AWS Health Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Management and governance

1. Introduction

AWS Health is AWS’s service for tracking AWS events and changes that can affect your AWS environment—especially your specific account and resources. It helps you detect, understand, and respond to outages, scheduled maintenance, security notifications, and other operational events published by AWS.

In simple terms: AWS Health tells you when AWS is doing something (or something is happening) that might impact your workloads, and it gives you the details needed to act—what services are affected, which resources are impacted, and what remediation steps are recommended.

Technically, AWS Health provides an account-aware event feed (via the AWS Health Dashboard in the console and the AWS Health API) containing: – Events (issues, scheduled changes, account notifications, security notifications) – Event metadata (service, region, status, timestamps) – Affected entities (which specific AWS resources are impacted, when provided)

It solves a common problem in cloud operations: the public AWS status page can be too broad, while your teams need actionable, account-specific impact to reduce incident response time, improve reliability, and automate operational workflows.

Naming note: You may still see older references to the “Personal Health Dashboard.” In current AWS terminology, the service is AWS Health, and the console experience is often referred to as the AWS Health Dashboard. Verify the latest naming in the official user guide if your organization uses older internal documentation.

2. What is AWS Health?

Official purpose: AWS Health provides visibility into the performance and availability of AWS services and account-specific notifications about events that may affect your resources. It is intended to help operators understand impact and take action.

Core capabilities: – A dashboard showing current and historical AWS Health events for your account – An API for programmatic access to events, event details, and affected resources – (For organizations) an organizational view so a central team can see events across multiple accounts (requires AWS Organizations configuration and permissions)

Major components: – AWS Health Dashboard (console): Interactive view of events and impacted resources. – AWS Health API: Programmatic access to the same type of data (used for automation, integrations, and reporting). – Event model: – Event types (definitions of possible events) – Events (instances that occur at a time and may affect accounts) – Affected entities (resources that are impacted, when AWS provides entity-level detail)

Service type: Management and governance / operations visibility and event notification service.

Scope (global vs regional): – AWS Health is conceptually a global service because events can span regions and services and relate to your account globally. – Important operational detail: the AWS Health API is commonly accessed via the us-east-1 endpoint (and many CLI examples use --region us-east-1). Always confirm the current endpoint behavior in the official documentation.

How it fits into the AWS ecosystem: AWS Health is a key operational signal source that can feed: – Incident response workflows (ticketing, paging, chat notifications) – Operations tooling (AWS Systems Manager OpsCenter, runbooks) – Automation (AWS Lambda + EventBridge schedules; EventBridge event rules where supported) – Governance and reporting (central operations teams in multi-account setups)

Official documentation entry point: https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html

3. Why use AWS Health?

Business reasons

Reduce downtime cost: Faster detection and clearer impact analysis reduces time-to-mitigation.
Improve customer experience: Proactively communicate incidents and planned maintenance.
Operational maturity: Standardizes cloud event handling and post-incident review inputs.

Technical reasons

Account-specific impact: Goes beyond the public AWS status view by correlating events to your account and (often) your resources.
Automation-friendly: The AWS Health API enables polling, reporting, and integration with existing tooling.
Structured event data: Consistent fields like service, region, status, time windows, and descriptions.

Operational reasons

Better triage: Operators can quickly learn “is it us or AWS?” and which components are affected.
Centralized visibility: With AWS Organizations integration (where used), platform teams can monitor many accounts from one place.
Runbook triggers: Map event types to standard operating procedures (SOPs) and automation.

Security/compliance reasons

Security notifications: Some AWS Health events include security-related guidance that supports incident response and compliance obligations.
Auditability: API access can be logged via AWS CloudTrail (your calls to the Health API, not AWS’s internal publication of events).

Scalability/performance reasons

Scale operations across accounts: Particularly valuable for multi-account enterprises that need centralized operations signals.
Consistent integration patterns: Combine with EventBridge/Lambda/SNS to notify thousands of stakeholders with consistent routing.

When teams should choose AWS Health

You operate production workloads on AWS and need account-aware operational intelligence.
You want automation (notifications, ticketing, runbooks) triggered by AWS-originated events.
You run multi-account environments and want centralized visibility (organizational view).

When teams should not choose it

You only need broad, public service availability updates (the public AWS Service Health Dashboard may be sufficient).
You expect to publish your own custom application health events—AWS Health is for AWS-published health events, not arbitrary app events.
You cannot meet prerequisites for API access in your environment (for example, support plan requirements). In that case, build a partial process around public status feeds and your own monitoring—while noting it’s not the same as AWS Health.

Support plan note: Historically, some AWS Health capabilities (notably certain API access and organizational features) have been associated with specific AWS Support plans. Verify current eligibility in official docs and your AWS Support plan before building critical dependencies.

4. Where is AWS Health used?

Industries

Financial services (strict uptime and change management)
Healthcare (regulated environments, maintenance planning)
Retail/e-commerce (availability and peak events)
SaaS providers (multi-tenant operations)
Media/streaming (high availability, regional capacity planning)
Public sector (governance, centralized operations)

Team types

SRE and operations teams
Platform engineering teams managing AWS Organizations
DevOps teams implementing incident automation
Security operations teams consuming security notifications
IT service management teams integrating with ticketing systems

Workloads

Mission-critical web and API platforms
Data processing pipelines (where scheduled changes can disrupt SLAs)
Compliance-heavy workloads requiring change visibility
Multi-region architectures that need rapid impact pinpointing

Architectures

Multi-account landing zones (central “operations” account)
Microservices on ECS/EKS
Serverless systems (Lambda/API Gateway/DynamoDB)
Traditional EC2-based stacks with load balancers and auto scaling
Hybrid integrations where AWS-side events must be communicated internally

Real-world deployment contexts

Production: Most valuable in production for actionable incident response and planned maintenance coordination.
Dev/test: Useful when test environments mirror production and are sensitive to AWS maintenance windows or service events.

5. Top Use Cases and Scenarios

Below are realistic scenarios where AWS Health is commonly used.

1) Central outage detection and notification

Problem: Teams learn about AWS incidents late or through social channels.
Why AWS Health fits: It provides official AWS event details and account impact context.
Example: A platform team routes AWS Health “issue” events to an on-call rotation via SNS → chat/ticketing.

2) Scheduled maintenance change management

Problem: Planned AWS maintenance disrupts workloads when teams aren’t prepared.
Why AWS Health fits: ScheduledChange events help teams plan mitigations and communicate timelines.
Example: A database team receives notices for RDS maintenance windows and updates internal change calendars.

3) Multi-account organizational visibility

Problem: In an AWS Organization, each account has separate visibility; operations teams lack a consolidated view.
Why AWS Health fits: Organizational view (where enabled) supports cross-account event monitoring.
Example: A centralized NOC monitors all accounts and regions for AWS Health events, then notifies owning teams.

4) Automated incident creation in OpsCenter

Problem: AWS incidents are handled manually without consistent tracking.
Why AWS Health fits: Event data can populate standardized incident records.
Example: A Lambda polls AWS Health and creates AWS Systems Manager OpsItems for relevant event types.

5) On-call runbook automation

Problem: Operators waste time searching for what an AWS event means and what actions to take.
Why AWS Health fits: Event types can be mapped to SOPs.
Example: For “scheduled change” impacting EC2, automation triggers a runbook to validate Auto Scaling health and capacity.

6) Executive communications and customer status updates

Problem: Business stakeholders need timely, accurate updates.
Why AWS Health fits: Provides authoritative event descriptions and timestamps.
Example: A comms template is filled automatically using AWS Health event descriptions and ETA updates.

7) Compliance evidence for operational awareness

Problem: Auditors ask how the organization stays informed of provider issues and changes.
Why AWS Health fits: Demonstrates systematic ingestion of cloud provider notifications.
Example: Weekly reports extracted via the API show event awareness and response actions.

8) Correlating AWS events with observability alarms

Problem: Many alarms fire; unclear if root cause is internal or provider-side.
Why AWS Health fits: Helps correlate incident windows with AWS events.
Example: A postmortem pipeline tags incidents with any overlapping AWS Health events.

9) Regional impact routing

Problem: Global teams need region-specific routing to the right responders.
Why AWS Health fits: Events include region/service metadata.
Example: APAC on-call receives events affecting ap-southeast-1, while EMEA receives eu-west-1.

10) Service owner targeted notifications

Problem: Notifications go to a generic mailbox, delaying action.
Why AWS Health fits: Event types reference AWS services; route to service owners.
Example: S3-related events notify the storage platform team; EKS-related events notify Kubernetes platform owners.

11) Post-incident analysis and trend reporting

Problem: Teams can’t quantify provider-related disruptions over time.
Why AWS Health fits: Events can be queried and summarized by service/region.
Example: Monthly trend report: count of “issue” events affecting critical services and time-to-close.

12) Security notification response workflows

Problem: Security-relevant provider notifications aren’t handled consistently.
Why AWS Health fits: Includes account notifications and sometimes security notifications.
Example: AWS Health event triggers creation of a security ticket and links to remediation guidance.

6. Core Features

AWS Health Dashboard (console)

What it does: Displays AWS Health events relevant to your AWS account, including current and historical items.
Why it matters: Human-friendly visibility for operations and incident response.
Practical benefit: Quickly answer: “Is AWS reporting an issue that affects us?”
Limitations/caveats: Access and content may depend on account configuration and eligibility; verify event availability and scope in official docs.

AWS Health API (programmatic access)

What it does: Provides API operations to list event types, query events, retrieve event details, and list affected entities.
Why it matters: Enables automation (notifications, ticket creation, dashboards).
Practical benefit: Build scheduled checks and integrate with your tooling.
Limitations/caveats: API access may require a specific AWS Support plan. If you see authorization/subscription errors, confirm plan eligibility.

Event metadata: service, region, time window, status

What it does: Each event includes structured metadata such as impacted service, impacted region(s), start/end/lastUpdated time, and status (e.g., open/closed).
Why it matters: Enables routing and prioritization.
Practical benefit: Route to the correct on-call group and apply severity rules.
Limitations/caveats: Not every event includes every field with the same precision.

Event details (descriptions, remediation guidance)

What it does: Provides event descriptions and sometimes recommended actions.
Why it matters: Reduces time spent searching for context.
Practical benefit: Auto-populate internal incident tickets with authoritative AWS descriptions.
Limitations/caveats: Guidance may be high-level; you still need workload-specific runbooks.

Affected entities (impacted resources)

What it does: For some events, AWS identifies specific impacted resources (entities), such as instance IDs or resource ARNs (varies).
Why it matters: Moves from “service is impacted” to “these are the resources we must check.”
Practical benefit: Targeted mitigation (failover only the impacted resources).
Limitations/caveats: Entity-level detail is not guaranteed for all services or event types.

Aggregations and filtering

What it does: Supports filtering by service, region, event category, time range, and status; provides aggregation APIs in some cases.
Why it matters: Scales from manual viewing to fleet-level reporting.
Practical benefit: Daily summary reports per service/team.
Limitations/caveats: Be mindful of API throttling and pagination for large organizations.

Organizational view (AWS Organizations integration)

What it does: Enables a management/delegated admin account to view AWS Health events across member accounts.
Why it matters: Central operations and governance in multi-account environments.
Practical benefit: One operations dashboard for all accounts, with routing to owners.
Limitations/caveats: Requires AWS Organizations configuration and permissions; ensure you follow official setup steps.

Integrations (common patterns)

What it does: AWS Health data can be integrated into:
Amazon EventBridge (where supported)
AWS Lambda for automation
Amazon SNS for notifications
AWS Systems Manager OpsCenter / Incident Manager (workflow tooling)
AWS Chatbot (chat notifications)
Why it matters: Turns events into actions.
Practical benefit: Automated, consistent incident management.
Limitations/caveats: Integration specifics depend on your architecture; some require additional configuration and incur separate service costs.

7. Architecture and How It Works

High-level architecture

At a high level: 1. AWS publishes health events internally. 2. AWS Health makes these events available to you via: – AWS Health Dashboard (console) – AWS Health API (programmatic access) – Event-driven patterns (commonly via Amazon EventBridge, where configured/supported) 3. Your tooling consumes events and triggers notifications or automation.

Request/data/control flow (typical API polling workflow)

A scheduled job (Lambda, container, or CI runner) calls the AWS Health API:
DescribeEvents to list relevant events
DescribeEventDetails to fetch human-readable descriptions
DescribeAffectedEntities to identify impacted resources (when present)
The job transforms results into actions:
Notify via SNS/Chat
Open an incident/ticket
Trigger runbooks

Integrations with related services

Amazon EventBridge: Match aws.health events (if enabled/available) and route to targets.
AWS Lambda: Transform and route event payloads, call internal APIs, create tickets.
Amazon SNS: Email/SMS/HTTP(S) fan-out for notifications.
AWS Systems Manager OpsCenter / Incident Manager: Create OpsItems/incidents from events.
AWS Chatbot: Send notifications to Slack/Chime channels.
AWS CloudTrail: Logs your API activity against AWS Health (useful for audit).

Dependency services

AWS Health itself is managed by AWS. In your automation, common dependencies include: – IAM (roles/policies) – Lambda runtime – EventBridge schedules or rules – SNS topics/subscriptions – CloudWatch Logs

Security/authentication model

Uses AWS IAM for access control.
Policies specify health:* actions (and health:*ForOrganization for org view).
Recommended: use least-privilege roles for automation (Lambda execution role) and separate human access roles.

Networking model

AWS Health API is accessed via AWS public endpoints.
Your calls go over the internet (or AWS network paths depending on your environment). There is typically no VPC interface endpoint for AWS Health—verify in official docs if private connectivity is required.

Monitoring/logging/governance considerations

Log automation output to CloudWatch Logs.
Track notification delivery and failures in SNS.
Use CloudTrail to audit:
Who changed notification rules
Who queried AWS Health data
Tag and document rules, topics, and Lambda functions as part of governance.

Simple architecture diagram (starter)

flowchart LR
  A[AWS Health] --> B[AWS Health API]
  B --> C[Lambda (scheduled)]
  C --> D[SNS Topic]
  D --> E[Email / Chat / Webhook]

Production-style architecture diagram (multi-account)

flowchart TB
  subgraph Org[AWS Organization]
    MA[Management / Delegated Admin Account]
    A1[Workload Account A]
    A2[Workload Account B]
    A3[Workload Account C]
  end

  H[AWS Health\n(Events + Affected Entities)] --> API[AWS Health API\n(Org view where enabled)]
  API --> POLLER[Central Poller\nLambda / Container]
  POLLER --> EB[EventBridge (custom bus optional)]
  EB --> SNS[SNS Topics\n(team routing)]
  EB --> SSM[Systems Manager OpsCenter/\nIncident Manager]
  SNS --> CHAT[AWS Chatbot -> Slack/Chime]
  SNS --> EMAIL[Email distribution]
  SSM --> ITSM[Ticketing / ITSM Integration\n(via webhook/Lambda)]

8. Prerequisites

Before you start, confirm the following.

Account / support plan requirements

An AWS account.
AWS Support plan eligibility: Some AWS Health API and organizational features may require Business or Enterprise Support. If your API calls fail with subscription-related errors, verify your plan and AWS Health API eligibility in official docs.

Permissions / IAM roles

For the hands-on lab, you typically need: – Permission to create IAM roles and policies (or use an existing role). – Permission to create Lambda functions. – Permission to create SNS topics and subscriptions. – Permission to create EventBridge rules/schedules. – Permission to call AWS Health API actions (health:DescribeEvents, health:DescribeEventDetails, health:DescribeAffectedEntities, etc.).

For org-wide visibility (optional): – AWS Organizations configured – Permission for AWS Health organizational view actions (the *ForOrganization Health actions) – Delegated administrator configured for AWS Health (verify official steps)

Billing requirements

AWS Health itself is generally described as no additional charge, but:
Your AWS Support plan may have a monthly cost.
Integrated services (Lambda, SNS, EventBridge, logs) can incur usage-based charges.

CLI/SDK/tools needed

AWS CLI v2 installed and configured: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Python 3.11+ (or similar) if you want to run local scripts
(Optional) AWS SAM or CDK if you prefer IaC, though this tutorial uses CLI + console-friendly steps.

Region availability / endpoints

AWS Health API is commonly used with us-east-1. Plan to run CLI commands with:
--region us-east-1
Events themselves may reference any region.

Quotas/limits

AWS Health API has request rate limits/throttling. Design automation with:
Backoff/retry
Pagination
Incremental polling windows
Exact quotas can change; verify in the AWS Health API documentation.

Prerequisite services

Amazon SNS
AWS Lambda
Amazon EventBridge
IAM
CloudWatch Logs

9. Pricing / Cost

Current pricing model (accurate overview)

AWS Health is generally presented as available at no additional charge, but the total cost to use AWS Health in production depends on: 1. AWS Support plan (if required for the features you use) 2. Automation and notification services you integrate with AWS Health

Start here: – AWS Health overview: https://aws.amazon.com/premiumsupport/technology/aws-health/ – AWS Support pricing: https://aws.amazon.com/premiumsupport/pricing/ – AWS Pricing Calculator: https://calculator.aws/#/

Because AWS Support plan pricing varies by plan and account spend (and can change), do not hard-code cost assumptions. Confirm with the official pricing page and your account team.

Pricing dimensions

Direct AWS Health charges – Typically described as $0 for AWS Health itself (verify in official docs).

Support plan cost (often the biggest driver) – If you require Business/Enterprise Support to access the AWS Health API or organizational view, the plan itself becomes a cost driver. – This is frequently the dominant cost when adopting AWS Health automation at scale.

Integrated service costs – AWS Lambda: per invocation + duration + memory. – Amazon EventBridge: rules/events/schedules depending on implementation. – Amazon SNS: per publish + delivery type (email is usually inexpensive; SMS costs more). – CloudWatch Logs: ingestion + retention/storage. – Incident tooling: Systems Manager Incident Manager may have its own pricing model (verify current pricing if you use it).

Free tier considerations

Lambda and SNS have free tier components in many regions for eligible accounts, but free tier eligibility is time-bound and account-specific. Verify your account’s free tier status.
Even if AWS Health is free, your automation still generates usage (invocations, logs).

Hidden/indirect costs

Operational overhead: building and maintaining routing logic, runbooks, on-call processes.
Noise cost: excessive or poorly filtered notifications cause alert fatigue.
Cross-account complexity: organizational setups require governance and access reviews.

Network/data transfer implications

AWS Health API calls are typically small payloads.
SNS email deliveries don’t incur data transfer in the same way as large payload services, but charges depend on SNS usage type.
If you forward data to external systems (webhooks, SIEM), egress may apply.

How to optimize cost

Use scheduled polling intervals appropriate for your needs (e.g., every 15–60 minutes vs every minute).
Filter events by category/service/region to reduce processing and noise.
Control log verbosity; set log retention policies in CloudWatch Logs.
Batch notifications (daily summary) for low-severity items; page only for high-severity categories.

Example low-cost starter estimate (conceptual)

A starter setup that runs a Lambda once per hour and emails a summary: – Likely low cost if within Lambda free tier and minimal SNS usage – Main cost risk: CloudWatch Logs retention if left unbounded – If a paid support plan is required, that cost can dwarf the automation cost

Example production cost considerations

In a large organization (hundreds of accounts): – Central poller may process many events/entities, increasing Lambda duration and log volume. – More SNS topics, subscriptions, and integrations (chat, ITSM) increase operational complexity. – Support plan eligibility and cost must be part of the business case.

10. Step-by-Step Hands-On Tutorial

This lab builds a practical, low-cost AWS Health notification pipeline using the AWS Health API, AWS Lambda, Amazon SNS, and an EventBridge schedule.

Objective

Create an automated workflow that: 1. Queries AWS Health for open/recent events. 2. Summarizes results. 3. Sends an email notification via SNS on a schedule (and on-demand test).

Lab Overview

You will: 1. Verify AWS Health API access. 2. Create an SNS topic and confirm an email subscription. 3. Create an IAM role for Lambda with least-privilege permissions. 4. Deploy a Lambda function that calls the AWS Health API and publishes to SNS. 5. Schedule the Lambda using Amazon EventBridge. 6. Validate via CloudWatch Logs and email. 7. Clean up all resources.

Estimated time: 45–75 minutes
Cost: Typically low. Primary costs come from Lambda, SNS, EventBridge, and logs; plus any required AWS Support plan.

Step 1: Verify AWS Health API access (CLI)

Ensure AWS CLI is configured:

aws sts get-caller-identity

Try calling AWS Health API (use us-east-1 unless your docs specify otherwise):

aws health describe-event-types --region us-east-1 --max-results 10

Expected outcome – If successful: a JSON response containing event type definitions. – If you see an error such as subscription/plan required (wording varies): you likely need a different AWS Support plan for AWS Health API access.
– Action: Confirm eligibility in the official AWS Health documentation and your AWS Support plan. – You can still proceed with infrastructure creation, but the Lambda’s Health API call will fail until access is available.

Step 2: Create an SNS topic and email subscription

Create a topic:

TOPIC_ARN=$(aws sns create-topic --name aws-health-alerts --query TopicArn --output text)
echo "$TOPIC_ARN"

Subscribe your email address:

aws sns subscribe \
  --topic-arn "$TOPIC_ARN" \
  --protocol email \
  --notification-endpoint you@example.com

Confirm the subscription: – Check your inbox for the AWS confirmation email. – Click the confirmation link.

Expected outcome – SNS shows the subscription as confirmed. You can verify in the console: – Amazon SNS → Topics → aws-health-alerts → Subscriptions

Step 3: Create an IAM role for Lambda (least privilege)

Create a trust policy that allows Lambda to assume the role:

cat > trust-policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

Create the role:

aws iam create-role \
  --role-name AwsHealthNotifierLambdaRole \
  --assume-role-policy-document file://trust-policy.json

Attach basic logging permissions:

aws iam attach-role-policy \
  --role-name AwsHealthNotifierLambdaRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Create an inline policy for AWS Health + SNS publish. Adjust actions if you use additional API calls. Some environments may require fewer or more actions.

cat > health-sns-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowHealthRead",
      "Effect": "Allow",
      "Action": [
        "health:DescribeEvents",
        "health:DescribeEventDetails",
        "health:DescribeAffectedEntities",
        "health:DescribeEventTypes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSnsPublish",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "$TOPIC_ARN"
    }
  ]
}
EOF

Attach the inline policy:

aws iam put-role-policy \
  --role-name AwsHealthNotifierLambdaRole \
  --policy-name AwsHealthReadAndSnsPublish \
  --policy-document file://health-sns-policy.json

Get the role ARN:

ROLE_ARN=$(aws iam get-role --role-name AwsHealthNotifierLambdaRole --query Role.Arn --output text)
echo "$ROLE_ARN"

Expected outcome – You have a Lambda execution role that can: – write logs – call AWS Health read APIs – publish to your SNS topic

Step 4: Create the Lambda function (Python)

Create lambda_function.py:

import os
import json
from datetime import datetime, timedelta, timezone

import boto3

HEALTH_REGION = os.environ.get("HEALTH_REGION", "us-east-1")
TOPIC_ARN = os.environ["TOPIC_ARN"]

health = boto3.client("health", region_name=HEALTH_REGION)
sns = boto3.client("sns")

def _iso(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")

def lambda_handler(event, context):
    now = datetime.now(timezone.utc)
    lookback_days = int(os.environ.get("LOOKBACK_DAYS", "7"))
    start_time = now - timedelta(days=lookback_days)

    # Filter for common categories. Adjust for your needs.
    # Common categories include: issue, scheduledChange, accountNotification.
    # Exact values and availability can vary; verify in AWS docs.
    filter_ = {
        "eventStatusCodes": ["open", "upcoming"],
        "startTimes": [{"from": start_time}]
    }

    events = []
    next_token = None

    while True:
        kwargs = {"filter": filter_, "maxResults": 50}
        if next_token:
            kwargs["nextToken"] = next_token

        resp = health.describe_events(**kwargs)
        events.extend(resp.get("events", []))
        next_token = resp.get("nextToken")
        if not next_token:
            break

    # Fetch details for events (if any)
    details_map = {}
    if events:
        arns = [{"eventArn": e["arn"]} for e in events]
        det = health.describe_event_details(eventArns=arns)
        for s in det.get("successfulSet", []):
            details_map[s["event"]["arn"]] = s.get("eventDescription", {}).get("latestDescription", "")

    lines = []
    lines.append(f"AWS Health summary ({_iso(now)}), lookback {lookback_days}d")
    lines.append(f"Query region/endpoint: {HEALTH_REGION}")
    lines.append("")

    if not events:
        lines.append("No open/upcoming AWS Health events found for this account in the selected window.")
    else:
        lines.append(f"Found {len(events)} event(s):")
        for e in sorted(events, key=lambda x: x.get("lastUpdatedTime", now), reverse=True):
            arn = e["arn"]
            svc = e.get("service", "unknown-service")
            reg = e.get("region", "global-or-unknown")
            status = e.get("statusCode", "unknown")
            category = e.get("eventTypeCategory", "unknown")
            event_type = e.get("eventTypeCode", "unknown-type")
            last = e.get("lastUpdatedTime")
            start = e.get("startTime")
            end = e.get("endTime")

            lines.append("")
            lines.append(f"- {svc} | {reg} | {category} | {status}")
            lines.append(f"  type: {event_type}")
            if start:
                lines.append(f"  start: {_iso(start)}")
            if last:
                lines.append(f"  lastUpdated: {_iso(last)}")
            if end:
                lines.append(f"  end: {_iso(end)}")
            desc = details_map.get(arn, "")
            if desc:
                # Keep emails readable; truncate long descriptions
                lines.append("  description:")
                snippet = desc.strip().replace("\n", " ")
                lines.append(f"    {snippet[:500]}{'...' if len(snippet) > 500 else ''}")

    message = "\n".join(lines)

    sns.publish(
        TopicArn=TOPIC_ARN,
        Subject="AWS Health summary",
        Message=message
    )

    return {
        "eventsFound": len(events),
        "publishedTo": TOPIC_ARN
    }

Package it:

zip function.zip lambda_function.py

Create the Lambda function (choose a region for Lambda; this example uses us-east-1, but you can choose another region—your Lambda can still call AWS Health API in us-east-1):

aws lambda create-function \
  --function-name aws-health-notifier \
  --runtime python3.12 \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip \
  --role "$ROLE_ARN" \
  --timeout 30 \
  --memory-size 256 \
  --environment "Variables={TOPIC_ARN=$TOPIC_ARN,HEALTH_REGION=us-east-1,LOOKBACK_DAYS=7}" \
  --region us-east-1

Expected outcome – Lambda function aws-health-notifier is created. – It has environment variables pointing to your SNS topic and AWS Health API region.

Step 5: Test the Lambda manually

Invoke the Lambda:

aws lambda invoke \
  --function-name aws-health-notifier \
  --payload '{}' \
  --region us-east-1 \
  output.json

cat output.json

Check CloudWatch Logs for the function: – CloudWatch → Logs → Log groups → /aws/lambda/aws-health-notifier

Expected outcome – output.json returns eventsFound and publishedTo. – You receive an email from SNS: – If you have no events, the message explicitly says so. – If you have events, it lists them.

Step 6: Schedule the Lambda with Amazon EventBridge

Create a scheduled rule (runs every 6 hours; adjust as needed):

aws events put-rule \
  --name aws-health-notifier-schedule \
  --schedule-expression "rate(6 hours)" \
  --state ENABLED \
  --region us-east-1

Allow EventBridge to invoke the Lambda:

aws lambda add-permission \
  --function-name aws-health-notifier \
  --statement-id allow-eventbridge-invoke \
  --action lambda:InvokeFunction \
  --principal events.amazonaws.com \
  --source-arn arn:aws:events:us-east-1:$(aws sts get-caller-identity --query Account --output text):rule/aws-health-notifier-schedule \
  --region us-east-1

Attach the Lambda as a target:

aws events put-targets \
  --rule aws-health-notifier-schedule \
  --targets "Id"="1","Arn"="$(aws lambda get-function --function-name aws-health-notifier --query Configuration.FunctionArn --output text --region us-east-1)" \
  --region us-east-1

Expected outcome – The rule is enabled. – Lambda will run on schedule and email summaries.

Validation

Use these checks:

Confirm rule exists and is enabled:

aws events describe-rule --name aws-health-notifier-schedule --region us-east-1

Confirm Lambda invocation metrics: – CloudWatch → Metrics → Lambda → Invocations, Errors
Confirm SNS publishes: – Check email delivery (and confirm you clicked the SNS subscription confirmation link).
Confirm AWS Health API access: – If the Lambda fails, inspect CloudWatch Logs for subscription/authorization exceptions.

Troubleshooting

Common issues and fixes:

1) “SubscriptionRequiredException” / access denied when calling AWS Health – Cause: Your account may not be eligible for AWS Health API access with the current AWS Support plan. – Fix: Verify AWS Health API eligibility in official docs and your AWS Support plan. If required, upgrade the plan or run this in an eligible account.

2) No emails received – Cause: SNS email subscription not confirmed. – Fix: Re-check the subscription status in SNS console and confirm the email.

3) Lambda logs show AccessDenied for SNS Publish – Cause: The Lambda role policy doesn’t include sns:Publish to your topic ARN. – Fix: Verify the inline policy and the topic ARN string interpolation.

4) EventBridge rule not invoking Lambda – Cause: Missing Lambda permission for EventBridge principal or wrong source ARN. – Fix: Re-run add-permission with correct rule ARN; ensure region/account ID are correct.

5) Throttling – Cause: Too-frequent polling or large org queries. – Fix: Increase polling interval, reduce time windows, implement exponential backoff, and paginate carefully.

Cleanup

Delete resources to avoid ongoing charges:

1) Remove EventBridge targets and delete rule:

aws events remove-targets --rule aws-health-notifier-schedule --ids "1" --region us-east-1
aws events delete-rule --name aws-health-notifier-schedule --region us-east-1

2) Delete Lambda:

aws lambda delete-function --function-name aws-health-notifier --region us-east-1

3) Delete SNS topic (this also deletes subscriptions):

aws sns delete-topic --topic-arn "$TOPIC_ARN"

4) Delete IAM role policy and role:

aws iam delete-role-policy --role-name AwsHealthNotifierLambdaRole --policy-name AwsHealthReadAndSnsPublish
aws iam detach-role-policy --role-name AwsHealthNotifierLambdaRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
aws iam delete-role --role-name AwsHealthNotifierLambdaRole

5) (Optional) Delete CloudWatch log group:

aws logs delete-log-group --log-group-name "/aws/lambda/aws-health-notifier" --region us-east-1

11. Best Practices

Architecture best practices

Prefer centralized ingestion in multi-account environments:
Use AWS Organizations and a delegated admin/central account where appropriate.
Design for both push and pull:
Use event-driven routing (EventBridge) where available.
Use scheduled polling as a reliable baseline.
Separate detection from response:
One component collects and normalizes AWS Health events.
Downstream components route to teams, create tickets, or run automation.

IAM/security best practices

Use least privilege:
Limit Lambda role to required health:Describe* actions and only the SNS topic it needs.
Use separate roles for humans and automation.
Require MFA and use SSO (IAM Identity Center) for console access where possible.
Use resource-level restrictions where supported (note: many AWS Health actions use Resource: *).

Cost best practices

Poll at sane intervals (e.g., hourly) unless you have a specific need.
Avoid excessive CloudWatch Logs by:
Logging summaries, not full payloads
Setting log retention (e.g., 30–90 days)
Batch low-severity notifications into digest emails.

Performance best practices

Use pagination and bounded time windows.
Cache and reuse event type mappings (eventTypeCode → team/runbook) outside the hot path.

Reliability best practices

Use retries with exponential backoff for API calls.
Ensure notification pipelines are redundant:
Multiple SNS subscriptions
Fallback routing for failed webhooks
Treat AWS Health ingestion as part of your incident response system:
alarms on Lambda errors
dead-letter handling if you add async processing

Operations best practices

Maintain a routing map:
service → owner team
region → on-call group
event category/type → severity/runbook
Create runbooks for common AWS event categories:
scheduled changes
service issues
account notifications

Governance/tagging/naming best practices

Use consistent names, e.g.:
aws-health-notifier
aws-health-alerts
Tag resources with:
Owner, Environment, CostCenter, DataClassification
Document event handling SLAs and escalation policies.

12. Security Considerations

Identity and access model

AWS Health uses IAM authorization.
For organizational view, additional permissions and organization-level controls apply.
Recommended controls:
Restrict health:* actions to an operations role
Use read-only access for most users; restrict configuration changes to admins

Encryption

AWS Health data is accessed via AWS APIs over TLS.
For your pipeline:
SNS supports encryption at rest with AWS KMS (optional).
CloudWatch Logs can be encrypted with KMS (optional).
If storing event history in S3/DynamoDB, encrypt at rest and apply least privilege.

Network exposure

API endpoints are public AWS endpoints; control access via IAM.
If you forward events externally, treat event payloads as potentially sensitive operational data:
Limit what you include in outbound notifications
Use secure webhooks (TLS, authentication)

Secrets handling

This tutorial uses no secrets.
If integrating with ticketing systems (ServiceNow/Jira) or chat tools:
Store tokens in AWS Secrets Manager or SSM Parameter Store (SecureString)
Never hard-code secrets in Lambda environment variables without encryption and rotation

Audit/logging

Enable AWS CloudTrail organization-wide (recommended) to audit:
IAM changes
Lambda/Events/SNS changes
AWS Health API calls made by your automation (your requests)

Compliance considerations

AWS Health data can support change management and incident response evidence.
Ensure notifications do not leak sensitive metadata to unauthorized channels.

Common security mistakes

Overly broad IAM permissions (e.g., sns:* or iam:* for Lambda role).
Sending all AWS Health events to public chat channels.
No review process for notification routing (leading to misdelivery).

Secure deployment recommendations

Use infrastructure as code (CloudFormation/CDK/Terraform) for repeatable, reviewed deployments.
Implement approval workflows for changes to routing/severity maps.
Separate environments (dev/prod) with distinct topics and rules.

13. Limitations and Gotchas

Support plan eligibility: AWS Health API access may depend on your AWS Support plan. Confirm early to avoid rework.
Not all events include affected entities: Entity-level impacted resource IDs may be unavailable for some services/event types.
Event coverage varies: AWS Health does not necessarily provide every operational nuance; treat it as an authoritative provider signal, not a full observability solution.
API throttling: Large organizations can hit rate limits; implement backoff, caching, and efficient queries.
Global vs regional confusion: Events can reference many regions; the API endpoint region usage can be non-intuitive (often us-east-1).
You can’t publish custom events into AWS Health: It’s AWS-generated. Use EventBridge custom events or your observability stack for app-level health.
Noise management is essential: Without filtering/routing, AWS Health notifications can overwhelm teams.
Historical retention: The amount of event history accessible and how long it persists can vary; verify retention behavior in docs.
Organizational configuration complexity: Delegated admin and cross-account access must be managed carefully.

14. Comparison with Alternatives

AWS Health is best viewed as AWS’s account-aware provider event feed. Alternatives and complements include status pages, monitoring tools, and incident platforms.

Option	Best For	Strengths	Weaknesses	When to Choose
AWS Health	Account-specific AWS event visibility and automation	Authoritative AWS events; can include affected resources; API automation; org-wide view (where enabled)	May require support plan eligibility; not app-level health; event/entity coverage varies	You need provider-originated, account-aware events integrated into ops
AWS Service Health Dashboard (public status page)	Broad awareness of AWS service issues	Public, easy, no setup	Not account-specific; not resource-specific	You just need general AWS status without automation
Amazon EventBridge (custom events)	Application/event-driven architectures	Flexible routing; you can publish your own events	Not provider health by itself	You want to model your own operational events and workflows
AWS Trusted Advisor	Best-practice checks, cost/security recommendations	Actionable checks across security/cost/performance	Not an event feed; different purpose	You want periodic optimization checks, not incident notices
AWS Systems Manager Incident Manager / OpsCenter	Incident workflow management	Tracks incidents, response plans, escalation	Not a provider event source; needs inputs	You want structured incident response and runbooks fed by AWS Health/monitoring
Azure Service Health	Azure environments	Azure-equivalent provider event tooling	Not AWS	You operate primarily in Azure
Google Cloud Service Health / status dashboards	GCP environments	Provider status visibility	Not AWS	You operate primarily in GCP
PagerDuty / Opsgenie / ServiceNow	Enterprise alerting and ITSM	Mature escalation, on-call, IT workflows	Needs event sources; cost	You need enterprise incident operations with AWS Health as one input
Datadog/New Relic/Prometheus	App + infrastructure observability	Deep metrics/logs/traces; alerting	Not authoritative AWS provider event feed	You need end-to-end monitoring; use AWS Health as correlation input

15. Real-World Example

Enterprise example (multi-account regulated environment)

Problem: A financial services company runs 300+ AWS accounts. Teams miss scheduled maintenance and AWS incidents, leading to delayed response and audit findings.
Proposed architecture:
Enable AWS Organizations and configure AWS Health organizational visibility (delegated admin).
Central poller (Lambda or container) queries org-wide events and affected entities.
Route by service and account tags:
- SNS topics per domain (payments, analytics, IAM)
- Incident Manager for high-severity “issue” events
Store event history in S3 (encrypted) for reporting and audits.
Why AWS Health was chosen: It provides authoritative AWS-originated events with account-aware context and supports multi-account operations.
Expected outcomes:
Faster identification of provider-impact vs internal issues
Documented awareness and response evidence for audits
Reduced unplanned downtime from missed maintenance

Startup/small-team example (single account, lean ops)

Problem: A small SaaS team runs production on AWS with minimal on-call capacity. They want to avoid learning about AWS incidents too late.
Proposed architecture:
Lambda runs every 6 hours, queries AWS Health for open/upcoming events.
SNS sends email to on-call mailbox and Slack via a webhook bridge (optional).
Basic filtering: only production-critical services.
Why AWS Health was chosen: Lowest-effort way to receive official AWS notifications relevant to their account (assuming plan eligibility).
Expected outcomes:
Fewer surprises during incidents
Better customer communication during provider events
Minimal operational overhead and cost

16. FAQ

1) Is AWS Health the same as the public AWS status page?
No. The public status page is broad and not account-specific. AWS Health focuses on events that may affect your account and resources.

2) Do I need a paid AWS Support plan to use AWS Health?
AWS Health dashboard visibility may be broadly available, but AWS Health API and some features have historically been tied to support plan eligibility. Verify current requirements in official docs and your support plan.

3) Is AWS Health regional or global?
The service is effectively global in scope, but the AWS Health API is commonly accessed via us-east-1. Events can relate to any region.

4) Can I publish my own application events into AWS Health?
No. AWS Health is for AWS-published events. Use EventBridge custom events or your observability platform for app-defined events.

5) What kinds of events does AWS Health include?
Common categories include issues, scheduled changes, and account notifications. Exact categories and availability can evolve—verify in AWS docs.

6) Will AWS Health tell me exactly which EC2 instances are affected?
Sometimes. AWS Health can provide affected entities, but entity-level detail is not guaranteed for all event types/services.

7) How do I automate responses to AWS Health events?
Common patterns: – EventBridge rule → Lambda → ticketing/ChatOps – Scheduled Lambda polling → SNS digest – Create OpsItems/Incidents in Systems Manager tools

8) How often should I poll the AWS Health API?
Most teams start with hourly polling and adjust based on needs and API limits. Use backoff and bounded windows.

9) How do I avoid alert fatigue?
Route events by: – category (page only on critical “issue” events) – service ownership (notify only relevant teams) – environment (production vs dev)

10) Does AWS Health replace CloudWatch alarms?
No. CloudWatch monitors your resources and applications. AWS Health reports provider-originated events. They complement each other.

11) Can a central team see AWS Health events for all accounts?
Yes, using AWS Organizations and organizational view features (where enabled). You must configure delegated admin and permissions.

12) Are AWS Health API calls logged?
Yes—your API calls can be captured by AWS CloudTrail, which is useful for auditing access and changes.

13) Can I store AWS Health events for long-term reporting?
Yes. Use a scheduled poller to write results to S3/DynamoDB/OpenSearch, respecting data governance requirements.

14) What happens if AWS Health has no events?
That’s normal. Your automation should handle zero events gracefully (as shown in the lab).

15) What’s the simplest production-ready setup?
A scheduled Lambda polling the AWS Health API, filtering events, publishing to SNS/ChatOps, and creating tickets for high-severity categories—plus alarms on Lambda errors and log retention controls.

17. Top Online Resources to Learn AWS Health

Resource Type	Name	Why It Is Useful
Official documentation	AWS Health User Guide – What is AWS Health? https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html	Canonical description, concepts, and setup guidance
Official API reference	AWS Health API Reference (via docs) https://docs.aws.amazon.com/health/latest/APIReference/Welcome.html (Verify in official docs)	Full list of API operations, request/response fields
Official overview	AWS Health product page https://aws.amazon.com/premiumsupport/technology/aws-health/	Explains positioning and key capabilities
Official pricing	AWS Support Pricing https://aws.amazon.com/premiumsupport/pricing/	Support plan costs can be a key dependency for AWS Health API access
Official tool	AWS Pricing Calculator https://calculator.aws/#/	Estimate Lambda/SNS/EventBridge/log costs in your automation
Official event routing	Amazon EventBridge User Guide https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html	Patterns for routing AWS service events to targets
SDK docs	Boto3 documentation (Health client) https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/health.html	Practical code-level reference for Python automation
CLI docs	AWS CLI Command Reference (Health) https://docs.aws.amazon.com/cli/latest/reference/health/index.html	CLI commands for quick testing and scripting
Samples/tools	AWS Health Tools (GitHub) https://github.com/awslabs/aws-health-tools	Community-supported (AWS Labs) scripts and examples (review before production use)
Video learning	AWS YouTube channel https://www.youtube.com/@amazonwebservices	Official talks and webinars (search “AWS Health”)

18. Training and Certification Providers

DevOpsSchool.com
– Suitable audience: DevOps engineers, SREs, cloud engineers, beginners to advanced
– Likely learning focus: AWS operations, automation, monitoring/governance patterns, incident workflows
– Mode: check website
– Website: https://www.devopsschool.com/
ScmGalaxy.com
– Suitable audience: DevOps practitioners, toolchain learners, students
– Likely learning focus: DevOps/SCM practices, automation, cloud fundamentals
– Mode: check website
– Website: https://www.scmgalaxy.com/
CLoudOpsNow.in
– Suitable audience: Cloud operations teams, cloud engineers, platform engineers
– Likely learning focus: CloudOps practices, operational readiness, governance/monitoring
– Mode: check website
– Website: https://www.cloudopsnow.in/
SreSchool.com
– Suitable audience: SREs, reliability engineers, operations leaders
– Likely learning focus: SRE principles, incident management, reliability practices
– Mode: check website
– Website: https://www.sreschool.com/
AiOpsSchool.com
– Suitable audience: Ops teams exploring AIOps, monitoring automation, alerting workflows
– Likely learning focus: AIOps concepts, event correlation, automation strategies
– Mode: check website
– Website: https://www.aiopsschool.com/

19. Top Trainers

RajeshKumar.xyz
– Likely specialization: DevOps/cloud training content (verify offerings on site)
– Suitable audience: Students, engineers seeking practical DevOps/cloud guidance
– Website: https://rajeshkumar.xyz/
devopstrainer.in
– Likely specialization: DevOps tools and cloud training (verify course catalog)
– Suitable audience: Beginners to intermediate DevOps practitioners
– Website: https://www.devopstrainer.in/
devopsfreelancer.com
– Likely specialization: Freelance DevOps consulting/training resources (verify services)
– Suitable audience: Teams/individuals seeking project-based guidance
– Website: https://www.devopsfreelancer.com/
devopssupport.in
– Likely specialization: DevOps support and training resources (verify scope)
– Suitable audience: Ops teams needing hands-on troubleshooting help
– Website: https://www.devopssupport.in/

20. Top Consulting Companies

cotocus.com
– Likely service area: Cloud/DevOps consulting (verify current offerings on site)
– Where they may help: AWS operations setup, automation, governance patterns
– Consulting use case examples:
- Implement AWS Health-based incident notifications
- Build centralized event routing and ticketing integration
- Review IAM and security posture for ops tooling
- Website: https://cotocus.com/
DevOpsSchool.com
– Likely service area: DevOps and cloud consulting, training-aligned implementation
– Where they may help: Operational readiness, monitoring/governance pipelines, best practices implementation
– Consulting use case examples:
- Multi-account AWS Health organizational visibility design
- Incident automation using Lambda/SNS/EventBridge
- Governance and auditing patterns around ops tooling
- Website: https://www.devopsschool.com/
DEVOPSCONSULTING.IN
– Likely service area: DevOps consulting services (verify offerings on site)
– Where they may help: CI/CD, operations automation, cloud governance integrations
– Consulting use case examples:
- Integrate AWS Health signals into enterprise ITSM
- Build ChatOps notifications and on-call workflows
- Create operational dashboards and reporting pipelines
- Website: https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before AWS Health

AWS fundamentals: IAM, Regions/AZs, core services (EC2, S3, RDS, VPC)
Monitoring basics: metrics vs logs vs traces
Incident response basics: severity, escalation, postmortems
AWS Organizations basics (for multi-account setups)

What to learn after AWS Health

Amazon EventBridge advanced routing and multi-account event buses
AWS Systems Manager OpsCenter and Incident Manager (if using AWS-native incident tooling)
ChatOps patterns (AWS Chatbot + Slack/Chime)
ITSM integrations (webhooks, ServiceNow/Jira patterns)
Reliability engineering: error budgets, SLOs, resilience testing

Job roles that use it

Site Reliability Engineer (SRE)
Cloud/Platform Engineer
DevOps Engineer
Cloud Operations / NOC Engineer
Security Engineer (for provider security notifications)
Solutions Architect (designing operational governance)

Certification path (AWS)

AWS Health is not usually a standalone certification topic, but it appears in operational excellence and governance contexts: – AWS Certified Cloud Practitioner (foundations) – AWS Certified SysOps Administrator – Associate (operations) – AWS Certified Solutions Architect – Associate/Professional (architecture + operational excellence) – AWS Certified DevOps Engineer – Professional (automation and operations)

Project ideas for practice

Build a multi-team router: AWS Health event → map service to owner → notify team-specific SNS topic.
Add ticket creation: Lambda creates a ticket in an internal tracker for “issue” category events.
Store event history to S3 and create a monthly report by service/region/category.
Add correlation: link AWS Health event windows to CloudWatch alarms to reduce MTTR.

22. Glossary

AWS Health: AWS service providing account-aware notifications and visibility into AWS events that may affect your environment.
AWS Health Dashboard: Console view for AWS Health events.
AWS Health API: Programmatic interface to query events, details, and affected entities.
Event type: Definition/category of an event (e.g., a particular maintenance or issue type).
Event: An instance of an event type occurring at a specific time, with status and metadata.
Affected entity: A specific AWS resource impacted by an event (when available).
AWS Organizations: Service for managing multiple AWS accounts centrally.
Delegated administrator: An account designated to manage a supported AWS service across an organization.
SNS (Amazon Simple Notification Service): Pub/sub messaging service used for email, SMS, and webhook notifications.
EventBridge: Event bus and routing service for AWS service events and custom events.
Lambda: Serverless compute used to run code on schedules or in response to events.
CloudTrail: Service that records API calls for audit and governance.
OpsCenter/OpsItem: Systems Manager capability for tracking and managing operational issues.
Incident Manager: Systems Manager capability for managing incidents, response plans, and escalation.
Alert fatigue: Reduced responsiveness caused by excessive or low-signal alerts.

23. Summary

AWS Health is an AWS Management and governance service that delivers official AWS events with account-aware impact, accessible via a dashboard and API. It matters because it shortens incident detection and triage, improves change awareness (especially scheduled maintenance), and enables consistent automation across teams and accounts.

Cost-wise, AWS Health is generally presented as no additional charge, but your AWS Support plan eligibility can be a major dependency—verify this early. Most ongoing costs come from the automation you build around it (Lambda, EventBridge schedules, SNS, and logging). Security-wise, the critical controls are least-privilege IAM, careful routing of operational notifications, and auditability via CloudTrail.

Use AWS Health when you want authoritative provider event intelligence integrated into incident response. Next, expand your lab into a production pattern: add team-based routing, incident/ticket creation, and (for enterprises) AWS Organizations organizational visibility with centralized governance.