How can I set up alerts to see when an IAM access key is used?
Last updated: 2022-01-13
Resolution
There are no predefined rules to track and send notifications about the use of IAM credentials. However, by using a combination of AWS CloudTrail and Amazon EventBridge with a custom rule, you can send a notification to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon Simple Queue Service (Amazon SQS) queue.
EventBridge rules are represented as JSON objects. A rule applies simple match-or-no-match logic to events. Based on the structure of events, you can build custom patterns for the specific criteria that you want to match.
The following example rule tracks a single access key in the same Region where the rule is configured.
Important:
- You must have a trail enabled to send events, so that EventBridge can trigger a notification to an SNS topic or SQS queue.
- Your trail's management events must be configured as Write-only or All. Trail management events configured as Read-only will not trigger the EventBridge rule. For more information, see Read and write events, Events from AWS services, and CloudTrail supported services and integrations.
1. Open the EventBridge console, and then choose Rules.
2. Choose Create rule.
3. Enter a Name for the rule. You can optionally enter a Description.
4. For Define Pattern, choose Event Pattern.
5. For Event matching pattern, choose Custom pattern.
6. For Event pattern, select Edit, enter a JSON template similar to the following, and then select Save.
Note: This template can be modified to track notifications for a range of criteria, such as access keys, login types, or specific identities.
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "userIdentity": {
      "accessKeyId": [
        "AKIAIOSFODNN7EXAMPLE"
      ]
    }
  }
}
7. For Select targets, choose the AWS service that you want to respond to the event, such as an SNS topic name or SQS queue name.
8. Select Create.
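To check a pattern like the one above against sample events before creating the rule, here is an added example that is not part of the article and not AWS code: a small Python matcher implementing the subset of EventBridge pattern semantics this rule relies on (exact values, a list meaning "any of these", nested objects), run over constructed CloudTrail events. The `matches` and `cloudtrail_event` helpers, the extended pattern, and the second access key are assumptions made for the example.

```python
"""Offline check of an EventBridge event pattern against constructed CloudTrail events.
Not an AWS library: it implements only the exact-match subset used by the article's rule."""

# The rule from the article: any CloudTrail API call made with this one access key.
ACCESS_KEY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"accessKeyId": ["AKIAIOSFODNN7EXAMPLE"]}},
}

# Extended pattern (assumption, as the article's note suggests): several keys,
# restricted to IAM user identities. Lists are OR, sibling keys are AND.
EXTENDED_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {
        "type": ["IAMUser"],
        "accessKeyId": ["AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"],
    }},
}


def matches(pattern, event):
    """True if the event satisfies the pattern: every pattern key must exist in the
    event, a nested dict is matched recursively, and a list means 'any of these values'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


def cloudtrail_event(access_key, event_name, read_only, identity_type="IAMUser"):
    """Constructed event in the shape EventBridge receives from CloudTrail (only the
    fields the patterns look at). readOnly is kept because a trail configured as
    Write-only never delivers read-only events, so no pattern can match them."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.iam",
        "detail": {"eventName": event_name, "readOnly": read_only,
                   "userIdentity": {"type": identity_type, "accessKeyId": access_key}},
    }


def matching_event_names(pattern, events):
    """Names of the events that would trigger the rule; handy for a quick dry run."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]
```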