How to configure Cloudwatch events to trigger on IAM API calls

Tags: amazon-cloudwatch, amazon-iam, amazon-lambda, amazon-web-services

So I'm having trouble setting up Cloudwatch events to trigger a Lambda function. In the current scenario I want to trigger a Lambda when anyone/thing changes anything in IAM.

Currently I have a global Cloudtrail in N. Virginia which is logging all IAM events and I can see them very clearly.

I then have a Cloudwatch event with its trigger set up to Lambda. When testing the trigger on any other service, say EC2, the Lambda is triggered correctly. When using IAM, however, it will always fail.

Here is the event pattern I'm using which seems to be the only thing that could be wrong at this point:

{
   "detail-type": [
     "AWS API Call via CloudTrail"
   ],
   "detail": {
     "eventSource": [
       "iam.amazonaws.com"
     ]
   }
}

If anyone has tried to set this up before, please help. It's doing my nut in.

Best Answer

To monitor changes to IAM you will need to use a combination of CloudWatch, CloudWatch Logs and CloudTrail. Make sure that CloudTrail is enabled for each region that you wish to monitor.

CloudTrail will record calls to IAM and store them in your CloudTrail logs. CloudTrail will publish events to CloudWatch Logs. You set up a filter in CloudWatch to generate CloudWatch metrics from the CloudTrail events. These metrics are used to trigger alarms.

Your CloudWatch filter looks like this:

{ ($.eventSource = "iam.amazonaws.com") }

This article will help you understand the process, step by step with screenshots.

How to Receive Alerts When Your IAM Configuration Changes
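As an added worked example (not code from the question, the answer, or AWS), the Python below evaluates the question's event pattern against constructed CloudTrail events using a small hand-written matcher that implements only EventBridge's literal and `prefix` rules, and also shows a narrower pattern that fires on IAM write calls only. The matcher, the sample events and the list of mutating verbs are my own assumptions.

```python
# The event pattern from the question, unchanged.
IAM_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"]},
}

# Narrower pattern (added here, not from the page): only IAM calls whose
# eventName starts with a mutating verb, so read-only calls such as
# ListUsers do not invoke the Lambda. "prefix" is real EventBridge syntax.
MUTATING_PREFIXES = ["Create", "Delete", "Put", "Attach", "Detach",
                     "Update", "Add", "Remove"]
IAM_WRITE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": [{"prefix": p} for p in MUTATING_PREFIXES],
    },
}

def _match_item(item, value):
    """One allowed value: a {"prefix": ...} object or a literal."""
    if isinstance(item, dict) and "prefix" in item:
        return isinstance(value, str) and value.startswith(item["prefix"])
    return item == value

def matches(pattern, event):
    """Hand-written subset of EventBridge pattern semantics (assumption:
    only equality and prefix matching are implemented). Every key in the
    pattern must be present in the event; a list matches if any item
    matches the event value; nested dicts are matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not (isinstance(value, dict) and matches(allowed, value)):
                return False
        elif not any(_match_item(item, value) for item in allowed):
            return False
    return True

def sample_event(source, event_name, region):
    """Constructed CloudWatch Events envelope around a CloudTrail record
    (not a real captured event)."""
    return {"detail-type": "AWS API Call via CloudTrail", "region": region,
            "detail": {"eventSource": source, "eventName": event_name,
                       "awsRegion": region}}
```

A rule using either pattern only sees IAM events in the region where CloudTrail delivers them, which for the global IAM service is us-east-1 (N. Virginia).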
