How do I monitor changes to security groups set up on my EC2 Linux instance using CloudWatch Events and Amazon SNS?

Last updated: 2020-05-12

I have a security group set up for my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance. How can I use Amazon CloudWatch Events and Amazon Simple Notification Service (Amazon SNS) to monitor changes to my security groups?

Short Description

Create a CloudWatch Events rule to trigger when an API call is made to modify your security groups. Then, configure an Amazon SNS notification for events that match your rule.

Resolution

Create and subscribe to an Amazon SNS topic

1.    Open the Amazon SNS console.

2.    On the SNS dashboard, select Topics, and then choose Create Topic.

3.    Enter a name for the topic (for example, my-topic).

4.    Choose Create topic.

5.    Make a note of the topic's Amazon Resource Name (ARN) (for example, arn:aws:sns:us-east-1:123123123123:my-topic).

6.    Choose Create subscription.

7.    For Topic ARN, enter the ARN that you made a note of in step 5.

8.    For Protocol, choose Email.

9.    For Endpoint, enter an email address to receive the notifications, and then choose Create subscription.

You'll receive an email confirming the subscription. After you confirm the subscription, the email address receives notifications when the SNS topic is triggered.

Create a CloudWatch Events rule that triggers on an event using the CloudWatch console

1.    Open the CloudWatch console.

2.    In the navigation pane, choose Rules under Events, and then choose Create rule.

3.    Select Event Pattern.

4.    For Service Name, choose EC2.

5.    For Event Type, choose AWS API Call via CloudTrail.

6.    Choose Specific Operation and provide the following API calls, which are the calls used to add or remove security group rules:

      AuthorizeSecurityGroupIngress
      AuthorizeSecurityGroupEgress
      RevokeSecurityGroupIngress
      RevokeSecurityGroupEgress

These settings create the following event pattern.

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress"
    ]
  }
}

7.    Choose Add target.

8.    In the list of targets, choose SNS topic.

9.    For Topic, enter the topic that you created.

Note: By default, Matched event is selected under Configure input. Matched event passes the entire JSON output of the event to the SNS topic. If you don't want to pass the entire JSON output, select Input Transformer to filter the event information. The input transformer lets you build an easy-to-read message from selected fields of the event instead of sending the entire JSON output to your target. For example, you can use the following key-value pairs for the Input Path.

{
  "name": "$.detail.requestParameters.groupId",
  "source": "$.detail.eventName",
  "time": "$.time",
  "value": "$.detail"
}

In Input Template, enter the text and variables you want to appear in the message:

"A <source> API call was made against the security group <name> on <time> with the below details"
" <value> "

For more information on using the input transformer option, see Tutorial: Use Input Transformer to Customize What is Passed to the Event Target.
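To see what the rule and the input transformer above would actually send to the SNS topic, the following added Python example (not from this article or from AWS) approximates CloudWatch Events pattern matching and the Input Path / Input Template substitution against a constructed CloudTrail event; the time and security group ID in the sample are made up, and the matching and path resolution are simplified to what the article's pattern needs.

```python
import json
from functools import reduce
# Event pattern from the article; every key listed must match the event.
EVENT_PATTERN = {
    "source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"],
    },
}
# Input Path and Input Template from the article.
INPUT_PATH = {"name": "$.detail.requestParameters.groupId", "source": "$.detail.eventName",
              "time": "$.time", "value": "$.detail"}
INPUT_TEMPLATE = ('"A <source> API call was made against the security group <name> '
                  'on <time> with the below details"\n" <value> "')
# Constructed sample CloudTrail event (time and group ID are made up).
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "time": "2020-05-12T10:15:00Z",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22}]}},
    },
}

def matches(pattern, event):
    """Simplified matching: list = any exact value, dict recurses, missing key fails."""
    for key, expected in pattern.items():
        if isinstance(expected, dict):
            if not isinstance(event.get(key), dict) or not matches(expected, event[key]):
                return False
        elif event.get(key) not in expected:
            return False
    return True

def resolve_path(event, path):
    """Resolve a simple '$.a.b' Input Path expression against the event."""
    return reduce(lambda node, key: node[key], path[2:].split("."), event)

def render(event):
    """Return the notification text, or None when the rule would not fire."""
    if not matches(EVENT_PATTERN, event):
        return None
    text = INPUT_TEMPLATE
    for name, path in INPUT_PATH.items():  # object values are inserted as JSON
        value = resolve_path(event, path)
        text = text.replace(f"<{name}>", value if isinstance(value, str) else json.dumps(value))
    return text
```

Running render(SAMPLE_EVENT) yields the one-line summary followed by the full detail object as JSON, while a DescribeSecurityGroups event returns None because the rule never fires for it.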

11.    Choose Configure details.

12.    On the Configure rule details page, enter a name and an optional description. For State, leave the Enabled box selected.

13.    Choose Create rule.