
I have a cross-account architecture and I'm setting up a CloudWatch event for the STS role assuming into another account. I have CloudTrail enabled on the account; the logs from CloudTrail are stored in a separate account's S3 bucket. The SNS feeds into SES to send an email upon assumption.

For some reason, this event pattern won't trigger when the role is assumed! Any ideas?

```json
{
  "source": [
    "aws.sts"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": ["sts.amazonaws.com"],
    "eventName": ["AssumeRole"],
    "requestParameters": {
      "roleArn": ["arn:aws:iam::1111111111:role/RoleName"]
    }
  }
}
```

1 Answer


For anyone looking at this in the future...

IAM lives in the N. Virginia region! Make sure to audit the logs there for STS.

  • Is this supposed to answer the question? – Sven Apr 25 '18 at 16:46
  • @balent points out [in this comment](https://stackoverflow.com/questions/50004568/aws-cloudwatch-events-trigger-sns-on-sts-role-assuming-for-cross-account#comment87128354_50024965) on this same question at stackoverflow that "if you have enabled [regional STS endpoints](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html), you need to create a rule in each region." – gene_wood Dec 27 '18 at 01:28
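As an added example (not code from the question or the answer), here is the question's pattern built in Python and checked against constructed CloudTrail records the way CloudWatch Events matches them, together with the region point made in the answer and the comment: a rule only sees records logged in its own region, and an AssumeRole call through the global STS endpoint is logged with awsRegion us-east-1 while a call through a regional endpoint is logged with that region. The role ARN is the question's placeholder; the records are constructed, not real logs.

```python
# Added example: build the rule's event pattern for one role and evaluate
# constructed CloudTrail records against it. Every key in the pattern must be
# present in the event and the event's value must be one of the listed values;
# the rule only sees records whose awsRegion is the rule's own region.
ROLE_ARN = "arn:aws:iam::1111111111:role/RoleName"  # placeholder from the question

def assume_role_pattern(role_arn):
    return {
        "source": ["aws.sts"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["sts.amazonaws.com"],
            "eventName": ["AssumeRole"],
            "requestParameters": {"roleArn": [role_arn]},
        },
    }

def matches(pattern, event):
    """Exact-value subset match, the part of the pattern semantics this rule uses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def as_cloudwatch_event(record):
    """Shape in which CloudWatch Events delivers a CloudTrail record to a rule."""
    return {
        "source": "aws." + record["eventSource"].split(".")[0],
        "detail-type": "AWS API Call via CloudTrail",
        "region": record["awsRegion"],
        "detail": record,
    }

def rule_fires(record, rule_region, role_arn=ROLE_ARN):
    """True only if the record was logged in the rule's region and the pattern matches."""
    event = as_cloudwatch_event(record)
    return event["region"] == rule_region and matches(assume_role_pattern(role_arn), event)

# Constructed records: one via the global endpoint (logged as us-east-1), one via a regional endpoint.
GLOBAL_RECORD = {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
                 "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "deploy"}}
REGIONAL_RECORD = dict(GLOBAL_RECORD, awsRegion="eu-west-1")

if __name__ == "__main__":
    for rec in (GLOBAL_RECORD, REGIONAL_RECORD):
        for region in ("us-east-1", "eu-west-1"):
            print("logged in", rec["awsRegion"], "-> rule in", region, "fires:", rule_fires(rec, region))
```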