Overview

A CloudWatch Event Rule that detects KMS Customer Master Key (CMK) changes and publishes the matching CloudTrail events to an SNS topic for notification. Matched operations include key creation, scheduling and cancelling key deletion, enabling and disabling a key, creating an alias, importing or deleting imported key material, and updating a CMK key policy.

Configuration Templates

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  EventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-kms-cmk-operations
      Description: >-
        A CloudWatch Event Rule that detects KMS Customer Master Key (CMK)
        changes and publishes change events to an SNS topic for notification.
        Events include key creation, deletion, or key enabling/disabling
        operations, imported key material operations, as well as updates to CMK
        key policies.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic
          Id: target-id1
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - kms.amazonaws.com
          eventName:
            - DisableKey
            - ScheduleKeyDeletion
            - CancelKeyDeletion
            - CreateKey
            - CreateAlias
            - EnableKey
            - PutKeyPolicy
            - ImportKeyMaterial
            - DeleteImportedKeyMaterial
  SnsTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: event-rule-action
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic
      Topics:
        - Ref: SnsTopic
Parameters: {}
Metadata: {}
Conditions: {}
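As an added example that is not part of the catalogue entry or the AWS Quickstart template, the Python below transcribes the rule's EventPattern and applies the basic EventBridge matching rule (every pattern key must be present, leaf lists match on exact value) to a few constructed CloudTrail envelopes, showing which KMS calls the rule would forward to the topic and which, such as DisableKeyRotation, fall outside its eventName list. The event envelopes and helper names are constructed for the example.

```python
# EventPattern from the template above, transcribed as a Python dict.
KMS_CMK_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": [
            "DisableKey", "ScheduleKeyDeletion", "CancelKeyDeletion", "CreateKey",
            "CreateAlias", "EnableKey", "PutKeyPolicy", "ImportKeyMaterial",
            "DeleteImportedKeyMaterial",
        ],
    },
}

def matches(pattern, event):
    """Basic EventBridge semantics: every pattern key must be present in the
    event; nested dicts recurse; a leaf list matches when the event's value is
    exactly one of the listed values (no content filters such as prefix)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def cloudtrail_envelope(event_name, event_source="kms.amazonaws.com"):
    """Constructed minimal EventBridge envelope for a CloudTrail API call."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": event_source, "eventName": event_name},
    }

def forwarded_to_sns(events):
    """Return the eventNames from `events` that the rule would send to the topic."""
    return [e["detail"]["eventName"] for e in events if matches(KMS_CMK_PATTERN, e)]

# Constructed sample events: three covered by the rule, three not.
SAMPLE_EVENTS = [
    cloudtrail_envelope("DisableKey"),
    cloudtrail_envelope("PutKeyPolicy"),
    cloudtrail_envelope("ScheduleKeyDeletion"),
    cloudtrail_envelope("Decrypt"),              # routine data-plane use, not a CMK change
    cloudtrail_envelope("DisableKeyRotation"),   # a real KMS call the template's list omits
    cloudtrail_envelope("PutBucketPolicy", "s3.amazonaws.com"),  # different service
]
```

EventBridge only receives "AWS API Call via CloudTrail" events when a CloudTrail trail is logging in the region, so the rule stays silent without one.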

Sources and Documentation

Configuration Source: AWS Quickstart