Send notification when a CloudTrail event occurs for AWS SSO assume role

Question

My requirement is to:

  1. Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page.

  2. Send an email notification to a destination that says which SSO user has assumed that role.

What is the Event Name called when an SSO user assumes a role to log in to a specific account? I can see there is a new IAM event called DescribeAccountAttributes upon a user assuming a role, but I am wondering if there is any better event to act upon in this scenario?

Can my requirements be fulfilled by creating a new Rule in AWS EventBridge, or do I need to have a custom parser running in Lambda, for example, that parses every single event in CloudTrail and filters the ones I am interested in?



Answer 1

Score: 1


Let's break your question into parts:

>What is the Event Name called when an SSO user assumes a role to log in to a specific account

EventName is AssumeRole. (You can verify this event in CloudTrail -> Event history -> EventName (lookup attribute) -> AssumeRole (value).)

Coming to your requirement:

>Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page.
>
>Send an email notification to a destination that says which SSO user has assumed that role.

You will need to set up a CloudWatch alarm for the CloudTrail event (in your case, AssumeRole).

It would be something like this:

  • Create a metric filter based on the AssumeRole event name
  • Create an alarm
  • Configure SNS as the alarm action, so it fires whenever the alarm is in the ALARM state
  • Subscribe your email to that SNS topic
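As an added example (not code from the question or the answer above), the same alert can be raised from the EventBridge route the question mentions: a rule on CloudTrail `AssumeRole` events invokes a Lambda function that re-checks the role name and shapes the SNS message. The sample event, the SNS topic ARN and the `AWSReservedSSO_<permission-set>_<suffix>` naming that IAM Identity Center uses for permission-set roles are assumptions made here for illustration.

```python
WATCHED_ROLE = "developer-full-access"  # role name from the question
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:role-assumption-alerts"  # placeholder

def is_watched_role(role_arn: str) -> bool:
    """Match the plain role name or the form IAM Identity Center provisions,
    AWSReservedSSO_<permission-set>_<suffix>, ignoring any IAM path."""
    name = role_arn.rsplit("/", 1)[-1]
    return name == WATCHED_ROLE or name.startswith(f"AWSReservedSSO_{WATCHED_ROLE}_")

def build_notification(event: dict) -> "dict | None":
    """Return SNS Subject/Message for a matching CloudTrail AssumeRole record, else None."""
    detail = event.get("detail") or {}
    params = detail.get("requestParameters") or {}
    role_arn = params.get("roleArn", "")
    if detail.get("eventName") != "AssumeRole" or not is_watched_role(role_arn):
        return None
    # Failed attempts carry errorCode; they are still worth a notification.
    outcome = f"FAILED ({detail['errorCode']})" if detail.get("errorCode") else "succeeded"
    caller = (detail.get("userIdentity") or {}).get("arn", "unknown")
    message = "\n".join([
        f"AssumeRole {outcome} for {role_arn}",
        f"caller: {caller}",
        f"session name: {params.get('roleSessionName', 'n/a')}",
        f"source IP: {detail.get('sourceIPAddress', 'n/a')}",
        f"time: {detail.get('eventTime', 'n/a')}",
    ])
    return {"Subject": f"[{outcome}] {WATCHED_ROLE} assumed", "Message": message}

def handler(event: dict, context=None) -> dict:
    # Lambda entry point: publish only when the record matches.
    note = build_notification(event)
    if note is None:
        return {"matched": False}
    import boto3  # imported lazily so the module loads without AWS access
    boto3.client("sns").publish(TopicArn=TOPIC_ARN, **note)
    return {"matched": True}

# Constructed sample of what EventBridge delivers for one CloudTrail record.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "AssumeRole",
        "eventTime": "2023-02-14T11:34:28Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jane.doe"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                       "AWSReservedSSO_developer-full-access_0123456789abcdef",
            "roleSessionName": "jane.doe@example.com",
        },
    },
}
```

The metric-filter route in the answer and this rule-plus-Lambda route are alternatives; this one lets the email name the caller, which a plain alarm cannot.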

huangapple
  • Published on 14 February 2023 at 19:34:28
  • Please keep this link when reposting: https://go.coder-hub.com/75447245.html