Manual changes alerts

Using IaC in our accounts, we want to set up alerts for manual resource changes. We tried the EventBridge option. It does not suit us because the "anything-but" option only supports one prefix (in our case there are three of them such as "terraform", "aws-sdk-nodejs", "packer") and does not support regex. The CloudWatch option is not suitable because we want to receive detailed information in an alert (resource ID, address in case of changes in security groups). Any other solutions?

2 Answers

For CloudFormation based stacks, you could run a drift-detection and emit a custom metric and alert should drift be found. To automate the process, you could set up a custom AWS Config rule to run the drift detection.

AWS
answered 2 years ago
  • This does not work. The solution is not stable and cannot see differences.

I meant not tracking drift status

Terraform was introduced relatively recently in our infrastructure; before that, it was deployed through a self-written platform on Node.js.

Right now we want to monitor security groups and VPCs for manual changes (someone went into the console and changed it manually). In the EventBridge solution, we tracked userAgent through exclusions (we excluded Terraform and our deployment platform).

As I wrote above, the EventBridge and CloudWatch alarm solutions are not suitable for us.

answered 2 years ago
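One way to get past the single-prefix limit of `anything-but` while keeping resource IDs in the alert, as an added example that is not from the question or either answer: let the EventBridge rule match broadly on the CloudTrail API calls (`source: aws.ec2`, `detail-type: AWS API Call via CloudTrail`), and do the userAgent exclusion with a regex in a Lambda target that also pulls the security-group ID, principal and source IP out of the CloudTrail record. The agent list, the event-name set and the `lambda_handler` name are assumptions; the event shape follows the CloudTrail fields (`eventName`, `userAgent`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters.groupId`, `eventID`).

```python
import re
from typing import Optional

# Automation user agents to ignore, matched as a case-insensitive prefix.
# The three names are the ones from the question; extend as needed.
AUTOMATION_AGENT_RE = re.compile(r"^(terraform|aws-sdk-nodejs|packer)\b", re.IGNORECASE)

# Assumed subset of CloudTrail event names that mutate security groups.
SG_MUTATING_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def is_automation(user_agent: Optional[str]) -> bool:
    """True when the call came from one of the excluded IaC/deployment tools."""
    return bool(user_agent) and AUTOMATION_AGENT_RE.match(user_agent) is not None


def extract_group_ids(detail: dict) -> list:
    """Collect security-group IDs from requestParameters and responseElements."""
    ids = set()
    for section in ("requestParameters", "responseElements"):
        gid = (detail.get(section) or {}).get("groupId")
        if gid:
            ids.add(gid)
    return sorted(ids)


def manual_change_alert(event: dict) -> Optional[dict]:
    """Return alert details for a manual security-group change, else None.

    A missing userAgent is treated as manual so that nothing slips through.
    """
    detail = event.get("detail") or {}
    if detail.get("eventName") not in SG_MUTATING_EVENTS:
        return None
    if is_automation(detail.get("userAgent")):
        return None
    identity = detail.get("userIdentity") or {}
    return {
        "eventName": detail["eventName"],
        "principal": identity.get("arn", "unknown"),
        "userAgent": detail.get("userAgent", "<missing>"),
        "sourceIp": detail.get("sourceIPAddress"),
        "groupIds": extract_group_ids(detail),
        "eventId": detail.get("eventID"),
    }


def lambda_handler(event, context):
    """Lambda entry point (assumed name): publish the alert, e.g. via SNS."""
    alert = manual_change_alert(event)
    if alert:
        print(alert)  # replace with an SNS publish or a chat webhook
    return alert
```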