Is there a way to find out if a change is made to any of the IAM resources (policies, users, roles) and trigger an SNS topic, other than AWS Config recording? AWS Config recording is already configured to send an SNS alarm to the security team, and I want to have another recording just for IAM resources. Please let me know.
Amazon CloudWatch Events can send notifications when particular API calls are made, and it can send Amazon SNS messages.
See: Creating a CloudWatch Events Rule That Triggers on an Event - Amazon CloudWatch Events
I've set up an SNS topic that notifies through an email. It's working when I ask to test it through the AWS console. It sends a test email.
I've set up an EventBridge rule that should trigger when security group related actions are executed. I've set the target for that rule to be the SNS topic I described above. But when I make changes to my security groups (through the AWS console or through API calls), no emails are sent.
Can someone look into my configuration and tell me what else I can look into?
Thanks in advance!
You need to have a trail enabled for EB to detect API events. From the docs:
To record events with a detail-type value of AWS API Call via CloudTrail, a CloudTrail trail with logging enabled is required.
There is an option when creating a CloudTrail trail to enable CloudWatch Logs. The description states "You can enable Sns notifications in CloudWatch Logs for specific API actions. Standard CloudWatch and CloudWatch Logs charges apply." This description makes it seem like you would enable CloudWatch Logs to use Sns specifically.
If CloudTrail can interface with Sns on its own just fine, what would be the purpose of going through CloudWatch Logs to get there? Is it just organizational?
It is referring to the fact that you can filter specific API calls in CloudTrail trails by creating metric filters on the log entries.
CloudTrail has integration with SNS by default, but it will create a notification for every event in the trail. You need CloudWatch if you want something specific.
Suppose multiple AWS services are running (like EC2, S3), and if someone changes the configuration of these services, I want to know immediately and pull the updated configuration. So how can I listen to these services to pull the configuration immediately? I went through a couple of options like AWS SNS and so on, but I don't want to implement this using any AWS services.
I am using a Spring Boot application. Any help is appreciated, thanks in advance.
The two services you should be interested in are:
AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
AWS Config:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
You can also configure Amazon CloudWatch Events rules that trigger when a particular API call is made (e.g. when a user changes some configuration). This could trigger a notification, a Lambda function, etc.
See:
Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail - Amazon CloudWatch Events
How to monitor AWS account activity with Cloudtrail, Cloudwatch Events and Serverless
I am trying to create CloudWatch alarms in N. California region because that is where my EC2s are.
I want to send a notification to an SNS topic that supports both email and SMS, which N. California does not, so I created an SNS topic in Oregon instead, which supports both.
The topic does not appear in the "Send Notification To:" dropdown. Reading online, it seems like I'm supposed to be able to click 'enter list' and put in an ARN from another region; however, when I do this I get an error saying:
Error:
There was an error saving the alarm. Please try again.
Cross region SNS will not be available to be configured for CloudWatch alarm notifications.
Alternatively, the following steps will help you achieve the same, though not in a fancy way of doing it.
Configure an SNS topic in the same region and configure CloudWatch to send alarm notifications to this SNS topic in the same region.
Subscribe a Lambda as a consumer of this SNS topic to listen for and process the events sent from CloudWatch.
The Lambda will reside in the same region, receive the event from the local SNS topic and publish (literally forward) the message (using the SNS publish method) to the SNS topic in a different region.
The SNS topic in the other region can have SMS and/or email subscriptions.
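The relay Lambda from the steps above, as an added example (not code from the original answer). The target topic ARN is a placeholder, and the publish callable is injectable so the handler can be exercised without AWS credentials; the real function would publish with boto3.

```python
import json
import os

# Placeholder ARN for the topic in the other region (assumption; set via Lambda env var).
TARGET_TOPIC_ARN = os.environ.get(
    "TARGET_TOPIC_ARN", "arn:aws:sns:us-west-2:123456789012:alarm-relay-placeholder")


def _sns_publisher(topic_arn):
    # Built only when no publisher is injected, so the module imports without boto3.
    import boto3  # assumption: boto3 is present in the Lambda runtime
    region = topic_arn.split(":")[3]  # the region is the 4th field of an SNS ARN
    client = boto3.client("sns", region_name=region)
    return lambda **kw: client.publish(**kw)


def relay_alarm(event, publish=None, topic_arn=TARGET_TOPIC_ARN):
    """Forward each CloudWatch alarm carried in an SNS-triggered Lambda event.
    Returns the list of (subject, message) pairs that were forwarded."""
    publish = publish or _sns_publisher(topic_arn)
    forwarded = []
    for record in event.get("Records", []):
        sns = record.get("Sns")
        if not sns:
            continue  # not an SNS record (e.g. some other trigger); ignore it
        alarm = json.loads(sns["Message"])  # CloudWatch alarms publish a JSON body
        subject = f"{alarm.get('NewStateValue', 'UNKNOWN')}: {alarm.get('AlarmName', '?')}"
        subject = subject[:100]  # SNS subjects are limited to 100 characters
        message = alarm.get("NewStateReason", sns["Message"])
        publish(TopicArn=topic_arn, Subject=subject, Message=message)
        forwarded.append((subject, message))
    return forwarded


def lambda_handler(event, context):
    return {"forwarded": len(relay_alarm(event))}


# Constructed sample of the event Lambda receives from the same-region SNS subscription.
SAMPLE_EVENT = {"Records": [{"EventSource": "aws:sns", "Sns": {
    "Subject": 'ALARM: "HighCPU" in US West (N. California)',
    "Message": json.dumps({"AlarmName": "HighCPU", "NewStateValue": "ALARM",
                           "NewStateReason": "Threshold Crossed: CPUUtilization > 90"})}}]}
```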
In AWS, I am trying to detect critical alerts in GuardDuty and configure CloudWatch to trigger mails when there is a critical alert in GuardDuty.
I found a link http://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html which uses Lambda to create functions that will do that, but I was looking for simpler ways without AWS Lambda.
Is there a way to directly configure a CloudWatch alarm that will keep an eye on GuardDuty and can use SNS notifications to send mails to the desired team?
I implemented the CloudWatch event as described in the link you posted. I get alerts via SNS. No Lambda required (although you COULD trigger a Lambda function instead of SNS if you wanted).
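An added example (not from any of the posts above) that models the event-pattern matching behind both the CloudTrail API-call rules discussed earlier (IAM changes; a rule with source "aws.ec2" covers the security-group case the same way) and the GuardDuty finding rule in this thread. Matching really happens inside EventBridge; this pure-Python version mimics only the subset of the pattern language used here (exact lists, nested objects and the numeric comparator), with constructed events.

```python
import operator

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}


def _value_matches(rule_values, actual):
    # A list of candidates matches if any single candidate matches the actual value.
    for cand in rule_values:
        if isinstance(cand, dict) and "numeric" in cand:
            # {"numeric": [">=", 7]} or [">", 0, "<=", 5]: every comparator/threshold pair must hold
            spec = cand["numeric"]
            if isinstance(actual, (int, float)) and all(
                    _OPS[spec[i]](actual, spec[i + 1]) for i in range(0, len(spec), 2)):
                return True
        elif cand == actual:
            return True
    return False


def matches(pattern, event):
    """True if every field named in the pattern is present in the event and matches."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _value_matches(rule, event[key]):
            return False
    return True


# Rule for any IAM API call recorded by CloudTrail. It only ever fires when a trail
# with logging enabled exists, because that is how the event reaches EventBridge.
IAM_CHANGE_RULE = {"source": ["aws.iam"],
                   "detail-type": ["AWS API Call via CloudTrail"],
                   "detail": {"eventSource": ["iam.amazonaws.com"]}}
# Rule for GuardDuty findings of High severity (7.0 and above) without any Lambda.
GUARDDUTY_HIGH_RULE = {"source": ["aws.guardduty"],
                       "detail-type": ["GuardDuty Finding"],
                       "detail": {"severity": [{"numeric": [">=", 7]}]}}

# Constructed events, trimmed to the fields the rules look at.
IAM_EVENT = {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
             "detail": {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy"}}
STS_EVENT = {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
             "detail": {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"}}
GD_LOW_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 2}}
GD_HIGH_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 8}}
```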