< Back

Integration: Amazon EventBridge (previously CloudWatch Events)

You need to set up an Amazon SNS topic for this integration!

Important changes in your AWS account are published as events to Amazon EventBridge (previously CloudWatch Event). Events are generated when a Backup Job fails, an EC2 Spot Instance is interrupted, or much more.

The following example connects Root User login events with marbot.

Monitoring root user logins

Your AWS account’s root user should never be used. Instead, you create IAM users. If the root user logs in, this should be suspicious. With marbot, you can receive an alert when the root user logs in.

Creating a Rule to capture events

CloudTrail only sends events to EventBridge if a trail is created!

  1. Add marbot to Slack or Microsoft Teams.
  2. Invite marbot to a channel.
  3. Send @marbot Create an SNS topic to the channel.
  4. Follow the wizard in the channel.
  5. Visit the Amazon EventBridge Console.
  6. Click on the Create rule button.
  7. Set a Name.
  8. In the Define pattern section:
    1. Select Event pattern.
    2. Then, select Pre-defined pattern by service.
    3. Set the Service provider to AWS.
    4. Set the Service Name to AWS Console Sign-in
    5. Set the Event Type to Sign-in Events
    6. Select Specific user(s) by ARN and insert arn:aws:iam::ACCOUNT_ID:root below (replace ACCOUNT_ID with your AWS account ID ).
      Create EventBridge Rule
  9. In the Select targets section:
    1. Select SNS topic in the head
    2. Select the Topic marbot-standalone-topic created earlier.
      Targets
  10. Save by clicking the Create button.

Sample Alert

When you log in to the AWS Management Console with the root user, you should receive an alert in Slack:

Root User Sign In Notification

marbot enriches the following AWS-supported event types with Quick Links for fast access to resources in the AWS UI.

Source Type Definition of similar (for aggregation and mute)
* AWS API Call via CloudTrail Account ID, region, and event name must match
aws.acm ACM Certificate Approaching Expiration Account ID, region, and certificate ID must match
aws.appflow AppFlow End Flow Run Report Account ID, region, and flow name must match
aws.appflow AppFlow Event Flow Deactivated Account ID, region, and flow name must match
aws.appflow AppFlow Event Flow Report Account ID, region, and flow name must match
aws.appflow AppFlow Scheduled Flow Deactivated Account ID, region, and flow name must match
aws.appflow AppFlow Start Flow Run Report Account ID, region, and flow name must match
aws.application-autoscaling Application Auto Scaling Scaling Activity State Change Account ID, region, and resource ID must match
aws.athena Athena Query State Change Account ID, region, and workgroup name must match
aws.autoscaling EC2 Auto Scaling Instance Refresh Cancelled Account ID, region, and ASG name must match
aws.autoscaling EC2 Auto Scaling Instance Refresh Checkpoint Reached Account ID, region, and ASG name must match
aws.autoscaling EC2 Auto Scaling Instance Refresh Failed Account ID, region, and ASG name must match
aws.autoscaling EC2 Auto Scaling Instance Refresh Started Account ID, region, and ASG name must match
aws.autoscaling EC2 Auto Scaling Instance Refresh Succeeded Account ID, region, and ASG name must match
aws.autoscaling EC2 Instance Launch Successful Account ID, region, and ASG name must match
aws.autoscaling EC2 Instance Launch Unsuccessful Account ID, region, and ASG name must match
aws.autoscaling EC2 Instance Terminate Successful Account ID, region, and ASG name must match
aws.autoscaling EC2 Instance Terminate Unsuccessful Account ID, region, and ASG name must match
aws.autoscaling EC2 Instance-launch Lifecycle Action Account ID, region, and ASG name must match
aws.autoscaling EC2 Instance-terminate Lifecycle Action Account ID, region, and ASG name must match
aws.backup Backup Job State Change Account ID, region, and backup job ID must match
aws.backup Backup Plan State Change Account ID, region, and backup plan ID must match
aws.backup Backup Vault State Change Account ID, region, and backup vault name must match
aws.backup Copy Job State Change Account ID, region, and copy job ID must match
aws.backup Recovery Point State Change Account ID, region, and recovery point ID must match
aws.backup Region Settings State Change Account ID and region must match
aws.backup Restore Job State Change Account ID, region, and restore job ID must match
aws.batch Batch Job State Change Account ID, region, and job name must match
aws.cloudwatch CloudWatch Alarm State Change Account ID, region, name, and state must match
aws.codebuild CodeBuild Build Phase Change Account ID, region, and project name must match
aws.codebuild CodeBuild Build State Change Account ID, region, and project name must match
aws.codecommit CodeCommit Approval Rule Template Change Account ID, region, and approval rule template name must match
aws.codecommit CodeCommit Comment on Commit Account ID, region, repository name, and commit ID must match
aws.codecommit CodeCommit Comment on Pull Request Account ID, region, repository name, and pull request ID must match
aws.codecommit CodeCommit Pull Request State Change Account ID, region, repository name, and pull request ID must match
aws.codecommit CodeCommit Repository State Change Account ID, region, and repository name must match
aws.codedeploy CodeDeploy Deployment State-change Notification Account ID, region, application, and deployment group must match
aws.codedeploy CodeDeploy Instance State-change Notification Account ID, region, application, and deployment group must match
aws.codepipeline CodePipeline Action Execution State Change Account ID, region, pipeline, stage, and action must match
aws.codepipeline CodePipeline Pipeline Execution State Change Account ID, region, and pipeline must match
aws.codepipeline CodePipeline Stage Execution State Change Account ID, region, pipeline, and stage must match
aws.dlm DLM Policy State Change Account ID, region, and policy ID must match
aws.dms DMS Replication Task State Change Account ID, region, task ID must match
aws.ec2 EBS Multi-Volume Snapshots Completion Status Account ID, region, and snapshot ID must match
aws.ec2 EBS Snapshot Notification Account ID, region, and snapshot ID must match
aws.ec2 EBS Volume Notification Account ID, region, and volume ID must match
aws.ec2 EC2 Spot Instance Interruption Warning Account ID and region must match
aws.ec2 EC2 Instance Rebalance Recommendation Account ID and region must match
aws.ec2 EC2 Instance State-change Notification Account ID, region, and instance ID must match
aws.ec2fleet EC2 Fleet Error Account ID, region, and fleet ID must match
aws.ec2fleet EC2 Fleet Information Account ID, region, and fleet ID must match
aws.ec2fleet EC2 Fleet Instance Change Account ID, region, and fleet ID must match
aws.ec2fleet EC2 Fleet Spot Instance Request Change Account ID, region, and fleet ID must match
aws.ec2fleet EC2 Fleet State Change Account ID, region, and fleet ID must match
aws.ec2spotfleet EC2 Spot Fleet Error Account ID, region, and fleet ID must match
aws.ec2spotfleet EC2 Spot Fleet Information Account ID, region, and fleet ID must match
aws.ec2spotfleet EC2 Spot Fleet Instance Change Account ID, region, and fleet ID must match
aws.ec2spotfleet EC2 Spot Fleet Spot Instance Request Change Account ID, region, and fleet ID must match
aws.ec2spotfleet EC2 Spot Fleet State Change Account ID, region, and fleet ID must match
aws.ecr ECR Image Action Account ID, region, and repository name must match
aws.ecr ECR Image Scan Account ID, region, and repository name must match
aws.ecs ECS Container Instance State Change Account ID, region, and container instance ID must match
aws.ecs ECS Service Action Account ID, region, and service name must match
aws.ecs ECS Task State Change Account ID, region, and task definition must match
aws.elasticbeanstalk Elastic Beanstalk resource status change Account ID, region, application name, and environment name must match
aws.elasticbeanstalk Health status change Account ID, region, application name, and environment name must match
aws.elasticbeanstalk Managed update status change Account ID, region, application name, and environment name must match
aws.elasticbeanstalk Other resource status change Account ID, region, application name, and environment name must match
aws.emr EMR Auto Scaling Policy State Change Account ID, region, and cluster ID must match
aws.emr EMR Cluster State Change Account ID, region, and cluster ID must match
aws.emr EMR Instance Group State Change Account ID, region, and cluster ID must match
aws.emr EMR Step Status Change Account ID, region, and cluster ID must match
aws.es Amazon ES Service Software Update Notification Account ID, region, and domain must match
aws.events Scheduled Event Account ID, region, and rule name must match
aws.glue Glue Data Catalog Table State Change Account ID, region, and table name must match
aws.glue Glue Job State Change Account ID, region, and job name must match
aws.guardduty GuardDuty Finding Account ID, region, and affected resource ID must match
aws.health AWS Health Abuse Event Account ID, region, and event type category must match
aws.health AWS Health Event Account ID, region, and event type category must match
aws.iotanalytics IoT Analytics Dataset Lifecycle Notification Account ID, region, and dataset name must match
aws.kms KMS CMK Deletion Account ID, region, and key ID must match
aws.kms KMS CMK Rotation Account ID, region, and key ID must match
aws.kms KMS Imported Key Material Expiration Account ID, region, and key ID must match
aws.macie Macie Alert Account ID, region, and rule must match
aws.opsworks OpsWorks Alert Account ID, region, and stack ID must match
aws.opsworks OpsWorks Command State Change Account ID, region, and command ID must match
aws.opsworks OpsWorks Deployment State Change Account ID, region, and deployment ID must match
aws.opsworks OpsWorks Instance State Change Account ID, region, and stack ID must match
aws.rds RDS DB Instance Event Account ID, region, and instance ID must match
aws.rds RDS DB Snapshot Event Account ID, region, and snapshot ID must match
aws.s3 Object Access Tier Changed Account ID, region, and bucket name must match
aws.s3 Object ACL Updated Account ID, region, and bucket name must match
aws.s3 Object Created Account ID, region, and bucket name must match
aws.s3 Object Deleted Account ID, region, and bucket name must match
aws.s3 Object Restore Completed Account ID, region, and bucket name must match
aws.s3 Object Restore Expired Account ID, region, and bucket name must match
aws.s3 Object Restore Initiated Account ID, region, and bucket name must match
aws.s3 Object Storage Class Changed Account ID, region, and bucket name must match
aws.s3 Object Tags Added Account ID, region, and bucket name must match
aws.s3 Object Tags Deleted Account ID, region, and bucket name must match
aws.securityhub Security Hub Findings - Custom Action Account ID, region, and product must match
aws.securityhub Security Hub Findings - Imported Account ID, region, and product must match
aws.securityhub Security Hub Insight Results Account ID, region, and insight must match
aws.signin AWS Console Sign In via CloudTrail Account ID, region, and identity must match
aws.ssm Configuration Compliance State Change Account ID, region, and patch baseline ID must match
aws.ssm EC2 Command Invocation Status-change Notification Account ID, region, and document name must match
aws.ssm EC2 Command Status-change Notification Account ID, region, and document name must match
aws.ssm EC2 State Manager Association State Change Account ID, region, and document name must match
aws.ssm EC2 State Manager Instance Association State Change Account ID, region, and document name must match
aws.ssm Maintenance Window Execution State-change Notification Account ID, region, and window ID must match
aws.ssm Maintenance Window State-change Notification Account ID, region, and window ID must match
aws.ssm Maintenance Window Target Registration Notification Account ID, region, and window ID must match
aws.ssm Maintenance Window Task Execution State-change Notification Account ID, region, and window ID must match
aws.ssm Maintenance Window Task Target Invocation State-change Notification Account ID, region, and window ID must match
aws.states Step Functions Execution Status Change Account ID, region, state machine, and status must match
aws.trustedadvisor Trusted Advisor Check Item Refresh Notification Account ID and region must match
aws.workspaces WorkSpaces Access Account ID, region, and workspace ID must match
aws.xray AWS X-Ray Insight Update Account ID, region, and insight ID must match

In all other cases (including now AWS events), source, event type, account ID, and region must match.

More help needed? Or want to share feedback?

If you experience any issues, let us know.

E-mail icon
E-Mail
marbot teaser

Chatbot for AWS Monitoring

Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.

Slack
Add to Slack
Microsoft Teams
Add to Teams