
I am trying to configure a Cloudwatch Event Rule (to trigger an SNS notification) for whenever someone assumes a particular role:

{
  "detail": {
    "eventName": [
      "AssumeRole"
    ],
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "requestParameters": {
      "roleArn": [
        "arn:aws:iam::0000:role/the_role_name"
      ]
    }
  },
  "detail-type": [
    "AWS API Call via CloudTrail"
  ]
}

Where 0000 is the account id and the_role_name is the role I want to alert on.

This is failing to trigger any notification; however, when I search in Cloudtrail Insights for the events:

filter eventName = 'AssumeRole'
| filter requestParameters.roleArn =~ 'the_role_name'
| sort @timestamp desc
| display @timestamp, requestParameters.roleSessionName, eventName, requestParameters.roleArn, userAgent, sourceIPAddress

I DO get results that SHOULD have triggered the rule:

requestParameters.roleSessionName eventName   requestParameters.roleArn
my_username                       AssumeRole  arn:aws:iam::0000:role/the_role_name
...

For the sake of trying to dumb things down and catch a broader set of events, I also tried the following Rule (which would catch all AssumeRole events to any role):

{
  "detail": {
    "eventName": [
      "AssumeRole"
    ]
  },
  "detail-type": [
    "AWS API Call via CloudTrail"
  ]
}

This rule is also failing to trigger.

Does anyone have ideas on how to configure Cloudwatch Event Rules to trigger on AssumeRole events?

I read through this related question (which is trying to achieve something similar), but it did not have a solution: AWS CloudWatch Events trigger SNS on STS role assuming for cross account

kortina
  • Have you configured a trail that sends events to CloudWatch Logs? – Vikyol Feb 05 '20 at 20:18
  • Yes, and when I query the logs in Cloudwatch I DO see a bunch of `AssumeRole` events: screenshot: https://s3.amazonaws.com/4rk/screen-shot-2020-02-05-13.41.27-j7rs0u2c.png – kortina Feb 05 '20 at 21:41
  • Hi, I'm wondering if you could find a solution for this issue, as I'm facing the same issue. – Matrix Oct 27 '20 at 12:35

2 Answers


First of all, make sure whether the event is invoked or not by checking the monitoring metrics for the rule. It is possible that it is triggered, but it fails to invoke the target. In this case, you should check your IAM policies.

If it is not triggered, there could be issues with trail delivery to Cloudwatch Logs. Make sure that you created a trail in the same region, which delivers events to Cloudwatch Logs.

I have the following rule in the us-east-1 region, which works fine:

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "eventName": [
      "AssumeRole"
    ]
  },
  "source": [
    "aws.sts"
  ]
}
Vikyol
  • When I view the Trail under CloudTrail, I see `Home Region` = `US East (N. Virginia)` (which is `us-east-1`). When I view the Log Group under CloudWatch, I see under `Log Streams` `000_CloudTrail_us-east-1`, which is also `us-east-1`. The S3 bucket which contains the logs is also in `us-east-1`. When I view the Rule under CloudWatch, it is also under `us-east-1`. Is there anything else you are suggesting I check the region of? – kortina Feb 06 '20 at 18:59
  • Also, I DO see AssumeRole events that SHOULD trigger the Rule both in CloudTrail Events History and in CloudWatch Logs Insights, when I query each.... I do NOT, however, see any Metrics about the Rule triggering (so the problem is NOT a successful trigger / failed invocation) – kortina Feb 06 '20 at 19:18
  • Sounds like you set everything correctly. I'd try creating another trail and see if it helps. I know that AssumeRoleWith* events are not supported by CWE but AssumeRole should work. – Vikyol Feb 07 '20 at 00:23

According to an AWS Support agent I was speaking with yesterday, and as also indicated by the linked documents, EventBridge Rules (formerly CloudWatch Event Rules) unfortunately do not support STS events.

What's perplexing about this, and might lead you down a wrong path as it did me, is that the sts test-event-pattern API will in fact validate your event against a valid pattern and give no indication that it's an unsupported service.

Hopefully AWS adds STS event support in the future.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html

Andrew Lockhart
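Both answers turn on the same point: the pattern in the question is a valid match for the records the question shows, so the silence comes from delivery, not from the pattern. The following added example (my code, not from the question, the answers, or AWS) makes that concrete in Python: a small re-implementation of the EventBridge matching rules the page relies on (every pattern key must be present in the event, a list of literals is an OR, nested objects recurse; content filters such as `prefix` are not implemented), run against a constructed CloudTrail record wrapped in the EventBridge envelope. It also translates the `detail` part of the pattern into a CloudWatch Logs JSON metric-filter expression, which is my assumption about where a practitioner would match the same condition instead: the CloudTrail log group that the first answer says must exist, where the raw CloudTrail records carry no envelope, so only `detail` is translated. The account id `0000`, the role name and the session name are the placeholders the question already uses; the IP address and event id are made up.

```python
"""Added example, not from the original question or answers: EventBridge-style
pattern matching over a constructed CloudTrail record, plus translation of the
pattern's `detail` part into a CloudWatch Logs metric-filter expression."""
from typing import Any

# The pattern from the question, verbatim (0000 and the_role_name are the
# question's own placeholders).
QUESTION_PATTERN = {
    "detail": {
        "eventName": ["AssumeRole"],
        "eventSource": ["sts.amazonaws.com"],
        "requestParameters": {"roleArn": ["arn:aws:iam::0000:role/the_role_name"]},
    },
    "detail-type": ["AWS API Call via CloudTrail"],
}

# The broader pattern from the question (any AssumeRole call, any role).
BROAD_PATTERN = {
    "detail": {"eventName": ["AssumeRole"]},
    "detail-type": ["AWS API Call via CloudTrail"],
}

# Constructed record: an EventBridge envelope around a CloudTrail AssumeRole
# event. Envelope values and the IP address are made up for this example.
CONSTRUCTED_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.sts",
    "account": "0000",
    "region": "us-east-1",
    "detail": {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "requestParameters": {
            "roleArn": "arn:aws:iam::0000:role/the_role_name",
            "roleSessionName": "my_username",
        },
        "sourceIPAddress": "198.51.100.10",
    },
}


def matches(pattern: Any, event: Any) -> bool:
    """Apply the EventBridge rules used on this page: every key in the
    pattern must exist in the event, a list of literals matches when ANY
    literal equals the event value (or any element of an event list), and a
    nested object recurses. Content filters ({"prefix": ...} etc.) are out of
    scope for this example."""
    if isinstance(pattern, dict):
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key])
                   for key, sub in pattern.items())
    if isinstance(pattern, list):
        candidates = event if isinstance(event, list) else [event]
        return any(literal == value for literal in pattern for value in candidates)
    raise TypeError("pattern leaves must be lists of literals")


def _clauses(detail_pattern: dict, prefix: str) -> str:
    """Build the AND-of-ORs body of a JSON metric filter from a pattern
    fragment; `prefix` is the JSON selector reached so far (e.g. "$.detail")."""
    parts = []
    for key, sub in detail_pattern.items():
        selector = f"{prefix}.{key}"
        if isinstance(sub, dict):
            parts.append(_clauses(sub, selector))
        else:
            alternatives = [f'({selector} = "{value}")' for value in sub]
            parts.append(alternatives[0] if len(alternatives) == 1
                         else "(" + " || ".join(alternatives) + ")")
    return " && ".join(parts)


def to_metric_filter_pattern(detail_pattern: dict) -> str:
    """Translate the `detail` part of an EventBridge pattern into a CloudWatch
    Logs JSON metric-filter expression (assumption: raw CloudTrail records in
    the log group have no EventBridge envelope, so `detail` is the record)."""
    return "{ " + _clauses(detail_pattern, "$") + " }"


if __name__ == "__main__":
    print("question pattern matches:", matches(QUESTION_PATTERN, CONSTRUCTED_EVENT))
    print("broad pattern matches:   ", matches(BROAD_PATTERN, CONSTRUCTED_EVENT))
    # Against the raw CloudTrail record (no envelope) the full pattern cannot
    # match, because the top-level "detail" key is absent.
    print("raw record matches:      ", matches(QUESTION_PATTERN, CONSTRUCTED_EVENT["detail"]))
    print(to_metric_filter_pattern(QUESTION_PATTERN["detail"]))
```

Running it shows the question's pattern and the broad pattern both matching the constructed record, the same pattern failing against the bare CloudTrail record (no `detail` key), and the metric-filter string `{ ($.eventName = "AssumeRole") && ($.eventSource = "sts.amazonaws.com") && ($.requestParameters.roleArn = "arn:aws:iam::0000:role/the_role_name") }`. The order of keys in the output follows the order in the pattern dictionary.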