In this blog post , I have explained , how to Track IAM changes using Cloudtrail & Cloudwatch

As an Cloud Admin or DevOps engineer , We should know when and who is making changes to the system , especially when it comes to security.

As we know that the access to the AWS services for users are provided using IAM (identity and Access Management) , but sometimes We grant access to them than what is actually required.

In this case , The user may screw up something but unfortunately we won’t know who does that and what was being changed.

To avoid such cases We will implement a monitoring system for IAM and any changes in the IAM console will be tracked and we will be notified immediately.

Below are the lists of AWs services used to setup monitoring and alerting for IAM changes.

Services Used

  • Cloudtrail – Which is used to track all the User and API activities on AWS services.
  • Cloudwatch – All the events recorded by the Cloudtrail event will be stored in Cloudwatch Log group.
  • SNS – When a particular event occurs on IAM console , Simple Notification service will alert us.

Step 1:

The first step is to Enable Cloudtrail.

We must enable Cloudtrail on each AWS regions in the AWS account.

Check this detailed article to Enable Cloudtrail.

I hope you have gained some insights on how cloudtrail works.

After the cloudtrail is enabled , Now we need to configure logging for it.

Step 2:

All the events recorded by the Cloudtrail will be available only for the Last 90 days.

In this case , We need to configure logging for Cloudtrail so that It will send all the recorded events to Cloudwatch Log group.

Check this detailed article To send Cloudtrail Logs to Cloudwatch

By this time , I hope we have enabled cloudtrail which have already started tracking all the aws services and created Cloudwatch Log group and configured Cloudtrail to send logs to Cloudwatch.

Step 3:

The next step is setup alerting system. For this we are going to use SNS (simple notification service).

Check this article to Setup SNS topic with Subscriber.

Subscriber are the one who should be notified.

Now we have all the required setup to configure monitoring and alerting for IAM changes.

Step 4:

Before creating an Alarn using CLoudwatch Alarms , We should decide , based on what activity the alarm should be triggered.

Below are the following filter patterns which we can use and create alarm accordingly.

1)Monitoring Changes to IAM

Using the below pattern , You can monitor changes only in your IAM account.

{ ( ($.eventSource = "") && (($.eventName = "Add") || ($.eventName = "Attach") || ($.eventName = "Change") || ($.eventName = "Create") || ($.eventName = "Deactivate") || ($.eventName = "Delete") || ($.eventName = "Detach") || ($.eventName = "Enable") || ($.eventName = "Put") || ($.eventName = "Remove") || ($.eventName = "Set") || ($.eventName = "Update") || ($.eventName = "Upload*")) ) }

It will track events from the IAM service that begins with Add , Create , Deactivate , Change , Delete , Enable , Remove , Put , Upload and Update.

2)Monitoring All Calls to IAM

Using the below filter pattern to monitor all the calls & changes to IAM.

{ ($.eventSource = "") }

All calls to IAM will be recorded by the cloudtrail and for each calls you will be notified.

If you’re using IAM for lot of service , You will get lot of alerts , Use this pattern only if you’re having minimal IAM activity.

3)Monitoring Changes to Authentication & Authorization Configurations

Using the below filter pattern , You can monitor changes to security credentilas and policy configuration changes.

{ ( ($.eventSource = "") && (($.eventName = "PutPolicy") || ($.eventName = "Attach") || ($.eventName = "Detach") || ($.eventName = "Create") || ($.eventName = "Update") || ($.eventName = "Upload") || ($.eventName = "Delete") || ($.eventName = "Remove") || ($.eventName = "Set*")) ) }

Creating Cloudwatch Metric Filter

We know that we have all the cloudtrail recorded events stored on the Cloudwatch log group.

We should create the Cloudwatch metric based on the IAM changes and then we will create an alarm based on that.

Login to Cloudwatch console , In the navigation pane , Under Logs , Choose Log groups

Click the log group name which you have created in Step 2 , and then Under Actions , Choose Create metric filter

track iam changes

On Define pattern page , For Create filter pattern , Enter one of the filter patterns we discussed above.

track iam changes

For Test pattern , Choose the log data to test and then click Test pattern to see the results matching those patterns.

From the Log event messages , if the required pattern matches , Click Next

We need to assign metric , provide a Filter name.

track iam changes

For Metric details , Enter a Metric namespace ,

track iam changes

For the Metric name , Enter IAMAuthnAuthzActivity (any authentication or authorization changes) and enter the metric Value as 1.

track iam changes

Click Next , Review the settings and then click Create metric filter

next we need to create Cloudwatch alarm.

Creating Cloudwatch Alarm

If you check the cloudwatch Log group page , You will see the Metric filter created for the log group.

track iam changes

Click the filter, You will see this page.

track iam changes

Click Create alarm

For Statistic , Let it be Sum and the Period be 5 minutes

track iam changes

Under Conditions , Threshold type be Static , and the alarm condition be Greater/Equal and value to be 1.

So the alarm will be triggered when the metric is >=1 for 1 consecutive period.

track iam changes

and click Next,

For Notification , We are going to use the SNS topic which we have already created.

For Alarm state trigger , Choose In alarm

For Select an SNS topic , Choose Select an existing SNS topic

Send a notification to…choose the SNS topic and then click Next

track iam changes

Provide a name for the Cloudwatch alarm and then click Next , Review and then click Create alarm

track iam changes

When a Cloudwatch metric filter finds a pattern matching Authentication and Authorization changes , It will trigger the Cloudwatch Alarm and We will be notified by SNS.

By this way , We can easily track the changes occurred on the IAM service and we can revert any changes or take immediate actions.

Thanks for reading this article.

Hope you find it helpful.

Please do check out my other blogs.