How do I monitor changes to security groups set up on my EC2 Linux instance using EventBridge and Amazon SNS?

Last updated: 2022-01-06

I have a security group set up for my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance. How can I use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to monitor changes to my security groups?

Short description

Create an EventBridge rule that triggers when an API call is made to modify your security groups. Then, configure an Amazon SNS notification for events that match your rule.

Resolution

Create and subscribe to an Amazon SNS topic

1.    Open the Amazon SNS console.

2.    On the SNS dashboard, select Topics, and then choose Create Topic.

3.    Enter a name for the topic (for example, my-topic).

4.    Choose Create topic.

5.    Note the topic's Amazon Resource Name (ARN) (for example, arn:aws:sns:us-east-1:123123123123:my-topic).

6.    Choose Create subscription.

7.    For Topic ARN, enter the ARN that you made a note of in step 5.

8.    For Protocol, choose Email.

9.    For Endpoint, enter an email address to receive the notifications, and then choose Create subscription.

You'll receive an email confirming the subscription. After you confirm the subscription, the email address receives a notification each time a message is published to the SNS topic.

Create an EventBridge rule that triggers on an event using the EventBridge console

1.    Open the EventBridge console.

2.    Select Create rule.

3.    Enter a Name for your rule. You can optionally enter a Description.

4.    In Define pattern, select Event pattern.

5.    Select Pre-defined pattern by service.

6.    For Service provider, choose AWS.

7.    For Service name, choose EC2.

8.    For Event Type, choose AWS API Call via CloudTrail.

9.    Choose Specific Operation, and then copy and paste the following API calls into the text box one at a time. Select Add after each addition. These API calls are used to add or remove security group rules.

AuthorizeSecurityGroupIngress
AuthorizeSecurityGroupEgress
RevokeSecurityGroupIngress
RevokeSecurityGroupEgress

These settings create the following event pattern:

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress"
    ]
  }
}

10.    In Select targets, choose SNS topic from the Target dropdown list.

11.    For Topic, enter the topic that you previously created.

Note: By default, Matched event is selected under Configure input. Matched event passes the entire JSON output of the event to the SNS topic. If you don't want to pass the entire JSON output, select Input transformer to filter the event information. Use the input transformer to customize text from an event to create an easy-to-read message, rather than sending the entire JSON output to your target. For example, you can use the following key-value pairs for the Input Path.

{"name":"$.detail.requestParameters.groupId","source":"$.detail.eventName","time":"$.time","value":"$.detail"}

In Input Template, enter the text and variables you want to appear in the message:

"A <source> API call was made against the security group <name> on <time> with the below details"
" <value> "

For more information on using the input transformer option, see Tutorial: Use input transformer to customize what EventBridge passes to the event target.

12.    Select Create.
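To check what the rule above matches and what the input transformer produces before relying on the notifications, here is an added Python example (not from the article or from AWS) that reproduces the event pattern, input path and input template shown above and runs a constructed CloudTrail event through a small matcher. The matcher implements only EventBridge's exact-value matching, the dotted JSONPath resolver handles only simple paths, and the sample event fields (account, time, group ID) are constructed.

```python
import json
import re

# Event pattern from step 9 of the article (what the console generates for the four calls).
SG_RULE_PATTERN = {
    "source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"],
    },
}
# Input path and template from the article's input-transformer note.
INPUT_PATH = {"name": "$.detail.requestParameters.groupId", "source": "$.detail.eventName",
              "time": "$.time", "value": "$.detail"}
INPUT_TEMPLATE = ('"A <source> API call was made against the security group <name> on <time> '
                  'with the below details"\n" <value> "')

# Constructed sample of a CloudTrail event as EventBridge delivers it (not a real capture).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "account": "123123123123", "time": "2022-01-06T12:00:00Z", "region": "us-east-1",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
               "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
}

def matches(pattern, event):
    """Exact-match subset of EventBridge semantics: list = 'one of', dict = recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def resolve_path(path, event):
    """Resolve a simple dotted JSONPath such as $.detail.eventName (no wildcards or filters)."""
    node = event
    for part in path.removeprefix("$.").split("."):
        node = node[part]
    return node

def transform(event, input_path=INPUT_PATH, template=INPUT_TEMPLATE):
    """Resolve each input-path entry, then substitute <name> placeholders in the template."""
    values = {k: resolve_path(p, event) for k, p in input_path.items()}
    render = lambda v: json.dumps(v) if isinstance(v, (dict, list)) else str(v)
    return re.sub(r"<(\w+)>", lambda m: render(values[m.group(1)]), template)
```

Calling `transform(SAMPLE_EVENT)` after `matches(SG_RULE_PATTERN, SAMPLE_EVENT)` returns True yields the one-line summary followed by the full detail JSON; the same pattern check can be run against the service itself with `aws events test-event-pattern`.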