Lets say , You have an EC2 instance with a security group attached with it.
We won’t be able to track who made the changes to the security group unless we setup some monitoring such as Cloudtrail , AWS config , Cloudwatch etc.
So , In this guide We are going to setup a monitoring for security groups so whenever a change happens in the security group It will trigger the cloudwatch event and then we will be alerted on a specific channel such as Email , SMS using SNS.
Services Used
- Cloudwatch Event
- SNS
Step 1: Add SNS topic with Subscriber
First we need to setup a SNS topic with the subscriber , So whenever the cloudwatch event is triggered with a particular event eg: RevokeSecurityGroupIngress , It will let the SNS topic to send us the message.
To setup the SNS topic , Login to SNS Console.
In the left navigation pane , Choose Topics
You will get the following screen.
Click Create topic , to create a new SNS topic.
I have explained in detail on How to setup SNS topic with subscriber
Once the SNS topic with the subscriber is configured , We are ready to get notifications.
Step 2 : Create Cloudwatch Events rule
To create a cloudwatch event rule , Open the Cloudwatch console.
In the Left navigation pane , Under Events , Choose Rules
You will see the following screen , Click Create rule
The first step is to create a rule for the event pattern.
Under Event Source , Select the Event pattern
For Service Name , Choose EC2 from the drop down menu.
For Event Type , Choose AWS API Call via Cloudtrail
Choose Specific operations and then select the following API calls.
The below API calls are used to add or remove a rule from the security groups.
Copy paste the each events in the box below.
AuthorizeSecurityGroupIngress
AuthorizeSecurityGroupEgress
RevokeSecurityGroupIngress
RevokeSecurityGroupEgress
The above setting will create a following event pattern.
{
"source": [
"aws.ec2"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"ec2.amazonaws.com"
],
"eventName": [
"AuthorizeSecurityGroupIngress",
"AuthorizeSecurityGroupEgress",
"RevokeSecurityGroupIngress",
"RevokeSecurityGroupEgress"
]
}
}
And then for Targets , Click Add target
From the drop down menu , Choose SNS topic
and then select the SNS topic which you have created in Step 1.
and then click Configure details
Here we need to configure the details for the rule.
Provide a name for the rule and a short description.
Make sure the State is Enabled (Checked)
and then click Create Rule.
Going forward ,If anyone makes any changes in the security group ,
The event will be matched and it will trigger the cloudwatch event rule and then it trigggers the SNS topic to send message to the subscribers.
Hope you find it helpful.Please check out my other publications.