How do I use EventBridge and Amazon SNS to monitor changes to my EC2 Linux instance security groups?


I set up a security group for my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance. I want to use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to monitor changes to my security groups.

Short description

To monitor changes to your security groups, create an EventBridge rule that runs when an application makes an API call to modify your security groups. Then, configure an Amazon SNS notification for events that match your rule.

Resolution

Prerequisites: Create an AWS CloudTrail trail to record API calls.

Create and subscribe to an SNS topic

Create an SNS topic. Then, subscribe to the topic and select Email for Protocol. Amazon SNS sends you a confirmation email for the subscription.

Create an EventBridge rule

Configure an EventBridge rule, and then complete the following steps to configure a rule pattern:

  1. Select Pre-defined pattern by service.

  2. For Service provider, choose AWS.

  3. For Service name, choose EC2.

  4. For Event type, choose AWS API call via CloudTrail.

  5. Choose Specific operation, and then enter the following API calls one at a time:

    AuthorizeSecurityGroupIngress
    AuthorizeSecurityGroupEgress
    RevokeSecurityGroupIngress
    RevokeSecurityGroupEgress

    Note: Choose Add after you enter each API call. These API calls add or remove security group rules.
    The preceding settings create the following event pattern:

    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "AWS API Call via CloudTrail"
      ],
      "detail": {
        "eventSource": [
          "ec2.amazonaws.com"
        ],
        "eventName": [
          "AuthorizeSecurityGroupIngress",
          "AuthorizeSecurityGroupEgress",
          "RevokeSecurityGroupIngress",
          "RevokeSecurityGroupEgress"
        ]
      }
    }
  6. Under Select targets, select SNS topic from the Target list.

  7. For Topic, enter the topic that you created.

  8. (Optional) By default, Matched event is selected under Configure input. This configuration passes the entire JSON output of the event to the SNS topic. To send only selected fields, select Input transformer. The input transformer extracts values from the event and inserts them into text that you define, so the notification is a readable message instead of raw JSON. For example, use the following key-value pairs for the Input Path:

    {"name":"$.detail.requestParameters.groupId","source":"$.detail.eventName","time":"$.time","value":"$.detail"}

    For Input Template, enter the text and variables that you want to appear in the message.
    Example input template:

    "A <source> API call was made against the security group <name> on <time> with the below details"" <value> "
  9. Choose Create.
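To preview what the rule above matches and what the transformed SNS message reads like before you deploy it, here is an added Python example (not from the AWS article) that re-implements the event pattern match and the input transformer substitution locally. The CloudTrail event, account, group ID and timestamp are constructed, and the matching and templating only approximate EventBridge's behaviour as far as this pattern needs.

```python
import json
import re
from functools import reduce

# Event pattern and input transformer from the article, embedded so this runs offline.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"]},
}
INPUT_PATH = {"name": "$.detail.requestParameters.groupId", "source": "$.detail.eventName",
              "time": "$.time", "value": "$.detail"}
INPUT_TEMPLATE = ('"A <source> API call was made against the security group <name> '
                  'on <time> with the below details"" <value> "')
# Constructed CloudTrail-via-EventBridge event (fake account, group ID and timestamp).
SAMPLE_EVENT = {
    "version": "0", "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "account": "123456789012", "time": "2024-01-01T12:00:00Z", "region": "us-east-1",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
               "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {
                   "items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
}

def matches(pattern, event):
    """Approximate EventBridge match: pattern keys must exist; a list means any listed value; a dict recurses."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches(wanted, event[key]):
                return False
        elif event[key] not in wanted:
            return False
    return True

def resolve(path, event):
    """Resolve a dotted JSONPath such as $.detail.eventName (no filters or indexes)."""
    return reduce(lambda node, key: node[key], path.lstrip("$.").split("."), event)

def notification_for(event):
    """SNS message the rule would send (placeholders filled; non-strings as JSON), or None if no match."""
    if not matches(EVENT_PATTERN, event):
        return None
    values = {k: resolve(p, event) for k, p in INPUT_PATH.items()}
    text = {k: v if isinstance(v, str) else json.dumps(v) for k, v in values.items()}
    return re.sub(r"<(\w+)>", lambda m: text[m.group(1)], INPUT_TEMPLATE)
```

The sample event opens TCP/22 to 0.0.0.0/0, exactly the kind of change this notification exists to surface; a DescribeSecurityGroups call or an event from another service does not match the pattern and produces no message.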

AWS OFFICIAL. Updated 3 months ago
2 Comments

This tutorial does not work without enabling a CloudTrail trail first, which is confusing. The missed step 1 can be found in the EventBridge tutorial https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-log-api-call.html

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 10 months ago