A CloudWatch Event Rule that detects changes to IAM users and groups and publishes change events to an SNS topic for notification. Events include IAM user creation/deletion/update operations, updating IAM user passwords or Access Keys, as well as attaching/detaching policies from IAM users or groups.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  EventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-iam-user-changes
      Description: >-
        A CloudWatch Event Rule that detects changes to IAM users and groups and
        publishes change events to an SNS topic for notification. Events include
        IAM user creation/deletion/update operations, updating IAM user
        passwords or Access Keys, as well as attaching/detaching policies from
        IAM users or groups.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic
          Id: target-id1
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - iam.amazonaws.com
          eventName:
            - AddUserToGroup
            - ChangePassword
            - CreateAccessKey
            - CreateUser
            - DeleteUser
            - UpdateAccessKey
            - UpdateGroup
            - UpdateUser
            - AttachGroupPolicy
            - AttachUserPolicy
            - DeleteUserPolicy
            - DetachGroupPolicy
            - DetachUserPolicy
            - PutUserPolicy
  SnsTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: event-rule-action
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic
      Topics:
        - Ref: SnsTopic
Parameters: {}
Metadata: {}
Conditions: {}
Configuration Source: AWS Quickstart
Additional Documentation:
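The rule above only forwards CloudTrail API-call events whose eventSource is iam.amazonaws.com and whose eventName is one of the fourteen listed names; any other IAM call is silently dropped. The following is an added example, not part of the AWS Quickstart template: a small Python matcher that implements the exact-match subset of EventBridge pattern semantics this rule relies on (every key in the pattern must be present in the event, and its value must be one of the listed values, recursing into nested objects) and runs it over constructed CloudTrail-style events. The account id, user names and the cloudtrail_event helper are constructed for the example.

```python
"""Offline check of which IAM events the detect-iam-user-changes rule forwards.

Added example, not part of the AWS Quickstart template. The matcher covers only
the exact-string subset of EventBridge pattern semantics the rule uses; it does
not implement prefix/anything-but/numeric matching.
"""
from typing import Any

# Pattern copied from the EventRule resource in the template above.
IAM_CHANGE_PATTERN: dict[str, Any] = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": [
            "AddUserToGroup", "ChangePassword", "CreateAccessKey", "CreateUser",
            "DeleteUser", "UpdateAccessKey", "UpdateGroup", "UpdateUser",
            "AttachGroupPolicy", "AttachUserPolicy", "DeleteUserPolicy",
            "DetachGroupPolicy", "DetachUserPolicy", "PutUserPolicy",
        ],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Return True if `event` satisfies `pattern`.

    Every key in the pattern must exist in the event.  A list in the pattern
    is a set of allowed values; a dict in the pattern is matched recursively.
    If the event value is itself a list, any element matching is enough
    (EventBridge array semantics).
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif isinstance(value, list):
            if not any(v in allowed for v in value):
                return False
        elif value not in allowed:
            return False
    return True


def cloudtrail_event(event_source: str, event_name: str, user: str = "alice") -> dict:
    """Build a constructed EventBridge envelope shaped like a CloudTrail API-call event."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws." + event_source.split(".")[0],
        "account": "111122223333",  # constructed account id
        "region": "us-east-1",
        "detail": {
            "eventVersion": "1.08",
            "eventSource": event_source,
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "userName": user},
        },
    }


def triage(events: list[dict]) -> list[str]:
    """Return '<eventName> by <userName>' for each event the rule would publish to SNS."""
    return [
        f"{e['detail']['eventName']} by {e['detail']['userIdentity']['userName']}"
        for e in events
        if matches(IAM_CHANGE_PATTERN, e)
    ]


# Constructed sample events: one that the rule forwards and three that it drops.
SAMPLE_EVENTS = [
    cloudtrail_event("iam.amazonaws.com", "CreateAccessKey", user="alice"),
    cloudtrail_event("iam.amazonaws.com", "ListUsers", user="bob"),            # read-only call
    cloudtrail_event("s3.amazonaws.com", "PutObject", user="carol"),           # wrong eventSource
    cloudtrail_event("iam.amazonaws.com", "UpdateLoginProfile", user="dave"),  # not in eventName list
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)  # CreateAccessKey by alice
```

The fourth sample is the one worth noticing: the template's description says it covers "updating IAM user passwords", but the listed eventName values include only ChangePassword (a user changing their own password). UpdateLoginProfile and CreateLoginProfile, the calls an administrator makes to set or reset another user's console password, are not listed, so the matcher (and the deployed rule) returns no notification for them; the same holds for DeleteAccessKey, RemoveUserFromGroup, PutGroupPolicy and DeleteGroupPolicy. If those changes matter in your account, append them to the eventName list in the template.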