How can I get notified when IAM changes are made to my AWS account?

Last updated: 2022-08-24

I created an Amazon EventBridge rule to notify me when changes are made to AWS Identity and Access Management (IAM) identities or API calls. However, the event rule isn't initiating when changes are made to IAM.

Short description

Create an EventBridge rule with an event pattern that matches a specific IAM API call or multiple IAM API calls. Then, associate the rule with an Amazon Simple Notification Service (Amazon SNS) topic. When the rule runs, an SNS notification is sent to the corresponding subscriptions.

Resolution

If you haven't already created an Amazon SNS topic, then follow the instructions for getting started with Amazon SNS.

Important:

  • IAM is a global service. CloudTrail records IAM API calls, and EventBridge receives them, only in the US East (N. Virginia) Region (us-east-1), so the EventBridge rule must be created in that Region. A rule in any other Region never matches IAM events.
  • This resolution uses AWS CloudTrail. For CloudTrail to send API calls to EventBridge, a trail that logs the same Region as the EventBridge rule must exist (a multi-Region trail satisfies this). Make sure that the trail's management events are configured as Write-only or All, because CreateUser, DeleteUser and the other IAM change operations are Write events and a Read-only trail never delivers them. For more information, see Read-only and write-only events.

The following example custom event pattern starts a notification when CreateUser and DeleteUser API calls are made in your account.

1.    Open the EventBridge console in the US East (N. Virginia) Region.

2.    In the navigation pane, choose Rules, and then select Create rule.

3.    Enter a Name and Description for the rule.

4.    For Event bus, select the default AWS event bus. When IAM emits an event, it always goes to your account’s default event bus.

5.    For Rule type, choose Rule with an event pattern, and then select Next.

6.    For Event source, choose AWS events or EventBridge partner events.

7.    Under Event pattern, do the following:

        In the Event source dropdown list, choose AWS services.

        In the AWS service dropdown list, choose IAM.

        In the Event type dropdown list, choose AWS API Call via CloudTrail.

        To start the rule for specific API calls, choose Specific operation(s).

        In the text box, enter the name of an API call that you want to receive a notification for. For example, CreateUser.

        To add more API calls, select Add.

8.    Choose Edit pattern below the Event pattern preview box.

9.    Copy and paste the following example pattern into the event pattern preview pane, and then choose Save. This is the pattern that the selections in the previous step produce; eventName values are exact, case-sensitive matches against the CloudTrail event, so an entry such as createuser never matches.

{
  "source": [
    "aws.iam"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "iam.amazonaws.com"
    ],
    "eventName": [
      "CreateUser",
      "DeleteUser"
    ]
  }
}

10.    Select Next.

11.    For Target types, choose AWS service.

12.    For Select a target, choose SNS topic.

13.    In the Topic dropdown list, choose your SNS topic.

        (Optional) Choose Add another target to add another target for this rule.

14.    Select Next.

        (Optional) Enter one or more tags for the rule. For more information, see Amazon EventBridge tags.

15.    Select Next.

16.    Review the details of the rule, and then select Create rule.
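The same rule and target can be created from the AWS CLI. The following script is an added example, not part of the original article or an AWS-provided tool. It assumes AWS CLI v2 with credentials that can manage EventBridge and SNS and read CloudTrail; the rule name and topic name are placeholders. It also does two things the console hides: it attaches the SNS access policy that lets EventBridge publish to the topic (the console adds this automatically, the CLI does not), and it prints the trail's management-event setting so that the two "Important" preconditions above can be checked before you wait for a notification that never arrives.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the IAM change-notification
# rule built with the AWS CLI instead of the console. Assumptions: AWS CLI v2,
# credentials able to manage EventBridge/SNS and read CloudTrail, placeholder
# rule and topic names. Without --apply only the helper functions are defined.
set -eu

REGION="us-east-1"                            # IAM API calls are delivered here only
RULE_NAME="${RULE_NAME:-iam-user-changes}"    # assumed name
TOPIC_NAME="${TOPIC_NAME:-iam-change-alerts}" # assumed name

# Build the event pattern for one or more IAM API names. Matching in
# EventBridge is exact and case-sensitive, so pass names as CloudTrail logs them.
# Usage: build_pattern CreateUser DeleteUser
build_pattern() {
  local names="" n
  for n in "$@"; do
    names="${names:+$names,}\"$n\""
  done
  printf '{"source":["aws.iam"],"detail-type":["AWS API Call via CloudTrail"],"detail":{"eventSource":["iam.amazonaws.com"],"eventName":[%s]}}' "$names"
}

# SNS access policy that lets EventBridge publish, scoped to this one rule by
# aws:SourceArn. The console adds an equivalent statement when you pick an SNS
# target; with the CLI you must add it yourself, otherwise the rule matches but
# no message is delivered. Note: set-topic-attributes replaces the whole policy,
# so merge this statement into the existing policy on a topic you already use.
# Usage: topic_policy <topic-arn> <rule-arn>
topic_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"AllowEventBridgePublish","Effect":"Allow","Principal":{"Service":"events.amazonaws.com"},"Action":"sns:Publish","Resource":"%s","Condition":{"ArnEquals":{"aws:SourceArn":"%s"}}}]}' "$1" "$2"
}

# Check the two preconditions: a trail that covers us-east-1, and management
# events recorded as WriteOnly or All. Trails that use advanced event selectors
# return no basic selectors and print an empty value here.
check_cloudtrail() {
  local trails t
  trails=$(aws cloudtrail describe-trails --region "$REGION" \
             --query 'trailList[].TrailARN' --output text)
  [ -n "$trails" ] || { echo "no CloudTrail trail covers $REGION" >&2; return 1; }
  for t in $trails; do
    echo "trail $t management events: $(aws cloudtrail get-event-selectors \
         --region "$REGION" --trail-name "$t" \
         --query 'EventSelectors[].ReadWriteType' --output text)"
  done
}

# Create topic, rule, topic policy and target, in that order (the rule ARN is
# needed for the policy condition, the topic ARN for the target).
create_rule() {
  local topic_arn rule_arn
  topic_arn=$(aws sns create-topic --region "$REGION" --name "$TOPIC_NAME" \
                --query TopicArn --output text)
  rule_arn=$(aws events put-rule --region "$REGION" --name "$RULE_NAME" \
               --event-pattern "$(build_pattern CreateUser DeleteUser)" \
               --query RuleArn --output text)
  aws sns set-topic-attributes --region "$REGION" --topic-arn "$topic_arn" \
      --attribute-name Policy --attribute-value "$(topic_policy "$topic_arn" "$rule_arn")"
  aws events put-targets --region "$REGION" --rule "$RULE_NAME" \
      --targets "Id=sns-notify,Arn=$topic_arn"
  echo "rule $rule_arn -> $topic_arn"
}

if [ "${1:-}" = "--apply" ]; then
  check_cloudtrail
  create_rule
fi
```

Run it as `bash create-iam-alert.sh --apply` from a shell with us-east-1 credentials; if check_cloudtrail reports no trail, or a trail whose management events are ReadOnly, fix the trail first, because the rule cannot fire until CloudTrail delivers the Write events to EventBridge.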