Efficiency points in analytics environments typically stay invisible till they disrupt dashboards, delay ETL jobs, or affect enterprise selections. For groups operating Amazon Redshift Serverless, unmonitored question queues, long-running queries, or sudden spikes in compute capability can degrade efficiency and improve prices if left undetected.
Amazon Redshift Serverless streamlines operating analytics at scale by eradicating the necessity to provision or handle infrastructure. Nonetheless, even in a serverless setting, sustaining visibility into efficiency and utilization is important for environment friendly operation and predictable prices. Whereas Amazon Redshift Serverless gives superior built-in dashboards for monitoring efficiency metrics, delivering notifications on to platforms like Slack, brings one other stage of agility. Actual-time alerts within the staff’s workflow allow quicker response instances and extra knowledgeable decision-making with out requiring fixed dashboard monitoring.
On this publish, we present you the best way to construct a serverless, low-cost monitoring answer for Amazon Redshift Serverless that proactively detects efficiency anomalies and sends actionable alerts on to your chosen Slack channels. This strategy helps your analytics staff determine and deal with points early, typically earlier than your customers discover an issue.
The answer offered on this publish makes use of AWS providers to gather key efficiency metrics from Amazon Redshift Serverless, consider them towards thresholds that you may flexibly configure, and notify you when anomalies are detected.
The workflow operates as follows:
- Scheduled execution – An Amazon EventBridge rule triggers an AWS Lambda perform on a configurable schedule (by default, each quarter-hour throughout enterprise hours).
- Metric assortment – The AWS Lambda perform gathers metrics together with queued queries, operating queries, compute capability (RPUs), knowledge storage utilization, desk depend, database connections, and slow-running queries utilizing Amazon CloudWatch and the Amazon Redshift Knowledge API.
- Threshold analysis – Collected metrics are in contrast towards your predefined thresholds that replicate acceptable efficiency and utilization limits.
- Alerting – When a threshold is exceeded, the Lambda perform publishes a notification to an Amazon SNS subject.
- Slack notification – Amazon Q Developer in Chat purposes (previously AWS Chatbot) delivers the alert to your designated Slack channel.
- Observability – Lambda execution logs are saved in Amazon CloudWatch Logs for troubleshooting and auditing.
This structure is totally serverless and requires no modifications to your present Amazon Redshift Serverless workloads. To simplify deployment, we offer an AWS CloudFormation template that provisions all required sources.
Stipulations
Earlier than deploying this answer, you could accumulate details about your present Amazon Redshift Serverless workgroup and namespace that you just wish to monitor. To determine your Amazon Redshift Serverless sources:
- Open the Amazon Redshift console.
- Within the navigation pane, select Serverless dashboard.
- Be aware down your workgroup and namespace names. You’ll use these values when launching this weblog’s AWS CloudFormation template.
Deploy the answer
You may launch the CloudFormation stack and deploy the answer through the offered hyperlink.
When launching the CloudFormation stack, full the next steps within the AWS CloudFormation Console:
- For Stack title, enter a descriptive title equivalent to redshift-serverless-monitoring.
- Evaluate and modify the parameters as wanted to your setting.
- Acknowledge that AWS CloudFormation could create IAM sources with customized names.
- Select Submit.
CloudFormation parameters
Amazon Redshift Serverless Workgroup configuration
Present particulars to your present Amazon Redshift Serverless setting. These values join the monitoring answer to your Redshift setting. Some parameters include the default values that you may substitute together with your precise configuration.
| Parameter | Default worth | Description |
| Amazon Redshift Workgroup Title | Your Amazon Redshift Serverless workgroup title. | |
| Amazon Redshift Namespace Title | Your Amazon Redshift Serverless namespace title. | |
| Amazon Redshift Workgroup ID | Workgroup ID (UUID) of the Amazon Redshift Serverless workgroup to observe. Should comply with the UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (lowercase hexadecimal with hyphens). |
|
Namespace ID (UUID) of the Amazon Redshift Serverless namespace. Should comply with the UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (lowercase hexadecimal with hyphens). |
||
| Database Title | dev |
Goal Amazon Redshift database for SQL-based diagnostic and monitoring queries. |
Monitoring schedule
The default schedule runs diagnostic SQL queries each quarter-hour throughout enterprise hours, balancing responsiveness and price effectivity. Operating extra often would possibly improve prices, whereas much less frequent monitoring might delay detection of efficiency points. You may regulate this schedule to your precise want.
| Parameter | Default worth | Description |
| Schedule Expression | cron(0/15 8-17 ? * MON-FRI *) | EventBridge schedule expression for Lambda perform execution. Default runs each quarter-hour, Monday by means of Friday, 8 AM to five PM UTC. |
Threshold configuration
Thresholds ought to be tuned primarily based in your workload traits.
| Parameter | Default worth | Description |
| Queries Queued Threshold | 20 | Alerts threshold for queued queries. |
| Queries Operating Threshold | 20 | Alerts threshold for operating queries. |
| Compute Capability Threshold (RPUs) | 64 | Alert threshold for compute capability (RPUs). |
| Knowledge Storage Threshold (MB) | 5242880 | Threshold for knowledge storage in MB (default 5 TB). |
| Desk Rely Threshold (MB) | 1000 | Alerts threshold for whole desk depend. |
| Database Connections Threshold | 50 | Alert threshold for database connections. |
| Sluggish Question Threshold (seconds) | 10 | Thresholds in seconds for gradual question detection. |
| Question Timeout (Seconds) | 30 | Timeout for SQL diagnostics queries. |
Tip: Begin with conservative thresholds and refine them after observing baseline conduct for one to 2 weeks.
Lambda configuration
Configure the AWS Lambda perform settings. The chosen default values are acceptable for many monitoring eventualities. Chances are you’ll wish to change them solely in case of troubleshooting.
| Parameter | Default worth | Description |
| Lambda Reminiscence Measurement (MB) | 256 | Lambda perform reminiscence dimension in MB. |
| Lambda Time Out (Seconds) | 240 | Lambda perform timeout in seconds. |
Safety Configuration – Amazon Digital Non-public Cloud (VPC)
In case your group has community isolation necessities, you possibly can optionally allow VPC deployment for the Lambda perform. When enabled, the Lambda perform runs inside your specified VPC subnets, offering community isolation and permitting entry to VPC-only sources.
| Parameter | Default worth | Description |
| VPC ID | VPC ID for Lambda deployment (required if EnableVPC is true). The Lambda perform might be deployed on this VPC. Be sure that the VPC has acceptable routing (NAT Gateway or VPC Endpoints) to permit Lambda to entry AWS providers like CloudWatch, Amazon Redshift, and Amazon SNS. |
|
| VPC Subnet IDs | Comma-separated listing of subnet IDs for Lambda deployment (required if EnableVPC is true). |
|
| Safety Group IDs | Comma-separated listing of safety group IDs for Lambda (non-compulsory). If not offered and EnableVPC is true, a default safety group might be created with outbound HTTPS entry. Customized safety teams should permit outbound HTTPS (port 443) to AWS service endpoints. |
Be aware that VPC deployment would possibly improve chilly begin instances and requires an NAT Gateway or VPC endpoints for AWS service entry. We advocate provisioning interface VPC endpoints (by means of AWS PrivateLink) for the 5 providers the Lambda perform calls which retains all site visitors non-public with out the recurring value of a NAT Gateway.
Safety configuration – Encryption
In case your group requires encryption of information at relaxation, you possibly can optionally allow AWS Key Administration Service (AWS KMS) encryption for the Lambda perform’s setting variables, CloudWatch Logs, and SNS subject. When enabled, the template encrypts every useful resource utilizing the AWS KMS keys that you just present, both a single shared key for all three providers, or particular person keys for granular key administration and audit separation.
| Parameter | Default worth | Description |
| Shared KMS Key ARN | AWS KMS key ARN to make use of for all encryption (Lambda, Logs, and SNS) until service-specific keys are offered. This streamlines key administration through the use of a single key for all providers. The important thing coverage should grant encrypt/decrypt permissions to Lambda, CloudWatch Logs, and SNS. | |
| Lambda KMS Key ARN | AWS KMS key ARN for Lambda setting variable encryption (non-compulsory, overrides SharedKMSKeyArn). Use this for separate key administration per service. The important thing coverage should grant decrypt permissions to the Lambda execution function. If not offered, SharedKMSKeyArn might be used when EnableKMSEncryption is true. |
|
| CloudWatch Logs KMS Key ARN | AWS KMS key ARN for CloudWatch Logs encryption (non-compulsory, overrides SharedKMSKeyArn). Use this for separate key administration per service. The important thing coverage should grant encrypt/decrypt permissions to the CloudWatch Logs service. If not offered, SharedKMSKeyArn might be used when EnableKMSEncryption is true. |
|
| SNS Matter KMS Key ARN | AWS KMS key ARN for SNS subject encryption (non-compulsory, overrides SharedKMSKeyArn). Use this for separate key administration per service. The important thing coverage should grant encrypt/decrypt permissions to SNS service and the Lambda execution function. If not offered, SharedKMSKeyArn might be used when EnableKMSEncryption is true. |
|
| Allow Useless Letter Queue | False | Optionally allow Useless Letter Queue (DLQ) for failed Lambda invocations to enhance reliability and safety monitoring. When enabled, occasions that fail in spite of everything retry makes an attempt might be despatched to an SQS queue for investigation and potential replay. This helps stop knowledge loss, gives visibility into failures, and allows safety audit trails for monitoring anomalies. The DLQ retains messages for 14 days. |
Be aware that AWS KMS encryption requires the important thing coverage to grant acceptable permissions to every consuming service (Lambda, CloudWatch Logs, and SNS).
- On the evaluate web page, choose I acknowledge that AWS CloudFormation would possibly create IAM sources with customized names.
- Select Submit.
Sources created
The CloudFormation stack creates the next sources:
- EventBridge rule for scheduled execution
- AWS Lambda perform (Python 3.12 runtime)
- Amazon SNS subject for alerts
- IAM function with permissions for CloudWatch, Amazon Redshift Knowledge API, and SNS
- CloudWatch Log Group for Lambda logs
Be aware: CloudFormation deployment sometimes takes 10–quarter-hour to finish. You may monitor progress in actual time underneath the Occasions tab of your CloudFormation stack.
Put up-deployment configuration
After the CloudFormation stack has been efficiently created, full the next steps.
Step 1: Report CloudFormation outputs
- Navigate to the AWS CloudFormation console.
- Choose your stack and select the Outputs tab.
- Be aware the values for LambdaRoleArn and SNSTopicArn. You’ll need these in subsequent steps.
Step 2: Grant Amazon Redshift permissions
Grant permissions to the Lambda perform to question Amazon Redshift system tables for monitoring knowledge. Full the next steps to grant the required entry:
- Navigate to the Amazon Redshift console.
- Within the left navigation pane, select Question Editor V2.
- Connect with your Amazon Redshift Serverless workgroup.
- Execute the next SQL instructions, changing
with the LambdaRoleArn worth out of your CloudFormation outputs:
These instructions create an AmazonRedshift person related to the Lambda IAM function and grant it the sys:monitor Amazon Redshift function. This function gives read-only entry to catalog and system tables with out granting permissions to person knowledge tables.
Step 3: Configure Slack notifications
Amazon Q Developer in chat purposes gives native AWS integration and managed authentication, eradicating customized webhook code and lowering setup complexity. To obtain alerts in Slack, configure Amazon Q Developer in Chat Purposes to attach your SNS subject to your most well-liked Slack channel:
- Navigate to Amazon Q Developer in chat purposes (previously AWS Chatbot) within the AWS console.
- Observe the directions within the Slack integration documentation to authorize AWS entry to your Slack workspace.
- When configuring the Slack channel, be certain that you choose the proper AWS Area the place you deployed the CloudFormation stack.
- Within the Notifications part, choose the SNS subject created by your CloudFormation stack (consult with the SNSTopicArn output worth).
- Hold the default IAM read-only permissions for the channel configuration.
After configured, alerts routinely seem in Slack at any time when thresholds are exceeded.
Value issues
With the default configuration, this answer incurs minimal ongoing prices. The Lambda perform executes roughly 693 instances per thirty days (each quarter-hour throughout an 8-hour enterprise day, Monday by means of Friday), leading to a month-to-month value of roughly $0.33 USD. This consists of Lambda compute prices ($0.26) and CloudWatch GetMetricData API calls ($0.07). All different providers (EventBridge, SNS, CloudWatch Logs, and Amazon Redshift Knowledge API). The Amazon Redshift Knowledge API has no extra prices past the minimal Amazon Redshift Serverless RPU consumption for the Amazon Redshift Serverless system desk question execution. You may scale back prices by lowering the monitoring frequency (equivalent to, each half-hour) or improve responsiveness by operating extra often (equivalent to, each 5 minutes) with a proportional value improve.
All prices are estimates and will range primarily based in your setting. Variations typically happen as a result of queries scanning system tables could take longer or require extra sources relying on the system complexity
Safety finest practices
This answer implements the next safety controls:
- IAM insurance policies scoped to particular useful resource ARNs for the Amazon Redshift workgroup, namespace, SNS subject, and log group.
- Knowledge API assertion entry restricted to the Lambda perform’s personal IAM person ID.
- Learn-only
sys:monitordatabase function for operational metadata entry. Restrict to the function created by the CloudFormation template. - Reserved concurrent executions capped at 5.
To additional strengthen your safety posture, take into account the next enhancements:
- Allow
EnableKMSEncryptionto encrypt setting variables, logs, and SNS messages at relaxation. - Allow
EnableVPCto deploy the perform inside a VPC for community isolation. - Audit entry by means of AWS CloudTrail.
Essential: That is pattern code for non-production utilization. Work together with your safety and authorized groups to satisfy your organizational safety, regulatory, and compliance necessities earlier than deployment. This answer demonstrates monitoring capabilities however requires extra safety hardening for manufacturing environments, together with encryption configuration, IAM coverage scoping, VPC deployment, and complete testing.
Clear up
To take away all sources and keep away from ongoing prices in case you don’t wish to use the answer anymore:
- Delete the CloudFormation stack.
- Take away the Slack integration from Amazon Q Developer in chat purposes.
Troubleshooting
- If no metrics or incomplete SQL diagnostics are returned, confirm that the Amazon Redshift Serverless workgroup is lively with current question exercise, and make sure the database person has the
sys:monitorfunction (GRANT ROLE sys:monitor TO) within the question editor. With out this function, queries execute efficiently however solely return knowledge seen to that person’s permissions relatively than the total cluster exercise. - For VPC-deployed features that fail to achieve AWS providers, verify that VPC endpoints or a NAT Gateway are configured for CloudWatch, Amazon Redshift Knowledge API, Amazon Redshift Serverless, SNS, and CloudWatch Logs.
- If the Lambda perform instances out, improve the
LambdaTimeoutandQueryTimeoutSecondsparameters. The default timeout of 240 seconds accommodates most workloads, however clusters with many lively queries could require extra time for SQL diagnostics to finish.
Conclusion
On this publish, we confirmed how one can construct a proactive monitoring answer for Amazon Redshift Serverless utilizing AWS Lambda, Amazon CloudWatch, and Amazon SNS with Slack integration. By routinely amassing metrics, evaluating thresholds, and delivering alerts in close to actual time to Slack or your most well-liked collaborative platform, this answer helps detect efficiency and price points early. As a result of the answer itself is serverless, it aligns with the operational simplicity targets of Amazon Redshift Serverless—scaling routinely, requiring minimal upkeep, and delivering excessive worth at low value. You may prolong this basis with extra metrics, diagnostic logic, or different notification channels to satisfy your group’s wants.
To be taught extra, see the Amazon Redshift documentation on monitoring and efficiency optimization.
Concerning the authors