How do I set up notifications to see when a specific credential or access key is being used?

There are no predefined rules to track and send notifications about the use of IAM credentials. However, by using a combination of AWS CloudTrail and Amazon CloudWatch Events with a custom rule, you can send a notification to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon Simple Queue Service (Amazon SQS) queue.

Start by making sure you have set up the necessary prerequisites for CloudWatch Events and have CloudTrail enabled before creating a custom CloudWatch Events rule.

  1. Open the AWS CloudWatch Console, and then from the left navigation pane, choose Rules.
  2. Choose Create rule.
  3. Under Event selector, select your Event Source options, and choose Edit to edit the JSON version.
  4. For Targets, choose Add Target, and choose the AWS service you want to respond to the event, such as an SNS topic or SQS queue.

Note: Setting up CloudWatch Logs is optional.

CloudWatch Events and rules are represented as JSON objects. A rule applies simple match-or-no-match logic to each event: every field named in the rule's event pattern must be present in the event with one of the listed values, and fields the pattern does not name are ignored. Based on the structure of the events, you can build custom patterns for the specific criteria you want to match. For example, to track a single access key, you can use this template:

{
    "detail": {
        "userIdentity": {
            "accessKeyId": [
                "AKIAIOSFODNN7EXAMPLE"
            ]
        }
    }
}

This can be adapted to match any field or combination of fields, and it can track notifications for a range of criteria, such as access keys, login types, and specific user identities. It's also a security best practice to remove unused IAM credentials from your account. See Finding Unused Credentials for more information.
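The following is an added example, not code from the AWS article: a small Python matcher that applies the basic rule semantics described above (pattern keys are AND-ed, nested objects are matched recursively, a leaf list is an OR of acceptable values, and a field missing from the event means no match) to constructed CloudTrail events. It uses the article's single-key pattern and adds a second pattern that combines the access key with an event name and source, which is this example's own filter rather than one the article gives. The access key ID is AWS's documented placeholder, and the event bodies are constructed samples trimmed to the fields the patterns inspect. The JSON printed by `main()` is what you would paste into the rule's event pattern editor in step 3.

```python
import json
from typing import Any, Dict, List

# Pattern from the article: fire on every CloudTrail event made with this key.
# AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder, not a live credential.
SINGLE_KEY_PATTERN: Dict[str, Any] = {
    "detail": {
        "userIdentity": {
            "accessKeyId": ["AKIAIOSFODNN7EXAMPLE"]
        }
    }
}

# Added variant (this example's, not the article's): same key, but only for a
# chosen set of API calls and event sources. "source" and "eventName" are real
# CloudTrail-via-CloudWatch-Events fields; the selected values are illustrative.
KEY_AND_ACTION_PATTERN: Dict[str, Any] = {
    "source": ["aws.iam", "aws.s3"],
    "detail": {
        "userIdentity": {"accessKeyId": ["AKIAIOSFODNN7EXAMPLE"]},
        "eventName": ["DeleteBucket", "CreateAccessKey"],
    },
}


def matches(pattern: Any, event: Any) -> bool:
    """Basic CloudWatch Events rule semantics.

    - dict in the pattern: every key must exist in the event and match (AND);
      keys present in the event but absent from the pattern are ignored.
    - list in the pattern: the event's value must equal one of the literals (OR).
    """
    if isinstance(pattern, dict):
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key])
                   for key, sub in pattern.items())
    if isinstance(pattern, list):
        return event in pattern
    raise ValueError("pattern leaves must be lists of literal values")


def constructed_event(access_key: str, event_name: str, source: str) -> Dict[str, Any]:
    """Constructed sample of the envelope CloudWatch Events delivers for a
    CloudTrail API call, trimmed to the fields the patterns above look at."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "detail": {
            "eventSource": source.replace("aws.", "") + ".amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": access_key},
        },
    }


def triggered_rules(event: Dict[str, Any]) -> List[str]:
    """Names of the rules whose pattern the event satisfies, in rule order."""
    rules = {
        "single-key": SINGLE_KEY_PATTERN,
        "key-and-action": KEY_AND_ACTION_PATTERN,
    }
    return [name for name, pattern in rules.items() if matches(pattern, event)]


def main() -> None:
    # The exact text to paste into the rule's JSON event pattern editor.
    print(json.dumps(SINGLE_KEY_PATTERN, indent=4))
    samples = [
        constructed_event("AKIAIOSFODNN7EXAMPLE", "DeleteBucket", "aws.s3"),
        constructed_event("AKIAIOSFODNN7EXAMPLE", "ListBuckets", "aws.s3"),
        constructed_event("AKIAI44QH8DHBEXAMPLE", "DeleteBucket", "aws.s3"),
        # An event whose userIdentity carries no accessKeyId at all matches nothing.
        {"source": "aws.signin", "detail": {"eventName": "ConsoleLogin",
                                            "userIdentity": {"type": "Root"}}},
    ]
    for sample in samples:
        print(sample["detail"]["eventName"], "->", triggered_rules(sample))


if __name__ == "__main__":
    main()
```

The last sample illustrates a caveat worth remembering when you rely on this pattern: an event whose userIdentity block has no accessKeyId field does not match an accessKeyId pattern, so activity that never presents the key (for example a console session) needs its own pattern on the fields it does carry.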


Published: 2016-09-02

Updated: 2017-11-13