This chapter covers the CloudWatch Embedded Metric Format (EMF), a powerful feature that allows you to emit custom metrics from your application logs without needing separate API calls or metric filters. For the DVA-C02 exam, understanding EMF is critical for questions about cost optimization, operational excellence, and efficient monitoring—roughly 5-8% of exam questions touch on custom metrics, logging, or monitoring patterns that involve EMF. You will learn the exact JSON schema, how EMF integrates with CloudWatch Logs and Metrics, and how to use it to reduce costs and latency in your monitoring pipeline.
Jump to a section
Imagine a restaurant kitchen where the head chef needs to track how many steaks, salads, and desserts are prepared each hour. Traditionally, each cook would shout out every single ingredient they use—'One tomato! One onion! One steak!'—and a scribe would write each one down, creating a massive log of individual events. Later, the chef would have to read through thousands of lines to count totals. This is like sending individual CloudWatch Logs events and then running metric filters to extract counts.
Now, consider a better system: each cook has a pre-printed recipe packet. At the end of each hour, the cook fills in a small card: 'Steaks: 15, Salads: 10, Desserts: 8.' The card also includes a unique timestamp and the cook's station ID. The chef can instantly see the totals without reading a single log line. This is EMF. The application (cook) constructs a structured JSON object (recipe card) that contains the metrics (counts) and dimensions (station ID). It sends this object to CloudWatch Logs in a single log event. CloudWatch automatically parses the JSON, extracts the metrics, and sends them to CloudWatch Metrics. The chef (developer) can now create alarms and dashboards directly from these metrics, without any log filters or additional processing. The key is that EMF requires the application to format the data in a specific JSON schema—just like the recipe card must have the right boxes filled in. If the cook writes 'fifteen' instead of '15', the system fails. EMF is efficient because it batches metric data into a single structured payload, reducing log volume and eliminating the need for metric filters.
What is CloudWatch Embedded Metric Format (EMF)?
CloudWatch Embedded Metric Format (EMF) is a JSON specification that enables you to embed custom metrics inside log events sent to CloudWatch Logs. Instead of making separate PutMetricData API calls to publish custom metrics, your application writes structured JSON log messages that CloudWatch automatically parses to extract metrics. This approach reduces the number of API calls, lowers latency, and simplifies your code—you only need to write logs, and metrics are derived from them.
Why EMF Exists
Before EMF, developers had two choices for custom metrics:
- Option A: Use the PutMetricData API directly. This requires explicit API calls, adds latency, and incurs costs per metric data point.
- Option B: Log metric values as plain text and then create metric filters to extract them. Metric filters are processed asynchronously, incur additional costs, and have a limit of 100 metric filters per log group.
EMF eliminates these trade-offs. By embedding metrics in a structured log event, you get the simplicity of logging (no extra API calls) and the real-time availability of metrics (no filter delay). The metrics are extracted at ingestion time, so they appear in CloudWatch Metrics within seconds.
How EMF Works Internally
When your application sends a log event that conforms to the EMF schema, the CloudWatch Logs ingestion pipeline detects the special JSON structure and performs the following steps:
Schema Detection: The pipeline looks for a "_aws" key at the root of the JSON object. If present, it knows this is an EMF payload.
Metric Extraction: The pipeline reads the "CloudWatchMetrics" array inside "_aws". This array defines the metric definitions, including namespace, metric name, unit, and dimensions.
Dimension Resolution: For each metric definition, the pipeline extracts the dimension values from the root-level keys specified in the "Dimensions" array. If a dimension key is missing, the metric is still published but without that dimension.
Metric Value Collection: The metric value is taken from the root-level key that matches the metric name. If the metric name is "ProcessingTime", the pipeline looks for "ProcessingTime" at the root.
Timestamp Handling: If the root contains a "Timestamp" key (in Unix epoch milliseconds), that timestamp is used for the metric. Otherwise, the log event's timestamp is used.
Publishing: The extracted metrics are sent to CloudWatch Metrics as individual data points. The original log event remains in CloudWatch Logs for search and analysis.
Key Components and Values
An EMF payload is a JSON object with the following required and optional keys:
- `_aws` (required): An object containing metadata.
- `Timestamp` (optional): Integer in Unix epoch milliseconds. Defaults to log event timestamp.
- `CloudWatchMetrics` (required): Array of metric definition objects. Each object has:
- `Namespace` (required): String, the CloudWatch Metrics namespace. Must be non-empty and <= 255 characters.
- `Dimensions` (required): Array of arrays of strings. Each inner array is a dimension set. For example, [["Service", "Region"], ["Service"]]. The first set defines two dimensions, the second defines one. Maximum 9 dimension sets, each with up to 10 dimensions.
- `Metrics` (required): Array of metric objects. Each object has:
- `Name` (required): String, the metric name. Must match a root-level key.
- `Unit` (optional): String, the unit of the metric. Default is "None". Valid values include "Seconds", "Count", "Bytes", "Percent", etc.
- `StorageResolution` (optional): Integer, either 1 (high resolution) or 60 (standard). Default is 60.
Root-level metric keys (required): For each metric defined in CloudWatchMetrics, there must be a corresponding key at the root with a numeric value.
Root-level dimension keys (required if referenced): For each dimension listed in Dimensions, there must be a corresponding key at the root with a string value.
`Timestamp` (optional at root): If provided, overrides the _aws.Timestamp and log timestamp.
Example EMF Payload
{
"_aws": {
"Timestamp": 1625443200000,
"CloudWatchMetrics": [
{
"Namespace": "MyApp",
"Dimensions": [["Service", "Region"], ["Service"]],
"Metrics": [
{ "Name": "ProcessingTime", "Unit": "Milliseconds", "StorageResolution": 1 },
{ "Name": "ErrorCount", "Unit": "Count" }
]
}
]
},
"Service": "OrderService",
"Region": "us-east-1",
"ProcessingTime": 150.5,
"ErrorCount": 0
}This payload publishes two metrics (ProcessingTime and ErrorCount) in the MyApp namespace. The first dimension set is Service and Region; the second is only Service. So you get data points for:
- Service=OrderService, Region=us-east-1
- Service=OrderService (aggregated over all regions)
Configuration and Verification
EMF is enabled by default for all log groups. There is no explicit toggle. To verify that EMF metrics are being published:
Check CloudWatch Metrics: Navigate to the MyApp namespace (or your custom namespace) in the CloudWatch console. You should see the metrics appear within seconds of the log event being ingested.
Check Logs: The log event itself is stored in CloudWatch Logs. You can search for { $.Service = "OrderService" } using CloudWatch Logs Insights.
AWS CLI: Use aws logs describe-log-groups to list log groups. Use aws cloudwatch list-metrics --namespace MyApp to see published metrics.
Interaction with Related Technologies
CloudWatch Logs: EMF payloads are sent to CloudWatch Logs via any supported method (SDK, CloudWatch agent, Lambda, etc.). The log event must be a single line of valid JSON. Multi-line payloads are not supported.
CloudWatch Metrics: The extracted metrics are stored in CloudWatch Metrics with the specified namespace, dimensions, and unit. You can create alarms and dashboards on these metrics.
CloudWatch Logs Insights: You can query the raw EMF log events using CloudWatch Logs Insights. For example, to find all EMF events for a specific service: fields @timestamp, @message | filter @message like "OrderService".
AWS Lambda: Lambda supports EMF natively. You can use the AWS Lambda Powertools for Python or Node.js to easily generate EMF metrics. The Powertools library automatically handles the JSON construction and sends the log event to CloudWatch Logs.
X-Ray: EMF does not directly integrate with X-Ray, but you can include trace IDs in the log event for correlation.
Limitations and Quotas
Maximum payload size: 256 KB (the same as a CloudWatch Logs log event).
Maximum metrics per payload: 100.
Maximum dimensions per metric: 10 (across all dimension sets).
Maximum dimension sets: 9.
Metric value range: -2^63 to 2^63-1.
Metric name length: 1-255 characters (must match regex [a-zA-Z0-9_\-\.#]*).
Namespace length: 1-255 characters.
Unit: Must be one of the predefined unit strings (e.g., "Seconds", "Bytes", "Count").
Performance Considerations
EMF is designed for high throughput. Since metrics are extracted at ingestion time, there is no additional latency for metric processing. However, the log event must be a single line of JSON. If your application generates large JSON objects, ensure they stay under 256 KB. Also, be mindful of CloudWatch Metrics quotas: you can have up to 10,000 metrics per account per region. Each unique combination of namespace, metric name, and dimension values counts as a separate metric.
Define Metric Schema in Code
In your application code, you define the metrics you want to emit. For example, using the AWS Lambda Powertools for Python, you create a `MetricUnit` object with a name, unit, and optional storage resolution. Under the hood, this step prepares the JSON structure that will be logged. You must decide the namespace, dimensions, and metric names. For EMF, dimensions are specified as a list of lists—each inner list defines a set of dimensions that will be combined. This step is critical because the schema cannot be changed after the log event is sent; if you omit a dimension, you cannot add it later without re-emitting the metric.
Construct EMF JSON Payload
The application constructs a JSON object conforming to the EMF schema. The root must contain the `_aws` key with the `CloudWatchMetrics` array. Each metric definition includes the namespace, dimensions, and metric metadata. The root also contains the actual metric values and dimension values as separate keys. For example, if you have a metric named `"Latency"` and a dimension `"Service"`, the root will have `"Latency": 123.4` and `"Service": "AuthService"`. The timestamp can be included in `_aws` or at the root. The payload must be a single line of JSON (no newlines) because CloudWatch Logs treats each line as a separate log event.
Send Payload to CloudWatch Logs
The application sends the JSON string as a log event to CloudWatch Logs. This can be done using the AWS SDK (e.g., `PutLogEvents`), the CloudWatch agent, or automatically via Lambda's logging system. For Lambda, any `console.log` or `print` statement that outputs the EMF JSON will be captured. The log event must be sent to a log group and log stream. The log group does not need any special configuration—EMF is processed automatically. The log event's timestamp (or the embedded timestamp) determines when the metric data point is recorded.
CloudWatch Ingestion Parses EMF
When CloudWatch Logs receives the log event, the ingestion pipeline checks for the `_aws` key. If present, it parses the `CloudWatchMetrics` array to extract metric definitions. For each metric, it reads the dimension values from the root-level keys and the metric value from the root-level key matching the metric name. It then creates a metric data point in CloudWatch Metrics. This extraction happens synchronously during ingestion, so the metric becomes available almost immediately (within seconds). The original log event is still stored in CloudWatch Logs for searching.
View Metrics and Create Alarms
Once the metric data points are published to CloudWatch Metrics, you can view them in the CloudWatch console under the specified namespace. You can create dashboards and alarms based on these metrics. For example, you can set an alarm on `ProcessingTime` to trigger when the average exceeds 500 ms over 5 minutes. Because the metrics are stored in CloudWatch Metrics, you can also use them with CloudWatch Synthetics, ServiceLens, and other AWS monitoring services. The metrics remain available for 15 months (depending on the period).
Enterprise Scenario 1: E-commerce Order Processing Pipeline
A large e-commerce company processes millions of orders daily using a microservices architecture. Each service (Order Service, Payment Service, Inventory Service) needs to emit metrics like processing time, error count, and throughput. Previously, each service made separate PutMetricData calls, resulting in thousands of API calls per second, high costs, and added latency. The team adopted EMF by integrating the AWS Lambda Powertools library into their Lambda functions. Now, each function logs a single EMF payload per invocation. For example, the Order Service logs:
{
"_aws": {
"CloudWatchMetrics": [
{
"Namespace": "ECommerce",
"Dimensions": [["Service", "Stage"]],
"Metrics": [
{ "Name": "ProcessingTime", "Unit": "Milliseconds" },
{ "Name": "OrderCount", "Unit": "Count" }
]
}
]
},
"Service": "OrderService",
"Stage": "prod",
"ProcessingTime": 234,
"OrderCount": 1
}This reduced API costs by 90% and eliminated the need for metric filters. The team now has real-time dashboards showing order processing times across services. The main challenge was ensuring all services used the same namespace and dimension naming conventions to avoid metric fragmentation.
Enterprise Scenario 2: IoT Sensor Data Aggregation
A smart building company collects temperature, humidity, and occupancy data from thousands of sensors. Each sensor sends data every minute. Using traditional PutMetricData would exceed API rate limits and incur high costs. The company uses an AWS IoT Core rule to forward sensor data to a Lambda function, which aggregates readings over 5-minute windows and logs an EMF payload. For example:
{
"_aws": {
"CloudWatchMetrics": [
{
"Namespace": "SmartBuilding",
"Dimensions": [["Building", "Floor", "SensorType"]],
"Metrics": [
{ "Name": "Temperature", "Unit": "Celsius" },
{ "Name": "Humidity", "Unit": "Percent" }
]
}
]
},
"Building": "TowerA",
"Floor": "5",
"SensorType": "temperature",
"Temperature": 22.5,
"Humidity": 45
}This approach allows them to publish hundreds of metrics per log event, staying well within CloudWatch Logs limits. However, they had to be careful about the 256 KB payload limit—aggregating too many sensors in one payload could exceed it. They also learned that if a dimension value is missing, the metric is still published but without that dimension, which can cause unexpected aggregation in dashboards.
Performance Considerations
In production, EMF payloads should be constructed efficiently. Avoid including unnecessary keys or large string dimensions. Use short dimension names and values to reduce payload size. For high-throughput systems, consider batching metrics into a single payload (up to 100 metrics) to minimize log events. Monitor CloudWatch Logs ingestion rate limits (5,000 requests per second per account per region by default) to avoid throttling.
What DVA-C02 Tests on EMF
The DVA-C02 exam covers EMF primarily in the context of monitoring and observability (Objective 4.2). You should expect questions that ask:
How to emit custom metrics with minimal cost and latency.
The difference between EMF and traditional metrics (PutMetricData vs. embedded metrics).
The exact JSON schema required for EMF.
How to use EMF with AWS Lambda and the Powertools library.
How to troubleshoot when metrics do not appear (common issues).
Common Wrong Answers and Why Candidates Choose Them
1. "You need to create a metric filter to extract metrics from EMF log events."
This is false. EMF metrics are extracted automatically at ingestion time. Metric filters are for extracting metrics from unstructured logs. Candidates confuse EMF with metric filters because both can produce metrics from logs. Remember: EMF uses a special _aws key; metric filters use patterns.
2. "EMF requires the CloudWatch agent to be installed." False. EMF works with any method of sending logs to CloudWatch Logs, including the AWS SDK, Lambda, and the CloudWatch agent. The agent is not required. Candidates may associate custom metrics with the agent because the agent can collect system metrics.
3. "EMF metrics are only available in CloudWatch Logs Insights, not in CloudWatch Metrics." False. EMF metrics are published to CloudWatch Metrics and can be used for alarms and dashboards. The log event also remains in CloudWatch Logs. Candidates may think metrics stay only in logs because the data originates there.
4. "You can emit up to 150 metrics per EMF payload." False. The limit is 100 metrics per payload. Some candidates confuse this with the 100 metric filter limit per log group.
Specific Numbers and Terms on the Exam
Maximum metrics per payload: 100
Maximum dimensions per metric: 10
Maximum dimension sets: 9
Payload size limit: 256 KB
EMF key: _aws
Required array: CloudWatchMetrics
Default storage resolution: 60 (standard) or 1 (high)
Default unit: "None"
Namespace length limit: 255 characters
Edge Cases and Exceptions
Missing dimension values: If a dimension key is missing from the root, the metric is still published but without that dimension. This can cause the metric to appear in an aggregated form that may be unexpected.
Invalid metric values (non-numeric): If the root value for a metric is not a number (e.g., a string), the metric is silently dropped—no error is logged. This is a common debugging challenge.
Timestamp in the future: If the embedded timestamp is more than 2 hours in the future, the metric is rejected.
Timestamp too old: Metrics with timestamps older than 14 days are rejected.
How to Eliminate Wrong Answers
For any question about EMF, ask yourself: "Does this involve the _aws key in a JSON log event?" If yes, it's EMF. If the question mentions "metric filter" or "filter pattern," it is NOT EMF. Also, remember that EMF reduces API calls and cost—so if a question asks for the most cost-effective way to emit custom metrics from Lambda, EMF is likely the answer. If the question mentions "real-time" or "sub-minute" metrics, EMF supports high-resolution metrics (1-second resolution) via StorageResolution: 1.
EMF allows embedding up to 100 custom metrics in a single structured JSON log event.
The EMF payload must include a `_aws` key with a `CloudWatchMetrics` array.
Metrics are automatically extracted at ingestion time—no metric filters needed.
EMF reduces cost and latency compared to separate PutMetricData API calls.
Maximum payload size is 256 KB; metric values must be numeric.
Dimensions are specified as arrays of arrays; up to 9 dimension sets with 10 dimensions each.
Use StorageResolution: 1 for high-resolution metrics (1-second granularity).
Common exam trap: confusing EMF with metric filters—EMF uses structured JSON, not filter patterns.
These come up on the exam all the time. Here's how to tell them apart.
CloudWatch Embedded Metric Format (EMF)
Metrics extracted automatically at ingestion time—no filter pattern needed.
Structured JSON payload with `_aws` key required.
Up to 100 metrics per log event.
Supports high-resolution metrics (1-second) via StorageResolution.
No additional cost for metric extraction (only standard log ingestion cost).
CloudWatch Metric Filters
Requires creation of a metric filter with a pattern to extract numeric values.
Works with any log format (structured or unstructured).
One metric per filter pattern (can create up to 100 filters per log group).
Standard resolution only (60 seconds).
Incur additional cost per metric filter and per metric data point.
Mistake
EMF requires the CloudWatch agent to be installed on EC2 instances.
Correct
EMF works with any log delivery method—SDK, Lambda, or CloudWatch agent. The agent is not required. EMF is processed by the CloudWatch Logs ingestion pipeline, which detects the `_aws` key in any log event.
Mistake
EMF metrics are only visible in CloudWatch Logs, not in CloudWatch Metrics.
Correct
EMF metrics are automatically extracted and published to CloudWatch Metrics. They appear in the specified namespace and can be used for alarms and dashboards. The log event remains in CloudWatch Logs for search.
Mistake
You must create a metric filter to extract metrics from EMF log events.
Correct
EMF metrics are extracted automatically at ingestion time without any metric filter. Metric filters are used for unstructured logs. EMF uses a structured JSON schema with the `_aws` key.
Mistake
EMF can only be used with AWS Lambda.
Correct
EMF can be used with any application that sends logs to CloudWatch Logs, including EC2, on-premises servers, and containerized applications. Lambda is a common use case but not the only one.
Mistake
EMF supports multi-line JSON payloads.
Correct
EMF requires the payload to be a single line of JSON. Multi-line JSON is not parsed correctly because CloudWatch Logs treats each line as a separate log event.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The EMF JSON structure requires a root-level `_aws` object containing a `CloudWatchMetrics` array. Each element in the array defines a metric set with `Namespace`, `Dimensions`, and `Metrics` arrays. The root also contains keys for each metric name (numeric value) and each dimension name (string value). An optional `Timestamp` key can be at root or inside `_aws`. Example: `{"_aws":{"CloudWatchMetrics":[{"Namespace":"MyApp","Dimensions":[["Service"]],"Metrics":[{"Name":"Latency","Unit":"Milliseconds"}]}]},"Service":"Auth","Latency":123}`.
You can emit EMF metrics from Lambda by logging a JSON string that conforms to the EMF schema. The easiest way is to use the AWS Lambda Powertools library for Python or Node.js, which provides helper functions to create and log the EMF payload. For example, in Python: `from aws_lambda_powertools import Metrics; metrics = Metrics(); metrics.add_metric(name="ProcessingTime", unit="Milliseconds", value=150); metrics.flush()`. This logs the EMF payload automatically.
Yes. In the metric definition, set `"StorageResolution": 1`. This publishes the metric with high resolution, meaning data points can be as granular as 1 second. The default is 60 (standard resolution). Note that high-resolution metrics incur higher costs.
CloudWatch Logs rejects log events larger than 256 KB. The log event will not be ingested, and no metrics will be extracted. You must ensure your EMF payload stays under this limit. You can reduce size by using shorter dimension names or emitting fewer metrics per payload.
No, EMF is automatically enabled for all log groups. There is no toggle. As long as your log event contains a valid `_aws` key, the metrics will be extracted. However, the log group must exist and be in the same region as your application.
First, verify that the log event is actually sent to CloudWatch Logs by checking the log group. Then, check that the JSON is valid and contains the `_aws` key. Ensure metric values are numeric (not strings). Also, confirm that the metric name matches a root-level key. If the timestamp is too old (more than 14 days) or too far in the future (more than 2 hours), the metric is rejected. Finally, check CloudWatch Metrics quotas—you may have exceeded the limit of 10,000 metrics per account.
Yes. In the `Dimensions` array, you can specify multiple dimension sets. For example, `[["Service", "Region"], ["Service"]]` creates two dimension combinations: one with both Service and Region, and one with only Service. Each dimension set must have corresponding root-level keys. Up to 9 dimension sets are allowed.
You've just covered CloudWatch Embedded Metric Format (EMF) — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?