
So I'm having trouble setting up Cloudwatch events to trigger a Lambda function. In the current scenario I want to trigger a Lambda when anyone/thing changes anything in IAM.

Currently I have a global Cloudtrail in N. Virginia which is logging all IAM events and I can see them very clearly.

I then have a Cloudwatch event with its trigger set up to Lambda. When testing the trigger on any other service, say EC2, the lambda is triggered correctly. When using IAM however it will always fail.

Here is the event pattern I'm using which seems to be the only thing that could be wrong at this point:

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "iam.amazonaws.com"
    ]
  }
}

If anyone has tried to set this up before, please help. It's doing my nut in.

Briansbum
2 Answers


To monitor changes to IAM you will need to use a combination of CloudWatch, CloudWatch Logs and CloudTrail. Make sure that CloudTrail is enabled for each region that you wish to monitor.

CloudTrail will record calls to IAM and store them in your CloudTrail logs. CloudTrail will publish events to CloudWatch Logs. You set up a filter in CloudWatch to generate CloudWatch metrics from the CloudTrail events. These metrics are used to trigger alarms.

Your CloudWatch filter looks like this:

{ ($.eventSource = "iam.amazonaws.com") }

This article will help you understand the process. Step-by-step with screenshots.

How to Receive Alerts When Your IAM Configuration Changes

John Hanley
  • Thanks for taking the time to reply, I currently have that set up but using that method doesn't provide any information about WHAT happened. Using [this](https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-revoke-unintended-iam-access-with-amazon-cloudwatch-events/) method, only with a different Lambda, I should be able to receive them as events instead of using a log filter? – Briansbum Dec 14 '17 at 08:47
  • The techniques are the same for both examples. I would go back to your first problem and figure out what you did wrong. – John Hanley Dec 14 '17 at 15:41

So I found out what the issue was: the patterns that I was attempting to use either did not provide a small enough or a large enough scope. Monitoring IAM in this way requires following this guide, and when it tells you the event pattern to input as a CloudWatch Event pattern you need to specify EXACTLY the event names that you require.

It's fairly long but demonstrates how thorough you need to be and that no globbing is supported; here is the pattern I ended up with:

{
  "source": [
    "aws.iam"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "iam.amazonaws.com"
    ],
    "eventName": [
      "AddClientIDToOpenIDConnectProvider",
      "AddRoleToInstanceProfile",
      "AddUserToGroup",
      "ChangePassword",
      "CreateAccessKey",
      "CreateAccountAlias",
      "CreateInstanceProfile",
      "CreateLoginProfile",
      "CreateOpenIDConnectProvider",
      "CreateRole",
      "CreateSAMLProvider",
      "CreateServiceLinkedRole",
      "CreateServiceSpecificCredential",
      "CreateUser",
      "CreateVirtualMFADevice",
      "DeactivateMFADevice",
      "DeleteVirtualMFADevice",
      "EnableMFADevice",
      "ResyncMFADevice",
      "UpdateAccessKey",
      "UpdateAccountPasswordPolicy",
      "UpdateGroup",
      "UpdateLoginProfile",
      "UpdateOpenIDConnectProviderThumbprint",
      "UpdateRoleDescription",
      "UpdateSAMLProvider",
      "UpdateServerCertificate",
      "UpdateServiceSpecificCredential",
      "UpdateSigningCertificate",
      "UpdateSSHPublicKey",
      "UpdateUser",
      "UploadServerCertificate",
      "UploadSigningCertificate",
      "UploadSSHPublicKey",
      "AttachGroupPolicy",
      "AttachRolePolicy",
      "AttachUserPolicy",
      "CreatePolicy",
      "CreatePolicyVersion",
      "DeleteAccountPasswordPolicy",
      "DeleteGroupPolicy",
      "DeletePolicy",
      "DeletePolicyVersion",
      "DeleteRolePolicy",
      "DeleteUserPolicy",
      "DetachGroupPolicy",
      "DetachRolePolicy",
      "DetachUserPolicy",
      "PutGroupPolicy",
      "PutRolePolicy",
      "PutUserPolicy",
      "SetDefaultPolicyVersion",
      "UpdateAssumeRolePolicy"
    ]
  }
}
Briansbum
  • I am still struggling with it. Not sure where I am going wrong. I am not getting any IAM related events to my target Lambda at all. Any suggestions? – qre0ct Apr 02 '19 at 10:57
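An added example (not from the thread or from AWS) that makes the self-answer's point concrete: a small matcher that follows the CloudWatch Events rule semantics the accepted pattern relies on (every pattern key must be present, a list is an OR of exact literals, nested objects recurse, no globbing), plus the kind of Lambda target the question wanted, which pulls out who made which IAM call. The CloudTrail-style event and the policy ARN are constructed sample data, and `matches` is a simplified re-implementation of the service's matching for illustration, not the AWS code.

```python
import json


def matches(pattern, event):
    """Simplified CloudWatch Events rule matching (assumption: scalar event
    values only). Every key in the pattern must exist in the event; a dict
    recurses; a list matches if the event value EQUALS any listed literal.
    Comparison is plain equality, so a literal like "Create*" never matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


# Same shape as the pattern in the accepted answer, with a shorter name list.
IAM_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "AttachUserPolicy", "PutUserPolicy"],
    },
}

# Constructed sample event in the CloudTrail-via-CloudWatch Events envelope.
SAMPLE_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "userName": "bob",
            "policyArn": "arn:aws:iam::123456789012:policy/ExamplePolicy",
        },
    },
}


def describe_change(event):
    """What a Lambda target can report: the actor, the IAM API call made,
    and its request parameters (the WHAT the question asked for)."""
    detail = event["detail"]
    return {
        "actor": detail.get("userIdentity", {}).get("userName"),
        "action": detail["eventName"],
        "params": detail.get("requestParameters", {}),
    }


def lambda_handler(event, context):
    """Lambda entry point: log a one-line summary and return it."""
    summary = describe_change(event)
    print(json.dumps(summary))
    return summary
```

Running `lambda_handler(SAMPLE_EVENT, None)` locally shows the summary line the function would write to its log group for a matched event.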