AWS CloudTrail
User Guide (Version 1.0)

Creating CloudWatch Alarms for CloudTrail Events: Examples

This topic describes how to configure alarms for CloudTrail events using example scenarios.

Prerequisites

Before you can use the examples in this topic, you must:

  • Create a trail with the console or CLI.

  • Create a log group.

  • Specify or create an IAM role that grants CloudTrail the permissions to create a CloudWatch Logs log stream in the log group that you specify and to deliver CloudTrail events to that log stream. The default CloudTrail_CloudWatchLogs_Role does this for you.

For more information, see Sending Events to CloudWatch Logs.

Create a metric filter and create an alarm

To create an alarm, you must first create a metric filter and then configure an alarm based on the filter. The procedures are shown for all examples. For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch Logs User Guide.

Note

Instead of manually creating the example metric filters and alarms that follow, you can use an AWS CloudFormation template to create them all at once. For more information, see Creating CloudWatch Alarms with an AWS CloudFormation Template.

Example: Amazon S3 Bucket Activity

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an Amazon S3 API call is made to PUT or DELETE a bucket policy, bucket lifecycle, or bucket replication, or to PUT a bucket ACL.

The alarm is also triggered by the PutBucketCors and DeleteBucketCors (cross-origin resource sharing) events. For more information, see Cross-Origin Resource Sharing in the Amazon Simple Storage Service Developer Guide.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }

  6. Choose Assign Metric.

  7. For Filter Name, type S3BucketActivity.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type S3BucketActivityEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the S3BucketActivity filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                S3 Bucket Activity
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Testing the Alarm for S3 Bucket Activity

You can test the alarm by changing the S3 bucket policy.

To test the alarm

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose an S3 bucket in a region that your trail is logging. For example, if your trail is logging in the US East (Ohio) Region only, choose a bucket in the same region. If your trail applies to all regions, choose an S3 bucket in any region.

  3. Choose Permissions and then choose Bucket Policy.

  4. Use the Bucket policy editor to change the policy and then choose Save.

  5. Your trail logs the PutBucketPolicy operation and delivers the event to your CloudWatch Logs log group. The event triggers your metric alarm, and CloudWatch Logs sends you a notification about the change.

Example: Security Group Configuration Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when configuration changes happen that involve security groups.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

  6. Choose Assign Metric.

  7. For Filter Name, type SecurityGroupEvents.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type SecurityGroupEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                Security Group Configuration Changes
    Whenever: Metric Name is            >=1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: Network Access Control List (ACL) Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when any configuration changes happen involving network ACLs.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }

  6. Choose Assign Metric.

  7. For Filter Name, type NetworkACLEvents.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type NetworkACLEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                Network ACL Configuration Changes
    Whenever: Metric Name is            >=1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: Network Gateway Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, update, or delete a customer or Internet gateway.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }

  6. Choose Assign Metric.

  7. For Filter Name, type GatewayChanges.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type GatewayEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                Network Gateway Changes
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: Amazon Virtual Private Cloud (VPC) Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, update, or delete an Amazon VPC, an Amazon VPC peering connection, or an Amazon VPC connection to classic Amazon EC2 instances.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }

  6. Choose Assign Metric.

  7. For Filter Name, type VpcChanges.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type VpcEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                VPC Changes
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: Amazon EC2 Instance Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, terminate, start, stop, or reboot an Amazon EC2 instance.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }

  6. Choose Assign Metric.

  7. For Filter Name, type EC2InstanceChanges.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type EC2InstanceEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                EC2 Instance Changes
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: EC2 Large Instance Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to create an Amazon EC2 instance of a 4xlarge or 8xlarge instance type.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }

  6. Choose Assign Metric.

  7. For Filter Name, type EC2LargeInstanceChanges.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type EC2LargeInstanceEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                EC2 Large Instance Changes
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: CloudTrail Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, update, or delete a CloudTrail trail, or to start or stop logging a trail.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }

  6. Choose Assign Metric.

  7. For Filter Name, type CloudTrailChanges.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type CloudTrailEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                CloudTrail Changes
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: Console Sign-In Failures

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when there are three or more console sign-in failures during a five-minute period.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

  6. Choose Assign Metric.

  7. For Filter Name, type ConsoleSignInFailures.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type ConsoleSigninFailureCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                Console Sign-in Failures
    Whenever: Metric Name is            >=3
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: Authorization Failures

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call fails with an authorization error, that is, with an UnauthorizedOperation or AccessDenied error code.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

  6. Choose Assign Metric.

  7. For Filter Name, type AuthorizationFailures.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type AuthorizationFailureCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                Authorization Failures
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.

Example: IAM Policy Changes

Follow this procedure to create an Amazon CloudWatch alarm that is triggered when an API call is made to change an IAM policy.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }

  6. Choose Assign Metric.

  7. For Filter Name, type IAMPolicyChanges.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type IAMPolicyEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, follow this procedure to create an alarm.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    
    CloudWatch Logs Create Alarm Wizard

    Setting                             Value
    Name                                IAM Policy Changes
    Whenever: Metric Name is            1
    For at least (consecutive periods)  1
    Period                              5 Minutes
    Statistic                           Sum
    Send notification to                Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                          Choose Email list, and then type the email address to which you want notifications sent. You will receive an email at this address to confirm that you created this alarm.

  3. Choose Create Alarm.
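
As an added example that is not part of this guide, the following Python code implements the subset of the metric filter pattern syntax that the examples above use ($.path = value comparisons, &&, ||, parentheses and the * wildcard), evaluates it against constructed CloudTrail-style event records, and then applies the alarm arithmetic from the tables (Metric Value 1, Statistic Sum, a 5 Minutes Period, and a >= threshold). The event records and the treatment of a field that is absent from an event (it never matches) are assumptions of this example, not behavior documented on this page.

```python
# Added example (not from the CloudTrail guide): evaluates this page's JSON metric-
# filter patterns (=, &&, ||, parentheses, '*') and applies the alarm arithmetic.
import re
from datetime import datetime, timezone

_TOKENS = re.compile(r'\{|\}|\(|\)|&&|\|\||=|"[^"]*"|[^\s(){}=&|"]+')
_OPS = {'||': (1, lambda l, r: lambda e: l(e) or r(e)),  # (precedence, combiner)
        '&&': (2, lambda l, r: lambda e: l(e) and r(e))}  # '&&' binds tighter

def _field(event, selector):  # resolve '$.a.b'; None when any key is absent
    for key in selector[2:].split('.'):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def _matches(actual, expected):  # '*' is a wildcard; quotes only allow spaces
    regex = '.*'.join(re.escape(p) for p in expected.strip('"').split('*'))
    return actual is not None and re.fullmatch(regex, str(actual)) is not None

def compile_pattern(pattern):
    """Parse a '{ ... }' filter pattern into a predicate over event dicts."""
    toks, pos = _TOKENS.findall(pattern) + [None], [0]  # None marks the end
    peek = lambda: toks[min(pos[0], len(toks) - 1)]

    def take(expected=None):
        tok = peek()
        if expected is not None and tok != expected:
            raise ValueError(f'expected {expected!r}, got {tok!r}')
        pos[0] += 1
        return tok

    def parse_expr(min_prec):  # precedence climbing over '&&' and '||'
        left = parse_atom()
        while peek() in _OPS and _OPS[peek()][0] >= min_prec:
            prec, combine = _OPS[take()]
            left = combine(left, parse_expr(prec + 1))
        return left

    def parse_atom():
        if peek() == '(':
            take('(')
            inner = parse_expr(1)
            take(')')
            return inner
        selector, _, expected = take(), take('='), take()
        if not selector.startswith('$.') or expected is None:
            raise ValueError(f'bad comparison near {selector!r}')
        return lambda e: _matches(_field(e, selector), expected)

    take('{')
    predicate = parse_expr(1)
    take('}')
    if take() is not None:
        raise ValueError('unexpected tokens after the closing brace')
    return predicate

def breaching_periods(events, pattern, threshold, period=300):
    """Sum matches per period; return starts (epoch s) of periods with Sum >= threshold."""
    pred, counts = compile_pattern(pattern), {}
    for ev in events:
        if pred(ev):
            ts = datetime.strptime(ev['eventTime'], '%Y-%m-%dT%H:%M:%SZ')
            start = int(ts.replace(tzinfo=timezone.utc).timestamp()) // period * period
            counts[start] = counts.get(start, 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)

SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    {'eventTime': f'2019-03-14T10:0{m}:00Z', 'eventName': 'ConsoleLogin',
     'errorMessage': 'Failed authentication'} for m in (1, 2, 3)
] + [{'eventTime': '2019-03-14T10:04:00Z', 'eventName': 'ConsoleLogin'}]
```

Calling breaching_periods(SAMPLE_EVENTS, '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }', 3) returns the single five-minute period that contains the three constructed failures and excludes the successful sign-in, which is the condition the Console Sign-In Failures alarm is configured to catch.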