How to detect resource changes from outside your trusted sources across Organization accounts?
Architecture Overview
In a multi-account environment managed with AWS Organizations, each member account forwards the relevant events to a central account through a custom EventBridge event bus. The central account receives all forwarded events and applies filtering at the EventBridge rule level to identify changes that originate from principals or sources outside your recognized operational baseline, then triggers notifications through an SNS topic.

Key Considerations and Preparation
Before implementing this solution, ensure the following prerequisites are in place:
- AWS CloudTrail must be enabled and configured across all accounts.
- Cross-account event forwarding must be configured; refer to the EventBridge documentation for step-by-step guidance on sending and receiving events between AWS accounts in Amazon EventBridge.
Filtering at EventBridge Rule Level
The following EventBridge rule filters for security group creation and deletion events, and matches only when the change is performed by an IAM identity other than the allowed principal.
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateSecurityGroup", "DeleteSecurityGroup"],
    "userIdentity": {
      "arn": [{
        "anything-but": {
          "wildcard": ["arn:aws:sts::*:assumed-role/*-test"]
        }
      }]
    }
  }
}
You can also combine filtering based on both the IAM identity and the User-Agent, so that the rule triggers when either the calling principal or the request origin falls outside your recognized operational baseline.
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateSecurityGroup", "DeleteSecurityGroup"],
    "$or": [{
      "userAgent": [{
        "anything-but": {
          "prefix": ["APN/1.0 HashiCorp/1.0 Terraform"]
        }
      }]
    }, {
      "userIdentity": {
        "arn": [{
          "anything-but": {
            "wildcard": ["arn:aws:sts::*:assumed-role/*-test"]
          }
        }]
      }
    }]
  }
}
By default, Amazon SNS notifications generated from Amazon EventBridge rules deliver the raw JSON event payload, which can be difficult to interpret. The Amazon EventBridge Input Transformer addresses this by allowing you to extract only the relevant fields from the event and compose a clean, human-readable message before it is delivered to the SNS topic.
It is recommended to validate the EventBridge filter patterns and Input Transformer configuration against your specific use cases to confirm the expected behavior.
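As an added example (not part of the original page), the following Python evaluator implements just the subset of EventBridge pattern syntax the combined rule above uses (literal lists, "$or", and "anything-but" with "prefix" or "wildcard") and runs it over constructed CloudTrail events to see which calls the rule flags. The account ID, role names, session names and user agents in the events are constructed sample values; the rule itself is the page's.

```python
import re

RULE = {  # copy of the page's combined rule; the baseline values are the page's, not ours
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateSecurityGroup", "DeleteSecurityGroup"],
        "$or": [
            {"userAgent": [{"anything-but": {"prefix": ["APN/1.0 HashiCorp/1.0 Terraform"]}}]},
            {"userIdentity": {"arn": [{"anything-but": {"wildcard": ["arn:aws:sts::*:assumed-role/*-test"]}}]}},
        ],
    },
}

def _wildcard(value, pat):
    # EventBridge "wildcard" must match the whole string; '*' stands for zero or more characters
    return re.fullmatch(".*".join(re.escape(p) for p in pat.split("*")), value) is not None

def _match_value(value, matchers):
    # A rule's value list is OR-ed; supports literals and the anything-but forms used by RULE
    for m in matchers:
        if isinstance(m, dict):  # {"anything-but": {"prefix": [...]}} or {"anything-but": {"wildcard": [...]}}
            op, pats = next(iter(m["anything-but"].items()))
            test = {"prefix": str(value).startswith, "wildcard": lambda p: _wildcard(str(value), p)}[op]
            if not any(test(p) for p in (pats if isinstance(pats, list) else [pats])):
                return True
        elif value == m:
            return True
    return False

def matches(pattern, event):
    # Keys are AND-ed, nested objects recurse, "$or" needs one alternative; absent fields never match
    for key, spec in pattern.items():
        if key == "$or":
            if not any(matches(alt, event) for alt in spec):
                return False
        elif isinstance(spec, dict):
            if not isinstance(event.get(key), dict) or not matches(spec, event[key]):
                return False
        elif key not in event or not _match_value(event[key], spec):
            return False
    return True

def flagged(arn, agent, event_name="CreateSecurityGroup"):
    # Constructed CloudTrail-via-EventBridge event, trimmed to the fields RULE inspects
    event = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
             "detail": {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
                        "userAgent": agent, "userIdentity": {"arn": arn}}}
    return matches(RULE, event)
```

Because an STS assumed-role ARN ends with the session name, the page's wildcard only matches when the whole ARN ends in "-test", so a session named differently is flagged even when the role name matches; the AWS CLI's `aws events test-event-pattern` is the authoritative check before deploying a rule.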
Related Information
Amazon EventBridge event patterns
Tutorial: Create an EventBridge rule that reacts to AWS API calls via CloudTrail
Event structure