There is an option when creating a CloudTrail trail to enable CloudWatch Logs. The description states "You can enable Sns notifications in CloudWatch Logs for specific API actions. Standard CloudWatch and CloudWatch Logs charges apply." This description makes it seem like you would enable CloudWatch Logs to use Sns specifically.
If CloudTrail can interface with Sns on its own just fine, what would be the purpose of going through CloudWatch Logs to get there? Is it just organizational?
It is referring to the fact the you can filter specific API calls in CloudTrail trails by creating metric filters on the log entries.
CloudTrail has integration with SNS by default, but it will create a notification for every event in the trail. You need CloudWatch if you want something specific.
Related
I'm pretty new to AWS but I did some research about my issue and I couldn't find an answer anywhere so hopefully someone can help me with this.
I would like to be notified on Slack whenever someone logs in with a Root account on any of my AWS accounts. I have set up Cloudtrail at the Organisation level to monitor cloudtrail logs on all my AWS account. I have set up a Cloudwatch alarm to trigger whenever a root account is used, the alarm is then sent to a SNS topic that sends it to a Lambda that triggers a message to Slack.
All of this is working fine. However, the message I receive from SNS is basically the following: The alarm (root_login) has been trigerred
Ideally I would want to receive the Cloudwatch event that shows me more information like the IP Address of the user, the AWS account where it occured, etc...
Basically I would like to receive the Cloudwatch event log to the lambda instead of the Cloudwatch alarm trigger. Is that something that is possible?
Thanks
Yes that is possible. Here are some instructions from the AWS site on the aws-sns-to-slack-publisher. The page contains the steps you need to take to deploy .
Here is an example of publishing a health event to slack.
You will ofcourse need to modify the code to meet your requirements.
I have to monitor CloudWatch logs for particular lambda. When the specific error message such as HTTP-50X is logged to CloudWatch, then we need to send an email notification to alert that the something is wrong.
We need help to create alert email in AWS to monitor manually the logs to see if there is any such error logged.
This is exactly what metric filter is for. Create a metric filter that monitors your log group for specific pattern. Then create a CloudWatch alarm based on a new metric and configure it with an SNS action. Then simply subscribe your email to that SNS topic.
All of this can be easily done via CloudFormation(Metric filter, Alarm, SNS). You can also use CDK.
You can process/monitor logs in real-time using lambda functions. Checkout Using AWS Lambda with Amazon CloudWatch Logs and Real-time Processing of Log Data with Subscriptions for details.
Is there a way to find out if there is a change made to any of the IAM resources(policies, users, roles) and trigger an SNS topic other than AWS Config recording. AWS config recording is already configured to send SNS alarm to security team, and i want to have another recording just for IAM resources. please let me know.
Amazon CloudWatch Events can send notifications when particular API calls are made, and it can send Amazon SNS messages.
See: Creating a CloudWatch Events Rule That Triggers on an Event - Amazon CloudWatch Events
In AWS, I am trying to detect Critical alerts in Guardduty and configure cloudwatch which will trigger mails when there is a critical alert in guardduty.
I found a link http://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html which uses Lambda to create fuctions which will do that but I was looking for more simpler ways without AWS lamda.
Is there is a way to directly configure a cloudwatch alarm which will keep an eye on Guardduty and can use SNS notifications to send mails to desired team.
I implemented the CloudWatch event as described in the link you posted. I get alerts via SNS. No Lambda required (although you COULD trigger a Lambda function instead of SNS if you wanted).
I've setup some aws cloudwatch agents to send logs to a cloudwatch log group and what I want to do now is get those into an elasticsearch cluster (on ec2). Ideally, what I want to do is write a lambda function that parses it and then sends it to elasticsearch, but also have the lambda function be triggered anytime a message is written to the log group. Is it possible to trigger lambda from a cloudwatch log group?
Subscribing AWS Lambda functions to CloudWatch Logs is documented here. Also, streaming CloudWatch Logs to the AWS ElasticSearch service is documented here.
Here you can find the documentation about adding a subscription to CloudWatch logs for Lambda.
For streaming to AWS ElasticSearch see this (as mentioned before).