By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How do I create an EventBridge event rule to notify me that my AWS root user account was used?

4 minute read
3

I want to receive notifications when someone uses my AWS root user account.

Resolution

Launch an AWS CloudFormation stack to create an Amazon Simple Notification Service (Amazon SNS) topic. Then, create an Amazon EventBridge event rule to monitor userIdentity root logins from the AWS Management Console.

Important: Before you begin, make sure that you set your AWS CloudTrail Management read and write events to All or Write-only. This allows the EventBridge events to initiate the log-in event notification. For more information, see Read and write events.

  1. Copy and paste this YAML template into your favorite editor tool, and then save it:

    # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
    # Permission is hereby granted, free of charge, to any person obtaining a copy of this
    # software and associated documentation files (the "Software"), to deal in the Software
    # without restriction, including without limitation the rights to use, copy, modify,
    # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
    # permit persons to whom the Software is furnished to do so.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
    # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
    # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
    # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
    # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
    # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
    
    AWSTemplateFormatVersion: '2010-09-09'
    Description: ROOT-AWS-Console-Sign-In-via-CloudTrail
    Metadata:
      AWS::CloudFormation::Interface:
        ParameterGroups:
        - Label:
            default: Amazon SNS parameters
          Parameters:
          - Email Address
    Parameters:
      EmailAddress:
        Type: String
        ConstraintDescription: Email address required.
        Description: Enter an email address you want to subscribe to the Amazon SNS topic
          that will send notifications if your account's AWS root user logs in.
    Resources:
      RootActivitySNSTopic:
        Type: AWS::SNS::Topic
        Properties:
          DisplayName: ROOT-AWS-Console-Sign-In-via-CloudTrail
          Subscription:
          - Endpoint:
              Ref: EmailAddress
            Protocol: email
          TopicName: ROOT-AWS-Console-Sign-In-via-CloudTrail
      EventsRule:
        Type: AWS::Events::Rule
        Properties:
          Description: Events rule for monitoring root AWS Console Sign In activity
          EventPattern:
            detail-type:
            - AWS Console Sign In via CloudTrail
            detail:
              userIdentity:
                type:
                - Root
          Name:
            Fn::Sub: "${AWS::StackName}-RootActivityRule"
          State: ENABLED
          Targets:
          - Arn:
              Ref: RootActivitySNSTopic
            Id: RootActivitySNSTopic
        DependsOn:
        - RootActivitySNSTopic
      RootPolicyDocument:
        Type: AWS::SNS::TopicPolicy
        Properties:
          PolicyDocument:
            Id: RootPolicyDocument
            Version: '2012-10-17'
            Statement:
            - Sid: RootPolicyDocument
              Effect: Allow
              Principal:
                Service: events.amazonaws.com
              Action: sns:Publish
              Resource:
              - Ref: RootActivitySNSTopic
          Topics:
          - Ref: RootActivitySNSTopic
    Outputs:
      EventsRule:
        Value:
          Ref: EventsRule
        Export:
          Name:
            Fn::Sub: "${AWS::StackName}-RootAPIMonitorEventsRule"
        Description: Event Rule ID.
  2. Open the CloudFormation console in the US East (N. Virginia) Region, and then choose Create Stack.

    Note: You must create the CloudFormation stack in the US East (N. Virginia) Region.

  3. Choose Create stack, and then choose With new resources (standard).

  4. Choose Upload a template file, Next, and then Choose file.

  5. Choose the template that you saved in step 1, and then choose Next.

  6. In Stack name, enter a name that is meaningful to you, such as Root-AWS-Console-Sign-In-CloudTrail.

  7. In EmailAddress, enter your email address, and then choose Next.
    Note: AWS sends the confirmation email to this email address.

  8. In Options, choose Next, and then choose Create.

  9. Check your email inbox for the AWS confirmation email, and then choose Confirm subscription to confirm the SNS subscription request. You'll receive a Subscription confirmed! message.

  10. To test notifications, sign out of the AWS Management Console. Then, sign in to the AWS Management Console with your AWS root user account.

  11. Check your email inbox for an AWS notification message. Note the CloudTrail records userIdentity, sourceIPAddress, and MFAUsed that contain details for the log-in event.

If you don't want to receive notifications, then delete the CloudFormation stack that you created in step 2.

Related information

Creating a stack on the AWS CloudFormation console

How to receive notifications when your AWS account's root access keys are used

Monitor and notify on AWS account root user activity

AWS::CloudWatch::Alarm

AWS OFFICIAL
AWS OFFICIALUpdated a year ago