Guides and Packages

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

By Service Protected

Configuration Packages

Strategy Guides

Other

By Service Protected

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

Configuration Packages

Strategy Guides

Other

CloudWatch Alarms and Event Rules

Detect and Notify on IAM User Changes

A CloudWatch Event Rule that detects changes to IAM users and groups and publishes change events to an SNS topic for notification. Events include IAM user creation/deletion/update operations, updating IAM user passwords or Access Keys, as well as attaching/detaching policies from IAM users or groups.

AWS Quickstart
Items
3
Size
2.4 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  EventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-iam-user-changes"
      Description: "A CloudWatch Event Rule that detects changes to IAM users and groups and publishes change events to an SNS topic for notification. Events include IAM user creation/deletion/update operations, updating IAM user passwords or Access Keys, as well as attaching/detaching policies from IAM users or groups."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopicEventRule"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "iam.amazonaws.com"
          eventName:
            - "AddUserToGroup"
            - "ChangePassword"
            - "CreateAccessKey"
            - "CreateUser"
            - "DeleteUser"
            - "UpdateAccessKey"
            - "UpdateGroup"
            - "UpdateUser"
            - "AttachGroupPolicy"
            - "AttachUserPolicy"
            - "DeleteUserPolicy"
            - "DetachGroupPolicy"
            - "DetachUserPolicy"
            - "PutUserPolicy"
  SnsTopicEventRule:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "email@example.com"
          Protocol: "email"
      TopicName: "event-rule-action"
  SnsTopicPolicyEventRule:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopicEventRule"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopicEventRule"
      Topics:
        - Ref: "SnsTopicEventRule"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Configuration

Target Details


* Required field

Related Configuration Items

Enable AWS Logging Services
A configuration package to enable AWS security logging and activity monitoring services: AWS CloudTrail, AWS Config, and Amazon GuardDuty. The package also includes an S3 bucket to store CloudTrail and Config history logs, as well as an optional CloudWatch log group to receive CloudTrail logs.
Configuration Package
AWS IAM Monitoring Package
A configuration package to monitor IAM related API activity as well as configuration compliance rules to ensure the security of Amazon IAM configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups.
Configuration Package