You need to setup an AWS SNS HTTPS endpoint for this integration!

This integration requires marbot  plus

CloudWatch Events announce important changes in your AWS account. An event can be an EBS Snapshot Notification, a Trusted Advisor Event, or much more.

Monitoring root user logins

Your AWS account’s root user should never be used. Instead, you create IAM users. If the root user logs in, this should be suspicious. With marbot, you can receive an alert when the root user logs in.

Before you can start to set up CloudWatch Events, you have to make one change to the SNS topic endpoint that is required for this integration. You have to allow CloudWatch Events to send messages to your topic.

Allowing AWS to send messages to your topic

1. Visit https://console.aws.amazon.com/sns/?region=us-east-1
2. Click on the Topics link on the left
3. Select the topic that you created for marbot
4. Click on the Actions button, where you click on the Edit topic policy link.
   
5. Select the Advanced view tab

If this is the first time you edit the SNS topic policy, you should see a default entry like this:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      [...TRUNCATED...]
    }
  ]
}

You can replace the default policy with:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AmazonCloudWatchEvents",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "ARN"
    }
  ]
}

If the topic contains already a policy, you have to add an entry to the Statement array:

{
  "Sid": "AmazonCloudWatchEvents",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "ARN"
}

1. Replace ARN with your SNS topic ARN that you created for marbot.
2. Click on the Update policy button to save the policy.

Now, Amazon CloudWatch Events is allowed to send messages to your topic. Continue to create a CloudWatch Event.

Creating a CloudWatch Event

1. Visit https://console.aws.amazon.com/cloudwatch/home?region=us-east-1#events:
2. Click on the Create rule button
3. In the Event Source section
   1. Set the Service Name to AWS Console Sign-in
   2. Set the Event Type to Sign-in Events
   3. Select Specific user(s) by ARN and insert arn:aws:iam::ACCOUNT_ID:root below.
   4. Replace ACCOUNT_ID with your AWS Account ID.
      
4. In the Targets section
   1. Select SNS topic in the head
   2. Select the Topic marbot
      
5. Continue by clicking the Configure Details button.
6. Choose a Name
   
7. Save by clicking the Create rule button.

Sample Alert

When you login to the AWS Management Console with the root user, you should get an alert in Slack via a direct message: