How do I create an EventBridge event rule that notifies me when my AWS root user account is used?
Last updated: December 8, 2021
How can I receive a notification when my AWS root user account is used?
Resolution
Launch an AWS CloudFormation stack that creates an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon EventBridge event rule. The rule matches AWS Management Console sign-in events recorded by CloudTrail whose userIdentity type is Root and publishes them to the topic, which emails the address you subscribe.
Important: Before you begin, make sure that your AWS CloudTrail trail logs management events with Read/Write events set to All or Write-only. EventBridge only receives the ConsoleLogin event through CloudTrail, so without this setting the rule never fires. For more information, see Read and write events.
1. Copy and paste the following YAML template into your preferred editor, and then save it.
# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
AWSTemplateFormatVersion: '2010-09-09'
Description: ROOT-AWS-Console-Sign-In-via-CloudTrail
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Amazon SNS parameters
        Parameters:
          - EmailAddress   # must match the logical name declared under Parameters
Parameters:
  EmailAddress:
    Type: String
    AllowedPattern: "^[\\x20-\\x45]?[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-z]{2,})$"
    ConstraintDescription: Email address required.
    Description: Enter an email address you want to subscribe to the Amazon SNS topic
      that will send notifications if your account's AWS root user logs in.
Resources:
  # SNS topic that delivers the alert. The address passed in EmailAddress is
  # subscribed when the stack is created and must be confirmed by email.
  RootActivitySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: ROOT-AWS-Console-Sign-In-via-CloudTrail
      Subscription:
        - Endpoint:
            Ref: EmailAddress
          Protocol: email
      TopicName: ROOT-AWS-Console-Sign-In-via-CloudTrail
  # EventBridge rule: matches CloudTrail console sign-in events whose caller
  # identity type is Root (successful and failed sign-ins alike) and forwards
  # them to the topic.
  EventsRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Events rule for monitoring root AWS Console Sign In activity
      EventPattern:
        detail-type:
          - AWS Console Sign In via CloudTrail
        detail:
          userIdentity:
            type:
              - Root
      Name:
        Fn::Sub: "${AWS::StackName}-RootActivityRule"
      State: ENABLED
      Targets:
        - Arn:
            Ref: RootActivitySNSTopic   # Ref on an SNS topic returns its ARN
          Id: RootActivitySNSTopic
    DependsOn:
      - RootActivitySNSTopic
  # Resource policy that allows the EventBridge service principal to publish
  # to the topic. For a tighter policy, add a Condition on aws:SourceArn
  # (the rule ARN) or aws:SourceAccount so that only this account's rules
  # can publish.
  RootPolicyDocument:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: RootPolicyDocument
        Version: '2012-10-17'
        Statement:
          - Sid: RootPolicyDocument
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource:
              - Ref: RootActivitySNSTopic
      Topics:
        - Ref: RootActivitySNSTopic
Outputs:
  EventsRule:
    Value:
      Ref: EventsRule
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-RootAPIMonitorEventsRule"
    Description: Event Rule ID.
2. Open the CloudFormation console in the US East (N. Virginia) Region.
Note: The stack must be created in US East (N. Virginia) (us-east-1). CloudTrail records AWS Management Console sign-in events made through the global console endpoint in that Region, so that is where EventBridge receives them.
3. Choose Create stack, and then choose With new resources (standard).
4. Under Specify template, choose Upload a template file, and then choose Choose file.
5. Select the template that you saved in step 1, and then choose Next.
6. For Stack name, enter a name that is meaningful to you, such as Root-AWS-Console-Sign-In-CloudTrail.
7. For EmailAddress, enter the email address that should receive the notifications, and then choose Next.
Note: AWS sends a subscription confirmation email to this address.
8. On the stack options page, choose Next, and then choose Create stack.
9. Check your inbox for the AWS Notification subscription confirmation email, and then choose Confirm subscription. You receive a "Subscription confirmed!" message. No notifications are delivered until the subscription is confirmed.
10. To test the notification, sign out of the AWS Management Console, and then sign in to the AWS Management Console as the AWS root user.
11. Check your inbox for the AWS Notification message. Its body is the CloudTrail record of the sign-in: note the userIdentity, sourceIPAddress and MFAUsed fields (MFAUsed is under additionalEventData), and responseElements.ConsoleLogin, which shows whether the sign-in succeeded. Because the rule checks only the identity type, failed root sign-in attempts also produce a notification.
To stop receiving notifications, delete the CloudFormation stack that you created in steps 2 through 9.
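The following is an added example, not code from the AWS page: it re-implements the subset of EventBridge event-pattern semantics that the template's rule relies on (exact-match lists and nested objects), runs the template's pattern over constructed CloudTrail events, and extracts the fields step 11 tells you to read. It also goes one step beyond the page with an extended pattern that alerts on any API call made with root credentials (CLI or SDK use of root access keys), not only console sign-ins; that extension is an assumption of this example, not part of the template. The sample events are constructed to mirror the CloudTrail ConsoleLogin and API-call record layout; the account ID, ARNs, IP addresses and key IDs are placeholders.

```python
"""Added example (not the AWS page's code): EventBridge pattern matching over
constructed CloudTrail events, plus extraction of the fields from step 11."""
import json

# Pattern copied from the template's EventsRule: console sign-ins by root only.
CONSOLE_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}
# Extension (assumption, not in the template): also alert on any API call made
# with root credentials, for example CLI or SDK use of root access keys.
ANY_ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail",
                    "AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches(pattern, event):
    """EventBridge semantics used here: every pattern key must be present in the
    event; a list leaf means "event value equals one of these"; a dict recurses."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def summarize(event):
    """The fields step 11 of the procedure tells you to read from the record."""
    d = event["detail"]
    return {
        "eventName": d.get("eventName"),
        "identityType": d["userIdentity"]["type"],
        "sourceIPAddress": d.get("sourceIPAddress"),
        "MFAUsed": (d.get("additionalEventData") or {}).get("MFAUsed"),
        "outcome": (d.get("responseElements") or {}).get("ConsoleLogin"),
    }


def alerts(pattern, events):
    """Summaries of the events the rule would forward to the SNS topic."""
    return [summarize(e) for e in events if matches(pattern, e)]


# --- constructed sample events: EventBridge envelope around a CloudTrail record ---
ACCOUNT = "111122223333"  # placeholder account ID


def _event(detail_type, source, detail):
    return {"version": "0", "id": "00000000-0000-0000-0000-000000000000",
            "detail-type": detail_type, "source": source, "account": ACCOUNT,
            "time": "2021-12-08T12:00:00Z", "region": "us-east-1",
            "resources": [], "detail": detail}


def _console_login(identity, outcome, mfa):
    return _event("AWS Console Sign In via CloudTrail", "aws.signin", {
        "eventVersion": "1.08", "userIdentity": identity,
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "requestParameters": None, "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": mfa},
        "eventType": "AwsConsoleSignIn"})


ROOT_ID = {"type": "Root", "principalId": ACCOUNT, "accountId": ACCOUNT,
           "arn": f"arn:aws:iam::{ACCOUNT}:root"}
IAM_USER_ID = {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": ACCOUNT,
               "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "userName": "alice"}

ROOT_CONSOLE_LOGIN = _console_login(ROOT_ID, "Success", "Yes")
ROOT_CONSOLE_LOGIN_FAILED = _console_login(ROOT_ID, "Failure", "No")  # bad password
IAM_USER_CONSOLE_LOGIN = _console_login(IAM_USER_ID, "Success", "Yes")
ROOT_API_CALL = _event("AWS API Call via CloudTrail", "aws.s3", {
    "eventVersion": "1.08", "userIdentity": dict(ROOT_ID, accessKeyId="AKIAEXAMPLE"),
    "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
    "requestParameters": None, "responseElements": None, "eventType": "AwsApiCall"})
SAMPLE_EVENTS = [ROOT_CONSOLE_LOGIN, ROOT_CONSOLE_LOGIN_FAILED,
                 IAM_USER_CONSOLE_LOGIN, ROOT_API_CALL]

if __name__ == "__main__":
    for name, pat in [("template rule (console sign-in)", CONSOLE_SIGNIN_PATTERN),
                      ("extended rule (any root activity)", ANY_ROOT_ACTIVITY_PATTERN)]:
        print(name)
        for s in alerts(pat, SAMPLE_EVENTS):
            print("  " + json.dumps(s))
```

Run as a script it shows that the template's pattern forwards both the successful and the failed root sign-in but neither the IAM user sign-in nor the root API call, while the extended pattern also catches the API call. If you want the broader coverage in the stack, replace the rule's detail-type list with both values, as in ANY_ROOT_ACTIVITY_PATTERN; API-call events are delivered in the Region where the call was made, so a rule for them belongs in every Region you use.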