< Back
Integration: Amazon EventBridge (previously CloudWatch Events)
You need to set up an Amazon SNS topic for this integration!
Important changes in your AWS account are published as events to Amazon EventBridge (previously CloudWatch Event). Events are generated when a Backup Job fails, an EC2 Spot Instance is interrupted, or much more.
The following example connects Root User login events with marbot.
Monitoring root user logins
Your AWS account’s root user should never be used. Instead, you create IAM users. If the root user logs in, this should be suspicious. With marbot, you can receive an alert when the root user logs in.
Creating a Rule to capture events
CloudTrail only sends events to EventBridge if a trail is created!
- Add marbot to Slack or Microsoft Teams.
- Invite marbot to a channel.
- Send
@marbot Create an SNS topicto the channel. - Follow the wizard in the channel.
- Visit the Amazon EventBridge Console.
- Click on the Create rule button.
- Set a Name.
- In the Define pattern section:
- Select Event pattern.
- Then, select Pre-defined pattern by service.
- Set the Service provider to
AWS. - Set the Service Name to
AWS Console Sign-in - Set the Event Type to
Sign-in Events - Select Specific user(s) by ARN and insert
arn:aws:iam::ACCOUNT_ID:rootbelow (replace ACCOUNT_ID with your AWS account ID ).
- In the Select targets section:
- Select SNS topic in the head
- Select the Topic marbot-standalone-topic created earlier.
- Save by clicking the Create button.
Sample Alert
When you log in to the AWS Management Console with the root user, you should receive an alert in Slack:
Event types with Quick Links
marbot enriches the following AWS-supported event types with Quick Links for fast access to resources in the AWS UI.
| Source | Type | Definition of similar (for aggregation and mute) |
|---|---|---|
| * | AWS API Call via CloudTrail | Account ID, region, and event name must match |
| aws.acm | ACM Certificate Approaching Expiration | Account ID, region, and certificate ID must match |
| aws.appflow | AppFlow End Flow Run Report | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Event Flow Deactivated | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Event Flow Report | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Scheduled Flow Deactivated | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Start Flow Run Report | Account ID, region, and flow name must match |
| aws.application-autoscaling | Application Auto Scaling Scaling Activity State Change | Account ID, region, and resource ID must match |
| aws.athena | Athena Query State Change | Account ID, region, and workgroup name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Cancelled | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Checkpoint Reached | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Failed | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Started | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Succeeded | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Launch Successful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Launch Unsuccessful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Terminate Successful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Terminate Unsuccessful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance-launch Lifecycle Action | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance-terminate Lifecycle Action | Account ID, region, and ASG name must match |
| aws.backup | Backup Job State Change | Account ID, region, and backup job ID must match |
| aws.backup | Backup Plan State Change | Account ID, region, and backup plan ID must match |
| aws.backup | Backup Vault State Change | Account ID, region, and backup vault name must match |
| aws.backup | Copy Job State Change | Account ID, region, and copy job ID must match |
| aws.backup | Recovery Point State Change | Account ID, region, and recovery point ID must match |
| aws.backup | Region Settings State Change | Account ID and region must match |
| aws.backup | Restore Job State Change | Account ID, region, and restore job ID must match |
| aws.batch | Batch Job State Change | Account ID, region, and job name must match |
| aws.cloudwatch | CloudWatch Alarm State Change | Account ID, region, name, and state must match |
| aws.codebuild | CodeBuild Build Phase Change | Account ID, region, and project name must match |
| aws.codebuild | CodeBuild Build State Change | Account ID, region, and project name must match |
| aws.codecommit | CodeCommit Approval Rule Template Change | Account ID, region, and approval rule template name must match |
| aws.codecommit | CodeCommit Comment on Commit | Account ID, region, repository name, and commit ID must match |
| aws.codecommit | CodeCommit Comment on Pull Request | Account ID, region, repository name, and pull request ID must match |
| aws.codecommit | CodeCommit Pull Request State Change | Account ID, region, repository name, and pull request ID must match |
| aws.codecommit | CodeCommit Repository State Change | Account ID, region, and repository name must match |
| aws.codedeploy | CodeDeploy Deployment State-change Notification | Account ID, region, application, and deployment group must match |
| aws.codedeploy | CodeDeploy Instance State-change Notification | Account ID, region, application, and deployment group must match |
| aws.codepipeline | CodePipeline Action Execution State Change | Account ID, region, pipeline, stage, and action must match |
| aws.codepipeline | CodePipeline Pipeline Execution State Change | Account ID, region, and pipeline must match |
| aws.codepipeline | CodePipeline Stage Execution State Change | Account ID, region, pipeline, and stage must match |
| aws.dlm | DLM Policy State Change | Account ID, region, and policy ID must match |
| aws.dms | DMS Replication Task State Change | Account ID, region, task ID must match |
| aws.ec2 | EBS Multi-Volume Snapshots Completion Status | Account ID, region, and snapshot ID must match |
| aws.ec2 | EBS Snapshot Notification | Account ID, region, and snapshot ID must match |
| aws.ec2 | EBS Volume Notification | Account ID, region, and volume ID must match |
| aws.ec2 | EC2 Spot Instance Interruption Warning | Account ID and region must match |
| aws.ec2 | EC2 Instance Rebalance Recommendation | Account ID and region must match |
| aws.ec2 | EC2 Instance State-change Notification | Account ID, region, and instance ID must match |
| aws.ec2fleet | EC2 Fleet Error | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet Information | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet Instance Change | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet Spot Instance Request Change | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet State Change | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Error | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Information | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Instance Change | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Spot Instance Request Change | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet State Change | Account ID, region, and fleet ID must match |
| aws.ecr | ECR Image Action | Account ID, region, and repository name must match |
| aws.ecr | ECR Image Scan | Account ID, region, and repository name must match |
| aws.ecs | ECS Container Instance State Change | Account ID, region, and container instance ID must match |
| aws.ecs | ECS Service Action | Account ID, region, and service name must match |
| aws.ecs | ECS Task State Change | Account ID, region, and task definition must match |
| aws.elasticbeanstalk | Elastic Beanstalk resource status change | Account ID, region, application name, and environment name must match |
| aws.elasticbeanstalk | Health status change | Account ID, region, application name, and environment name must match |
| aws.elasticbeanstalk | Managed update status change | Account ID, region, application name, and environment name must match |
| aws.elasticbeanstalk | Other resource status change | Account ID, region, application name, and environment name must match |
| aws.emr | EMR Auto Scaling Policy State Change | Account ID, region, and cluster ID must match |
| aws.emr | EMR Cluster State Change | Account ID, region, and cluster ID must match |
| aws.emr | EMR Instance Group State Change | Account ID, region, and cluster ID must match |
| aws.emr | EMR Step Status Change | Account ID, region, and cluster ID must match |
| aws.es | Amazon ES Service Software Update Notification | Account ID, region, and domain must match |
| aws.events | Scheduled Event | Account ID, region, and rule name must match |
| aws.glue | Glue Data Catalog Table State Change | Account ID, region, and table name must match |
| aws.glue | Glue Job State Change | Account ID, region, and job name must match |
| aws.guardduty | GuardDuty Finding | Account ID, region, and affected resource ID must match |
| aws.health | AWS Health Abuse Event | Account ID, region, and event type category must match |
| aws.health | AWS Health Event | Account ID, region, and event type category must match |
| aws.iotanalytics | IoT Analytics Dataset Lifecycle Notification | Account ID, region, and dataset name must match |
| aws.kms | KMS CMK Deletion | Account ID, region, and key ID must match |
| aws.kms | KMS CMK Rotation | Account ID, region, and key ID must match |
| aws.kms | KMS Imported Key Material Expiration | Account ID, region, and key ID must match |
| aws.macie | Macie Alert | Account ID, region, and rule must match |
| aws.opsworks | OpsWorks Alert | Account ID, region, and stack ID must match |
| aws.opsworks | OpsWorks Command State Change | Account ID, region, and command ID must match |
| aws.opsworks | OpsWorks Deployment State Change | Account ID, region, and deployment ID must match |
| aws.opsworks | OpsWorks Instance State Change | Account ID, region, and stack ID must match |
| aws.rds | RDS DB Instance Event | Account ID, region, and instance ID must match |
| aws.rds | RDS DB Snapshot Event | Account ID, region, and snapshot ID must match |
| aws.s3 | Object Access Tier Changed | Account ID, region, and bucket name must match |
| aws.s3 | Object ACL Updated | Account ID, region, and bucket name must match |
| aws.s3 | Object Created | Account ID, region, and bucket name must match |
| aws.s3 | Object Deleted | Account ID, region, and bucket name must match |
| aws.s3 | Object Restore Completed | Account ID, region, and bucket name must match |
| aws.s3 | Object Restore Expired | Account ID, region, and bucket name must match |
| aws.s3 | Object Restore Initiated | Account ID, region, and bucket name must match |
| aws.s3 | Object Storage Class Changed | Account ID, region, and bucket name must match |
| aws.s3 | Object Tags Added | Account ID, region, and bucket name must match |
| aws.s3 | Object Tags Deleted | Account ID, region, and bucket name must match |
| aws.securityhub | Security Hub Findings - Custom Action | Account ID, region, and product must match |
| aws.securityhub | Security Hub Findings - Imported | Account ID, region, and product must match |
| aws.securityhub | Security Hub Insight Results | Account ID, region, and insight must match |
| aws.signin | AWS Console Sign In via CloudTrail | Account ID, region, and identity must match |
| aws.ssm | Configuration Compliance State Change | Account ID, region, and patch baseline ID must match |
| aws.ssm | EC2 Command Invocation Status-change Notification | Account ID, region, and document name must match |
| aws.ssm | EC2 Command Status-change Notification | Account ID, region, and document name must match |
| aws.ssm | EC2 State Manager Association State Change | Account ID, region, and document name must match |
| aws.ssm | EC2 State Manager Instance Association State Change | Account ID, region, and document name must match |
| aws.ssm | Maintenance Window Execution State-change Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window State-change Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window Target Registration Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window Task Execution State-change Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window Task Target Invocation State-change Notification | Account ID, region, and window ID must match |
| aws.states | Step Functions Execution Status Change | Account ID, region, state machine, and status must match |
| aws.trustedadvisor | Trusted Advisor Check Item Refresh Notification | Account ID and region must match |
| aws.workspaces | WorkSpaces Access | Account ID, region, and workspace ID must match |
| aws.xray | AWS X-Ray Insight Update | Account ID, region, and insight ID must match |
In all other cases (including now AWS events), source, event type, account ID, and region must match.
Chatbot for AWS Monitoring
Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.
Add to Slack
Add to Teams