Monitor Security Group Changes Using CloudWatch Events and SNS

Let's say you have an EC2 instance with a security group attached to it.

Nobody will be able to tell who changed that security group, or when, unless some monitoring is in place: CloudTrail records the API call, AWS Config keeps the configuration history, and CloudWatch Events can act on the call as it happens.

In this guide we set up monitoring for security groups: whenever a rule is added to or removed from a security group, a CloudWatch Events rule matches the API call and publishes to an SNS topic, which delivers the alert over a channel such as email or SMS. One prerequisite: the "AWS API Call via CloudTrail" event type only delivers events if a CloudTrail trail with logging enabled exists in the region, so make sure one is configured before you begin.

Services Used

  • CloudWatch Events
  • SNS
  • CloudTrail (a trail must be logging in the region, otherwise the API calls never reach CloudWatch Events)

Step 1: Add an SNS Topic With a Subscriber

First we need an SNS topic with at least one subscriber, so that when the CloudWatch Events rule matches one of the API calls (for example RevokeSecurityGroupIngress) it has somewhere to publish the message.

To set up the SNS topic, log in to the SNS console.

In the left navigation pane, choose Topics.

You will get the following screen.

Click Create topic to create a new SNS topic.

I have explained how to set up an SNS topic with a subscriber in detail in a separate post.

Once the SNS topic and its subscriber are configured (for an email subscriber, remember to confirm the subscription from the email that SNS sends, or nothing will be delivered), we are ready to receive notifications.

Step 2: Create a CloudWatch Events Rule

To create a CloudWatch Events rule, open the CloudWatch console.

In the left navigation pane, under Events, choose Rules.

You will see the following screen. Click Create rule.

The first step is to define the event pattern the rule matches.

Under Event Source, select Event Pattern.

For Service Name, choose EC2 from the drop-down menu.

For Event Type, choose AWS API Call via CloudTrail.

Choose Specific operation(s) and add the following API calls.

These four API calls add or remove a rule in a security group. Note that they only cover rule changes: creating or deleting a group (CreateSecurityGroup, DeleteSecurityGroup) and editing an existing rule in place (ModifySecurityGroupRules) are separate API calls and will not be matched unless you add them to the list.

Type each event name into the box, one at a time.

AuthorizeSecurityGroupIngress
AuthorizeSecurityGroupEgress
RevokeSecurityGroupIngress
RevokeSecurityGroupEgress

The above settings produce the following event pattern.

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress"
    ]
  }
}

Then, under Targets, click Add target.

From the drop-down menu, choose SNS topic

and select the SNS topic you created in Step 1.

Then click Configure details.

Here we configure the details of the rule.

Provide a name for the rule and a short description.

Make sure State is Enabled (checked)

and then click Create rule.

When you add the SNS target from the console, the console also adds a statement to the topic's access policy allowing events.amazonaws.com to publish to it. If you create the rule with the CLI or CloudFormation instead, you have to add that statement yourself, otherwise the rule matches but the notifications silently never arrive.

Going forward, whenever anyone adds or removes a security group rule,

the API call recorded by CloudTrail matches the event pattern, the CloudWatch Events rule fires, and the SNS topic delivers the message to its subscribers. With a plain SNS target the message is the full JSON event; the "detail" object inside it carries userIdentity (who), sourceIPAddress (from where), eventName (what) and requestParameters (which group and which rule), which is everything needed to follow up on the change.
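The rule above can be checked without touching an account. The following Python, added here and not part of the original post, holds the event pattern from Step 2, runs it against a few constructed CloudTrail-style events (sample data, not real logs), and pulls out of the event's detail the fields a responder wants in the notification: the caller's ARN, source IP, group ID and the rule that changed. One of the samples uses ModifySecurityGroupRules, a real EC2 call that edits a rule in place and is not in the pattern, to show that it goes unmatched. The matcher implements only the exact-match subset that this pattern uses, not the full CloudWatch Events matching language.

```python
"""Offline check of this guide's event pattern against sample events.
Added example, not code from the original post. The events are constructed
to mimic the CloudWatch Events envelope around a CloudTrail record."""

# Event pattern produced by Step 2 (the four rule add/remove API calls).
SG_RULE_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"],
    },
}


def matches_pattern(pattern, event):
    """Exact-match subset of CloudWatch Events pattern semantics: every key in
    the pattern must exist in the event, a list means "value must equal one of
    these", a nested dict recurses. That is all this guide's pattern uses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def _constructed_event(event_name, user, group_id, source_ip, permissions=None):
    """Constructed CloudWatch Events envelope around a CloudTrail record (not real data)."""
    request = {"groupId": group_id}
    if permissions is not None:
        request["ipPermissions"] = {"items": permissions}
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.ec2",
        "detail": {
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{user}"},
            "eventSource": "ec2.amazonaws.com",
            "eventName": event_name,
            "sourceIPAddress": source_ip,
            "requestParameters": request,
        },
    }


SAMPLE_EVENTS = {
    # SSH opened to the whole internet: matches, and is the case worth escalating.
    "authorize_ingress": _constructed_event(
        "AuthorizeSecurityGroupIngress", "alice", "sg-0123456789abcdef0", "203.0.113.10",
        [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]),
    # Egress rule removed: matches.
    "revoke_egress": _constructed_event(
        "RevokeSecurityGroupEgress", "bob", "sg-0123456789abcdef0", "198.51.100.7",
        [{"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]),
    # In-place edit of an existing rule: a real EC2 API call the pattern does NOT match.
    "modify_rules": _constructed_event(
        "ModifySecurityGroupRules", "carol", "sg-0123456789abcdef0", "203.0.113.10"),
}


def _cidrs(perm):
    """IPv4 and IPv6 ranges of one ipPermissions entry, in CloudTrail's nested layout."""
    return ([r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])] +
            [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])])


def _permissions(event):
    return event["detail"].get("requestParameters", {}).get("ipPermissions", {}).get("items", [])


def describe(event):
    """One line saying who changed which group from where, and what the rule was."""
    d = event["detail"]
    rules = [f"{p.get('ipProtocol')} {p.get('fromPort', 'all')}-{p.get('toPort', 'all')} "
             f"{','.join(_cidrs(p))}" for p in _permissions(event)]
    return (f"{d.get('userIdentity', {}).get('arn', 'unknown')} called {d['eventName']} on "
            f"{d.get('requestParameters', {}).get('groupId')} from {d.get('sourceIPAddress')}: "
            f"{'; '.join(rules) or 'no rule detail'}")


def opens_to_world(event):
    """True when an Authorize* call grants access from any IPv4 or IPv6 address."""
    if not event["detail"]["eventName"].startswith("Authorize"):
        return False
    return any(c in ("0.0.0.0/0", "::/0") for p in _permissions(event) for c in _cidrs(p))


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name}: matched={matches_pattern(SG_RULE_CHANGE_PATTERN, ev)} "
              f"world_open={opens_to_world(ev)} :: {describe(ev)}")
```

Run it directly to print the result for each sample. Applied to a real notification, describe() is the kind of summary you would produce in an input transformer or a Lambda target so subscribers get one readable line instead of the full JSON event, and opens_to_world() is the cheap triage check that separates a 0.0.0.0/0 ingress rule from routine changes.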

Hope you find it helpful. Please check out my other publications.