How can I set up alerts to see when an IAM access key is used?

Last updated: 2022-01-13

How do I set up notifications to see when a specific AWS Identity and Access Management (IAM) credential or access key is used?

Resolution

There are no predefined rules to track and send notifications about the use of IAM credentials. However, by using a combination of AWS CloudTrail and Amazon EventBridge with a custom rule, you can send a notification to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon Simple Queue Service (Amazon SQS) queue.

EventBridge rules are represented as JSON objects. A rule applies simple match-or-no-match logic to each event. Based on the structure of the events, you can build custom patterns for the specific criteria that you want to match.

The following example rule tracks a single access key in the same Region where the rule is configured.

Important:

1.    Open the EventBridge console, and then choose Rules.

2.    Choose Create rule.

3.    Enter a Name for the rule. You can optionally enter a Description.

4.    For Define Pattern, choose Event Pattern.

5.    For Event matching pattern, choose Custom pattern.

6.    For Event pattern, select Edit, enter a JSON template similar to the following, and then select Save.

Note: This template can be modified to track notifications for a range of criteria, such as access keys, login types, or specific identities.

{
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "userIdentity": {
            "accessKeyId": [
                "AKIAIOSFODNN7EXAMPLE"
            ]
        }
    }
}

7.    For Select targets, choose the AWS service that you want to respond to the event, such as an SNS topic name or SQS queue name.

8.    Select Create.
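To see how the pattern from step 6 selects events, and how the note's variants (for example a console login by a specific identity) differ, the following is an added example that is not part of this article: a small Python model of EventBridge exact-match semantics run over constructed CloudTrail events. The account id, user name and event ids are hypothetical.

```python
# Added example: minimal model of EventBridge rule-pattern matching.
# The pattern from the article: API calls signed with one specific access key.
ACCESS_KEY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"accessKeyId": ["AKIAIOSFODNN7EXAMPLE"]}},
}

# A variant of the kind the note describes: console logins by one named
# IAM user (hypothetical account id and user name).
CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"arn": ["arn:aws:iam::123456789012:user/alice"]},
    },
}


def matches(pattern, event):
    """EventBridge exact-match semantics reduced to what these rules use:
    every pattern key must exist in the event, a list of values is satisfied
    when the event value equals any of them, and a nested object is matched
    recursively. Event fields the pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def matching_event_ids(pattern, events):
    """Return the ids of the events a rule with this pattern would forward."""
    return [e["id"] for e in events if matches(pattern, e)]


# Constructed events in the envelope EventBridge uses for CloudTrail records.
SAMPLE_EVENTS = [
    {"id": "e1", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "ListBuckets",
                "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}},
    {"id": "e2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "ListBuckets",
                "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}},
    {"id": "e3", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}},
]
```

Only e1 is forwarded by the access-key rule and only e3 by the console-login rule; an event that lacks a field named in the pattern (such as `userIdentity.accessKeyId` on a console sign-in) never matches.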
