A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC flow logs to be enabled.

A CloudWatch Alarm that triggers when the traffic outgoing over a managed AWS VPN tunnel hits a certain threshold (Default: Less than 1,000,000 bytes in 15 minutes).

A CloudWatch Alarm that triggers when the traffic incoming over a managed AWS VPN tunnel hits a certain threshold (Default: Over 5,000,000 bytes in 15 minutes).

A CloudWatch Alarm that triggers when the state of both VPN tunnels in an AWS VPN connection are down.

A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC.

A CloudWatch Alarm that triggers when changes are made to a VPC.

A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table.

A CloudWatch Alarm that triggers when changes are made to a Network ACL (NACL).

Detect changes to network ACLs and publishes change events to an SNS topic for notification.

Detect changes to network configuration and publishes change events to an SNS topic for notification.

A CloudWatch Alarm that triggers the AWS bill reaches the specified threshold (default: 100 USD). (Note: Should be deployed in N. Virgina Region - us-east-1)

Alarm if Multiple unauthorized actions or logins attempted.

A CloudWatch Event Rule that triggers on changes in the status of AWS Trusted Advisor checks, and forwards the events to an SNS topic

A CloudWatch Event Rule that triggers on changes in the status of AWS Personal Health Dashboard (AWS Health) and forwards the events to an SNS topic

Alarm if there are AWS Management Console authentication failures.

Alarm if a root user uses the account

A CloudWatch Alarm that triggers if there is API activity in the account without MFA (Multi-Factor Authentication).

Alarm if there is a Management Console sign-in without MFA.

A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups.

A CloudWatch Alarm that triggers when changes are made to IAM users. Events include IAM user creation/deletion/update operations, updating IAM user passwords or Access Keys, as well as attaching/detaching policies from IAM users or groups.

A CloudWatch Alarm that triggers when changes are made to IAM MFA devices (Virtual or Hardware). Events include enabling/disabling/updating MFA virtual and hardware devices in an AWS account.

A CloudWatch Event Rule that detects IAM policy changes and publishes change events to an SNS topic for notification. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups.

A CloudWatch Event Rule that detects changes to IAM users and groups and publishes change events to an SNS topic for notification. Events include IAM user creation/deletion/update operations, updating IAM user passwords or Access Keys, as well as attaching/detaching policies from IAM users or groups.

A CloudWatch Event Rule that detects changes to IAM MFA devices (Virtual and Hardware) and publishes change events to an SNS topic for notification. Events include enabling/disabling/updating MFA virtual and hardware devices in an AWS account.

A CloudWatch Event Rule that triggers on IAM Access Analyzer Findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.

A CloudWatch Alarm that triggers when changes are made to CloudTrail.

Detect changes to CloudTrail configutation and publishes change events to an SNS topic for notification.

A CloudWatch Alarm that triggers when changes are made to AWS Config.

Detect changes to AWS Config and publishes change events to an SNS topic for notification.

A CloudWatch Alarm that triggers when changes are made to Security Groups.

A CloudWatch Alarm that triggers when changes are made to large size EC2 Instances.

A CloudWatch Alarm that triggers when changes are made to EC2 Instances.

A CloudWatch Alarm that triggers when new AMIs (Amazon Machine Images) are created or registered in the account.

A CloudWatch Alarm that triggers when existing AMIs (Amazon Machine Images) are modified, deleted, copied or shared with other AWS accounts.

Detect changes to security groups and publishes change events to an SNS topic for notification.

Detect changes to EC2 Instances and publishes change events to an SNS topic for notification.

A CloudWatch Alarm that triggers when changes are made to an S3 Bucket.

A CloudWatch Alarm that triggers when an S3 Bucket is created or deleted.

Detect changes to S3 bucket policies and publishes change events to an SNS topic for notification.

Alarm if customer created CMKs get disabled or scheduled for deletion.

A CloudWatch Alarm that triggers on changes to customer created CMKs: Key creation, deletion, or enabling/disabling operations, as well as updates to CMK Key policies.

A CloudWatch Event Rule that detects KMS Customer Master Key (CMK) changes and publishes change events to an SNS topic for notification.

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) deletion events.

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) rotation events.

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) imported material expiration events.

A CloudWatch Alarm that triggers when changes are made EMR Security Configurations or Public Access Settings for EMR

A CloudWatch Alarm that triggers when a new CloudFormation stack is created

A CloudWatch Alarm that triggers when an existing CloudFormation stack is updated

A CloudWatch Alarm that triggers when an existing CloudFormation stack is deleted

A CloudWatch Alarm that triggers when changes are made to AWS Organizations.

This template creates an alarm that is based on an anomaly detector. It creates an AWS::CloudWatch::AnomalyDetector resource with the specified properties, including the MetricName, Namespace, and Stat. It then creates an AWS::CloudWatch::Alarm resource with the specified properties, including the AlarmDescription, AlarmName, ComparisonOperator, EvaluationPeriods, Metrics, ThresholdMetricId, and TreatMissingData.

A CloudWatch Event Rule that detects changes to AWS Config Rule compliance status and publishes change events to an SNS topic for notification.

A CloudWatch Event Rule that triggers on Amazon GuardDuty findings and publishes findings to an SNS topic. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.

A CloudWatch Event Rule that triggers on Amazon Inspector findings and publishes findings to an SNS topic. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.

A CloudWatch Event Rule that triggers on AWS Security Hub findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.

A CloudWatch Event Rule that triggers on Amazon Macie findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.

A CloudWatch Event Rule that triggers when each ECR vulnerability image scan is completed. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.

A CloudWatch Event Rule that sends a notification to provide notice of approaching expiration of an ACM certificate. and forwards the events to an SNS topic.

A CloudWatch Event Rule that detects changes to AWS Organizations and publishes change events to an SNS topic for notification.