How do I create a CloudWatch Events rule to notify me when my AWS root user account is used?

Last updated: April 19, 2019

How do I receive a notification when my AWS account root user is used?

Resolution

Launch an AWS CloudFormation stack that creates an Amazon Simple Notification Service (Amazon SNS) topic. Then create an Amazon CloudWatch Events rule that monitors for userIdentity root sign-ins from the AWS Management Console.

Important: Before you begin, make sure that your CloudTrail management read/write events are set to All or Write-only for CloudWatch Events, so that the sign-in event triggers the notification. For more information, see Read-only and write-only events.

1.    Copy and paste this YAML template into your favorite editor, and then save it.

# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: '2010-09-09'
Description: ROOT-AWS-Console-Sign-In-via-CloudTrail
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Amazon SNS parameters
      Parameters:
      - EmailAddress
Parameters:
  EmailAddress:
    Type: String
    AllowedPattern: "^[\\x20-\\x45]?[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-z]{2,})$"
    ConstraintDescription: Email address required.
    Description: Enter an email address you want to subscribe to the Amazon SNS topic
      that will send notifications if your account's AWS root user logs in.
Resources:
  RootActivitySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: ROOT-AWS-Console-Sign-In-via-CloudTrail
      Subscription:
      - Endpoint:
          Ref: EmailAddress
        Protocol: email
      TopicName: ROOT-AWS-Console-Sign-In-via-CloudTrail
  EventsRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Events rule for monitoring root AWS Console Sign In activity
      EventPattern:
        detail-type:
        - AWS Console Sign In via CloudTrail
        detail:
          userIdentity:
            type:
            - Root
      Name:
        Fn::Sub: "${AWS::StackName}-RootActivityRule"
      State: ENABLED
      Targets:
      - Arn:
          Ref: RootActivitySNSTopic
        Id: RootActivitySNSTopic
    DependsOn:
    - RootActivitySNSTopic
  RootPolicyDocument:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: RootPolicyDocument
        Version: '2012-10-17'
        Statement:
        - Sid: RootPolicyDocument
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sns:Publish
          Resource:
          - Ref: RootActivitySNSTopic
      Topics:
      - Ref: RootActivitySNSTopic
Outputs:
  EventsRule:
    Value:
      Ref: EventsRule
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-RootAPIMonitorEventsRule"
    Description: Event Rule ID.

2.    Open the CloudFormation console, and then choose Create stack.

3.    Choose Upload a template to Amazon S3, choose Browse, and then choose the template you saved in step 1.

4.    Choose Next.

5.    For Stack name, enter a name that is meaningful to you, such as Root-AWS-Console-Sign-In-CloudTrail.

6.    For Email address, enter your email address, and then choose Next.

Note: AWS sends a confirmation email to this email address.

7.    In Options, choose Next, and then choose Create.

8.    Check your email inbox for the AWS confirmation email, and then choose Confirm subscription to confirm the SNS subscription. You receive a Subscription confirmed! message.

9.    To test the notification, sign out of the AWS Management Console. Then sign in to the AWS Management Console with your AWS root user account.

10.   Check your email inbox for the AWS notification message. Note the CloudTrail record fields userIdentity, sourceIPAddress, and MFAUsed, which contain the details of the sign-in event.

To stop receiving notifications, delete the CloudFormation stack you created in step 2.
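To see why the template's EventPattern fires for a root sign-in but not for an IAM user, here is an added example (not part of the AWS article) that applies the same pattern to two constructed sign-in events and extracts the fields step 10 tells you to note; the sample account ID and IP address are placeholders, and the matcher implements only the subset of CloudWatch Events matching this pattern needs.

```python
# Added example (not from the AWS article): applies the article's CloudWatch
# Events pattern to constructed sign-in events and pulls out the step-10 fields.
import copy

# The same pattern as the template's EventsRule EventPattern, as a dict.
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches(pattern, event):
    """Subset of CloudWatch Events matching this pattern needs: every pattern
    key must exist in the event; a list means "event value is one of these";
    a dict means "recurse into the nested object"."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize(event):
    """Details a responder should record from a matching event."""
    d = event["detail"]
    return {
        "userType": d["userIdentity"]["type"],
        "sourceIPAddress": d.get("sourceIPAddress"),
        "mfaUsed": d.get("additionalEventData", {}).get("MFAUsed"),
        "result": d.get("responseElements", {}).get("ConsoleLogin"),
    }


# Constructed sample events in the shape CloudWatch Events delivers them
# (not real CloudTrail records; account ID and IP address are placeholders).
ROOT_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
}
IAM_EVENT = copy.deepcopy(ROOT_EVENT)
IAM_EVENT["detail"]["userIdentity"] = {"type": "IAMUser", "userName": "alice"}
```

A sign-in with MFAUsed set to No on the root user is the case worth escalating, since root should normally have MFA enabled and be used rarely.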