Integration: Amazon EventBridge (previously CloudWatch Events)
You need to set up an Amazon SNS topic for this integration!
Important changes in your AWS account are published as events to Amazon EventBridge (previously CloudWatch Event). Events are generated when a Backup Job fails, an EC2 Spot Instance is interrupted, or much more.
The following example connects Root User login events with marbot.
Monitoring root user logins
Your AWS account’s root user should never be used. Instead, you create IAM users. If the root user logs in, this should be suspicious. With marbot, you can receive an alert when the root user logs in.
Creating a Rule to capture events
CloudTrail only sends events to EventBridge if a trail is created!
- Add marbot to Slack or Microsoft Teams.
- Invite marbot to a channel.
- Send
@marbot Create an SNS topic
to the channel. - Follow the wizard in the channel.
- Visit the Amazon EventBridge Console.
- Click on the Create rule button.
- Set a Name.
- In the Define pattern section:
- Select Event pattern.
- Then, select Pre-defined pattern by service.
- Set the Service provider to
AWS
. - Set the Service Name to
AWS Console Sign-in
- Set the Event Type to
Sign-in Events
- Select Specific user(s) by ARN and insert
arn:aws:iam::ACCOUNT_ID:root
below (replace ACCOUNT_ID with your AWS account ID ).
- In the Select targets section:
- Select SNS topic in the head
- Select the Topic marbot-standalone-topic created earlier.
- Save by clicking the Create button.
Sample Alert
When you log in to the AWS Management Console with the root user, you should receive an alert in Slack:
Event types with Quick Links
marbot enriches the following AWS-supported event types with Quick Links for fast access to resources in the AWS UI.
Source | Type |
---|---|
* | AWS API Call via CloudTrail |
aws.acm | ACM Certificate Approaching Expiration |
aws.appflow | AppFlow End Flow Run Report |
aws.appflow | AppFlow Event Flow Deactivated |
aws.appflow | AppFlow Event Flow Report |
aws.appflow | AppFlow Scheduled Flow Deactivated |
aws.appflow | AppFlow Start Flow Run Report |
aws.application-autoscaling | Application Auto Scaling Scaling Activity State Change |
aws.athena | Athena Query State Change |
aws.autoscaling | EC2 Auto Scaling Instance Refresh Cancelled |
aws.autoscaling | EC2 Auto Scaling Instance Refresh Checkpoint Reached |
aws.autoscaling | EC2 Auto Scaling Instance Refresh Failed |
aws.autoscaling | EC2 Auto Scaling Instance Refresh Started |
aws.autoscaling | EC2 Auto Scaling Instance Refresh Succeeded |
aws.autoscaling | EC2 Instance Launch Successful |
aws.autoscaling | EC2 Instance Launch Unsuccessful |
aws.autoscaling | EC2 Instance Terminate Successful |
aws.autoscaling | EC2 Instance Terminate Unsuccessful |
aws.autoscaling | EC2 Instance-launch Lifecycle Action |
aws.autoscaling | EC2 Instance-terminate Lifecycle Action |
aws.backup | Backup Job State Change |
aws.backup | Backup Plan State Change |
aws.backup | Backup Vault State Change |
aws.backup | Copy Job State Change |
aws.backup | Recovery Point State Change |
aws.backup | Region Settings State Change |
aws.backup | Restore Job State Change |
aws.batch | Batch Job State Change |
aws.cloudwatch | CloudWatch Alarm State Change |
aws.codebuild | CodeBuild Build Phase Change |
aws.codebuild | CodeBuild Build State Change |
aws.codecommit | CodeCommit Approval Rule Template Change |
aws.codecommit | CodeCommit Comment on Commit |
aws.codecommit | CodeCommit Comment on Pull Request |
aws.codecommit | CodeCommit Pull Request State Change |
aws.codecommit | CodeCommit Repository State Change |
aws.codedeploy | CodeDeploy Deployment State-change Notification |
aws.codedeploy | CodeDeploy Instance State-change Notification |
aws.codepipeline | CodePipeline Action Execution State Change |
aws.codepipeline | CodePipeline Pipeline Execution State Change |
aws.codepipeline | CodePipeline Stage Execution State Change |
aws.dlm | DLM Policy State Change |
aws.ec2 | EBS Multi-Volume Snapshots Completion Status |
aws.ec2 | EBS Snapshot Notification |
aws.ec2 | EBS Volume Notification |
aws.ec2 | EC2 Instance Interruption Warning |
aws.ec2 | EC2 Instance State-change Notification |
aws.ec2fleet | EC2 Fleet Error |
aws.ec2fleet | EC2 Fleet Information |
aws.ec2fleet | EC2 Fleet Instance Change |
aws.ec2fleet | EC2 Fleet Spot Instance Request Change |
aws.ec2fleet | EC2 Fleet State Change |
aws.ec2spotfleet | EC2 Spot Fleet Error |
aws.ec2spotfleet | EC2 Spot Fleet Information |
aws.ec2spotfleet | EC2 Spot Fleet Instance Change |
aws.ec2spotfleet | EC2 Spot Fleet Spot Instance Request Change |
aws.ec2spotfleet | EC2 Spot Fleet State Change |
aws.ecr | ECR Image Action |
aws.ecr | ECR Image Scan |
aws.ecs | ECS Container Instance State Change |
aws.ecs | ECS Service Action |
aws.ecs | ECS Task State Change |
aws.emr | EMR Auto Scaling Policy State Change |
aws.emr | EMR Cluster State Change |
aws.emr | EMR Instance Group State Change |
aws.emr | EMR Step Status Change |
aws.es | Amazon ES Service Software Update Notification |
aws.events | Scheduled Event |
aws.glue | Glue Data Catalog Table State Change |
aws.glue | Glue Job State Change |
aws.guardduty | GuardDuty Finding |
aws.health | AWS Health Abuse Event |
aws.health | AWS Health Event |
aws.iotanalytics | IoT Analytics Dataset Lifecycle Notification |
aws.kms | KMS CMK Deletion |
aws.kms | KMS CMK Rotation |
aws.kms | KMS Imported Key Material Expiration |
aws.macie | Macie Alert |
aws.opsworks | OpsWorks Alert |
aws.opsworks | OpsWorks Command State Change |
aws.opsworks | OpsWorks Deployment State Change |
aws.opsworks | OpsWorks Instance State Change |
aws.rds | RDS DB Instance Event |
aws.rds | RDS DB Snapshot Event |
aws.s3 | Object Access Tier Changed |
aws.s3 | Object ACL Updated |
aws.s3 | Object Created |
aws.s3 | Object Deleted |
aws.s3 | Object Restore Completed |
aws.s3 | Object Restore Expired |
aws.s3 | Object Restore Initiated |
aws.s3 | Object Storage Class Changed |
aws.s3 | Object Tags Added |
aws.s3 | Object Tags Deleted |
aws.securityhub | Security Hub Findings - Custom Action |
aws.securityhub | Security Hub Findings - Imported |
aws.securityhub | Security Hub Insight Results |
aws.signin | AWS Console Sign In via CloudTrail |
aws.ssm | Configuration Compliance State Change |
aws.ssm | EC2 Command Invocation Status-change Notification |
aws.ssm | EC2 Command Status-change Notification |
aws.ssm | EC2 State Manager Association State Change |
aws.ssm | EC2 State Manager Instance Association State Change |
aws.ssm | Maintenance Window Execution State-change Notification |
aws.ssm | Maintenance Window State-change Notification |
aws.ssm | Maintenance Window Target Registration Notification |
aws.ssm | Maintenance Window Task Execution State-change Notification |
aws.ssm | Maintenance Window Task Target Invocation State-change Notification |
aws.states | Step Functions Execution Status Change |
aws.trustedadvisor | Trusted Advisor Check Item Refresh Notification |
aws.workspaces | WorkSpaces Access |
aws.xray | AWS X-Ray Insight Update |

Chatbot for AWS Monitoring
Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.