
how to get detailed alarm for IAM policy changes

0

Hi,

I followed this documentation to get a notification whenever any changes to IAM policies have been made.

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4

I was able to receive an email notification, but it states only that the particular Amazon CloudWatch Alarm has entered the ALARM state, with no further detail as to which particular identity or policies have been modified.

I would like to seek assistance on how to create a metric filter and alarm that can pass specific info about changes made to IAM policies.

2 Answers
1

Hi,

I guess that you want to read this post to obtain the kind of alarms that you want re. IAM policy changes: https://aws.amazon.com/blogs/security/how-to-receive-alerts-when-your-iam-configuration-changes/

Best,

Didier

EXPERT
answered 2 years ago
0

Thanks for reaching out.

Getting detailed information about IAM changes will require more than just a CloudWatch Alarm. As with many AWS services, there are multiple ways to approach this.

I'm assuming that you are alarming on the SQS queue size being greater than 1. If you want to keep the CloudWatch Alarm in place, then you will need to add a Lambda action that dequeues the SQS event. The SQS event will have the relevant data in the detail.requestParameters field. The Lambda replaces the SNS notification from CloudWatch, and instead, the Lambda will send the SNS notification with the enriched alert information.

Another option, if you don't need the CloudWatch alarm, is to simply have the Lambda trigger off the SQS queue and send the SNS notification.

AWS
answered 2 years ago
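One way to implement the Lambda enrichment this answer describes, as an added example that is not code from the original post or from AWS. It assumes the queue receives EventBridge-wrapped CloudTrail events (so the IAM record sits under `detail`, with the modified identity or policy in `detail.requestParameters`); the topic ARN and the sample SQS event are constructed placeholders, and the `publish` parameter is injectable so the formatting can be exercised without AWS credentials.

```python
import json
import os
from typing import Callable, List

# Hypothetical topic ARN; in a real deployment it comes from the function's environment.
TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:us-east-1:111122223333:iam-change-alerts")

def summarize_iam_event(detail: dict) -> str:
    """Turn one CloudTrail record (the EventBridge 'detail' object) into a readable alert line."""
    identity = detail.get("userIdentity", {})
    params = detail.get("requestParameters") or {}
    # Name the principal: ARN if present, otherwise its type (e.g. Root, AssumedRole).
    who = identity.get("arn") or identity.get("type", "unknown principal")
    # The modified identity/policy lives in requestParameters; keys vary by IAM API call.
    target = ", ".join(f"{k}={v}" for k, v in sorted(params.items())) or "no request parameters"
    return (f"{detail.get('eventName', '?')} by {who} from {detail.get('sourceIPAddress', '?')} "
            f"at {detail.get('eventTime', '?')}: {target}")

def build_alerts(sqs_event: dict) -> List[str]:
    """Extract one alert line from every SQS record that carries an IAM API call."""
    alerts = []
    for record in sqs_event.get("Records", []):
        body = json.loads(record["body"])
        detail = body.get("detail", {})
        if detail.get("eventSource") != "iam.amazonaws.com":
            continue  # ignore anything that is not an IAM API call
        alerts.append(summarize_iam_event(detail))
    return alerts

def _sns_publish(subject: str, message: str) -> None:
    import boto3  # imported lazily so the module loads without AWS credentials
    boto3.client("sns").publish(TopicArn=TOPIC_ARN, Subject=subject, Message=message)

def lambda_handler(event: dict, context=None, publish: Callable[[str, str], None] = _sns_publish) -> int:
    """SQS-triggered entry point: enrich, publish one notification, return the number of alerts."""
    alerts = build_alerts(event)
    if alerts:
        publish("IAM policy change detected", "\n".join(alerts))
    return len(alerts)

# Constructed sample: one SQS record wrapping a CloudTrail PutUserPolicy call (not real data).
SAMPLE_SQS_EVENT = {"Records": [{"body": json.dumps({
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
               "eventTime": "2024-01-01T12:00:00Z", "sourceIPAddress": "203.0.113.10",
               "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
               "requestParameters": {"userName": "alice", "policyName": "inline-s3-access"}}})}]}
if __name__ == "__main__":
    print(lambda_handler(SAMPLE_SQS_EVENT, publish=lambda s, m: print(s, m, sep="\n")))
```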
