Alerting
Be sure to complete the Setup before continuing with this section.
In this section, we will use Amazon EventBridge to monitor and alert when an IAM policy is attached to an IAM user. The example is simple, but it illustrates the level of visibility that can be gained from this type of process. The EventBridge rule created will monitor CloudTrail for a specific event name and will use an SNS message to notify you when that event occurs.
- Go to the Amazon EventBridge console.
- Once in the EventBridge Console, click on Rules on the Left Side of the screen.
- Click on the Create rule button.
- Configure the Rule using the following settings:
  - Enter a Name for the rule (e.g. AttachUserPolicy_Event).
  - Event Pattern:
    - Pre-defined pattern by service
    - Service provider: AWS
    - Service Name: IAM
    - Event Type: AWS API Call via CloudTrail
    - Specific operation(s): AttachUserPolicy
  - Targets: SNS topic
  - Topic: CloudWatchAlarmsForCloudTrail-AlarmNotificationTopic-XXXXXXXXX
- Click Create and you will see the rule created.
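The console settings above produce an EventBridge event pattern behind the scenes. The following is an added example (not part of the workshop or AWS's own code): it spells out that pattern as JSON, applies EventBridge's basic matching rule (every key in the pattern must exist in the event with one of the listed values) to a constructed CloudTrail-via-EventBridge event, and renders the fields a practitioner would want in the SNS notification. The sample event, account ID and ARNs are constructed for illustration.

```python
import json

# Pattern equivalent to: Service "IAM", Event Type "AWS API Call via CloudTrail",
# Specific operation "AttachUserPolicy". Pasteable into the console as a custom pattern.
ATTACH_USER_POLICY_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["AttachUserPolicy"],
    },
}


def matches(pattern, event):
    """EventBridge-style match for scalar fields: each pattern key must be present
    in the event, and the event value must be one of the listed alternatives.
    Nested dicts recurse; a missing key means no match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def notification_text(event):
    """Body for the SNS message: who attached which policy to which user, and when."""
    d = event["detail"]
    return (f"{d['eventName']} by {d['userIdentity']['arn']} at {d['eventTime']}: "
            f"policy {d['requestParameters']['policyArn']} attached to user "
            f"{d['requestParameters']['userName']}")


# Constructed sample event (trimmed to the fields used here), in the shape
# EventBridge delivers CloudTrail API calls.
SAMPLE_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "eventTime": "2024-01-01T00:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {"userName": "workshopuser",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
}

if __name__ == "__main__":
    print(json.dumps(ATTACH_USER_POLICY_PATTERN, indent=2))
    if matches(ATTACH_USER_POLICY_PATTERN, SAMPLE_EVENT):
        print(notification_text(SAMPLE_EVENT))
```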
Triggering AttachUserPolicy Notification
Now that we have an event we are monitoring, we will create an IAM user and attach a user policy to this user to trigger the notification.
- Go to the IAM Console
- Click on Add user
- Set the following values for the user:
  - Username: workshopuser
  - Select AWS access type: AWS Management Console access
  - Console password: Auto-generated password
  - Require password reset: Check the checkbox
- Click Next: Permissions
- On the Set permissions page, we will select:
  - Attach existing policies directly
  - Check the checkbox for the AdministratorAccess policy
- Click on Next: Tags
- Click Next: Review on the Add tags page
- Click Create user and Close
Once the user is created and the policy has been set, the CloudWatch Event pattern will be triggered and an e-mail will be sent to the e-mail address defined in the setup (i.e. Create CloudWatch Alarms for Security and Network related API activity).
Generating ConsoleLogin Failures
- Go to the IAM Dashboard in your account and copy the Sign-in URL (e.g. https://123456789XXX.signin.aws.amazon.com/console).
- Open a different browser, or an Incognito window in your current browser, and navigate to this Sign-in URL.
  - Account ID: Leave as it is
  - IAM user name: workshopuser
  - Password: Use any wrong password that will force a login failure (don't use the correct password, as we are trying to generate login failures)
- Click Sign in to generate a login failure. Repeat this step a few times.
- We will use these login failures in the Logs Insights section.
As part of sending CloudTrail events to CloudWatch Logs, we also deployed a set of pre-defined CloudWatch Alarms to monitor Network and Security related API activity. In this section, we will trigger one of the network related alarms. Optionally, you can trigger the other CloudWatch Alarms created as part of launching the CloudFormation template in the setup.
- Go to the VPC console.
- Select the default security group.
- Click Actions and select Edit inbound rules.
- Add a rule with the following settings:
  - Type: All ICMP - IPv4
  - Source: Custom
  - Network: 0.0.0.0/0
- Click on Save rules.
Once the alarm is processed, a notification will be sent to the email address configured in the setup. Review the notification to understand what is logged.