Creating CloudWatch alarms for CloudTrail events: examples
This topic describes how to configure alarms for CloudTrail events, and includes examples.
Prerequisites
Before you can use the examples in this topic, you must:
- Create a trail with the console or CLI.
- Create a log group, which you can do as part of creating a trail. For more information about creating a trail, see Creating a trail with the CloudTrail console.
- Specify or create an IAM role that grants CloudTrail the permissions to create a CloudWatch Logs log stream in the log group that you specify and to deliver CloudTrail events to that log stream. The default CloudTrail_CloudWatchLogs_Role does this for you.
For more information, see Sending events to CloudWatch Logs. Examples in this section are performed in the Amazon CloudWatch Logs console. For more information about how to create metric filters and alarms, see Creating metrics from log events using filters and Using Amazon CloudWatch alarms in the Amazon CloudWatch User Guide.
Create a metric filter and create an alarm
To create an alarm, you must first create a metric filter, and then configure an alarm based on the filter. The procedures are shown for all examples. For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and pattern syntax in the Amazon CloudWatch Logs User Guide.
Example: security group configuration changes
Follow this procedure to create an Amazon CloudWatch alarm that is triggered when configuration changes occur on security groups.
Create a metric filter
- Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.
- In the navigation pane, under Logs, choose Log groups.
- In the list of log groups, choose the log group that you created for your trail.
- From the Metric filters or Actions menu, choose Create metric filter.
- On the Define pattern page, in Create filter pattern, enter the following for Filter pattern.
  { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
- In Test pattern, leave defaults. Choose Next.
- On the Assign metric page, for Filter name, enter SecurityGroupEvents.
- In Metric details, turn on Create new, and then enter CloudTrailMetrics for Metric namespace.
- For Metric name, type SecurityGroupEventCount.
- For Metric value, type 1.
- Leave Default value blank.
- Choose Next.
- On the Review and create page, review your choices. Choose Create metric filter to create the filter, or choose Edit to go back and change values.
Create an alarm
After you create the metric filter, the CloudWatch Logs log group details page for your CloudTrail trail log group opens. Follow this procedure to create an alarm.
- On the Metric filters tab, find the metric filter you created in Create a metric filter. Fill the check box for the metric filter. In the Metric filters bar, choose Create alarm.
- For Specify metric and conditions, enter the following.
  - For Graph, the line is set at 1 based on other settings you make when you create your alarm.
  - For Metric name, keep the current metric name, SecurityGroupEventCount.
  - For Statistic, keep the default, Sum.
  - For Period, keep the default, 5 minutes.
  - In Conditions, for Threshold type, choose Static.
  - For Whenever metric_name is, choose Greater/Equal.
  - For the threshold value, enter 1.
  - In Additional configuration, leave defaults. Choose Next.
- On the Configure actions page, choose Notification, and then choose In alarm, which indicates that the action is taken when the threshold of 1 change event in 5 minutes is crossed, and SecurityGroupEventCount is in an alarm state.
  - For Send a notification to the following SNS topic, choose Create new topic.
  - Enter SecurityGroupChanges_CloudWatch_Alarms_Topic as the name for the new Amazon SNS topic.
  - In Email endpoints that will receive the notification, enter the email addresses of users whom you want to receive notifications if this alarm is raised. Separate email addresses with commas.
    Each email recipient will receive an email asking them to confirm that they want to be subscribed to the Amazon SNS topic.
  - Choose Create topic.
- For this example, skip the other action types. Choose Next.
- On the Add name and description page, enter a friendly name for the alarm, and a description. For this example, enter Security group configuration changes for the name, and Raises alarms if security group configuration changes occur for the description. Choose Next.
- On the Preview and create page, review your choices. Choose Edit to make changes, or choose Create alarm to create the alarm.
After you create the alarm, CloudWatch opens the Alarms page. The alarm's Actions column shows Pending confirmation until all email recipients on the SNS topic have confirmed that they want to subscribe to SNS notifications.
Example: Amazon Web Services Management Console sign-in failures
Follow this procedure to create an Amazon CloudWatch alarm that is triggered when there are three or more Amazon Web Services Management Console sign-in failures during a five-minute period.
Create a metric filter
- Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.
- In the navigation pane, under Logs, choose Log groups.
- In the list of log groups, choose the log group that you created for your trail.
- From the Metric filters or Actions menu, choose Create metric filter.
- On the Define pattern page, in Create filter pattern, enter the following for Filter pattern.
  { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
- In Test pattern, leave defaults. Choose Next.
- On the Assign metric page, for Filter name, enter ConsoleSignInFailures.
- In Metric details, turn on Create new, and then enter CloudTrailMetrics for Metric namespace.
- For Metric name, type ConsoleSigninFailureCount.
- For Metric value, type 1.
- Leave Default value blank.
- Choose Next.
- On the Review and create page, review your choices. Choose Create metric filter to create the filter, or choose Edit to go back and change values.
Create an alarm
After you create the metric filter, the CloudWatch Logs log group details page for your CloudTrail trail log group opens. Follow this procedure to create an alarm.
- On the Metric filters tab, find the metric filter you created in Create a metric filter. Fill the check box for the metric filter. In the Metric filters bar, choose Create alarm.
- On the Create Alarm page, in Specify metric and conditions, enter the following.
  - For Graph, the line is set at 3 based on other settings you make when you create your alarm.
  - For Metric name, keep the current metric name, ConsoleSigninFailureCount.
  - For Statistic, keep the default, Sum.
  - For Period, keep the default, 5 minutes.
  - In Conditions, for Threshold type, choose Static.
  - For Whenever metric_name is, choose Greater/Equal.
  - For the threshold value, enter 3.
  - In Additional configuration, leave defaults. Choose Next.
- On the Configure actions page, for Notification, choose In alarm, which indicates that the action is taken when the threshold of 3 change events in 5 minutes is crossed, and ConsoleSigninFailureCount is in an alarm state.
  - For Send a notification to the following SNS topic, choose Create new topic.
  - Enter ConsoleSignInFailures_CloudWatch_Alarms_Topic as the name for the new Amazon SNS topic.
  - In Email endpoints that will receive the notification, enter the email addresses of users whom you want to receive notifications if this alarm is raised. Separate email addresses with commas.
    Each email recipient will receive an email asking them to confirm that they want to be subscribed to the Amazon SNS topic.
  - Choose Create topic.
- For this example, skip the other action types. Choose Next.
- On the Add name and description page, enter a friendly name for the alarm, and a description. For this example, enter Console sign-in failures for the name, and Raises alarms if more than 3 console sign-in failures occur in 5 minutes for the description. Choose Next.
- On the Preview and create page, review your choices. Choose Edit to make changes, or choose Create alarm to create the alarm.
After you create the alarm, CloudWatch opens the Alarms page. The alarm's Actions column shows Pending confirmation until all email recipients on the SNS topic have confirmed that they want to subscribe to SNS notifications.
Example: IAM policy changes
Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to change an IAM policy.
Create a metric filter
- Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.
- In the navigation pane, choose Logs.
- In the list of log groups, choose the log group that you created for your trail.
- Choose Actions, and then choose Create metric filter.
- On the Define pattern page, in Create filter pattern, enter the following for Filter pattern.
  {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}
- In Test pattern, leave defaults. Choose Next.
- On the Assign metric page, for Filter name, enter IAMPolicyChanges.
- In Metric details, turn on Create new, and then enter CloudTrailMetrics for Metric namespace.
- For Metric name, type IAMPolicyEventCount.
- For Metric value, type 1.
- Leave Default value blank.
- Choose Next.
- On the Review and create page, review your choices. Choose Create metric filter to create the filter, or choose Edit to go back and change values.
Create an alarm
After you create the metric filter, the CloudWatch Logs log group details page for your CloudTrail trail log group opens. Follow this procedure to create an alarm.
- On the Metric filters tab, find the metric filter you created in Create a metric filter. Fill the check box for the metric filter. In the Metric filters bar, choose Create alarm.
- On the Create Alarm page, in Specify metric and conditions, enter the following.
  - For Graph, the line is set at 1 based on other settings you make when you create your alarm.
  - For Metric name, keep the current metric name, IAMPolicyEventCount.
  - For Statistic, keep the default, Sum.
  - For Period, keep the default, 5 minutes.
  - In Conditions, for Threshold type, choose Static.
  - For Whenever metric_name is, choose Greater/Equal.
  - For the threshold value, enter 1.
  - In Additional configuration, leave defaults. Choose Next.
- On the Configure actions page, for Notification, choose In alarm, which indicates that the action is taken when the threshold of 1 change event in 5 minutes is crossed, and IAMPolicyEventCount is in an alarm state.
  - For Send a notification to the following SNS topic, choose Create new topic.
  - Enter IAM_Policy_Changes_CloudWatch_Alarms_Topic as the name for the new Amazon SNS topic.
  - In Email endpoints that will receive the notification, enter the email addresses of users whom you want to receive notifications if this alarm is raised. Separate email addresses with commas.
    Each email recipient will receive an email asking them to confirm that they want to be subscribed to the Amazon SNS topic.
  - Choose Create topic.
- For this example, skip the other action types. Choose Next.
- On the Add name and description page, enter a friendly name for the alarm, and a description. For this example, enter IAM Policy Changes for the name, and Raises alarms if IAM policy changes occur for the description. Choose Next.
- On the Preview and create page, review your choices. Choose Edit to make changes, or choose Create alarm to create the alarm.
After you create the alarm, CloudWatch opens the Alarms page. The alarm's Actions column shows Pending confirmation until all email recipients on the SNS topic have confirmed that they want to subscribe to SNS notifications.
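The three filter patterns and the Sum-over-5-minutes threshold logic from the three procedures above, exercised offline in Python so you can check what each alarm would fire on before wiring it to an SNS topic. This is an added example, not code from this page or from AWS: it implements only the subset of CloudWatch Logs filter syntax those patterns use (parenthesised $.field = value terms joined by && and ||, matched against top-level event fields), and the CloudTrail-style event records are constructed.

```python
import re
from datetime import datetime, timezone
# The three filter patterns, exactly as entered in the console procedures on this page.
SECURITY_GROUP_PATTERN = ("{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || "
    "($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || "
    "($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }")
CONSOLE_FAILURE_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
IAM_POLICY_PATTERN = ("{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||"
    "($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||"
    "($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||"
    "($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}")
# One term: ($.field = value), with the value either bare or double-quoted.
TERM = re.compile(r'\(\s*\$\.(\w+)\s*=\s*(?:"([^"]*)"|(\S+?))\s*\)')

def parse_pattern(pattern):
    # Subset of the JSON filter syntax used on this page, { (t) || (t) && (t) }, parsed into an OR-list of AND-lists.
    groups = []
    for disjunct in pattern.strip().strip("{}").split("||"):
        terms = []
        for conjunct in disjunct.split("&&"):
            if not (m := TERM.fullmatch(conjunct.strip())):
                raise ValueError(f"unsupported term: {conjunct.strip()!r}")
            field, quoted, bare = m.groups()
            terms.append((field, quoted if quoted is not None else bare))
        groups.append(terms)
    return groups

def matches(pattern, event):
    # True if the CloudTrail event (top-level fields only) satisfies the pattern.
    return any(all(event.get(f) == v for f, v in terms) for terms in parse_pattern(pattern))

def alarm_periods(pattern, events, threshold, period_seconds=300):
    # Metric value 1 per match, Statistic Sum per fixed Period (default 5 minutes); alarm when Sum >= threshold.
    sums = {}
    for ev in events:
        if matches(pattern, ev):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            start = int(ts.timestamp()) // period_seconds * period_seconds
            sums[start] = sums.get(start, 0) + 1
    # Return the start time of every period whose Sum reaches the threshold.
    return [datetime.fromtimestamp(s, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") for s in sorted(sums) if sums[s] >= threshold]

# Constructed sample events (not real CloudTrail records), top-level fields only.
EVENTS = [
    {"eventTime": "2024-01-01T12:00:10Z", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T12:01:30Z", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T12:02:00Z", "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventTime": "2024-01-01T12:03:45Z", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T12:04:00Z", "eventName": "ConsoleLogin"},  # successful sign-in: no errorMessage
    {"eventTime": "2024-01-01T12:06:00Z", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T12:07:00Z", "eventName": "PutUserPolicy"},
]
```

With these events the sign-in alarm fires only for the 12:00 period (three failures, the single failure at 12:06 falls into the next period), while the security group and IAM alarms fire on their first matching event because their threshold is 1.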
Configuring notifications for CloudWatch Logs alarms
You can configure CloudWatch Logs to send a notification whenever an alarm is triggered for CloudTrail. Doing so enables you to respond quickly to critical operational events captured in CloudTrail events and detected by CloudWatch Logs. CloudWatch uses Amazon Simple Notification Service (SNS) to send email. For more information, see Setting up Amazon SNS notifications in the CloudWatch User Guide.