AWS configure cloud watch/trail to monitor for 'AccessDenied' and 'UnauthorizedOperation' errors
I'd like to setup some monitoring for capturing access denied and unauthorized operation errors in my AWS account. I'd like to capture all of these events across different AWS services but have run into some issues. I've initially setup some a couple of cloud watch rules that trigger a basic lambda function but I'm not capturing the events I'm looking for. Below are a couple of the rules events that trigger a Lambda function (ideally I'd filter these down from capturing all events once I get this working).
{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["cloudtrail.amazonaws.com"]
}
}
// All cloud watch
{
"source": [
"aws.cloudwatch"
]
}
I've been testing with the AWS CLI, making calls to resources I don't have access too e.g. :
- aws dynamodb list-tables
- aws ec2 describe-instances
- List item
I'm getting the correct errors in response from the CLI but I'm not seeing these events being propagated to the Lambda (I am seeing other non errors triggering the Lambda though).
Do I have to configure this more narrowly or am I missing a step for collecting these errors?
Thanks for the help
aws dynamodb list-tables, aws ec2 describe-instances and List item do not work because List*, Get* and Describe* API events are not supported by CloudWatch Events:
If you want to capture such events, you have to do it through CloudWatch Logs. Namely, setup your CT trail to push events to CloudWatch Logs. Then, setup a subscription filter to your lambda. This will push all API events to your lambda through CloudWatch Logs. Subsequently, you will be able to detect AccessDenied errors in the events and perform other actions you require.
Other possibility would be to setup metric filter on the logs so that AccessDenied errors are captured to create a CloudWatch metric. Then you setup a CloudWatch Alarm based on the metric. This will trigger an alarm, but it will not pass the details of event that triggered the alarm to your function. You will only know that access denied happened, but without further details.
Update
create-table works as expected. I used the following rule in my tests which I hooked up to SQS for quick checks:
{
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"dynamodb.amazonaws.com"
],
"errorCode": [
"AccessDenied"
]
}
}
- Wildcard filter in aws-nuke
- Add advanced validation for AWS::Serverless::Api GET query params
- Organizing AWS IAM permissions: limit of 10 policies?
- AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account
- failed calling webhook "vingress.elbv2.k8s.aws"
- terraform tags for list variable not working
- Amazon SES successfully forwarded emails but respond with 451 4.3.0 This message could not be delivered
- Why should I use Amazon Kinesis and not SNS-SQS?
- AWS Elastic Load Balancing: Seeing extremely long initial connection time
- AWS: None of the Instances are sending data
- How to assign a role to an iam user?
- Can't connect to ECS service through ALB
- How do I reference a resource created from different module in my current module?
- Aws Workspace Client cannot be opened in Ubuntu - 20.04.6 LTS
- AWS Lambda - How to stop retries when there is a failure
- How to enable "Use for Hive table metadata" in "AWS Glue Data Catalog settings" using Terraform?
- How Do I get Object URL for Amazon S3 object
- not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
- Handling an image/jpeg response from Lambda in API Gateway
- Do different API keys associated on the same usage plan share the same quota limit too?
- S3: Access Denied
- AWS DynamoDB table.query() not working as expected
- Can I programmatically find all untagged resources?
- Terraform doesn't allow to use variable when creating resource. How to go around?
- Multiple Tasks Definition on ECS Service using CloudFormation
- How to calculate the CodeSha256 of aws lambda deployment package before uploading
- Problems using MySQL with AWS Lambda in Python
- EKS Fargate workloads unable to resolve DNS names
- Certbot unable to locate environment variable credentials
- using AWS lambda-docker Error "lambda-entrypoint.sh: exec format error"