The goal is to fire an alert via SNS when something changes in the infrastructure.
For example, when network changes are made through the APIs, CloudWatch should
fire an alarm.
First, set up CloudTrail (which records the API calls) to log its events to CloudWatch.
- Open CloudTrail from your AWS console.
- Go to Trails and select Create Trail.
- Give the trail a name and specify an S3 bucket in which the logs should be stored (this cannot be skipped).
- Create the trail.
Once the trail is created, click on it and scroll down; you will find a CloudWatch Logs option.
- Click the Configure button seen towards the end.
- Give the CloudWatch Logs group a name (you can leave it at the default too).
- From now on, the CloudTrail logs will be delivered to the CloudWatch Logs group specified in the step above.
To be notified of any changes made via the API (which CloudTrail records and now forwards to CloudWatch), you need to create a metric filter:
- Go to CloudWatch and select Logs.
- Look for the log group named CloudTrail/<name>, or whatever you gave during the configuration step.
- Press the button next to it and select Create Metric Filter.
- In the Filter Pattern box, enter the filter that should be in place.
- For detecting Network ACL related changes, it would be something like:
  { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }
- Press Assign Metric.
On the Create Metric Filter and Assign a Metric page, do the following:
- In the Filter Name box, enter NetworkACLChange (for simplicity).
- In the Metric Namespace box, enter CloudTrailMet.
- In the Metric Name box, enter NetworkAclEventCount as the metric identifier.
- In the Metric Value box, enter 1.
Now click the Create Filter button.
Once this is done, you will get a box with all the details you passed in. In that box,
look for the option to create an alarm and click it to create the alarm
based on this metric.
In the Create Alarm dialog box:
- In the Alarm Threshold section, in the Name and Description fields, enter an alarm name and description of your choice.
- Under Whenever: <Metric Name>, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value.
- In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu, and choose the SNS topic or notification you need. If the list is empty, create a new topic and a notification for the topic in SNS.
- In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
The alarm should fire whenever a Network ACL is changed via any of these APIs.
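Before deploying the filter it helps to see exactly which CloudTrail records it would count and when the alarm rule (Sum over a 5-minute period >= 1) would trip. The following is an added example, not AWS code or part of the original notes: it re-implements only the subset of the CloudWatch Logs filter-pattern syntax this page uses, `{ ($.eventName = X) || ... }`, and the Sum-per-period comparison, then runs both over a handful of constructed CloudTrail records. The record fields and timestamps are made up for the illustration; `CloudTrailMet`, `NetworkAclEventCount` and the filter pattern are the values from the steps above.

```python
"""Local dry-run of the metric filter and alarm rule configured above.

Added example, not AWS or page code: it re-implements the small subset of the
CloudWatch Logs filter-pattern syntax this page uses ({ ($.eventName = X) || ... })
plus the "Sum over a 5-minute period >= 1" alarm rule, so the pattern can be
checked against sample CloudTrail records before the metric filter is deployed.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime

# Filter pattern exactly as given on the page.
NETWORK_ACL_FILTER = (
    "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || "
    "($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || "
    "($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
)

# One "($.eventName = Value)" term of the pattern.
_TERM = re.compile(r"\(\s*\$\.eventName\s*=\s*([A-Za-z0-9_]+)\s*\)")


def parse_event_name_filter(pattern: str) -> set[str]:
    """Return the eventName values selected by an OR-only eventName filter.

    Only the shape used on this page is accepted: "{ term || term ... }" where
    every term is "($.eventName = Value)". Anything else raises ValueError, so a
    typo ("==" or a missing parenthesis) is caught instead of silently producing
    a filter that never matches.
    """
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("filter pattern must be enclosed in { }")
    names: set[str] = set()
    for term in body[1:-1].split("||"):
        match = _TERM.fullmatch(term.strip())
        if match is None:
            raise ValueError(f"unsupported filter term: {term.strip()!r}")
        names.add(match.group(1))
    return names


def is_valid_filter(pattern: str) -> bool:
    """True when the pattern parses under the subset supported here."""
    try:
        parse_event_name_filter(pattern)
    except ValueError:
        return False
    return True


def matching_events(pattern: str, records: list[dict]) -> list[dict]:
    """CloudTrail records for which the filter would emit the metric value."""
    names = parse_event_name_filter(pattern)
    return [r for r in records if r.get("eventName") in names]


def metric_sum_per_period(pattern: str, records: list[dict],
                          period_seconds: int = 300, metric_value: int = 1) -> dict[int, int]:
    """Reproduce the metric as the alarm sees it with Statistic = Sum.

    Each matching record adds metric_value (1 on the page) to the period bucket
    containing its eventTime; keys are bucket start times in epoch seconds.
    """
    sums: Counter[int] = Counter()
    for record in matching_events(pattern, records):
        event_time = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
        bucket = int(event_time.timestamp()) // period_seconds * period_seconds
        sums[bucket] += metric_value
    return dict(sums)


def alarm_periods(pattern: str, records: list[dict],
                  threshold: int = 1, period_seconds: int = 300) -> list[int]:
    """Start times of the periods in which Sum >= threshold, i.e. the periods
    that would move the alarm to the ALARM state and publish to the SNS topic."""
    sums = metric_sum_per_period(pattern, records, period_seconds)
    return sorted(start for start, total in sums.items() if total >= threshold)


# Constructed CloudTrail records (trimmed to the fields used here), not real data.
SAMPLE_EVENTS = [
    # Read-only call: must NOT count as a change.
    {"eventTime": "2024-05-01T10:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeNetworkAcls"},
    {"eventTime": "2024-05-01T10:02:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry"},
    {"eventTime": "2024-05-01T10:03:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ReplaceNetworkAclAssociation"},
    # Security-group change: a network change, but outside this filter's scope.
    {"eventTime": "2024-05-01T10:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventTime": "2024-05-01T10:41:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAcl"},
]

if __name__ == "__main__":
    print("filter selects:", sorted(parse_event_name_filter(NETWORK_ACL_FILTER)))
    for rec in matching_events(NETWORK_ACL_FILTER, SAMPLE_EVENTS):
        print("NetworkAclEventCount +1 for", rec["eventTime"], rec["eventName"])
    print("Sum per 5-minute period:", metric_sum_per_period(NETWORK_ACL_FILTER, SAMPLE_EVENTS))
    print("periods in ALARM (Sum >= 1):", alarm_periods(NETWORK_ACL_FILTER, SAMPLE_EVENTS))
```

Two things the dry run makes visible that the console steps do not: the read-only `DescribeNetworkAcls` call and the security-group change never touch the metric, so only the six listed write APIs can raise the alarm, and two changes landing in the same 5-minute period produce a single ALARM transition rather than two notifications. The same filter pattern, namespace, metric name, statistic, period and threshold are what you would pass to `aws logs put-metric-filter` and `aws cloudwatch put-metric-alarm` if you later script the setup instead of using the console.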
