You're correct that there is a delay for CloudTrail events; some API calls are now integrated directly to hook into CloudWatch Events whenever that action occurs, to get around this.
I believe you can use AWS Config rules to validate in near-real time; there are rules such as ec2-security-group-attached-to-eni to monitor when a new security group is appended and restricted-common-ports to check if ports are open to the world.
If that solution does not work, you would need to develop your own solution to scan your resources, unfortunately. Hopefully AWS will add more hooks over time for native integration vs CloudTrail integration.
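As an added example (not part of the answer above, and not AWS code), here is the "develop your own solution" fallback for the restricted-common-ports check: a self-contained scan that reads security groups in the shape returned by the EC2 DescribeSecurityGroups API and reports blocked ports reachable from 0.0.0.0/0 or ::/0, including the "all traffic" (`-1`) case and port ranges. The port set mirrors the managed rule's blockedPortN parameters but is an assumption; the sample groups are constructed, so it runs offline (in practice you would feed it `ec2.describe_security_groups()["SecurityGroups"]`).

```python
import ipaddress

# Ports commonly passed to the managed rule as blockedPort1..5; this set is an assumption.
COMMON_PORTS = {22, 3389, 3306, 5432, 1433}

def _rule_covers_port(rule, port):
    """True if one inbound permission entry includes `port` (handles ranges and all-traffic)."""
    if rule.get("IpProtocol") == "-1":          # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _world_reachable(rule):
    """Return the CIDRs in this entry that are open to the whole internet (prefix length 0)."""
    ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in ranges if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def find_world_open_ports(security_groups, blocked_ports=COMMON_PORTS):
    """Sorted (group_id, port, cidr) findings: blocked ports exposed to 0.0.0.0/0 or ::/0."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = _world_reachable(rule)
            if not cidrs:
                continue
            for port in blocked_ports:
                if _rule_covers_port(rule, port):
                    for cidr in cidrs:
                        findings.add((sg["GroupId"], port, cidr))
    return sorted(findings)

# Constructed sample in DescribeSecurityGroups shape; not data from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, port, cidr in find_world_open_ports(SAMPLE_GROUPS):
        print(f"NON_COMPLIANT {group_id}: port {port} open to {cidr}")
```

On the sample, port 443 on sg-0aaa is not reported (not in the blocked set) and the internal-only 3306 rule on sg-0bbb is ignored, while its all-traffic ::/0 entry flags every blocked port.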