Send notification when a CloudTrail event occurs for AWS SSO assume role
Question
My requirement is to:

- Trace the log event in CloudTrail when an SSO user assumes a specific role (developer-full-access) using the AWS SSO home page.
- Send an email notification to a destination that says which SSO user has assumed that role.

What is the Event Name called when an SSO user assumes a role to log in to a specific account? I can see there is a new IAM event called DescribeAccountAttributes upon a user assuming a role, but I am wondering if there is any better event to act upon in this scenario?

Can my requirements be fulfilled by creating a new Rule in AWS EventBridge, or do I need to have a custom parser running in Lambda, for example, that parses every single event in CloudTrail and filters the ones I am interested in?
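The EventBridge route the question asks about, as an added example that is not part of the original question or answer: an event pattern for the CloudTrail record of a role assumption on the developer-full-access role, a small local matcher (a simplified re-implementation of EventBridge matching written here, not the AWS code) so the pattern can be checked against sample records without deploying anything, and the message text a rule target such as an SNS e-mail could carry. Everything besides the role name is an assumption of this example: that a CloudTrail trail is enabled so EventBridge receives "AWS API Call via CloudTrail" events, that the permission set's role in the member account is named `AWSReservedSSO_<permission set>_<suffix>`, that `AssumeRoleWithSAML` is the STS call recorded for the SAML-based console sign-in alongside the `AssumeRole` the answer names, and that the sample events (constructed here, not captured from a real account) have the shape shown.

```python
"""Added example (not from the question or the answer): an EventBridge event
pattern for the CloudTrail record written when someone assumes the
developer-full-access role, a simplified local matcher so the pattern can be
checked against sample records offline, and the text a rule target would send."""
import fnmatch

ROLE_NAME = "developer-full-access"   # permission set name from the question

# Rule pattern. "AssumeRole" is the event the answer names; "AssumeRoleWithSAML"
# is added as an assumption for the SAML path IAM Identity Center (AWS SSO) uses
# for console sign-in. The wildcard content filter on roleArn avoids hard-coding
# the account ID, role path and random suffix of the AWSReservedSSO_* role.
EVENT_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole", "AssumeRoleWithSAML"],
        "requestParameters": {"roleArn": [{"wildcard": f"*_{ROLE_NAME}_*"}]},
    },
}


def _value_matches(value, rule):
    """One pattern value: a plain string is an exact match; {"prefix": ...} and
    {"wildcard": ...} are the two EventBridge content filters supported here."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "wildcard" in rule:
            return isinstance(value, str) and fnmatch.fnmatchcase(value, rule["wildcard"])
        raise ValueError(f"unsupported content filter: {rule}")
    return value == rule


def matches(pattern, event):
    """Simplified EventBridge semantics: every key in the pattern must exist in
    the event; a list means 'any of these values'; a nested dict recurses."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not any(_value_matches(event[key], r) for r in rule):
            return False
    return True


def notification_text(event):
    """Build the e-mail body the asker wants: who assumed which role, when, from where."""
    d = event["detail"]
    who = d.get("userIdentity", {})
    user = who.get("userName") or who.get("principalId") or "unknown principal"
    return (f"{user} ({who.get('type', '?')}) called {d['eventName']} on "
            f"{d['requestParameters']['roleArn']} at {d['eventTime']} "
            f"from {d.get('sourceIPAddress', '?')}")


def _cloudtrail_event(event_name, role_arn, user_name, source="aws.sts",
                      event_source="sts.amazonaws.com"):
    """Constructed sample in the shape EventBridge gives CloudTrail records
    (assumed field layout, not captured from a real account)."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventTime": "2023-05-01T10:15:00Z",
            "eventSource": event_source,
            "eventName": event_name,
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "SAMLUser", "userName": user_name,
                             "principalId": f"example-provider:{user_name}"},
            "requestParameters": {"roleArn": role_arn, "roleSessionName": user_name},
        },
    }


SSO_ROLE_PATH = "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
SAMPLE_EVENTS = {
    "dev_full_access": _cloudtrail_event(
        "AssumeRoleWithSAML",
        SSO_ROLE_PATH + "AWSReservedSSO_developer-full-access_0123456789abcdef", "alice"),
    "read_only": _cloudtrail_event(
        "AssumeRoleWithSAML",
        SSO_ROLE_PATH + "AWSReservedSSO_read-only_fedcba9876543210", "bob"),
    # The event the asker noticed: an EC2 call, not a role assumption.
    "describe_attrs": _cloudtrail_event(
        "DescribeAccountAttributes", "", "alice",
        source="aws.ec2", event_source="ec2.amazonaws.com"),
}


def selected_events():
    """Names of the sample events the rule would forward to its target."""
    return [name for name, ev in SAMPLE_EVENTS.items() if matches(EVENT_PATTERN, ev)]


if __name__ == "__main__":
    for name in selected_events():
        print(name, "->", notification_text(SAMPLE_EVENTS[name]))
```

Because the rule is scoped on `requestParameters.roleArn`, assumptions of other permission-set roles and unrelated calls such as DescribeAccountAttributes never reach the target, so no Lambda that parses every CloudTrail event is needed; the target receives the whole record and can name the user from `userIdentity`.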
Answer 1
Score: 1
Let's break your question into parts:

> What is Event Name called when a SSO users assumes a role to login into a specific account

EventName is AssumeRole. (You can verify this event in CloudTrail -> Event history -> Event name (lookup attribute) -> AssumeRole (value).)

Coming to your requirement:

> Trace the log event in cloud trail when a SSO user assumes a specific role (developer-full-access) using AWS SSO home page.
>
> Send an email notification to a destination that says which SSO user has assumed that role.

You will need to set up a CloudWatch alarm for the CloudTrail event (in your case, AssumeRole).

It would be something like this:

- Create a metric filter based on the AssumeRole event name
- Create an alarm
- Configure SNS as the alarm action, so it notifies whenever the alarm is active
- Configure your email in that SNS topic
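The four steps above, as an added example that is not the answer's own code: the CloudWatch Logs metric filter, the alarm, the SNS action and the e-mail subscription as boto3 calls. It assumes the CloudTrail trail already delivers to a CloudWatch Logs log group, that the permission-set role name contains "developer-full-access", and that `AssumeRoleWithSAML` (covered by the trailing wildcard) is the STS call recorded for the SAML-based SSO console sign-in; every resource name below is a placeholder chosen for this example, and the parameter-building functions are kept separate from the API calls so they can be inspected without AWS credentials.

```python
"""Added example (not the answer's own code): the answer's four steps as boto3
calls against CloudWatch Logs, CloudWatch and SNS. All names are placeholders."""

ROLE_NAME = "developer-full-access"             # permission set from the question
LOG_GROUP = "CloudTrail/DefaultLogGroup"        # placeholder: trail's log group
FILTER_NAME = "AssumeRoleDeveloperFullAccess"   # placeholder
METRIC_NAMESPACE = "CloudTrailMetrics"          # placeholder
METRIC_NAME = "DeveloperFullAccessAssumeRole"   # placeholder
ALARM_NAME = "developer-full-access-assumed"    # placeholder
TOPIC_NAME = "developer-full-access-alerts"     # placeholder

# Step 1: CloudWatch Logs filter pattern over the CloudTrail JSON records.
# "AssumeRole*" also covers AssumeRoleWithSAML (assumed to be what the SAML
# SSO console sign-in records); the roleArn wildcards avoid hard-coding the
# account ID, role path and random suffix of the AWSReservedSSO_* role.
FILTER_PATTERN = (
    '{ ($.eventName = "AssumeRole*") && '
    f'($.requestParameters.roleArn = "*{ROLE_NAME}*") }}'
)


def metric_filter_params():
    """put_metric_filter arguments: every matching record adds 1 to the metric."""
    return {
        "logGroupName": LOG_GROUP,
        "filterName": FILTER_NAME,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": METRIC_NAME,
            "metricNamespace": METRIC_NAMESPACE,
            "metricValue": "1",
            "defaultValue": 0.0,
        }],
    }


def alarm_params(topic_arn):
    """put_metric_alarm arguments (steps 2 and 3): go to ALARM as soon as one
    assumption lands in a 60-second period, stay OK while no records arrive,
    and notify the SNS topic."""
    return {
        "AlarmName": ALARM_NAME,
        "AlarmDescription": f"A user assumed the {ROLE_NAME} role",
        "Namespace": METRIC_NAMESPACE,
        "MetricName": METRIC_NAME,
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def deploy(email, region_name="us-east-1"):
    """Run steps 1-4 against a real account. boto3 is imported here so the
    parameter builders above stay usable offline."""
    import boto3  # assumed available where this is actually deployed
    logs = boto3.client("logs", region_name=region_name)
    cloudwatch = boto3.client("cloudwatch", region_name=region_name)
    sns = boto3.client("sns", region_name=region_name)

    # Steps 3 and 4 come first because the alarm needs the topic ARN as its action.
    topic_arn = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)

    logs.put_metric_filter(**metric_filter_params())        # step 1
    cloudwatch.put_metric_alarm(**alarm_params(topic_arn))  # steps 2 and 3
    return topic_arn


if __name__ == "__main__":
    import sys
    print(deploy(sys.argv[1]))
```

Run it as `python alarm.py you@example.com`; the address receives a subscription confirmation that must be accepted before alarm e-mails arrive. Note that a CloudWatch alarm notification carries the alarm name, state reason and metric values, not the CloudTrail record, so on its own this e-mail reports that the role was assumed but not which SSO user did it; naming the user needs a path where the target receives the record itself, such as the EventBridge rule the question mentions, or a follow-up query of the log group using the same filter pattern.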