
I set up an SNS notification to send me an email whenever there is a change regarding the IAM policies. When a change occurs, CloudTrail sends a log to CloudWatch, which triggers an alarm attached to an SNS topic. More details in this link.

Here is an example of what I get by mail:

Alarm Details:
- Name:                       PolicyAlarm
- Description:                This alarm is to monitor IAM Changes
- State Change:               INSUFFICIENT_DATA -> ALARM
- Reason for State Change:    Threshold Crossed: 1 datapoint [1.0 (31/08/17 09:15:00)] was greater than or equal to the threshold (1.0).
- Timestamp:                  Thursday 31 August, 2017 09:20:39 UTC
- AWS Account:                00011100000

Threshold:
- The alarm is in the ALARM state when the metric is GreaterThanOrEqualToThreshold 1.0 for 300 seconds.

The only relevant information here is the AWS Account ID. Is there a way to also include the change? Who made it, when and where? Or maybe send a little information from the CloudWatch log, like the "eventName"?

Pouya Samie
Souad
  • Evaluate AWS Config. It would give you the current configuration. Write a logic to determine the change. Regarding who made the change, you need to look at CloudTrail logs. – krishna_mee2004 Aug 31 '17 at 12:19

1 Answer


There are two ways to trigger notifications from AWS CloudTrail:

  1. Configure Amazon CloudWatch Logs to look for specific strings. When found, it increments a metric. Then, create an alarm that triggers when the metric exceeds a particular value over a particular period of time. When the notification is sent, only information about the alarm is sent. OR...

  2. Create a rule in Amazon CloudWatch Events to look for the event. Set an Amazon SNS topic as the target. When the notification is sent, full details of the event are passed through.

You should use #2, since it provides full details of the event.

Here's what I did to test:

  • Created an Amazon SQS queue in us-east-1 (where all IAM events take place)
  • Created an Amazon CloudWatch Events rule in us-east-1 with:
    • Service Name: IAM
    • Event Type: AWS API Call via CloudTrail
    • Specific Operations: PutUserPolicy
  • Edited an IAM policy

Within a short time, the event appeared in SQS:

Here are the relevant bits of the event that came through:

{
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.iam",
  "region": "us-east-1",
  "detail": {
    "eventSource": "iam.amazonaws.com",
    "eventName": "PutUserPolicy",
    "awsRegion": "us-east-1",
    "requestParameters": {
      "policyDocument": "{\n    \"Version\": \"2012-10-17\",\n  ...  }",
      "policyName": "my-policy",
      "userName": "my-user"
    },
    "eventType": "AwsApiCall"
  }
}

I sent the message to SQS, but you could also send it to SNS to then forward via email.

John Rotenstein
  • I'm trying that, and I see that IAM is not available in the list of **Service Name**. Could you please tell me which to select? Thank you – Souad Sep 01 '17 at 14:56
  • Are you doing it in `us-east-1` (N.Virginia)? – John Rotenstein Sep 01 '17 at 23:23
  • No. In eu-west-1 (Ireland) – Souad Sep 04 '17 at 06:55
  • Also, I tried doing what you did, but I don't get more information in the email. The Event rule is not targeting the SNS – Souad Sep 04 '17 at 06:58
  • You must use us-east-1 to configure IAM in CloudWatch Events. You must configure the Event Rule (eg in the console) to configure a target. Oh, you also have to **adjust the permissions on the SQS queue to allow messages to be received**. I just allowed all actions from anywhere, but for real usage you should lock it down further. – John Rotenstein Sep 04 '17 at 07:01
  • That is unfortunate if I can't use the Ireland region ... Thank you, I'll look further. – Souad Sep 05 '17 at 07:50
  • So I should have the CloudWatch rule in N. Virginia – Souad Sep 05 '17 at 08:04
  • The Topic field does not take the ARN of the other region. I paste it and it goes blank – Souad Sep 05 '17 at 08:06
  • Oops. I was mistaken. It *cannot* send to a different region. My apologies. – John Rotenstein Sep 05 '17 at 08:10
  • That's alright. Is it possible to set the service Name to CloudWatch Logs or Events ? Since CloudTrail sends the IAM change to it? – Souad Sep 05 '17 at 08:11
  • @JohnRotenstein Thanks a lot for the us-east-1 for IAM input! Saved my day. – amitchhajer Jul 07 '20 at 18:16
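To make the answer's approach concrete, here is an added example (not code from the question or the answer): a CloudWatch Events rule pattern for IAM policy changes, a minimal matcher showing which events it selects, and a function that pulls the who/what/when/where out of the event for the SNS notification body. The sample event is constructed from the answer's JSON; eventTime, sourceIPAddress, userIdentity and the envelope's "account" are standard CloudTrail / CloudWatch Events fields whose values here are made up.

```python
# Added example, not from the original Q&A. Field values are made up.
# Rule pattern; per the answer, IAM events are only matched in us-east-1.
IAM_POLICY_CHANGE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"],
    },
}

# Sample event built from the answer's JSON; eventTime, sourceIPAddress,
# userIdentity and the envelope "account" are standard CloudTrail fields.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "00011100000",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "eventTime": "2017-08-31T09:15:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::00011100000:user/admin-alice"},
        "requestParameters": {"policyName": "my-policy", "userName": "my-user"},
    },
}

def matches_pattern(event, pattern):
    """EventBridge-style exact matching: every pattern key must be present,
    a list means 'any of these values', nested dicts recurse (no prefix /
    anything-but matchers here)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True

def summarize_iam_change(event):
    """The who/what/when/where the alarm e-mail lacks, ready for an SNS body."""
    d = event["detail"]
    p = d.get("requestParameters") or {}
    return {
        "who": d.get("userIdentity", {}).get("arn", "unknown"),
        "what": d["eventName"],
        "target": p.get("userName") or p.get("roleName") or p.get("groupName", "n/a"),
        "policy": p.get("policyName", "n/a"),
        "when": d.get("eventTime", "unknown"),
        "from": d.get("sourceIPAddress", "unknown"),
    }
```

In a Lambda target you would run summarize_iam_change on the incoming event and publish the result to the SNS topic; the account ID is already in the event envelope's "account" field.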