Note: Make sure to complete the Setup before continuing with this section.
In this section, we will use Amazon EventBridge to monitor and alert when an IAM policy is attached to an IAM user. The example is simple, but it illustrates the level of visibility that can be gained from this type of process. The EventBridge Rule created will monitor for a specific event name in CloudTrail and will use an SNS message to notify you when the event occurs.
Configure the Rule using the following settings:
Enter a Name for the rule (e.g. AttachUserPolicy_Event).
Event Pattern:
- Targets: SNS topic
- Topic: CloudWatchAlarmsForCloudTrail-AlarmNotificationTopic-XXXXXXXXX
Click Create and you will see the rule created.
Now that we have an event we are monitoring, we will create an IAM user and attach a user policy to this user to trigger the notification.
On the Set permissions page, we will select:
Click on Next: Tags.
Click Next: Review on the Add tags page.
Click Create user and then Close.
Once the user is created and the policy has been set, the CloudWatch Event pattern will be triggered and an e-mail will be sent to the e-mail address defined in the setup (i.e. Create CloudWatch Alarms for Security and Network related API activity).
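The rule configured above reduces to an EventBridge event pattern that matches CloudTrail AttachUserPolicy calls and hands them to an SNS target. The following added example (not part of the lab material) shows that pattern and a minimal offline matcher applying it to constructed CloudTrail-style events; the user name and policy ARN in the samples are made up.

```python
"""Added example: EventBridge-style matching of a CloudTrail event pattern.
Sample events below are constructed, not real account data."""

# Event pattern equivalent to the rule configured in the lab. IAM is a global
# service, so its CloudTrail events reach EventBridge in us-east-1.
ATTACH_USER_POLICY_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["AttachUserPolicy"],
    },
}


def matches(pattern, event):
    """EventBridge exact-match semantics: every pattern key must exist in the
    event; a list leaf matches if the event value is one of the listed values;
    a dict leaf recurses. Content filters (prefix, numeric, ...) are omitted."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_event(event_name, user_name, policy_arn=None):
    """Constructed EventBridge envelope for an IAM call recorded by CloudTrail."""
    params = {"userName": user_name}
    if policy_arn:
        params["policyArn"] = policy_arn
    return {"source": "aws.iam",
            "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "iam.amazonaws.com",
                       "eventName": event_name,
                       "requestParameters": params}}


def summarize(event):
    """Text an SNS notification would carry for a matched event."""
    p = event["detail"]["requestParameters"]
    return f"{event['detail']['eventName']}: user={p['userName']} policy={p.get('policyArn')}"
```

Run `matches(ATTACH_USER_POLICY_PATTERN, make_event("AttachUserPolicy", "lab-user", "arn:aws:iam::aws:policy/AdministratorAccess"))` to see the lab's trigger fire; a CreateUser event for the same user does not match.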
Go to the IAM Dashboard in your account and copy the Sign-in URL (e.g. https://123456789XXX.signin.aws.amazon.com/console).
Open a different browser or Incognito window in your current browser and navigate to this Sign-in URL.
Click Sign in to generate login failures. Repeat this step a few times.
We will use these login failures in the Logs Insights section.
As part of sending CloudTrail events to CloudWatch Logs, we also deployed a set of pre-defined CloudWatch Alarms to monitor Network and Security related API activity. In this section, we will trigger one of the network related alarms. Optionally, you can trigger the other CloudWatch Alarms created as part of launching the CloudFormation template in the setup.
Click Actions and select Edit inbound rules.
Add a rule with the following settings:
Click on Save rules.
Once the alarm is processed, a notification will be sent to the email address configured in the setup. Review the notification to understand what is logged.
End of Lab Exercises
Thank you for using this lab.