AWS CloudTrail
User Guide (Version 1.0)

Creating CloudWatch Alarms for CloudTrail Events: Examples

This topic describes how to configure alarms for CloudTrail events using example scenarios.

Prerequisites

Before you can use the examples in this topic, you must:

  • Create a trail with the CloudTrail console or CLI

  • Create a log group

  • Specify or create an IAM role that grants CloudTrail the permissions to create a CloudWatch Logs log stream in the log group that you specify and to deliver CloudTrail events to that log stream (the default CloudTrail_CloudWatchLogs_Role does this for you).

For more information, see Sending CloudTrail Events to CloudWatch Logs.

Create a metric filter, create an alarm

To create an alarm, you must first create a metric filter and then configure an alarm based on the filter. These steps are shown for every example in this topic.

Note

Instead of creating the metric filters and alarms that are presented here manually, you can use an AWS CloudFormation template to create them all at once. For more information, see Using an AWS CloudFormation Template to Create CloudWatch Alarms.

Example: Amazon S3 Bucket Activity

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an Amazon S3 API call is made to PUT or DELETE a bucket policy, bucket lifecycle, or bucket replication configuration, or to PUT a bucket ACL. The alarm is also triggered by the PUT and DELETE bucket CORS (cross-origin resource sharing) events. For information about cross-origin resource sharing, see Cross-Origin Resource Sharing.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter S3BucketActivity.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter S3BucketActivityEventCount.

  9. Click Metric Value, and then type 1. If Metric Value does not appear, click Advanced first.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the S3BucketActivity filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        S3 Bucket Activity
    Whenever: S3BucketActivityEventCount is     1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Security Group Configuration Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when any configuration changes happen involving security groups.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter SecurityGroupEvents.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter SecurityGroupEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        Security Group Configuration Changes
    Whenever: SecurityGroupEventCount is        >=1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Network Access Control List (ACL) Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when any configuration changes happen involving network ACLs.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter NetworkACLEvents.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name box, enter NetworkACLEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        Network ACL Configuration Changes
    Whenever: NetworkACLEventCount is           >=1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Network Gateway Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, update, or delete a customer or Internet gateway.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter GatewayChanges.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter GatewayEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        Network Gateway Changes
    Whenever: GatewayEventCount is              1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Amazon Virtual Private Cloud (VPC) Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, update or delete an Amazon VPC, an Amazon VPC peering connection or an Amazon VPC connection to classic Amazon EC2 instances.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter VpcChanges.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter VpcEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        VPC Changes
    Whenever: VpcEventCount is                  1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Amazon EC2 Instance Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, terminate, start, stop or reboot an Amazon EC2 instance.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter EC2InstanceChanges.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter EC2InstanceEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        EC2 Instance Changes
    Whenever: EC2InstanceEventCount is          1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: EC2 Large Instance Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an API call is made to create an EC2 instance of a 4xlarge or 8xlarge instance type.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter EC2LargeInstanceChanges.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter EC2LargeInstanceEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        EC2 Large Instance Changes
    Whenever: EC2LargeInstanceEventCount is     1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: CloudTrail Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an API call is made to create, update or delete a CloudTrail trail, or to start or stop logging to a trail.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter CloudTrailChanges.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter CloudTrailEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        CloudTrail Changes
    Whenever: CloudTrailEventCount is           1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Console Sign-In Failures

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when there are three or more sign-in failures during a five-minute period.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ConsoleSignInFailures.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name box, enter ConsoleSigninFailureCount.

  9. Click Show advanced metric settings.

  10. Click Metric Value, and then type 1.

  11. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        Console Sign-in Failures
    Whenever: ConsoleSigninFailureCount is      >=3
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: Authorization Failures

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an unauthorized API call is made.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter AuthorizationFailures.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter AuthorizationFailureCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        Authorization Failures
    Whenever: AuthorizationFailureCount is      1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.

Example: IAM Policy Changes

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when an API call is made to change an IAM policy.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, click Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Click Create Metric Filter.

  5. On the Define Logs Metric Filter screen, click Filter Pattern and then type the following:

    {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Click Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter IAMPolicyChanges.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter IAMPolicyEventCount.

  9. Click Metric Value, and then type 1.

  10. When you are finished, click Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, click Create Alarm.

  2. On the Create Alarm page, provide the following values.

    CloudWatch Logs Create Alarm Wizard

    Setting                                     Value
    Name                                        IAM Policy Changes
    Whenever: IAMPolicyEventCount is            1
    For consecutive period(s)                   1
    Period                                      5 Minutes
    Statistic                                   Sum
    Send notification to                        Near the Select a notification list box, click New list, and then type a unique topic name for the list.
    Email list                                  Click Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, click Create Alarm.
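To see what the metric filters and alarms in the examples above actually do before deploying them, the following added example (written for this page; it is not AWS code and not part of the original guide) evaluates the page's filter patterns offline against constructed CloudTrail records and then applies the alarm arithmetic from the wizard tables (metric value 1 per match, Statistic Sum over a 5-minute period, alarm when the sum reaches the threshold). It assumes only the syntax subset the page uses: $.field selectors, '=' with '*' wildcards, '&&', '||' and parentheses; the sample records and timestamps are constructed, not real logs.

```python
"""Run this page's CloudWatch Logs metric filter patterns over CloudTrail records and
apply the page's alarm arithmetic. Hypothetical helper written here, not AWS code."""
import re
from collections import Counter

# Assumed syntax subset, as used on this page: '$.a.b = value' comparisons with
# '*' as the only wildcard and optional double quotes, '&&', '||', parentheses.
_TOKEN = re.compile(r'\(|\)|\{|\}|&&|\|\||=|"[^"]*"|[^\s(){}=&|"]+')


def _compare(record, path, value):
    """'$.a.b = value': walk the JSON path; a missing field never matches."""
    for key in path:
        record = record.get(key) if isinstance(record, dict) else None
    if record is None:
        return False
    value = value[1:-1] if value.startswith('"') else value
    regex = ".*".join(re.escape(part) for part in value.split("*"))
    return re.fullmatch(regex, str(record)) is not None


def _reduce(items):
    """Fold [operand, op, operand, op, ...] left to right into one bool."""
    result = items[0]
    for op, operand in zip(items[1::2], items[2::2]):
        result = (result and operand) if op == "&&" else (result or operand)
    return result


def matches(pattern, record):
    """True when the record satisfies the pattern. Operators fold left to right inside
    each parenthesised group; every pattern on this page is fully parenthesised."""
    toks, stack, i = _TOKEN.findall(pattern), [[]], 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("{", "("):
            stack.append([])
        elif tok in ("}", ")"):
            if len(stack) < 2:
                raise ValueError("unbalanced " + tok)
            stack[-2].append(_reduce(stack.pop()))
        elif tok in ("&&", "||"):
            stack[-1].append(tok)
        else:
            if i + 2 >= len(toks) or not tok.startswith("$.") or toks[i + 1] != "=":
                raise ValueError(f"expected '$.selector = value' at {tok!r}")
            stack[-1].append(_compare(record, tok[2:].split("."), toks[i + 2]))
            i += 2
        i += 1
    return _reduce(stack[0])


def breached_periods(pattern, records, threshold, period=300):
    """Metric value 1 per match, Statistic Sum over each period (5 minutes), alarm when
    Sum >= threshold for one evaluation period; returns each alarming period's start."""
    sums = Counter()
    for ts, record in records:
        if matches(pattern, record):
            sums[ts - ts % period] += 1
    return sorted(start for start, total in sums.items() if total >= threshold)


# Patterns copied from the examples above (the long OR lists shortened to two names).
SIGNIN_FAILURES = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
AUTHZ_FAILURES = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
LARGE_INSTANCES = ('{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = '
                   '*.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }')
S3_ACTIVITY = ('{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || '
               '($.eventName = PutBucketPolicy)) }')
# Constructed sample records (epoch seconds, trimmed CloudTrail event); not real logs.
SAMPLE = [
    (1000, {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}),
    (1060, {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}),
    (1120, {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}),
    (1400, {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}),
    (1500, {"eventName": "RunInstances", "requestParameters": {"instanceType": "c4.8xlarge"}}),
    (1600, {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}),
    (1700, {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy"}),
    (1800, {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"}),
]
```

With the sample above, `breached_periods(SIGNIN_FAILURES, SAMPLE, 3)` alarms only for the three-failure burst in the period starting at 900 and stays quiet for the lone failure at 1400, whereas a threshold of 1 would alarm for both periods.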