I set up an SNS notification to send me an email whenever there is a change to the IAM policies. When a change occurs, CloudTrail sends a log to CloudWatch, which triggers an alarm attached to an SNS topic. More details in this link.
Here is an example of what I get by mail:
Alarm Details:
- Name: PolicyAlarm
- Description: This alarm is to monitor IAM Changes
- State Change: INSUFFICIENT_DATA -> ALARM
- Reason for State Change: Threshold Crossed: 1 datapoint [1.0 (31/08/17 09:15:00)] was greater than or equal to the threshold (1.0).
- Timestamp: Thursday 31 August, 2017 09:20:39 UTC
- AWS Account: 00011100000
Threshold:
- The alarm is in the ALARM state when the metric is GreaterThanOrEqualToThreshold 1.0 for 300 seconds.
The only relevant information here is the AWS Account ID. Is there a way to also include the change? Who made it, when and where? Or maybe send a little information from the CloudWatch log, like the "eventName"?
There are two ways to trigger notifications from AWS CloudTrail:

1. Configure Amazon CloudWatch Logs to look for specific strings. When found, it increments a metric. Then, create an alarm that triggers when the metric exceeds a particular value over a particular period of time. When the notification is sent, only information about the alarm is sent. OR...
2. Create a rule in Amazon CloudWatch Events to look for the event. Set an Amazon SNS topic as the target. When the notification is sent, full details of the event are passed through.

You should use #2, since it provides full details of the event.
Here's what I did to test:

- us-east-1 (where all IAM events take place)
- us-east-1 with:

Within a short time, the event appeared in SQS:

Here are the relevant bits of the policy that came through:
I sent the message to SQS, but you could also send it to SNS to then forward via email.
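As an added example (not code from the question or the answer above), here is one way to turn the full event that option #2 delivers into the "who, when, where, what" summary the question asks for. It assumes the rule's target is a Lambda function that formats the event and then publishes to the SNS email topic (the `boto3` publish call is left as a comment, and `TOPIC_ARN` is hypothetical); the sample event is constructed to look like a CloudTrail record as CloudWatch Events hands it to a target, with the CloudTrail fields under `detail`. Two caveats worth knowing: CloudWatch Events rules are now managed under Amazon EventBridge with the same event-pattern syntax, and `AWS API Call via CloudTrail` events are only delivered when at least one CloudTrail trail is logging management events.

```python
import json

# Event pattern for the CloudWatch Events / EventBridge rule: every IAM API call that
# CloudTrail records. IAM is a global service, so the rule is created in us-east-1.
RULE_EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
}

# Constructed sample event (not a real capture) in the shape CloudWatch Events delivers:
# the CloudTrail record sits under "detail". Account ID and ARNs are made up.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "123456789012",
    "time": "2017-08-31T09:15:00Z",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",
            "arn": "arn:aws:iam::123456789012:user/alice",
            "accountId": "123456789012",
            "userName": "alice",
        },
        "eventTime": "2017-08-31T09:15:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/1.11.0 Python/2.7.12",
        "requestParameters": {
            "userName": "bob",
            "policyName": "AllowEverything",
            # CloudTrail records the inline policy document as a JSON string.
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            }),
        },
        "responseElements": None,
        "eventType": "AwsApiCall",
    },
}

# requestParameters keys that name the thing being changed, in reporting order.
TARGET_KEYS = ("userName", "roleName", "groupName", "policyArn", "policyName")


def matches_rule(event, pattern=RULE_EVENT_PATTERN):
    """Match the top-level string fields the way the rule's event pattern would."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def describe_actor(user_identity):
    """Readable principal; for an assumed role report the role, not the session ARN."""
    kind = user_identity.get("type", "Unknown")
    if kind == "AssumedRole":
        issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
        return f"{kind}: {issuer.get('arn', user_identity.get('arn', 'unknown'))}"
    if kind == "Root":
        return f"Root: account {user_identity.get('accountId', 'unknown')}"
    return f"{kind}: {user_identity.get('arn') or user_identity.get('principalId', 'unknown')}"


def risk_flags(detail):
    """Flag an inline policy document that grants Allow on Action '*'."""
    flags = []
    doc = (detail.get("requestParameters") or {}).get("policyDocument")
    if doc:
        for stmt in json.loads(doc).get("Statement", []):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if stmt.get("Effect") == "Allow" and "*" in actions:
                flags.append("policy grants Allow on Action '*'")
    return flags


def summarize_iam_change(event):
    """Pull who / what / when / where out of the CloudTrail record under 'detail'."""
    d = event["detail"]
    params = d.get("requestParameters") or {}
    return {
        "account": event["account"],
        "actor": describe_actor(d.get("userIdentity", {})),
        "action": d["eventName"],
        "target": {k: params[k] for k in TARGET_KEYS if k in params},
        "time": d["eventTime"],
        "source_ip": d.get("sourceIPAddress"),
        "user_agent": d.get("userAgent"),
        "flags": risk_flags(d),
    }


def format_email(summary):
    """Plain-text body for the SNS email subscription."""
    lines = [
        f"IAM change in account {summary['account']}",
        f"Who:    {summary['actor']}",
        f"What:   {summary['action']} {json.dumps(summary['target'])}",
        f"When:   {summary['time']}",
        f"Where:  {summary['source_ip']} ({summary['user_agent']})",
    ]
    lines += [f"FLAG:   {flag}" for flag in summary["flags"]]
    return "\n".join(lines)


def lambda_handler(event, context=None):
    """Lambda target for the rule; returns the message it would publish to SNS."""
    if not matches_rule(event):
        return None
    summary = summarize_iam_change(event)
    message = format_email(summary)
    # Deployed version publishes instead of returning (TOPIC_ARN is hypothetical):
    # boto3.client("sns").publish(TopicArn=TOPIC_ARN, Subject=subject, Message=message)
    return {"subject": f"IAM change: {summary['action']} by {summary['actor']}", "body": message}
```

Running `lambda_handler(SAMPLE_EVENT)` yields a body with the caller's ARN, the `PutUserPolicy` action against user `bob`, the timestamp and the source IP, plus a flag because the attached policy allows every action. Putting a Lambda between the rule and SNS also lets you drop noisy read-only calls (`GetUser`, `ListPolicies`) before they reach your inbox, which a direct rule-to-SNS target cannot do.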