will differ based mostly in your atmosphere. Variations typically happen as a result of queries scanning system tables might take longer or require further sources relying on the system complexity
Safety greatest practices
This answer implements the next safety controls:
- IAM insurance policies scoped to particular useful resource ARNs for the Amazon Redshift workgroup, namespace, SNS subject, and log group.
- Knowledge API assertion entry restricted to the Lambda perform’s personal IAM consumer ID.
- Learn-only
sys:monitordatabase position for operational metadata entry. Restrict to the position created by the CloudFormation template. - Reserved concurrent executions capped at 5.
To additional strengthen your safety posture, think about the next enhancements:
- Allow
EnableKMSEncryptionto encrypt atmosphere variables, logs, and SNS messages at relaxation. - Allow
EnableVPCto deploy the perform inside a VPC for community isolation. - Audit entry by means of AWS CloudTrail.
Vital: That is pattern code for non-production utilization. Work along with your safety and authorized groups to satisfy your organizational safety, regulatory, and compliance necessities earlier than deployment. This answer demonstrates monitoring capabilities however requires further safety hardening for manufacturing environments, together with encryption configuration, IAM coverage scoping, VPC deployment, and complete testing.
Clear up
To take away all sources and keep away from ongoing prices if you happen to don’t need to use the answer anymore:
- Delete the CloudFormation stack.
- Take away the Slack integration from Amazon Q Developer in chat purposes.
Troubleshooting
- If no metrics or incomplete SQL diagnostics are returned, confirm that the Amazon Redshift Serverless workgroup is energetic with current question exercise, and make sure the database consumer has the
sys:monitorposition (GRANT ROLE sys:monitor TO) within the question editor. With out this position, queries execute efficiently however solely return information seen to that consumer’s permissions moderately than the complete cluster exercise. - For VPC-deployed features that fail to achieve AWS companies, affirm that VPC endpoints or a NAT Gateway are configured for CloudWatch, Amazon Redshift Knowledge API, Amazon Redshift Serverless, SNS, and CloudWatch Logs.
- If the Lambda perform instances out, enhance the
LambdaTimeoutandQueryTimeoutSecondsparameters. The default timeout of 240 seconds accommodates most workloads, however clusters with many energetic queries might require further time for SQL diagnostics to finish.
Conclusion
On this publish, we confirmed how one can construct a proactive monitoring answer for Amazon Redshift Serverless utilizing AWS Lambda, Amazon CloudWatch, and Amazon SNS with Slack integration. By robotically amassing metrics, evaluating thresholds, and delivering alerts in close to actual time to Slack or your most popular collaborative platform, this answer helps detect efficiency and price points early. As a result of the answer itself is serverless, it aligns with the operational simplicity objectives of Amazon Redshift Serverless—scaling robotically, requiring minimal upkeep, and delivering excessive worth at low price. You’ll be able to lengthen this basis with further metrics, diagnostic logic, or different notification channels to satisfy your group’s wants.
To study extra, see the Amazon Redshift documentation on monitoring and efficiency optimization.
In regards to the authors
