Amazon VGT2 Las Vegas: CloudTrail Integration with CloudWatch Expands to Four Additional Regions


My colleague Jamie Hargrove recently shared a significant update regarding the integration of CloudTrail with CloudWatch, along with insights into a new CloudFormation template designed to expedite your setup process.

At the re:Invent 2014 conference, we introduced the integration of AWS CloudTrail with Amazon CloudWatch Logs in the US East (N. Virginia), Europe (Ireland), and US West (Oregon) regions. This integration enables you to monitor specific API calls made within your AWS account and receive email alerts whenever those calls occur.

Now, we are pleased to announce that this functionality is available in additional regions, including Asia Pacific (Sydney), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Frankfurt). More regions will be added in the future! Additionally, we have developed an AWS CloudFormation template that simplifies the creation of CloudWatch alarms for API activities captured by CloudTrail.

CloudFormation Template Overview

In this post, I will guide you through the process of using CloudFormation to set up CloudWatch alarms that monitor critical network and security-related API activities, ensuring you receive email notifications when these API calls are executed in your AWS account. The CloudFormation template includes predefined metric filters that track essential API calls involving the creation, deletion, and updates of Security Groups, Network ACLs, Internet Gateways, EC2 instances, and IAM policy alterations.

For comprehensive details, you can refer to the CloudTrail documentation, which elaborates on the alarms defined in the CloudFormation template. You have the flexibility to configure the CloudWatch alarms according to your specific requirements or adjust the metric filters to suit your scenario.
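To make the shape of such a template concrete, the following is an added example written for this post; it is not the template linked in Step 1 and is not AWS's own code. It wires together the three pieces the post describes: an SNS topic subscribed to the notification address, a CloudWatch Logs metric filter that counts Security Group API calls in the CloudTrail log group, and a CloudWatch alarm that publishes to the topic when that count reaches one. The parameter names `Email` and `LogGroupName`, the default log group name `CloudTrail/DefaultLogGroup`, the metric namespace `CloudTrailMetrics`, the metric name and the alarm name are all assumptions made for this example.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not the post's linked template): alarm on Security Group API calls recorded by CloudTrail. Names below are assumed for illustration.",
  "Parameters": {
    "LogGroupName": {
      "Type": "String",
      "Default": "CloudTrail/DefaultLogGroup",
      "Description": "CloudWatch Logs log group that CloudTrail delivers to (assumed default name; see Prerequisites)"
    },
    "Email": {
      "Type": "String",
      "Description": "Address that receives alarm notifications (must confirm the SNS subscription email)"
    }
  },
  "Resources": {
    "AlarmNotificationTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": { "Ref": "Email" }, "Protocol": "email" }
        ]
      }
    },
    "SecurityGroupChangesMetricFilter": {
      "Type": "AWS::Logs::MetricFilter",
      "Properties": {
        "LogGroupName": { "Ref": "LogGroupName" },
        "FilterPattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
        "MetricTransformations": [
          {
            "MetricNamespace": "CloudTrailMetrics",
            "MetricName": "SecurityGroupEventCount",
            "MetricValue": "1"
          }
        ]
      }
    },
    "SecurityGroupChangesAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
        "AlarmName": "CloudTrailSecurityGroupChanges",
        "AlarmDescription": "Alarms when an API call is made to create, update or delete a Security Group.",
        "AlarmActions": [ { "Ref": "AlarmNotificationTopic" } ],
        "MetricName": "SecurityGroupEventCount",
        "Namespace": "CloudTrailMetrics",
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "EvaluationPeriods": "1",
        "Period": "300",
        "Statistic": "Sum",
        "Threshold": "1"
      }
    }
  }
}
```

The filter pattern matches on the `eventName` field of each JSON CloudTrail record delivered to the log group, so it only counts calls that CloudTrail actually writes there; because a CloudWatch Logs log group is regional, the same stack has to be created in every region you want covered, which is the multi-region point made under Prerequisites. A threshold of 1 over a five-minute `Sum` means a single matching call raises the alarm; raise the threshold or widen the pattern to suit your own baseline, as the post suggests. The stack can be created through the console as in Steps 2 to 4, or with `aws cloudformation create-stack --stack-name <name> --template-body file://template.json --parameters ParameterKey=Email,ParameterValue=<address>`.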

Prerequisites

To get started, ensure that CloudTrail log file delivery is configured for CloudWatch Logs. The CloudTrail console provides secure default settings to facilitate the configuration of log file delivery. Visit the CloudTrail Console or consult the CloudTrail documentation for guidance. If you operate in multiple regions, you can apply the same process and CloudFormation template to monitor specific API calls there and receive email notifications. If you’re not using the default CloudWatch Logs log group, remember to note its name for the CloudFormation template.

Step 1 – Download the CloudFormation Template

Download the template from this link and save it locally. While the template is ready for use, feel free to open it in a text editor or an online JSON editing tool for a closer look.

Step 2 – Upload the CloudFormation Template

Head over to the CloudFormation Console and create a stack to upload the template. Assign a meaningful name to the stack and upload the CloudFormation template from your saved location.

Step 3 – Specify Parameters

Click “Next” to provide parameters. You will need to specify an email address for notifications and the CloudWatch Logs log group you configured under Prerequisites. The CloudFormation template will create an SNS topic and subscribe your email to it. Ensure you use the same CloudWatch Logs log group that CloudTrail delivers to.

Proceed by clicking “Next” for additional options like tagging or advanced settings; however, I am not utilizing these features in this instance. On the following screen, review your parameters and prepare to create the alarm stack.

Step 4 – Review Parameters and Create

Confirm that your email address and log group name are accurate, then click “Create.” Your CloudFormation stack will be established within a few minutes.

Step 5 – Confirm Email Subscription

Once the stack creation is complete, an email will arrive containing a request to validate your email address. Click “Confirm Subscription” in the email to begin receiving notifications when alarms are triggered.

Step 6 – Receive Email Notifications

For instance, you might receive an email alert indicating that an API call was made to create, update, or delete a security group in your account.

If you have suggestions for additional alarms to include in the CloudFormation template, please feel free to share your feedback in the CloudTrail forum. You may also find this blog post helpful for further insights, and if you want more authoritative information, check out this resource on the topic. Additionally, this video serves as an excellent resource for visual learners.

— Jamie Hargrove, Senior Product Manager
