Cloudwatch alarm for IAM Policies changes doesn't work - Amazon web services

Igor
September 23, 2022
190 views
0 votes
2 Answers

I’m just trying to create fully functional alarm that will change state if there’s any IAM Policies changes will be made.

Create an S3 Bucket for Cloudtrail logs.
Create trail in Cloudtrail.
Add Metric filter:

{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}

Create Alarm for this filter by using created Metric and Metricname.

If I attach or detach any policy for any IAM Role – nothing happening.

There’s a policies for cloudwatch role:

    "Statement": [
        {
            "Action": [
                "s3:GetBucketAcl",
                "s3:PutObject",
                "cloudtrail:StartLogging",
                "cloudtrail:StopLogging",
                "cloudtrail:Get*",
                "cloudtrail:CreateTrail",
                "cloudtrail:UpdateTrail",
                "iam:CreateServiceLinkedRole",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole"
                "autoscaling:Describe*",
                "cloudwatch:*",
                "logs:*",
                "sns:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

Anyone can advise why there’s no changes in alarm state?

Answers

Chosen as BEST ANSWER
- Igor
- September 28, 2022 at 9:41 am
- 0 votes
0
Well, I figured it out: It works correctly only in the us-east-1 region. I saw a hint in some instructions, which said something completely different, and decided to try setting up IAM Changes Alarm in another region.

@shimo, thanks for reassuring me that my settings are completely correct.

(Edit)

- shimo
- September 24, 2022 at 7:01 am
- 0 votes
0
Your Metric filter works fine, and the role is ok (it seems too much, though).

Try to check your filter can detect from your own trail logs by testing on the console.

Check the state of the alarm is OK.

Check the Metrics are found properly.

Note: I think when setting CW alarms, we need to wait a while (several minutes or so). Immediate actions do not work.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Cloudwatch alarm for IAM Policies changes doesn't work – Amazon web services

Answers