How can I get notified when IAM changes are made to my AWS account?

Last updated: 2022-01-11

I created an Amazon EventBridge rule to notify me when changes are made to AWS Identity and Access Management (IAM) identities or API calls. However, the event rule isn't initiating when changes are made to IAM.

Short description

Create an EventBridge rule with an event pattern that matches a specific IAM API call or multiple IAM API calls. Then, associate the rule with an Amazon Simple Notification Service (Amazon SNS) topic. When the rule runs, an SNS notification is sent to the corresponding subscriptions.

Resolution

If you haven't already created an Amazon SNS topic, then follow the instructions for getting started with Amazon SNS.

Important:

  • The IAM service and the related AWS API calls are available only in the US East (N. Virginia) Region. This means that the EventBridge rule must be in the US East (N. Virginia) Region.
  • This resolution uses CloudTrail. For CloudTrail to send API calls to EventBridge, a trail must exist in the same Region as the EventBridge rule. Make sure that you configured the trail's management events as Write-only or All. For more information, see Read-only and write-only events.

The following example custom event pattern sends a notification when CreateUser or DeleteUser API calls are made in your account.

1. Open the EventBridge console in the US East (N. Virginia) Region.

2. In the navigation pane, choose Rules, and then choose Create rule.

3. In Define pattern, choose Event pattern.

4. In Event pattern matching, choose Pre-defined pattern by service.

5. In the Service Name dropdown list, choose IAM.

6. In the Event Type dropdown list, choose AWS API Call via CloudTrail.

7. To start the rule for specific API calls, choose Specific operation(s).

8. In the text box, enter the name of an IAM operation. For example, CreateUser.

9. To add more operations, choose the + icon.

10. In Event Pattern preview, choose Edit.

11. Copy and paste the following example template into the event pattern preview pane, and then choose Save.

{
    "source": [
        "aws.iam"
    ],
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "iam.amazonaws.com"
        ],
        "eventName": [
            "CreateUser",
            "DeleteUser"
        ]
    }
}

12. In Targets, choose Add target.

13. In Select Target, choose SNS topic.

14. In the Topic dropdown list, choose your SNS topic.

15. Choose Configure details.

16. In Configure rule details, enter a name and description for the rule, and then choose Create rule.
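To check which CloudTrail events the pattern from step 11 would match before you create the rule, the following added example (not part of this article or of any AWS SDK) re-implements EventBridge's exact-value matching in Python and runs it against constructed sample events. The event envelopes, the matches_pattern and build_iam_pattern helpers, and the extra AttachUserPolicy operation are assumptions for illustration; content filters such as "prefix" or "anything-but" are not implemented.

```python
# Event pattern from the article: CreateUser and DeleteUser recorded by CloudTrail
# for IAM. EventBridge semantics: every key in the pattern must be present in the
# event, the event's value must equal one of the listed values, nested objects recurse.
IAM_EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "DeleteUser"],
    },
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """True if `event` satisfies `pattern`. Only exact-value matching is
    implemented; content filters such as "prefix" or "anything-but" are not."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def build_iam_pattern(operations):
    # Same pattern shape as the article's template, for any list of IAM operations.
    return {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": list(operations)},
    }


def cloudtrail_event(event_name, source="aws.iam", event_source="iam.amazonaws.com"):
    """Constructed stand-in for the EventBridge envelope of a CloudTrail event."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",  # IAM events are delivered in US East (N. Virginia)
        "detail": {"eventSource": event_source, "eventName": event_name},
    }


if __name__ == "__main__":
    for name in ("CreateUser", "DeleteUser", "GetUser"):
        print(name, matches_pattern(cloudtrail_event(name), IAM_EVENT_PATTERN))
```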