I created an Amazon EventBridge rule to notify me when changes are made to AWS Identity and Access Management (IAM) identities or API calls. However, the event rule isn't initiating when changes are made to IAM.
Short description
Create an Amazon EventBridge rule with an event pattern that matches a specific IAM API call or multiple IAM API calls. Then, associate the rule with an Amazon Simple Notification Service (Amazon SNS) topic. When the rule runs, an SNS notification is sent to the corresponding subscriptions.
Resolution
If you haven't created an Amazon SNS topic, then complete the following steps to get started with Amazon SNS.
Important:
- IAM is a global service, and CloudTrail delivers its API call events to the US East (N. Virginia) Region. This means that the EventBridge rule must be in the US East (N. Virginia) Region; a rule with the same pattern in any other Region never receives the IAM events.
- This resolution uses AWS CloudTrail. For CloudTrail to send API calls to EventBridge, a trail must exist in the same Region as the EventBridge rule. Make sure that you configured the trail's management events as Write-only or All. For more information, see Read-only and write-only events.
The following example custom event pattern sends a notification when CreateUser and DeleteUser API calls are made in your account. Event names are matched exactly, including case, so enter them as they appear in CloudTrail. Complete the following steps:
- Open the EventBridge console in the US East (N. Virginia) Region.
- In the navigation pane, choose Rules, and then select Create rule.
- Enter a Name and Description for the rule.
- For Event bus, select the default AWS event bus. CloudTrail delivers IAM API call events to your account's default event bus.
- For Rule type, choose Rule with an event pattern, and then select Next.
- For Event source, choose AWS events or EventBridge partner events.
- Under Event pattern, complete the following steps:
In the Event source dropdown list, choose AWS services.
In the AWS service dropdown list, choose IAM.
In the Event type dropdown list, choose AWS API Call via CloudTrail.
To start the rule for specific API calls, choose Specific operation(s).
In the text box, enter the name of an API call that you want to receive a notification for. For example, CreateUser.
To add more API calls, select Add.
- Under the Event pattern preview box, choose Edit pattern.
- Copy and paste the following example template into the event pattern preview pane:
{
  "source": [
    "aws.iam"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "iam.amazonaws.com"
    ],
    "eventName": [
      "CreateUser",
      "DeleteUser"
    ]
  }
}
- Choose Save.
- Select Next.
- For Target types, choose AWS service.
- For Select a target, choose SNS topic.
- In the Topic dropdown list, choose your SNS topic.
- (Optional) To add another target for this rule, choose Add another target.
- Select Next.
- (Optional) Enter one or more tags for the rule. For more information, see Amazon EventBridge tags.
- Select Next.
- Review the details of the rule, and then select Create rule.
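The following Python example is added here and is not part of the AWS article. It builds the same event pattern the steps above enter in the console, checks constructed sample CloudTrail events against it with a minimal local matcher (exact-value matching only, which is all this pattern uses), and shows the equivalent boto3 calls for creating the rule and its SNS target in the US East (N. Virginia) Region. The account ID, topic ARN, rule name and event IDs are placeholders; the `deploy_rule` function assumes boto3 and AWS credentials and is not called by default.

```python
"""Added example: build and locally test the IAM CreateUser/DeleteUser
EventBridge pattern, then optionally deploy it with boto3."""
import json


def build_iam_pattern(event_names):
    """Return the event pattern from the article for the given IAM API calls."""
    return {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["iam.amazonaws.com"],
            "eventName": list(event_names),
        },
    }


def matches(pattern, event):
    """Minimal EventBridge matcher for the exact-match subset of the pattern
    language: every pattern key must exist in the event, a list in the pattern
    is the set of allowed values, and a nested dict recurses. Values are
    compared as-is, so case matters, just as it does in EventBridge."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def cloudtrail_event(event_name, region="us-east-1"):
    """Constructed sample in the shape CloudTrail delivers to EventBridge.
    The account ID and event ID are placeholders, not real values."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.iam",
        "account": "111122223333",
        "time": "2024-01-01T00:00:00Z",
        "region": region,
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "eventSource": "iam.amazonaws.com",
            "eventName": event_name,
            "awsRegion": region,
            "readOnly": False,
            "eventType": "AwsApiCall",
            "managementEvent": True,
        },
    }


def matched_event_names(pattern, events):
    """Return the eventName of every event the pattern would match."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


def deploy_rule(pattern, rule_name, topic_arn):
    """Create the rule and SNS target with the EventBridge API. Not run by
    default: assumes boto3 and credentials. The client is pinned to us-east-1
    because that is where CloudTrail delivers IAM events. Unlike the console,
    the API does not add an SNS topic policy for you: the topic must allow
    events.amazonaws.com to Publish, or deliveries fail silently."""
    import boto3  # assumed available when this function is actually used

    events = boto3.client("events", region_name="us-east-1")
    events.put_rule(Name=rule_name, EventPattern=json.dumps(pattern),
                    State="ENABLED")
    events.put_targets(Rule=rule_name,
                       Targets=[{"Id": "sns-topic", "Arn": topic_arn}])


if __name__ == "__main__":
    pattern = build_iam_pattern(["CreateUser", "DeleteUser"])
    samples = [
        cloudtrail_event("CreateUser"),
        cloudtrail_event("createUser"),    # wrong case: will not match
        cloudtrail_event("CreateAccessKey"),  # not in the pattern
        cloudtrail_event("DeleteUser"),
    ]
    print(json.dumps(pattern, indent=2))
    print("matched:", matched_event_names(pattern, samples))
```

The same local check can be done against the real service with `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, which is the quickest way to rule out a pattern typo before looking at the trail configuration or the Region.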
Related information
How can I be notified when changes are made to Route 53 hosted zone records?
How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications for specific AWS service event types?
My rule matches AWS global service API calls but it didn't run