< Back
Integration: Amazon CloudWatch Event
You need to set up an Amazon SNS topic for this integration!
CloudWatch Events announce important changes in your AWS account. An event can be an EBS Snapshot Notification, a Trusted Advisor Event, or much more.
Monitoring root user logins
Your AWS account’s root user should never be used. Instead, you create IAM users. If the root user logs in, this should be suspicious. With marbot, you can receive an alert when the root user logs in.
Creating a CloudWatch Event
CloudTrail only sends events to CloudWatch if a trail is created!
- Visit https://console.aws.amazon.com/cloudwatch/home?region=us-east-1#events:
- Click on the Create rule button
- In the Event Source section
- Set the Service Name to
AWS Console Sign-in - Set the Event Type to
Sign-in Events - Select Specific user(s) by ARN and insert
arn:aws:iam::ACCOUNT_ID:rootbelow. - Replace ACCOUNT_ID with your AWS Account ID.
- Set the Service Name to
- In the Targets section
- Select SNS topic in the head
- Select the Topic
marbot
- Continue by clicking the Configure Details button.
- Choose a Name
- Save by clicking the Create rule button.
Sample Alert
When you login to the AWS Management Console with the root user, you should receive an alert in Slack:
Event types with Quick Links
| Source | Type |
|---|---|
| * | AWS API Call via CloudTrail |
| aws.autoscaling | EC2 Instance Launch Successful |
| aws.autoscaling | EC2 Instance Launch Unsuccessful |
| aws.autoscaling | EC2 Instance Terminate Successful |
| aws.autoscaling | EC2 Instance Terminate Unsuccessful |
| aws.autoscaling | EC2 Instance-launch Lifecycle Action |
| aws.autoscaling | EC2 Instance-terminate Lifecycle Action |
| aws.batch | Batch Job State Change |
| aws.cloudwatch | CloudWatch Alarm State Change |
| aws.codebuild | CodeBuild Build Phase Change |
| aws.codebuild | CodeBuild Build State Change |
| aws.codedeploy | CodeDeploy Deployment State-change Notification |
| aws.codedeploy | CodeDeploy Instance State-change Notification |
| aws.codepipeline | CodePipeline Action Execution State Change |
| aws.codepipeline | CodePipeline Pipeline Execution State Change |
| aws.codepipeline | CodePipeline Stage Execution State Change |
| aws.dlm | DLM Policy State Change |
| aws.ec2 | EBS Multi-Volume Snapshots Completion Status |
| aws.ec2 | EBS Snapshot Notification |
| aws.ec2 | EBS Volume Notification |
| aws.ec2 | EC2 Instance State-change Notification |
| aws.ec2 | EC2 Spot Instance Interruption Warning |
| aws.ecr | ECR Image Action |
| aws.ecr | ECR Image Scan |
| aws.ecs | ECS Container Instance State Change |
| aws.ecs | ECS Service Action |
| aws.ecs | ECS Task State Change |
| aws.emr | EMR Auto Scaling Policy State Change |
| aws.emr | EMR Cluster State Change |
| aws.emr | EMR Instance Group State Change |
| aws.emr | EMR Step Status Change |
| aws.events | Scheduled Event |
| aws.glue | Glue Job State Change |
| aws.glue | Glue Data Catalog Table State Change |
| aws.guardduty | GuardDuty Finding |
| aws.health | AWS Health Abuse Event |
| aws.health | AWS Health Event |
| aws.iotanalytics | IoT Analytics Dataset Lifecycle Notification |
| aws.kms | KMS CMK Deletion |
| aws.kms | KMS CMK Rotation |
| aws.kms | KMS Imported Key Material Expiration |
| aws.macie | Macie Alert |
| aws.opsworks | OpsWorks Alert |
| aws.opsworks | OpsWorks Command State Change |
| aws.opsworks | OpsWorks Deployment State Change |
| aws.opsworks | OpsWorks Instance State Change |
| aws.rds | RDS DB Snapshot Event |
| aws.securityhub | Security Hub Findings - Imported |
| aws.signin | AWS Console Sign In via CloudTrail |
| aws.ssm | EC2 Command Invocation Status-change Notification |
| aws.ssm | EC2 Command Status-change Notification |
| aws.ssm | EC2 State Manager Association State Change |
| aws.ssm | EC2 State Manager Instance Association State Change |
| aws.ssm | Maintenance Window Execution State-change Notification |
| aws.ssm | Maintenance Window State-change Notification |
| aws.ssm | Maintenance Window Target Registration Notification |
| aws.ssm | Maintenance Window Task Execution State-change Notification |
| aws.ssm | Maintenance Window Task Target Invocation State-change Notification |
| aws.states | Step Functions Execution Status Change |
| aws.trustedadvisor | Trusted Advisor Check Item Refresh Notification |
| aws.workspaces | WorkSpaces Access |
| aws.codecommit | CodeCommit Approval Rule Template Change |
| aws.codecommit | CodeCommit Comment on Commit |
| aws.codecommit | CodeCommit Comment on Pull Request |
| aws.codecommit | CodeCommit Pull Request State Change |
| aws.codecommit | CodeCommit Repository State Change |
| aws.rds | RDS DB Instance Event |
Chatbot for AWS Monitoring
Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.
Add to Slack
Add to Teams