Is it possible to alter the email notifications sent via SNS from Cloudwatch alarms?

1

Customer has used the prescriptive CIS benchmarks document to set up some Cloudwatch alarms:

https://www.cisecurity.org/benchmark/amazon_web_services/

The issue they are having is that the alarm emails that are sent out via SNS are not particularly useful. They'd like to include more context about the event so they don't have to go hunting for details manually. Here's an example alert (truncated):

    Alarm Details:
    - Name:                       IAM Policy Changes
    - Description:                Amazon CloudWatch alarm that is triggered when an API call is made to change an IAM policy.
    - State Change:               INSUFFICIENT_DATA -> ALARM
    - Reason for State Change:    Threshold Crossed: 1 out of the last 1 datapoints [2.0 (17/12/19 03:24:00)] was greater than or equal to the threshold (1.0) (minimum 1 datapoint for OK -> ALARM transition).
    - Timestamp:                  Tuesday 17 December, 2019 03:29:42 UTC
    - AWS Account:                XXXXXXXXXXXX

The alert shows that an IAM policy changed, but doesn't show:

  • which policy changed, or
  • what the change was.

Is there a way to change the alert or notification to include more data?

1 Answer
1
Accepted answer

Can you confirm the customer is taking the approach outlined here? Essentially the solution to the question you're posing is alarm enrichment and typically that happens by additional plumbing that queries the resource(s) in question. As a CloudWatch alarm is just that (an alarm) based off a predefined metric, getting enrichment data directly would be challenging. The metric is simply counting how many times specific eventNames occur in your log group.

To get more detail (without doing enrichment), it seems like a Config rule sending data via an EventBridge/CloudWatch Events rule that triggers a Lambda function and/or SNS topic may yield the information the customer wants? There is a slightly dated but still useful walk-through here.

AWS
EXPERT
Frank_P
answered 4 years ago
EXPERT
verified 23 days ago
  • Adding a host of links to read defeats the whole purpose of the Q&A forum. Adding an example will surely help.
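As an added example (not the answerer's or AWS's own code), this is the Lambda end of the EventBridge -> Lambda -> SNS plumbing the accepted answer describes: it reads the CloudTrail record EventBridge delivers for one of the CIS IAM-policy-change event names and publishes a message that names the policy and shows the change. Assumptions: the EventBridge rule matches `detail-type` "AWS API Call via CloudTrail" from source `aws.iam`, the topic ARN arrives in a `TOPIC_ARN` environment variable, and the sample event at the bottom is constructed, not a real CloudTrail record.

```python
import json
import os

# requestParameters keys that name *which* policy or principal was touched;
# CloudTrail uses different keys for CreatePolicyVersion, PutRolePolicy, AttachUserPolicy, ...
TARGET_KEYS = ("policyArn", "policyName", "roleName", "userName", "groupName")

def enrich_iam_event(event: dict) -> str:
    """Build a readable message from an 'AWS API Call via CloudTrail' EventBridge event."""
    d = event["detail"]
    params = d.get("requestParameters") or {}
    targets = [f"{k}={params[k]}" for k in TARGET_KEYS if k in params]
    lines = [
        f"IAM policy change: {d.get('eventName')}",
        f"Account:   {event.get('account')}",
        f"Time:      {d.get('eventTime', event.get('time'))}",
        f"Actor:     {(d.get('userIdentity') or {}).get('arn', 'unknown')}",
        f"Source IP: {d.get('sourceIPAddress', 'unknown')}",
        "Target:    " + (", ".join(targets) or "not present in requestParameters"),
    ]
    doc = params.get("policyDocument")
    if doc:  # policy bodies arrive as a JSON string; pretty-print so the change is reviewable
        try:
            doc = json.dumps(json.loads(doc), indent=2)
        except ValueError:
            pass  # keep the raw text rather than drop the evidence
        lines.append("Policy document:\n" + doc)
    return "\n".join(lines)

def handler(event, context):
    """Lambda entry point; the TOPIC_ARN environment variable is an assumption of this example."""
    import boto3  # lazy import keeps enrich_iam_event() runnable without the AWS SDK
    boto3.client("sns").publish(
        TopicArn=os.environ["TOPIC_ARN"],
        Subject=f"IAM policy change: {event['detail'].get('eventName')}"[:100],
        Message=enrich_iam_event(event))
    return {"published": True}

# Constructed sample event (not a real CloudTrail record), shaped as EventBridge delivers it.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
    "account": "111122223333", "time": "2019-12-17T03:24:00Z",
    "detail": {
        "eventName": "CreatePolicyVersion", "eventTime": "2019-12-17T03:24:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/ExamplePolicy", "setAsDefault": True,
            "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}',
        }}}
```

Running `enrich_iam_event(SAMPLE_EVENT)` locally prints the policy ARN, the actor and the pretty-printed policy body that the metric-based alarm in the question omits.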
