
Notify When Someone Login From Console

Introduction:

CloudTrail is a service that records all AWS API activity. Combined with S3, CloudWatch Logs and SNS, it can be used to notify you when someone logs in from the web console.

Objective:

Be notified when someone logs in from the console.

Steps:

  1. Create an SNS topic with the email option to receive a notification when someone logs in from the web console
  2. Create a CloudTrail trail
    • Configure an S3 bucket to save the trail log
  3. Configure the trail to send logs to CloudWatch Logs
  4. Create a filter for CloudWatch Logs
  5. Create a CloudWatch Alarm for the metric

Create SNS with email option

Navigate to SNS.

Click Topics and create a new topic.

Give the topic a name and leave the rest of the options at their defaults.

Create a subscription for the topic just created.

Choose Email for the Protocol option. The subscription has to be confirmed from the email address entered.

In the finish view, the status is pending because the subscription still needs to be confirmed.

Log in to your mailbox and confirm the subscription.

If you see the confirmation page, the subscription was successful and you will see the status change to Confirmed.

Create CloudTrail trail

Navigate to the CloudTrail service.

Create a trail.

Give the trail a name and configure the options to fit your needs.

Create a new S3 bucket or choose an existing one to save the trail log.

Configure trail to send logs to CloudWatch Logs

On the trail list page, click the trail just created.

Scroll all the way to the bottom to configure CloudWatch Logs.

Give CloudWatch Logs a name.

Because the trail will send logs to CloudWatch Logs, we need to assign it a role with the appropriate privileges.

Finish view.

Create filter for CloudWatch Logs

Navigate to CloudWatch.

Click Logs, then the filters of the logs we just created.

Add a metric filter.

On the define page, we run a test first. eventName is the field we will filter on, so we pick an eventName from the sample log data and test whether the filter returns the correct results.

Once the test succeeds, change the eventName to ConsoleLogin.

Give the filter a name and finish with some configuration.

Finish view.

For testing purposes, on the log list page, set a retention period for the logs.

Finish view.

So far, we have completed the first part of the process: when someone logs in through the console, the API activity is recorded by the trail, saved to S3 and pushed to CloudWatch Logs. Now log in through the console again and wait about 15 minutes to see whether everything works correctly. If so, you will see the metric in CloudWatch Metrics.
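To see what the metric filter from this section will count without waiting on real traffic, the following added example (not part of the original post) applies the equivalent of the JSON filter pattern `{ $.eventName = "ConsoleLogin" }` to CloudTrail-shaped records in Python and summarises each match. The sample events, their values and the function names are assumptions made for illustration.

```python
import json

# Constructed CloudTrail records (one JSON document per log event), in the
# shape a trail delivers to CloudWatch Logs. Every value here is made up.
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "Root"},
                "sourceIPAddress": "203.0.113.20",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "sourceIPAddress": "192.0.2.55",
                "responseElements": {"ConsoleLogin": "Failure"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7", "responseElements": None}),
    "truncated or non-JSON log line",
]

def match_console_login(line):
    """Local stand-in for the filter: parsed event if eventName is ConsoleLogin, else None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # a JSON filter pattern never matches non-JSON text
    if isinstance(event, dict) and event.get("eventName") == "ConsoleLogin":
        return event
    return None

def summarise(event):
    """Pull out the fields worth reading in the alert: who, from where, outcome, MFA."""
    identity = event.get("userIdentity") or {}
    return {
        "who": identity.get("userName") or identity.get("type", "unknown"),
        "source_ip": event.get("sourceIPAddress"),
        "result": (event.get("responseElements") or {}).get("ConsoleLogin"),
        "mfa": (event.get("additionalEventData") or {}).get("MFAUsed"),
    }

def console_logins(lines):
    """Return one summary per line the filter would count towards the metric."""
    return [summarise(e) for e in map(match_console_login, lines) if e is not None]

if __name__ == "__main__":
    for login in console_logins(SAMPLE_LOG_LINES):
        print(login)
```

The failed attempt is counted as well: a filter on eventName alone does not distinguish successful from failed sign-ins, and root logins appear without a userName.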

Create CloudWatch Alarm for metric

Create an alarm from the CloudWatch home page.

Select the metric to monitor.

Select the metric that is generated by filtering the logs from the trail.

Change the metric settings.

Give the alarm a name and set its threshold.

Set the action to trigger when the threshold is reached, which is the SNS topic we created in the first place.

Finish view.

Lastly, log in through the console again; after around 15 minutes, you will receive a notification by email.


This post is licensed under CC BY 4.0 by the author.