< Back

Integration: Amazon CloudWatch Event

You need to set up an Amazon SNS topic for this integration!

CloudWatch Events announce important changes in your AWS account. An event can be an EBS Snapshot Notification, a Trusted Advisor Event, or much more.

Monitoring root user logins

Your AWS account’s root user should never be used. Instead, you create IAM users. If the root user logs in, this should be suspicious. With marbot, you can receive an alert when the root user logs in.

Creating a CloudWatch Event

CloudTrail only sends events to CloudWatch if a trail is created!

  1. Visit https://console.aws.amazon.com/cloudwatch/home?region=us-east-1#events:
  2. Click on the Create rule button
  3. In the Event Source section
    1. Set the Service Name to AWS Console Sign-in
    2. Set the Event Type to Sign-in Events
    3. Select Specific user(s) by ARN and insert arn:aws:iam::ACCOUNT_ID:root below.
    4. Replace ACCOUNT_ID with your AWS Account ID.
      Event Sourc
  4. In the Targets section
    1. Select SNS topic in the head
    2. Select the Topic marbot
      Targets
  5. Continue by clicking the Configure Details button.
  6. Choose a Name
    Choose a Name
  7. Save by clicking the Create rule button.

Sample Alert

When you login to the AWS Management Console with the root user, you should receive an alert in Slack:

Budget Alert

Source Type
* AWS API Call via CloudTrail
aws.autoscaling EC2 Instance Launch Successful
aws.autoscaling EC2 Instance Launch Unsuccessful
aws.autoscaling EC2 Instance Terminate Successful
aws.autoscaling EC2 Instance Terminate Unsuccessful
aws.autoscaling EC2 Instance-launch Lifecycle Action
aws.autoscaling EC2 Instance-terminate Lifecycle Action
aws.batch Batch Job State Change
aws.cloudwatch CloudWatch Alarm State Change
aws.codebuild CodeBuild Build Phase Change
aws.codebuild CodeBuild Build State Change
aws.codedeploy CodeDeploy Deployment State-change Notification
aws.codedeploy CodeDeploy Instance State-change Notification
aws.codepipeline CodePipeline Action Execution State Change
aws.codepipeline CodePipeline Pipeline Execution State Change
aws.codepipeline CodePipeline Stage Execution State Change
aws.dlm DLM Policy State Change
aws.ec2 EBS Multi-Volume Snapshots Completion Status
aws.ec2 EBS Snapshot Notification
aws.ec2 EBS Volume Notification
aws.ec2 EC2 Instance State-change Notification
aws.ec2 EC2 Spot Instance Interruption Warning
aws.ecr ECR Image Action
aws.ecr ECR Image Scan
aws.ecs ECS Container Instance State Change
aws.ecs ECS Service Action
aws.ecs ECS Task State Change
aws.emr EMR Auto Scaling Policy State Change
aws.emr EMR Cluster State Change
aws.emr EMR Instance Group State Change
aws.emr EMR Step Status Change
aws.events Scheduled Event
aws.glue Glue Job State Change
aws.glue Glue Data Catalog Table State Change
aws.guardduty GuardDuty Finding
aws.health AWS Health Abuse Event
aws.health AWS Health Event
aws.iotanalytics IoT Analytics Dataset Lifecycle Notification
aws.kms KMS CMK Deletion
aws.kms KMS CMK Rotation
aws.kms KMS Imported Key Material Expiration
aws.macie Macie Alert
aws.opsworks OpsWorks Alert
aws.opsworks OpsWorks Command State Change
aws.opsworks OpsWorks Deployment State Change
aws.opsworks OpsWorks Instance State Change
aws.rds RDS DB Snapshot Event
aws.securityhub Security Hub Findings - Imported
aws.signin AWS Console Sign In via CloudTrail
aws.ssm EC2 Command Invocation Status-change Notification
aws.ssm EC2 Command Status-change Notification
aws.ssm EC2 State Manager Association State Change
aws.ssm EC2 State Manager Instance Association State Change
aws.ssm Maintenance Window Execution State-change Notification
aws.ssm Maintenance Window State-change Notification
aws.ssm Maintenance Window Target Registration Notification
aws.ssm Maintenance Window Task Execution State-change Notification
aws.ssm Maintenance Window Task Target Invocation State-change Notification
aws.states Step Functions Execution Status Change
aws.trustedadvisor Trusted Advisor Check Item Refresh Notification
aws.workspaces WorkSpaces Access
aws.codecommit CodeCommit Approval Rule Template Change
aws.codecommit CodeCommit Comment on Commit
aws.codecommit CodeCommit Comment on Pull Request
aws.codecommit CodeCommit Pull Request State Change
aws.codecommit CodeCommit Repository State Change
aws.rds RDS DB Instance Event

More help needed? Or want to share feedback?

If you experience any issues, let us know.

E-mail icon
E-Mail
marbot teaser

Chatbot for AWS Monitoring

Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.

Slack
Add to Slack
Microsoft Teams
Add to Teams