By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

By Service Protected

Configuration Packages

Strategy Guides

Other

CloudWatch Alarms and Event Rules

Detect and Notify on Security Group Changes

A CloudWatch Event Rule that detects changes to security groups and publishes change events to an SNS topic for notification.

AWS Quickstart
Items
3
Size
2.1 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  EventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-security-group-changes"
      Description: "A CloudWatch Event Rule that detects changes to security groups and publishes change events to an SNS topic for notification."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopicEventRule"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "ec2.amazonaws.com"
          eventName:
            - "AuthorizeSecurityGroupIngress"
            - "AuthorizeSecurityGroupEgress"
            - "RevokeSecurityGroupIngress"
            - "RevokeSecurityGroupEgress"
            - "CreateSecurityGroup"
            - "DeleteSecurityGroup"
  SnsTopicEventRule:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "email@example.com"
          Protocol: "email"
      TopicName: "event-rule-action"
  SnsTopicPolicyEventRule:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopicEventRule"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopicEventRule"
      Topics:
        - Ref: "SnsTopicEventRule"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Configuration

Target Details


* Required field