How can I set up alerts to see when an IAM access key is used?


I want to set up notifications to see when a specific AWS Identity and Access Management (IAM) credential or access key is used.

Resolution

There are no predefined rules to track and send notifications about the use of IAM credentials. However, you can use a custom rule that combines AWS CloudTrail and Amazon EventBridge. This lets you send a notification to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon Simple Queue Service (Amazon SQS) queue.

EventBridge rules are represented as JSON objects. A rule uses simple match-or-no-match logic against incoming events. Based on the structure of those events, you can build custom patterns for the specific criteria that you want to match.

The following example rule tracks a single access key in the same AWS Region where the rule is configured.

Important:

1.    Open the EventBridge console, and then choose Rules.

2.    Choose Create rule.

3.    Enter a Name for the rule. You can optionally enter a Description. Then, choose Next.

4.    For Event source, choose Other.

5.    For Creation method, choose Custom pattern (JSON editor).

6.    For Event pattern, enter a JSON template that's similar to the following:

Note: You can modify this template to track notifications for a range of criteria, such as access keys, login types, or specific identities.

{
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "userIdentity": {
            "accessKeyId": [
                "AKIAIOSFODNN7EXAMPLE"
            ]
        }
    }
}

7.    Choose Next.

8.    For Target types, choose AWS service. Then, complete the following fields:
For Select a target, select SNS topic or SQS queue.
For Topic, select the topic that you want to receive the event. Then, choose Next.

9.    (Optional) Add tags to your rule.

10.    Choose Next to review your rule. Then, choose Create rule.
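The following is an added example, not part of the original article, that applies the page's event pattern to a few constructed CloudTrail events so you can see which API calls the rule would forward to the SNS topic or SQS queue. It implements only the subset of EventBridge matching semantics the pattern above relies on (exact-value lists and nested objects), and the sample events are constructed here, not captured from an account; `AKIAOTHERKEYEXAMPLE` is a made-up second key id.

```python
# Pattern from the article: match any CloudTrail API call made with this key id.
PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"accessKeyId": ["AKIAIOSFODNN7EXAMPLE"]}},
}


def matches(pattern, event):
    """True if `event` satisfies `pattern` under the EventBridge rules used here:
    a list means "the event value must equal one of these", a nested object
    means "descend into the same key", and event fields that the pattern does
    not mention are ignored (so any API call made with the key matches)."""
    if not isinstance(event, dict):
        return False
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not matches(allowed, event[key]):
                return False
        elif isinstance(allowed, list):
            if event[key] not in allowed:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}")
    return True


def cloudtrail_event(access_key_id, event_name, region="us-east-1"):
    """Constructed CloudTrail event in the envelope EventBridge delivers.
    Only the fields the pattern inspects are populated; the rule only sees
    events from the Region in which it is configured."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "region": region,
        "detail": {
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": access_key_id},
        },
    }


def alerts_for(pattern, events):
    """Names of the API calls the rule would forward to its SNS/SQS target."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


# Constructed sample: two calls with the tracked key, one with another key.
SAMPLE_EVENTS = [
    cloudtrail_event("AKIAIOSFODNN7EXAMPLE", "ListBuckets"),
    cloudtrail_event("AKIAOTHERKEYEXAMPLE", "GetCallerIdentity"),
    cloudtrail_event("AKIAIOSFODNN7EXAMPLE", "DescribeInstances"),
]

if __name__ == "__main__":
    print(alerts_for(PATTERN, SAMPLE_EVENTS))  # prints ['ListBuckets', 'DescribeInstances']
```

To track several keys at once, as the note in step 6 allows, list additional key ids in the `accessKeyId` array; the same matcher then forwards calls made with any of them.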


Related information

Amazon EventBridge event patterns

Getting credential reports for your AWS account

AWS OFFICIAL
Updated a year ago