Tags: amazon-ec2, amazon-cloudwatch, aws-security-group, amazon-cloudtrail

How to create a CloudWatch rule for new security group creation?


I would like to create a CloudWatch rule that monitors and alerts on the creation of new security groups. I thought that the CreateSecurityGroup event is what I was looking for, but no metrics are being created when I create a new security group. Below is the JSON for this CloudWatch rule:

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "CreateSecurityGroup"
    ]
  }
}

What do I need to change in order to get this working?


Solution

  • It works for me!

    Here's what I did:

    • Already existing: CloudTrail trail running in the Region
    • Went to Amazon CloudWatch Events in the management console
    • Created a new rule:
      • Service: EC2
      • Event Type: API call via CloudTrail
      • Specific Operation: CreateSecurityGroup
      • Target: Existing SQS queue with appropriate permissions
    • Created a new Security Group in the EC2 management console
    • Went to SQS, found a message in the queue that was sent about a minute after the Security Group was created

    Here's an extract:

    "eventName":"CreateSecurityGroup","awsRegion":"ap-southeast-2","sourceIPAddress":"54.222.111.1","userAgent":"signin.amazonaws.com","requestParameters":{"groupName":"stackSG3","groupDescription":"trail notify","vpcId":"vpc-12347014"}

    It took about 10 minutes for the event to appear in the CloudTrail console, but the CloudWatch Events rule was activated within a couple of minutes.

    The event pattern in the rule shows as:

    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "AWS API Call via CloudTrail"
      ],
      "detail": {
        "eventSource": [
          "ec2.amazonaws.com"
        ],
        "eventName": [
          "CreateSecurityGroup"
        ]
      }
    }
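As an added example (not part of the question or of the answer above), this reproduces the subset matching a CloudWatch Events rule applies to the CloudTrail-backed event envelope and turns a match into an alert line for a queue consumer; the `matches`, `describe_new_group` and `alerts_for` names, the sample envelopes and the IAM ARN are assumptions, while the region, IP, group name and VPC id are the values quoted in the answer.

```python
# Pattern from the answer above: CreateSecurityGroup API calls recorded by CloudTrail.
SG_CREATE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateSecurityGroup"],
    },
}

def matches(pattern, event):
    """Simplified CloudWatch Events pattern matching: every pattern key must be
    present, a list matches when the event value is one of its entries, nested
    dicts recurse, and event fields the pattern omits are ignored (subset match)."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
        elif actual not in wanted:
            return False
    return True

def describe_new_group(event):
    """Turn a matched event into one alert line for the queue consumer."""
    d = event["detail"]
    p = d.get("requestParameters", {})
    who = d.get("userIdentity", {}).get("arn", "unknown")
    return (f"{d.get('awsRegion')}: security group {p.get('groupName')} created in "
            f"{p.get('vpcId')} by {who} from {d.get('sourceIPAddress')}")

def alerts_for(events, pattern=SG_CREATE_PATTERN):
    """Apply the rule pattern to a batch of delivered events and return alert lines."""
    return [describe_new_group(e) for e in events if matches(pattern, e)]
# Constructed sample events in the envelope a rule target receives. The first reuses
# the values quoted in the answer; the IAM ARN is a placeholder.
SAMPLE_EVENTS = [
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup",
                "awsRegion": "ap-southeast-2", "sourceIPAddress": "54.222.111.1",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
                "requestParameters": {"groupName": "stackSG3", "groupDescription": "trail notify",
                                      "vpcId": "vpc-12347014"}}},
    # Same service, read-only call: must not produce an alert.
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
                "awsRegion": "ap-southeast-2"}},
]
```

Because unnamed fields are ignored, the question's pattern without a `source` key matches the same event; the answer's prerequisite of a CloudTrail trail running in the Region is what makes the events arrive at all.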