IAM Identity Centre Cloudwatch events


I want to be able to trigger a Lambda function whenever there is any update to the permission sets or to the attached customer managed policy in the IAM IC. I would also like to trigger the Lambda if there are any changes in the groups in the IAM IC. There is nothing much mentioned about these things in the documentation.

https://docs.aws.amazon.com/singlesignon/latest/userguide/cloudwatch-integration.html

Also, in the CloudWatch event rules, there is no option to select IAM IC as the AWS service in the event pattern. How can I capture those things in the above scenarios?

1 Answer
Accepted Answer

Hey there! Good question and I agree it can be hard to dig around the mass of documentation but I tried my best to break down your problem and work backwards to get a step by step potential solution. Try this out and see if it works! Any further questions please feel free to reply. If it helps you it would be much appreciated if you can accept my answer :)

The simple answer to your question is yes, you can trigger a Lambda function whenever there is any update to the permission sets or to the attached customer managed policy in the IAM Identity Center. You can also trigger the Lambda function if there are any changes in the groups in the IAM Identity Center. You can do this by using CloudWatch Events and IAM Identity Center API calls.

CloudWatch Events can work with IAM Identity Center to raise events when administrator-specified actions occur in an organization. For example, you can create a rule that matches the CreatePermissionSet, UpdatePermissionSet, AttachManagedPolicyToPermissionSet, DetachManagedPolicyFromPermissionSet, CreateGroup, UpdateGroup, or DeleteGroup API calls. You can then specify a Lambda function as the target for these events and write your custom logic to handle them.

Try this out:

1. Create a Lambda function that performs the desired action when triggered by a CloudWatch event. For example, you can log the details of the event, send a notification, or perform some remediation action.

2. Create a CloudWatch Events rule that matches the IAM Identity Center API calls that you want to monitor. You can use the aws:sourceIPAddress condition key to filter the events by source IP address.

3. Add the Lambda function as the target for the CloudWatch Events rule and configure the input for the target. You can pass the entire event or part of it as input to the Lambda function.

4. Test your CloudWatch Events rule and Lambda function by performing some of the IAM Identity Center API calls that you want to monitor and verify that the Lambda function is invoked and executed correctly.

Again, please let me know if this works for you! Good luck! Here are some of the docs I used for your reference:

https://docs.aws.amazon.com/singlesignon/latest/userguide/cloudwatch-integration.html
https://docs.aws.amazon.com/singlesignon/latest/userguide/security-logging-and-monitoring.html
https://docs.aws.amazon.com/singlesignon/latest/userguide/understanding-sign-in-events.html

AWS
answered a year ago
EXPERT
reviewed a year ago
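The rule and target described in the answer, as an added example that is not part of the original post: an EventBridge event pattern for the IAM Identity Center and Identity Store API calls that CloudTrail records, a minimal matcher so the pattern can be exercised locally, and the Lambda handler that summarises each matched change. It assumes CloudTrail management events are reaching EventBridge in the Identity Center account and region, that group operations arrive with eventSource sso-directory.amazonaws.com, and the sample event and ARNs are constructed.

```python
import json
# EventBridge rule pattern (needs CloudTrail management events, which EventBridge
# receives by default): the IAM Identity Center and Identity Store API calls asked about.
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sso.amazonaws.com", "sso-directory.amazonaws.com"],
        "eventName": [
            "CreatePermissionSet", "UpdatePermissionSet", "DeletePermissionSet",
            "AttachManagedPolicyToPermissionSet", "DetachManagedPolicyFromPermissionSet",
            "AttachCustomerManagedPolicyReferenceToPermissionSet",
            "DetachCustomerManagedPolicyReferenceFromPermissionSet",
            "CreateGroup", "UpdateGroup", "DeleteGroup", "CreateGroupMembership", "DeleteGroupMembership",
        ],
    },
}

def matches(pattern, event):
    # Minimal EventBridge semantics: keys are ANDed, a list is "any of these", a dict recurses.
    for key, allowed in pattern.items():
        value = event.get(key) if isinstance(event, dict) else None
        if isinstance(allowed, dict):
            if not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True

def handler(event, context=None):
    # Lambda target: record who changed which permission set or group, and from where.
    d = event["detail"]
    params = d.get("requestParameters") or {}
    summary = {
        "eventName": d["eventName"], "actor": d.get("userIdentity", {}).get("arn", "unknown"),
        "sourceIP": d.get("sourceIPAddress"), "permissionSetArn": params.get("permissionSetArn"),
        "groupId": params.get("groupId"),
    }
    print(json.dumps(summary))  # lands in the function's CloudWatch log group
    return summary

SAMPLE_EVENT = {  # constructed sample in the CloudTrail-via-EventBridge shape, not a real capture
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "sso.amazonaws.com",
        "eventName": "AttachCustomerManagedPolicyReferenceToPermissionSet",
        "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-example"},
        "requestParameters": {"permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"},
    },
}
```

The EVENT_PATTERN dict is what goes into the EventBridge rule; read-only calls such as ListPermissionSets do not match it, so the function is only invoked for changes.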
