How to create a cloudwatch rule for new security group creation?

Question

I would like to create a cloudwatch rule that monitors and alerts on the creation of new security groups. I thought that the CreateSecurityGroup event is what I was looking for but no metrics are being created when I create a new security group. Below is the json for this cloudwatch rule:

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "CreateSecurityGroup"
    ]
  }
}

What do I need to change in order to get this working?

Side-comment: Metrics from Amazon CloudTrail can take 10+ minutes to arrive. — John Rotenstein, Aug 07 '17 at 22:35
Its been a day since I created the rule. I have made several security groups to test this out and have not received any metrics yet. — Alex Cohen, Aug 08 '17 at 17:50

score 2 · Accepted Answer · answered Aug 09 '17 at 00:44

It works for me!

Here's what I did:

Already existing: CloudTrail trail running in the Region
Went to Amazon CloudWatch Events in the management console
Created a new rule:
- Service: EC2
- Event Type: API call via CloudTrail
- Specific Operation: CreateSecurityGroup
- Target: Existing SQS queue with appropriate permissions
Created a new Security Group in the EC2 management console
Went to SQS, found a message in the queue that was sent about a minute after the Security Group was created

Here's an extract:

"eventName":"CreateSecurityGroup","awsRegion":"ap-southeast-2","sourceIPAddress":"54.222.111.1","userAgent":"signin.amazonaws.com","requestParameters":{"groupName":"stackSG3","groupDescription":"trail notify","vpcId":"vpc-12347014"}

It took about 10 minutes for the event to appear in the CloudTrail console, but the event was CloudWatch Events rule activated within a couple of minutes.

The event pattern in the rule shows as:

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "CreateSecurityGroup"
    ]
  }
}

hmm ok ill give it a try ive had mixed results with `"source": ["aws.ec2"],` I have a similar cloudwatch rule for new instance creation which only works without that. — Alex Cohen, Aug 09 '17 at 16:44
Nope that didn't work. The only difference is that I have it connected to an SNS instead of SQS. Is there something I need to enable in cloudtrail to begin monitoring for this event? — Alex Cohen, Aug 09 '17 at 17:49
Ok so it only works when a security group is created through the aws cli and does not respond when it is created through the console. — Alex Cohen, Aug 09 '17 at 19:07

How to create a cloudwatch rule for new security group creation?

1 Answers1