🚀 Executive Summary

TL;DR: Manually reviewing AWS CloudTrail logs for security events like IAM user creation is inefficient and risky. This guide provides a real-time, automated solution using CloudTrail, EventBridge, and SNS to alert administrators instantly via email or other channels.

🎯 Key Takeaways

  • AWS CloudTrail records all API activity, serving as the foundational audit log for security events.
  • Amazon EventBridge enables real-time filtering of CloudTrail events using custom JSON patterns, specifically targeting `CreateUser` actions from `iam.amazonaws.com`.
  • Amazon SNS provides flexible notification delivery, allowing alerts to be sent via email, or integrated with Lambda for custom actions like Slack notifications.
  • Ensuring CloudTrail is enabled as a multi-region trail is a best practice for comprehensive audit logging.
  • Common pitfalls include unconfirmed SNS subscriptions, typos in EventBridge JSON patterns, and insufficient IAM permissions for EventBridge to publish to SNS.

Alert on IAM User Creation in AWS via CloudTrail and SNS

Alright, let’s talk about security posture. I remember the time I found a rogue IAM user named ‘temporary-dev-access’ with full admin rights. It had been sitting in our account for two months, created during a late-night deployment and completely forgotten. That was my “aha” moment. Manually combing through CloudTrail logs isn’t just tedious; it’s a security risk. You can’t catch things in real-time.

So, I built a simple, automated alert system. Now, anytime an IAM user is created, I get an email notification within a minute. It’s a foundational security check that gives me incredible peace of mind. Today, I’m going to walk you through setting it up. This is a high-value, low-effort integration that every DevOps engineer should have in their toolkit.

Prerequisites

Before we dive in, make sure you have the following ready:

  • An AWS account with permissions to manage IAM, CloudTrail, EventBridge (CloudWatch Events), and SNS.
  • The AWS Command Line Interface (CLI) configured on your machine, just in case you prefer it over the console.
  • A basic understanding of JSON, as we’ll use it for our event pattern.

The Guide: Setting Up Your Real-Time Alert

We’re going to connect a few AWS services like a chain reaction: an event happens in CloudTrail, EventBridge detects it, and then it tells SNS to send us a notification.

Step 1: Create an SNS Topic

First, we need a destination for our alerts. That’s what the Simple Notification Service (SNS) topic is for.

1. Navigate to the SNS dashboard in the AWS Console.
2. Click on “Topics” and then “Create topic”.
3. Choose the “Standard” type. This is perfect for our needs.
4. Give it a descriptive name, something like `IAMUserCreation-Alerts`.
5. Scroll down and click “Create topic”.
6. Once created, click on the “Subscriptions” tab and “Create subscription”.
7. For the “Protocol”, select “Email”. For the “Endpoint”, enter the email address where you want to receive alerts.
8. Click “Create subscription”. You’ll get an email to confirm the subscription. Make sure you click that confirmation link!

Pro Tip: In my production setups, I often point this SNS topic to a Lambda function that then posts a formatted message to a dedicated Slack channel like `#aws-security-alerts`. It gives the whole team instant visibility.

Step 2: Ensure CloudTrail is Enabled

CloudTrail is the service that records API activity in your AWS account. It’s our source of truth. Most modern AWS accounts have it enabled by default, but it’s always good to check.

1. Go to the CloudTrail dashboard.
2. Click on “Trails”. If you don’t have one, create a new trail.
3. When creating a trail, I strongly recommend you make it a multi-region trail and apply it to all S3 buckets. This gives you a complete audit log. For our specific alert, a single-region trail will work, but multi-region is best practice.

Step 3: Create the EventBridge (CloudWatch Events) Rule

This is the brains of our operation. EventBridge will watch the CloudTrail stream for the specific event we care about: the creation of an IAM user.

1. Navigate to the Amazon EventBridge console and click “Create rule”.
2. Give your rule a clear name, like `DetectIAMUserCreation`.
3. In the “Event bus” section, just leave it as `default`.
4. For “Rule type”, select “Rule with an event pattern”. Click “Next”.
5. In the “Event source” section, keep “AWS events or EventBridge partner events”.
6. Scroll down to the “Event pattern” section. This is the critical part. Select “Custom patterns (JSON editor)” and paste in the following JSON payload:

```json
{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["CreateUser"]
  }
}
```

Let’s break that down: We’re telling EventBridge to only listen for events whose source is the `aws.iam` service, whose detail-type marks them as API calls logged by CloudTrail, and whose `eventSource` is `iam.amazonaws.com` with the event name `CreateUser`. Every field in the pattern has to match, so unrelated IAM calls are ignored. Simple and effective.

7. Click “Next”.
8. In the “Target” section, select “SNS topic” from the dropdown.
9. For the “Topic”, choose the `IAMUserCreation-Alerts` topic you created in Step 1.
10. Click “Next”, review your settings, and then “Create rule”.

And that’s it! To test it, go to the IAM console and create a new test user. Within a minute or two, you should receive an email with the raw JSON event data from CloudTrail.
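If you would rather sanity-check the pattern before pasting it into the console, here is an added example (not code from the original post): a small Python model of how EventBridge evaluates the pattern above against a CloudTrail event, plus a JSON pre-check that catches the stray-comma and `CreateUser` typo mistakes from the Common Pitfalls section. The CloudTrail event it builds is a constructed sample with a made-up account id and user name.

```python
import json

# The pattern from Step 3, exactly as pasted into the EventBridge JSON editor.
IAM_CREATE_USER_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]},
}

def load_pattern(text):
    """Parse pattern JSON before pasting it: returns (pattern, None) or (None,
    error), so a stray comma shows up here rather than as a rule that never fires."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno} col {exc.colno}: {exc.msg}"

def matches(pattern, event):
    """Offline model of the subset of EventBridge matching this pattern uses:
    every pattern key must exist in the event, a list means 'equal to one of
    these values', and a nested object recurses. Not the AWS service itself."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}")
    return True

def cloudtrail_event(event_name, source="aws.iam", event_source="iam.amazonaws.com"):
    """Constructed sample of the envelope EventBridge wraps around a CloudTrail
    record; the account id and user name are made up for this example."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "requestParameters": {"userName": "temporary-dev-access"},
        },
    }
```

Run `matches(IAM_CREATE_USER_PATTERN, cloudtrail_event("CreateUser"))` and `matches(IAM_CREATE_USER_PATTERN, cloudtrail_event("GetUser"))` to see the rule fire for the first and stay quiet for the second.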

Common Pitfalls (And How to Avoid Them)

I’ve set this up dozens of times, and here’s where I usually mess up, so you don’t have to:

  • Forgetting to Confirm the SNS Subscription: This is the most common one. You set everything up perfectly, but the emails never arrive. Always check your inbox for that confirmation link after creating the subscription.
  • A Typo in the Event Pattern: JSON is notoriously picky. A misplaced comma or a typo in `CreateUser` will cause the rule to fail silently. I always double-check my JSON and use the “Test event pattern” feature in EventBridge to validate it against a sample event.
  • IAM Permissions: In more complex setups, you might run into issues where EventBridge doesn’t have permission to publish to the SNS topic. The default resource-based policy that SNS creates usually handles this, but if you’ve customized your SNS topic policies, make sure the `events.amazonaws.com` service principal is allowed to perform the `sns:Publish` action.
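For the last pitfall, here is an added example (not the author's code) that does the check offline: it inspects an SNS topic policy for an `events.amazonaws.com` grant of `sns:Publish` on the topic and returns the statement to merge in when it is missing. The topic ARN and the sample policy are constructed for the example; conditional Allow statements are deliberately treated as not satisfied so the check errs toward a false alarm rather than a silent miss.

```python
import json

EVENTS_PRINCIPAL = "events.amazonaws.com"
PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def publish_statement(topic_arn):
    """The statement the pitfall calls for, ready to append to the policy's Statement list."""
    return {
        "Sid": "AllowEventBridgePublish",
        "Effect": "Allow",
        "Principal": {"Service": EVENTS_PRINCIPAL},
        "Action": "sns:Publish",
        "Resource": topic_arn,
    }

def eventbridge_can_publish(policy, topic_arn):
    """True if the EventBridge service principal (or a wildcard principal) gets an
    unconditional sns:Publish on topic_arn and no statement explicitly denies it.
    Statements carrying a Condition are treated as not satisfied (conservative)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if EVENTS_PRINCIPAL not in services and not wildcard:
            continue
        if not (actions & PUBLISH_ACTIONS):
            continue
        if not any(r in ("*", topic_arn) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny wins over any Allow
        if stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            allowed = True
    return allowed

# Constructed sample: a wildcard-principal statement gated by a SourceOwner
# condition and no EventBridge statement yet, so the check reports False.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:IAMUserCreation-Alerts"
SAMPLE_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}}]}
```

Appending `publish_statement(TOPIC_ARN)` to `SAMPLE_POLICY["Statement"]` flips `eventbridge_can_publish` to True; pass the real policy from `aws sns get-topic-attributes` the same way.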

Conclusion

You’ve just built a robust, real-time security alert for one of the most critical events in an AWS account. This simple automation moves you from a reactive to a proactive security stance. It’s a small change that has a massive impact on your ability to monitor your environment and respond to unexpected activity immediately. Now, go create that test user and enjoy the satisfaction of seeing that first alert come through.

Darian Vance - Lead Cloud Architect & DevOps Strategist

With over 12 years in system architecture and automation, Darian specializes in simplifying complex cloud infrastructures. An advocate for open-source solutions, he founded TechResolve to provide engineers with actionable, battle-tested troubleshooting guides and robust software alternatives.


🤖 Frequently Asked Questions

❓ How can I set up real-time alerts for IAM user creation in AWS?

Configure an SNS topic for notifications, ensure CloudTrail is enabled, and create an EventBridge rule with a custom JSON pattern (`source: aws.iam`, `detail-type: AWS API Call via CloudTrail`, `eventName: CreateUser`) targeting the SNS topic.

❓ How does this automated alerting system compare to manual CloudTrail log review?

This automated system provides real-time, proactive security monitoring, instantly notifying administrators of critical events like IAM user creation, unlike manual log review which is reactive, tedious, and prone to delays and missed incidents.

❓ What is a common pitfall when implementing CloudTrail-EventBridge-SNS alerts for IAM user creation?

A common pitfall is forgetting to confirm the SNS subscription. Always check your email for the confirmation link after creating an SNS email subscription to ensure alerts are delivered.
