AWS IAM Identity Center - EventBridge Rules


Hi all,

As a security requirement we need to set up a notification system using SNS to notify our Security Team when someone accesses an AWS Account using a specific SSO PermissionSet (for example: AdministratorAccess), as shown in the image below:


I'm trying to set up a simple EventBridge Rule based on the IAM Identity Center Federate event in CloudTrail with an SNS topic as a target, but I can't get it working.

CloudTrail Event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "xxxx-43ce-996a-0530772c083a",
        "accountId": "xxxxxxxxxxx",
        "userName": "userName"
    },
    "eventTime": "2023-03-23T00:07:29Z",
    "eventSource": "sso.amazonaws.com",
    "eventName": "Federate",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.1.1.1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "c99b-48ea-a9e4-fc2194bc0f27",
    "eventID": "415e-b57e-99764a0f0fdf",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "xxxxxxxxxx",
    "serviceEventDetails": {
        "role_name": "AWSAdministratorAccess",
        "account_id": "xxxxxxxx"
    },
    "eventCategory": "Management"
}

The EventBridge Event Pattern is the following:

{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["sso.amazonaws.com"],
    "eventName": ["Federate"]
  }
}

Could anyone help on how to get this working?

Thanks in advance

2 answers

Accepted answer

I managed to get it working. The problem was related to the detail-type in the EventBridge Rule: in this case we are not talking about a direct API call but about an AWS Service Event.

The correct EventBridge Rule:

{
  "source": ["aws.sso"],
  "detail-type": ["AWS Service Event via CloudTrail"],
  "detail": {
    "eventSource": ["sso.amazonaws.com"],
    "eventName": ["Federate"],
    "serviceEventDetails": {
      "role_name": ["AWSAdministratorAccess"]
    }
  }
}
answered a year ago


I do not see 'detail' and 'detail-type' objects defined in the sample event which you shared. Can you just try with this?

{
  "eventSource": ["sso.amazonaws.com"],
  "eventName": ["Federate"]
}
answered a year ago
  • I tried as suggested but unfortunately it didn't work.
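The three patterns on this page (the asker's "AWS API Call via CloudTrail" pattern, the flat pattern from the second answer, and the accepted "AWS Service Event via CloudTrail" pattern) differ only in how they line up with the EventBridge envelope that wraps the CloudTrail record. The following added example, which is not part of the original thread or any AWS code, rebuilds that envelope from the asker's CloudTrail record and runs a simplified, exact-match-only version of EventBridge's matching semantics over each pattern, so the reason the first two fail and the third succeeds can be seen offline. It assumes the envelope fields `source`, `detail-type`, and `detail` are populated the way the accepted answer shows; the event id and the masked account numbers are placeholders.

```python
"""Why the accepted EventBridge pattern matches the Federate event and the others do not."""

# Constructed sample: the CloudTrail record from the question (masked IDs kept as-is).
CLOUDTRAIL_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "Unknown", "principalId": "xxxx-43ce-996a-0530772c083a",
                     "accountId": "xxxxxxxxxxx", "userName": "userName"},
    "eventTime": "2023-03-23T00:07:29Z",
    "eventSource": "sso.amazonaws.com",
    "eventName": "Federate",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.1.1.1",
    "eventType": "AwsServiceEvent",          # not "AwsApiCall": this is a service event
    "managementEvent": True,
    "recipientAccountId": "xxxxxxxxxx",
    "serviceEventDetails": {"role_name": "AWSAdministratorAccess", "account_id": "xxxxxxxx"},
    "eventCategory": "Management",
}

# The three patterns quoted on this page, in the order they appear.
PATTERNS = {
    "question_pattern": {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["sso.amazonaws.com"], "eventName": ["Federate"]},
    },
    "second_answer_pattern": {
        "eventSource": ["sso.amazonaws.com"],
        "eventName": ["Federate"],
    },
    "accepted_pattern": {
        "source": ["aws.sso"],
        "detail-type": ["AWS Service Event via CloudTrail"],
        "detail": {
            "eventSource": ["sso.amazonaws.com"],
            "eventName": ["Federate"],
            "serviceEventDetails": {"role_name": ["AWSAdministratorAccess"]},
        },
    },
}


def wrap_in_eventbridge_envelope(record):
    """Build the EventBridge event a rule actually sees (assumed envelope layout).

    CloudTrail records arrive with the record under "detail"; the detail-type is
    "AWS API Call via CloudTrail" for AwsApiCall records and
    "AWS Service Event via CloudTrail" for AwsServiceEvent records, and the
    source is "aws." plus the service prefix of eventSource (here "aws.sso").
    """
    service_prefix = record["eventSource"].split(".")[0]
    detail_type = ("AWS Service Event via CloudTrail"
                   if record["eventType"] == "AwsServiceEvent"
                   else "AWS API Call via CloudTrail")
    return {
        "version": "0",
        "id": "constructed-event-id",           # placeholder, not a real event id
        "detail-type": detail_type,
        "source": f"aws.{service_prefix}",
        "account": record["recipientAccountId"],
        "time": record["eventTime"],
        "region": record["awsRegion"],
        "resources": [],
        "detail": record,
    }


def matches(pattern, event):
    """Simplified EventBridge pattern matching: every pattern key must exist in the
    event; a list is a set of exact-match alternatives; a nested dict recurses.
    (Prefix, anything-but, numeric and exists matchers are deliberately omitted.)"""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


def evaluate_patterns(record=CLOUDTRAIL_RECORD):
    """Return {pattern name: bool} for each pattern on the page against the record."""
    event = wrap_in_eventbridge_envelope(record)
    return {name: matches(pattern, event) for name, pattern in PATTERNS.items()}


def admin_federation_alert(record):
    """True only when the accepted pattern fires, i.e. an AdministratorAccess federation."""
    return matches(PATTERNS["accepted_pattern"], wrap_in_eventbridge_envelope(record))


if __name__ == "__main__":
    for name, ok in evaluate_patterns().items():
        print(f"{name:24s} -> {'MATCH' if ok else 'no match'}")
```

The question's pattern fails on `detail-type` alone (the record's `eventType` is `AwsServiceEvent`, so the envelope says "AWS Service Event via CloudTrail"), and the flat pattern fails because `eventSource` and `eventName` live under `detail`, not at the top of the envelope. The matcher above is intentionally a subset of the real semantics; to validate a pattern against the real service, the `aws events test-event-pattern` CLI command takes an event pattern and a sample event and returns whether they match.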
