How do I create an EventBridge event rule to notify me when my AWS root user account has been used?

Last updated: December 8, 2021

How can I receive a notification when the AWS root user account is used?

Resolution

Launch an AWS CloudFormation stack to create an Amazon Simple Notification Service (Amazon SNS) topic. Then, create an Amazon EventBridge event rule that monitors userIdentity root sign-ins from the AWS Management Console.

Important: Before you begin, make sure that your AWS CloudTrail management read/write events are set to All or Write-only so that EventBridge events trigger the sign-in notifications. For more information, see Read and write events.

1.    Copy and paste this YAML template into your favorite editor tool, and then save it.

# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: '2010-09-09'
Description: ROOT-AWS-Console-Sign-In-via-CloudTrail
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Amazon SNS parameters
      Parameters:
      - EmailAddress  # must match the parameter's logical ID below, not its display label
Parameters:
  EmailAddress:
    Type: String
    AllowedPattern: "^[\\x20-\\x45]?[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-z]{2,})$"
    ConstraintDescription: Email address required.
    Description: Enter an email address you want to subscribe to the Amazon SNS topic
      that will send notifications if your account's AWS root user logs in.
Resources:
  RootActivitySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: ROOT-AWS-Console-Sign-In-via-CloudTrail
      Subscription:
      - Endpoint:
          Ref: EmailAddress
        Protocol: email
      TopicName: ROOT-AWS-Console-Sign-In-via-CloudTrail
  EventsRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Events rule for monitoring root AWS Console Sign In activity
      EventPattern:
        detail-type:
        - AWS Console Sign In via CloudTrail
        detail:
          userIdentity:
            type:
            - Root
      Name:
        Fn::Sub: "${AWS::StackName}-RootActivityRule"
      State: ENABLED
      Targets:
      - Arn:
          Ref: RootActivitySNSTopic
        Id: RootActivitySNSTopic
    DependsOn:
    - RootActivitySNSTopic
  RootPolicyDocument:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: RootPolicyDocument
        Version: '2012-10-17'
        Statement:
        - Sid: RootPolicyDocument
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sns:Publish
          Resource:
          - Ref: RootActivitySNSTopic
      Topics:
      - Ref: RootActivitySNSTopic
Outputs:
  EventsRule:
    Value:
      Ref: EventsRule
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-RootAPIMonitorEventsRule"
    Description: Event Rule ID.

2.    Open the CloudFormation console in the US East (N. Virginia) Region, and then choose Create Stack.

Note: The CloudFormation stack must be created in the US East (N. Virginia) Region.

3.    Choose Create Stack, and then choose With new resources (standard).

4.    Choose Upload a template file, choose Next, and then choose Choose file.

5.    Select the template that you saved in step 1, and then choose Next.

6.    For Stack name, enter a name that is meaningful to you, such as Root-AWS-Console-Sign-In-CloudTrail.

7.    For EmailAddress, enter your email address, and then choose Next.

Note: AWS sends a confirmation email to this email address.

8.    In Options, choose Next, and then choose Create.

9.    Check your email inbox for the AWS confirmation email, and then choose Confirm subscription to confirm the SNS subscription request. You receive a "Subscription confirmed!" message.

10.    To test the notification, sign out of the AWS Management Console. Then, sign in to the AWS Management Console using your AWS root user account.

11.    Check your email inbox for the AWS notification message. Note that CloudTrail records userIdentity, sourceIPAddress, and MFAUsed, which contain the details of the sign-in event.

To stop receiving notifications, delete the CloudFormation stack that you created in step 2.
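The event pattern in the template's EventsRule resource is what decides which CloudTrail records reach the SNS topic, and step 11 tells you which fields to read in the resulting notification. The following Python is an added example, not code from the AWS article or from the template: it replays that exact pattern against constructed sample events so you can see offline what matches and what does not. The event envelope, account ID, ARN and IP address are placeholder values I constructed; the matcher implements only the equality subset of EventBridge pattern semantics and is an assumption about how the service evaluates this particular pattern, not a general reimplementation.

```python
"""Added example: evaluate the template's EventBridge pattern against constructed
CloudTrail ConsoleLogin records and extract the fields step 11 refers to."""
from typing import Optional

# The event pattern exactly as written in the template's EventsRule resource.
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Simplified EventBridge matching (assumption: equality subset only).

    Every key in the pattern must exist in the event. A list means "the event
    value must equal one of these"; a nested dict recurses. Content filters such
    as prefix, exists or numeric comparisons are deliberately not implemented.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif isinstance(expected, list):
            # EventBridge matches when any element of an event array is in the list.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(value in expected for value in candidates):
                return False
        else:
            raise ValueError(f"unsupported pattern value under {key!r}: {expected!r}")
    return True


def make_signin_event(identity_type: str, mfa_used: str, outcome: str = "Success") -> dict:
    """Constructed sample: an EventBridge envelope around a CloudTrail ConsoleLogin
    record. Account ID, ARN and IP address are placeholders, not real values."""
    principal = "root" if identity_type == "Root" else "user/example-user"
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": "111122223333",
        "time": "2021-12-08T12:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": identity_type,
                "principalId": "111122223333",
                "arn": f"arn:aws:iam::111122223333:{principal}",
                "accountId": "111122223333",
            },
            "eventTime": "2021-12-08T12:00:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "192.0.2.10",  # RFC 5737 documentation range
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa_used, "LoginTo": "https://console.aws.amazon.com/"},
        },
    }


def signin_summary(event: dict) -> dict:
    """The fields step 11 tells you to look at in the notification."""
    detail = event["detail"]
    return {
        "identityType": detail["userIdentity"]["type"],
        "sourceIPAddress": detail.get("sourceIPAddress", "unknown"),
        "MFAUsed": detail.get("additionalEventData", {}).get("MFAUsed", "unknown"),
        "outcome": detail.get("responseElements", {}).get("ConsoleLogin", "unknown"),
    }


def triage(event: dict) -> Optional[dict]:
    """Return the summary only for events the rule would forward to the SNS topic."""
    if not matches_pattern(event, ROOT_SIGNIN_PATTERN):
        return None
    return signin_summary(event)


if __name__ == "__main__":
    for sample in (
        make_signin_event("Root", "Yes"),
        make_signin_event("Root", "No", outcome="Failure"),
        make_signin_event("IAMUser", "Yes"),
    ):
        print(sample["detail"]["userIdentity"]["type"], "->", triage(sample))
```

Running the block shows that only the two Root events are forwarded and that the IAMUser sign-in is dropped. Note that the pattern filters on userIdentity.type alone and not on responseElements.ConsoleLogin, so a failed root sign-in attempt produces a notification just as a successful one does; that is useful from a monitoring standpoint, and the MFAUsed and sourceIPAddress values in the notification are what let you judge whether the attempt was expected.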