AWS IAM Identity Center - EventBridge Rules

0

Hi all,

As a security requirement, we need to set up a notification system using SNS to notify our security team when someone accesses an AWS account using a specific SSO permission set (for example AdministratorAccess), as shown in the image below:


I'm trying to set up a simple EventBridge rule based on the IAM Identity Center Federate event in CloudTrail, with an SNS topic as the target, but I can't get it working.

CloudTrail event:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "xxxx-43ce-996a-0530772c083a",
        "accountId": "xxxxxxxxxxx",
        "userName": "userName"
    },
    "eventTime": "2023-03-23T00:07:29Z",
    "eventSource": "sso.amazonaws.com",
    "eventName": "Federate",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.1.1.1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "c99b-48ea-a9e4-fc2194bc0f27",
    "eventID": "415e-b57e-99764a0f0fdf",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "xxxxxxxxxx",
    "serviceEventDetails": {
        "role_name": "AWSAdministratorAccess",
        "account_id": "xxxxxxxx"
    },
    "eventCategory": "Management"
}

The EventBridge event pattern is the following:

{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["sso.amazonaws.com"],
    "eventName": ["Federate"]
  }
}

Could anyone help with how to get this working?

Thanks in advance

2 Answers
0
Accepted Answer

I managed to get it working. The problem was related to the detail-type in the EventBridge rule: in this case we are not talking about a direct API call but about an AWS service event.

The correct EventBridge rule:

{
  "source": ["aws.sso"],
  "detail-type": ["AWS Service Event via CloudTrail"],
  "detail": {
    "eventSource": ["sso.amazonaws.com"],
    "eventName": ["Federate"],
    "serviceEventDetails": {
      "role_name": ["AWSAdministratorAccess"]
    }
  }
}
answered a year ago
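Added example, not code from the question or either answer: a small Python matcher implementing the subset of EventBridge pattern semantics these rules rely on, run against a constructed event modelled on the CloudTrail record in the question. It shows why the original pattern never fires (the detail-type differs) while the corrected one does, and goes one step past the answer with a prefix filter; CLOUDTRAIL_RECORD, EVENTBRIDGE_EVENT, PREFIX_PATTERN and matches are assumed names, and the account id is a placeholder.

```python
CLOUDTRAIL_RECORD = {  # constructed sample modelled on the question's record
    "eventSource": "sso.amazonaws.com",
    "eventName": "Federate",
    "serviceEventDetails": {"role_name": "AWSAdministratorAccess",
                            "account_id": "111111111111"},  # placeholder id
}
# EventBridge wraps the CloudTrail record in an envelope; a service event
# arrives with this detail-type, not "AWS API Call via CloudTrail".
EVENTBRIDGE_EVENT = {
    "source": "aws.sso",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": CLOUDTRAIL_RECORD,
}
ORIGINAL_PATTERN = {  # the pattern from the question
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["sso.amazonaws.com"], "eventName": ["Federate"]},
}
CORRECTED_PATTERN = {  # the pattern from the accepted answer
    "source": ["aws.sso"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {
        "eventSource": ["sso.amazonaws.com"],
        "eventName": ["Federate"],
        "serviceEventDetails": {"role_name": ["AWSAdministratorAccess"]},
    },
}
# Widened variant: report any permission set whose name starts with "AWSAdmin".
PREFIX_PATTERN = {
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"serviceEventDetails": {"role_name": [{"prefix": "AWSAdmin"}]}},
}

def _leaf_matches(alternative, value):
    """One alternative from a pattern list: exact value or {"prefix": ...}."""
    if isinstance(alternative, dict) and "prefix" in alternative:
        return isinstance(value, str) and value.startswith(alternative["prefix"])
    return alternative == value

def matches(pattern, event):
    """Every pattern key must exist in the event; nested objects recurse; a list
    of leaves matches when the event value equals (or prefix-matches) one."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif not any(_leaf_matches(alt, event[key]) for alt in allowed):
            return False
    return True
```

The service-side check is `aws events test-event-pattern`, which takes the pattern and a full event envelope rather than the bare CloudTrail record. A rule only sees events delivered in its own account and region, so deploy it where the IAM Identity Center instance emits the Federate event.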
0

I do not see 'detail' and 'detail-type' objects defined in the sample event which you shared. Can you just try with this?

{
  "eventSource": ["sso.amazonaws.com"],
  "eventName": ["Federate"]
}
answered a year ago
  • I tried as suggested but unfortunately it didn't work
