How can I set up alerts to see when an IAM access key is used?

Last updated: 2019-10-21

How do I set up notifications to see when a specific AWS Identity and Access Management (IAM) credential or access key is used?

Resolution

There are no predefined rules to track and send notifications about the use of IAM credentials. However, by using a combination of AWS CloudTrail and Amazon CloudWatch Events with a custom rule, you can send a notification to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon Simple Queue Service (Amazon SQS) queue.

CloudWatch Events rules, and the events they evaluate, are represented as JSON objects. A rule's event pattern either matches an event or it does not; there is no partial match. Because the structure of each event type is fixed, you can build a custom pattern for exactly the criteria that you want to match.

The following example rule tracks a single access key:

Note: You must have a trail enabled in the Region for CloudWatch Events to receive CloudTrail events and send notifications to an SNS topic or SQS queue. Your trail's management events must be configured as Write-only or All. A Write-only trail does not record read-only calls (for example, DescribeInstances), so a rule on that trail will never see them; to be notified of any use of the key, including read-only calls, configure the trail for All. For more information, see Read-only and Write-only Events.

1.    Open the CloudWatch console, and then choose Rules.

2.    Choose Create rule.

3.    For Targets, choose Add Target, and choose the AWS service you want to respond to the event, such as an SNS topic or SQS queue.

4.    For Event Source, choose Event Pattern.

5.    For Event Pattern Preview, choose Edit to edit the JSON version.

6.    Enter a template similar to the following, and then choose Save.

Note: You can modify this template to match a range of criteria, such as several access keys, console sign-ins, or a specific user identity. Fields that appear in the same object are combined with AND; the values listed for a single field are combined with OR.

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "userIdentity": {
      "accessKeyId": [
        "AKIAIOSFODNN7EXAMPLE"
      ]
    }
  }
}

7.    Choose Configure details.

8.    For Name, enter a name for the rule, and then choose Create rule.
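The following is an added Python example, not code from the original article or from AWS: a small matcher that implements the subset of CloudWatch Events pattern semantics the template above relies on (fields in one object are ANDed, the values listed for a field are ORed, extra event fields are ignored), run against constructed CloudTrail-shaped events. It also models the trail's Write-only versus All setting from the note above, so you can see why a read-only call made with the key is missed on a Write-only trail. The access key IDs are AWS documentation placeholders; the account ID, user names, event names and the helper names (matches, cloudtrail_event, trail_delivers, find_matches) are assumptions made for this example.

```python
# Constructed patterns and events for illustration; not from the original article.

SINGLE_KEY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"accessKeyId": ["AKIAIOSFODNN7EXAMPLE"]}},
}

# Values in one list are ORed: either key matches.
TWO_KEYS_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"accessKeyId": ["AKIAIOSFODNN7EXAMPLE",
                                                 "AKIAI44QH8DHBEXAMPLE"]}},
}

# Console sign-ins arrive as a different detail-type and carry no access key,
# so they need their own pattern keyed on eventName and userName.
CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"],
               "userIdentity": {"userName": ["alice"]}},
}


def matches(pattern, event):
    """Return True if event satisfies pattern.

    Every key in the pattern must exist in the event. A nested object recurses
    (AND across its fields); a list of literals matches when the event value
    equals any element (OR). Event fields not named in the pattern are ignored.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError("pattern leaves must be lists of literals")
    return True


def cloudtrail_event(event_name, access_key_id, user_name, read_only):
    """Build a CloudWatch event in the shape CloudTrail delivers for an API call."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.ec2",
        "account": "123456789012",          # constructed account ID
        "region": "us-east-1",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": event_name,
            "readOnly": read_only,
            "userIdentity": {"type": "IAMUser",
                             "userName": user_name,
                             "accessKeyId": access_key_id},
        },
    }


SAMPLE_EVENTS = [
    cloudtrail_event("DescribeInstances", "AKIAIOSFODNN7EXAMPLE", "alice", True),
    cloudtrail_event("RunInstances", "AKIAI44QH8DHBEXAMPLE", "bob", False),
    cloudtrail_event("TerminateInstances", "AKIAIOSFODNN7EXAMPLE", "alice", False),
    {   # constructed console sign-in event; no access key is involved
        "version": "0",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {"eventSource": "signin.amazonaws.com",
                   "eventName": "ConsoleLogin",
                   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    },
]


def trail_delivers(events, read_write_type="All"):
    """Model the trail's management-event setting.

    A Write-only trail never records read-only API calls, so no rule can match
    them, whatever its pattern says. Events without a readOnly field (sign-ins)
    are treated as write events, as CloudTrail records them.
    """
    if read_write_type == "All":
        return list(events)
    if read_write_type == "WriteOnly":
        return [e for e in events if not e["detail"].get("readOnly", False)]
    raise ValueError("read_write_type must be 'All' or 'WriteOnly'")


def find_matches(pattern, events):
    """Return the eventName of every event the rule would send to its target."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print("All trail:      ", find_matches(SINGLE_KEY_PATTERN, trail_delivers(SAMPLE_EVENTS)))
    print("Write-only trail:", find_matches(SINGLE_KEY_PATTERN, trail_delivers(SAMPLE_EVENTS, "WriteOnly")))
    print("Two keys:       ", find_matches(TWO_KEYS_PATTERN, SAMPLE_EVENTS))
    print("Console login:  ", find_matches(CONSOLE_LOGIN_PATTERN, SAMPLE_EVENTS))
```

The single-key pattern matches both calls made with AKIAIOSFODNN7EXAMPLE on an All trail, but only TerminateInstances on a Write-only trail, because DescribeInstances is never recorded. The two-key pattern shows OR within one field; matching on two different fields with OR (a key or a user name) needs two rules, because fields in the same object are ANDed.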