How can I get notified when IAM changes are made to my AWS account?

Last updated: 2020-04-27

I created an Amazon CloudWatch Events rule to notify me when changes are made to AWS Identity and Access Management (IAM) identities or API calls. However, the event rule isn't triggering when changes are made to IAM.

Short Description

Create a custom event pattern for a CloudWatch Events rule that fires when a specific IAM API call is made. Then, route the rule's output to an Amazon Simple Notification Service (Amazon SNS) topic to receive a notification.

Resolution

If you haven't already created an Amazon SNS topic, follow the instructions for getting started with Amazon SNS.

Important:

  • The CloudWatch Events rule must be in the US East (N. Virginia) Region.
  • You must have an AWS CloudTrail trail enabled in the same Region as the CloudWatch Events rule to send notifications to an SNS topic or Amazon Simple Queue Service (Amazon SQS) queue. Be sure you've configured your trail's management events as Write-only or All. For more information, see Read-only and Write-only Events.

The following example custom event pattern triggers a notification when CreateUser and DeleteUser API calls are made in your account.

1.    Open the CloudWatch console in the US East (N. Virginia) Region.

2.    In the navigation pane, choose Rules, and then choose Create rule.

3.    In the Service Name drop-down menu, choose IAM.

4.    In the Event Type drop-down menu, choose AWS API Call via CloudTrail.

5.    To trigger the rule for specific API calls, choose Specific operation(s).

6.    In the text box, enter the name for an IAM operation. For example, CreateUser.

7.    To add more operations, choose the + icon.

8.    In Event Pattern Preview, choose Edit.

9.    Copy and paste the following example template into the event pattern preview pane, and then choose Save.

{
    "source": [
        "aws.iam"
    ],
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "iam.amazonaws.com"
        ],
        "eventName": [
            "CreateUser",
            "DeleteUser"
        ]
    }
}

10.    In Targets, choose Add target.

11.    In Select Target, choose SNS topic.

12.    In the Topic drop-down menu, choose your SNS topic.

13.    Choose Configure details.

14.    In Configure rule details, enter a name and description for the rule, and then choose Create rule.
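As an added example (not part of the AWS article), the following Python script builds the event pattern shown above, shows which constructed sample CloudTrail events the rule would match and which it would ignore, and creates the rule with its SNS target through boto3. The rule name, topic ARN and the injected CloudWatch Events client are assumptions you supply.

```python
import json

# Constructed sample events as CloudWatch Events delivers CloudTrail calls
# (the API call details sit under "detail"); not real account data.
SAMPLE_EVENTS = [
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"}},
    {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"}},
]

def build_iam_event_pattern(event_names):
    """The article's event pattern, parameterised on the IAM API call names."""
    return {"source": ["aws.iam"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": ["iam.amazonaws.com"],
                       "eventName": list(event_names)}}

def event_matches(pattern, event):
    """Exact matching as the rule applies it: every pattern key must be present
    in the event and the event's value must be one of the listed values; nested
    objects are checked recursively, extra event fields are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not event_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def matching_event_names(pattern, events):
    """Names of the API calls in 'events' that would trigger the rule."""
    return [e["detail"]["eventName"] for e in events if event_matches(pattern, e)]

def create_iam_change_rule(events_client, rule_name, topic_arn, event_names):
    """Create the rule and its SNS target. 'events_client' is a boto3 CloudWatch
    Events client for us-east-1 (IAM's CloudTrail events are delivered there).
    Unlike the console, the API does not grant events.amazonaws.com permission
    to publish to the topic; add that to the topic's access policy yourself."""
    pattern = build_iam_event_pattern(event_names)
    events_client.put_rule(Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED")
    events_client.put_targets(Rule=rule_name, Targets=[{"Id": "sns-topic", "Arn": topic_arn}])
    return pattern
```

Only the CreateUser event matches: ListUsers is a read-only IAM call outside the pattern's eventName list, and the S3 call fails the source check. If the trail records only Read-only management events, even CreateUser never reaches the rule, which is the situation in the original question.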