Customize notification settings in IAM Roles Anywhere

You can customize notification settings based on your public key infrastructure. These settings are attached to your trust anchor and let you define custom thresholds for a notification event. IAM Roles Anywhere uses these settings when it evaluates a notification event, and sends metrics, events, or notifications through the respective notification channels.

Notification events

  • CA certificate expiry: IAM Roles Anywhere sends a notification when a certificate authority (CA) in your trust anchor is approaching expiry.

  • End-entity certificate expiry: IAM Roles Anywhere sends a notification when the end-entity certificate used to vend temporary session credentials is expiring soon.

Notification channels

Note

A notification channel with a value of ALL applies the custom settings to all the channels listed below.

IAM Roles Anywhere default notification settings

The following are the default notification settings that IAM Roles Anywhere defines. These values are applied in the absence of custom notification settings.

| Event | Channel | Threshold | Enabled |
|---|---|---|---|
| CA certificate expiry | CloudWatch, EventBridge and Amazon Health | 45 days before expiry | True |
| End entity certificate expiry | EventBridge and Amazon Health | 45 days before expiry | True |

Notification evaluation criteria

The following evaluation criteria are used to send notification events.

These criteria do not apply if your notification setting is in a disabled state.

| Event | Channel | Starts when | Ends at |
|---|---|---|---|
| CA certificate expiry | CloudWatch | Number of days until certificate expiry ≤ threshold | Day of certificate expiry |
| CA certificate expiry | EventBridge and Amazon Health | Number of days until certificate expiry ≤ threshold | 14 days after certificate expires |
| End-entity certificate expiry | EventBridge and Amazon Health | Number of days until certificate expiry ≤ threshold | Day of certificate expiry |
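
The evaluation criteria above, worked through as an added Python example (not AWS code): it computes which channels would be notifying on a given day for a certificate's expiry date, applying the defaults unless a custom setting matches. The dictionary-based setting format, whole-day granularity, inclusive window ends, and first-match handling of ALL are assumptions made for illustration.

```python
from datetime import date, timedelta

DEFAULT_THRESHOLD_DAYS = 45  # default from the page: 45 days before expiry, enabled

# (event, channel) -> days after expiry at which notifications stop,
# taken from the "Ends at" column of the evaluation criteria table.
WINDOW_END_OFFSET = {
    ("CA certificate expiry", "CloudWatch"): 0,
    ("CA certificate expiry", "EventBridge"): 14,
    ("CA certificate expiry", "Amazon Health"): 14,
    ("End-entity certificate expiry", "EventBridge"): 0,
    ("End-entity certificate expiry", "Amazon Health"): 0,
}

def effective_setting(custom, event, channel):
    """Return (threshold_days, enabled) for one event/channel pair.

    `custom` is a constructed list of dicts (hypothetical format); a channel
    of "ALL" covers every channel. Without a match the defaults apply.
    """
    for s in custom:
        if s["event"] == event and s["channel"] in (channel, "ALL"):
            return s.get("threshold", DEFAULT_THRESHOLD_DAYS), s.get("enabled", True)
    return DEFAULT_THRESHOLD_DAYS, True

def active_channels(event, not_after, today, custom=()):
    """List the channels that would notify on `today` for a cert expiring on `not_after`."""
    days_left = (not_after - today).days  # assumption: whole-day granularity
    active = []
    for (ev, channel), end_offset in WINDOW_END_OFFSET.items():
        if ev != event:
            continue
        threshold, enabled = effective_setting(custom, event, channel)
        started = days_left <= threshold
        # assumption: the end day itself is still inside the window
        ended = today > not_after + timedelta(days=end_offset)
        if enabled and started and not ended:
            active.append(channel)
    return active

if __name__ == "__main__":
    ca_expiry = date(2025, 6, 30)  # constructed sample date
    for day in (date(2025, 5, 1), date(2025, 5, 16), date(2025, 7, 5), date(2025, 7, 15)):
        print(day, active_channels("CA certificate expiry", ca_expiry, day))
```

For a CA certificate, the CloudWatch window closes on the expiry day while EventBridge and Amazon Health continue for 14 more days, so an already-expired CA still produces events that monitoring can act on.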

Configuring custom notification threshold (console)

  1. Sign in to the IAM Roles Anywhere console.

  2. Scroll to the trust anchor table and choose the trust anchor to which you want to apply custom notification settings.

  3. On the trust anchor detail page, scroll to the Notification settings section and choose Manage settings.

  4. Customize the threshold for the notification event. IAM Roles Anywhere starts sending metrics, events, or notifications when the number of days until your X.509 certificate expires is less than or equal to this threshold. See IAM Roles Anywhere notification evaluation criteria.

  5. Choose Save changes to apply the custom notification threshold.

Disabling a notification setting (console)

  1. Sign in to the IAM Roles Anywhere console.

  2. Scroll to the trust anchor table and choose the trust anchor to which you want to apply custom notification settings.

  3. On the trust anchor detail page, scroll to the Notification settings section and choose Manage settings.

  4. Choose the table cell in the Status column for the notification event named End entity certificate expiry.

  5. From the options displayed in the selection pane, choose the Disable option.

  6. Choose Save changes to disable the notification setting for the end-entity certificate expiry event.