How to get an alert when any user logs in to the AWS console

Written by: Chirag (Srce Cde)

In a scenario where it is critical to get alerts or keep track of the login events in the AWS console for the root or any specific IAM users, there is a requirement for a mechanism that can send notifications based on the login event.

One use case for this is to receive a notification whenever someone logs in to the console with the root user credentials, because the root account has excessive privileges and should not be used for usual activities.

In this scenario, the setup will send an email notification about the ConsoleLogin event. The ConsoleLogin event will be recorded in CloudTrail. The rule (which we will create later) within EventBridge will be triggered based on the console login event pattern, and the target will be called (in this case, it is SNS). However, the rule can have multiple targets.

Resources to be created

SNS Topic with email subscription (To receive the alerts)

The SNS topic will be the target for the EventBridge rule. Create the SNS topic as follows.

After creating the topic, open it and create the email subscription by selecting Email as the Protocol and entering, as the Endpoint, the email address where you want to receive the alerts.

After creating the subscription, you will receive a subscription confirmation email. Confirm the subscription to successfully receive the alerts via the SNS topic.

CloudTrail trail (To receive the login notification successfully within EventBridge, the trail needs to be created)

Go to CloudTrail → Create a trail (if not created already) as follows.

In step 2, make sure to check the Management events under Events and Read, Write under API activity. In step 3, review the configuration and create the trail.

Create EventBridge rule

Go to Amazon EventBridge → click Rules under Events → Create rule. Enter the rule name, select default under Event bus and enable the rule. Select Rule with an event pattern as the Rule type.

In step 2, select AWS events or EventBridge partner events as the Event source because the expected event will be sent from AWS services. Under the Event pattern, select AWS services as the Event source, AWS Console Sign-in as the AWS Service and Sign-in Events as the Event type. If you want to receive notifications for all users, select Any user; to receive them only for selected users, select Specific user(s) by ARN.

In step 3, we will configure 1 target. However, you can set multiple targets. Under Target types, select AWS service. Choose an SNS topic with the respective topic name (created as a part of the first step).

Review the configuration and create the rule.
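The rule configured above is stored as a JSON event pattern. As an added example (not part of the original post), the Python code below narrows that pattern to the root-user use case mentioned earlier and evaluates it against constructed sign-in events with a local matcher that covers only exact-value matching, not the full EventBridge pattern syntax. The account ID, ARNs and function names are assumptions made for the example.

```python
import json

# Console sign-in pattern narrowed to the root user. The eventName and
# userIdentity.type filters are additions made for this example.
ROOT_LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every key in the pattern
    must exist in the event, and a leaf list matches if it contains the value."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in rule for c in candidates):
                return False
    return True

def sample_event(identity_type, arn, result="Success", source="aws.signin"):
    """Constructed event with only the fields the pattern inspects."""
    return {
        "source": source,
        "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type, "arn": arn},
            "responseElements": {"ConsoleLogin": result},
        },
    }

def pattern_json():  # JSON text for the rule's custom pattern editor
    return json.dumps(ROOT_LOGIN_PATTERN, indent=2)

if __name__ == "__main__":
    print(pattern_json())
    root = sample_event("Root", "arn:aws:iam::123456789012:root")
    user = sample_event("IAMUser", "arn:aws:iam::123456789012:user/example")
    print(matches(ROOT_LOGIN_PATTERN, root), matches(ROOT_LOGIN_PATTERN, user))
```

Because this pattern does not filter on responseElements, failed root sign-in attempts trigger the alert as well as successful ones.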

Test the setup

Open another browser or an incognito window and log in to the AWS account via the console. This console login event will be recorded in CloudTrail, and the rule will be triggered, which will invoke the target (i.e. the SNS topic) to send the email alerts.

In case the changes are not reflected instantly, please give it 10–15 mins for CloudTrail to start recording the events and send notifications.

If you would like to follow along with me, you can refer to the video tutorial of the same.

Thank you for reading!