How can I get notified when IAM changes are made to my AWS account?

Short description

Create an Amazon EventBridge rule with an event pattern that matches a specific IAM API call or multiple IAM API calls. Then, associate the rule with an Amazon Simple Notification Service (Amazon SNS) topic. When the rule runs, an SNS notification is sent to the corresponding subscriptions.

Resolution

If you haven't created an Amazon SNS topic, then complete the following steps to get started with Amazon SNS.

Important:

• The IAM service and the related AWS API calls are available only in the US East (N. Virginia) Region. This means that the EventBridge rule must be in the US East (N. Virginia) Region.
• This resolution uses AWS CloudTrail. For CloudTrail to send API calls to EventBridge, a trail must exist in the same Region as the EventBridge rule. Make sure that you configured the trail's management events as Write-only or All. For more information, see Read-only and write-only events.

The following example custom event pattern starts a notification when CreateUser and DeleteUser API calls are made in your account. Complete the following steps:

1. Open the EventBridge console in the US East (N. Virginia) Region.
2. In the navigation pane, choose Rules, and then select Create rule.
3. Enter a Name and Description for the rule.
4. For Event bus, select the default AWS event bus. When IAM emits an event, it goes to your account's default event bus.
5. For Rule type, choose Rule with an event pattern, and then select Next.
6. For Event source, choose AWS events or EventBridge partner events.
7. Under Event pattern, complete the following steps:
   In the Event source dropdown list, choose AWS services.
   In the AWS service dropdown list, choose IAM.
   In the Event type dropdown list, choose AWS API Call via CloudTrail.
   To start the rule for specific API calls, choose Specific operation(s).
   In the text box, enter the name of an API call that you want to receive a notification for. For example, CreateUser.
   To add more API calls, select Add.
8. Under the Event pattern preview box, choose Edit pattern.
9. Copy and paste the following example template into the event pattern preview pane:

   {  
     "source": [
       "aws.iam"
     ],
     "detail-type": [
       "AWS API Call via CloudTrail"
     ],
     "detail": {
       "eventSource": [
         "iam.amazonaws.com"
       ],
       "eventName": [
         "CreateUser",
         "DeleteUser"
       ]
     }
   }

   Choose Save
10. Select Next.
11. For Target types, choose AWS service.
12. For Select a target, choose SNS topic.
13. In the Topic dropdown list, choose your SNS topic.
14. (Optional) To add another target for this rule, choose Add another target.
15. Select Next.
16. (Optional) Enter one or more tags for the rule. For more information, see Amazon EventBridge tags.
17. Select Next.
18. Review the details of the rule, and then select Create rule.

Related information

How can I be notified when changes are made to Route 53 hosted zone records?

How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications for specific AWS service event types?

My rule matches AWS global service API calls but it didn't run