Let's say you have an EC2 instance with a security group attached to it.

We won't be able to track who made changes to the security group unless we set up some monitoring, such as CloudTrail, AWS Config or CloudWatch.

So, in this guide we are going to set up monitoring for security groups: whenever a change happens in a security group, it will trigger a CloudWatch event and we will be alerted on a specific channel, such as email or SMS, using SNS.

Services Used

  • CloudWatch Events
  • SNS

Step 1: Add an SNS topic with a subscriber


First we need to set up an SNS topic with a subscriber, so that whenever the CloudWatch Events rule matches a particular event, e.g. RevokeSecurityGroupIngress, it will have the SNS topic send us the message.

To set up the SNS topic, log in to the SNS console.

In the left navigation pane, choose Topics.


You will get the following screen.


Click Create topic to create a new SNS topic.

I have explained in detail how to set up an SNS topic with a subscriber.

Once the SNS topic with the subscriber is configured, we are ready to get notifications.

Step 2: Create a CloudWatch Events rule

To create a CloudWatch Events rule, open the CloudWatch console.

In the left navigation pane, under Events, choose Rules.


You will see the following screen. Click Create rule.


The first step is to create a rule for the event pattern.

Under Event Source, select Event Pattern.


For Service Name, choose EC2 from the drop-down menu.

For Event Type, choose AWS API Call via CloudTrail.


Choose Specific operation(s) and then add the following API calls.

These four API calls are the ones used to add or remove rules from security groups.

Copy and paste each event name into the box below.

AuthorizeSecurityGroupIngress
AuthorizeSecurityGroupEgress
RevokeSecurityGroupIngress
RevokeSecurityGroupEgress

The above settings will create the following event pattern.

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress"
    ]
  }
}

Then, for Targets, click Add target.


From the drop-down menu, choose SNS topic, then select the SNS topic you created in Step 1, and click Configure details.


Here we need to configure the details for the rule.

Provide a name for the rule and a short description.

Make sure State is Enabled (checked).


Then click Create rule.

Going forward, if anyone makes a change to the security group, the event will be matched, the CloudWatch Events rule will fire, and it will publish to the SNS topic, which sends the message to the subscribers.
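To see what the rule above actually does with an incoming CloudTrail event, here is an added example (not part of the original guide) that applies the same event pattern to two constructed events and builds the kind of alert line a subscriber would want. The matcher implements only the simplified EventBridge semantics this pattern needs (literal lists and nested objects); the account id, group id and user in the sample events are made up.

```python
# The event pattern the console generates for the rule described above.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"],
    },
}

def matches(pattern, event):
    """Simplified EventBridge matching (assumption: literal lists and nested
    objects only; 'prefix', 'anything-but' etc. are not modelled). Every
    pattern key must exist in the event and its value must be in the list."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def summarize(event):
    """One-line alert text for the subscriber: which call, on which group, by whom."""
    d = event["detail"]
    who = d.get("userIdentity", {}).get("arn", "unknown")
    group = d.get("requestParameters", {}).get("groupId", "unknown")
    return f"{d['eventName']} on {group} by {who} at {d.get('eventTime', '?')}"

# Constructed sample events (made-up account id, group id and user, not real data).
SG_CHANGE = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2021-01-01T12:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
}
READ_ONLY = {  # same service, but not one of the four listed operations
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups"},
}

print("ALERT" if matches(EVENT_PATTERN, SG_CHANGE) else "ignored", "-", summarize(SG_CHANGE))
```

In the real setup the rule only receives these events if a CloudTrail trail is logging management events in that region, so verify that before relying on the alert.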

Hope you find it helpful. Please check out my other publications.