AWS – (Hands-on) Send an email notification whenever the root account logs in
- Go to CloudTrail and create a Trail; it must record Management Events.
  Note: the Trail must also be configured to deliver its events to CloudWatch Logs.
- In CloudWatch Logs, create a Metric filter and an Alarm.
  Note: in my own testing, the email arrived about 2 minutes after the login.
- The Alarm must use an SNS topic as its action.
Reference video and article:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html#matching-terms-json-log-events
https://www.youtube.com/watch?v=s10vVxVDPxY&t=524s
This post mainly walks through the part about creating the Metric filter in CloudWatch Logs.
【Creating the Root User filter metric】
1. Filter Pattern
Pattern for a successful login
{ $.eventType = "AwsConsoleSignIn" && $.userIdentity.type = "Root" && $.responseElements.ConsoleLogin = "Success" && $.eventName = "ConsoleLogin" }
Pattern for a failed login
{ $.eventType = "AwsConsoleSignIn" && $.userIdentity.type = "Root" && $.responseElements.ConsoleLogin = "Failure" && $.eventName = "ConsoleLogin" }
2. Login JSON record
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "principalId": "97505021111",
    "arn": "arn:aws:iam::97505021111:root",
    "accountId": "97505021111",
    "accessKeyId": ""
  },
  "eventTime": "2024-07-02T04:49:48Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "60.48.200.94",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&nc2=h_ct&oauthStart=1719895719542&src=header-signin&state=hashArgsFromTB_ap-southeast-2_d687aeee0897ff20",
    "MobileVersion": "No",
    "MFAIdentifier": "arn:aws:iam::975050217111:mfa/kiatphone",
    "MFAUsed": "Yes"
  },
  "eventID": "f94714ee-38c3-4c36-9606-1fd1ad66b0f3",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn",
  "managementEvent": true,
  "recipientAccountId": "97505021111",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "signin.aws.amazon.com"
  }
}
【Creating the IAM User filter metric】
1. Filter Pattern
{ $.eventType = "AwsConsoleSignIn" && $.userIdentity.type = "IAMUser" && $.responseElements.ConsoleLogin = "Success" && $.eventName = "ConsoleLogin" }
2. Login JSON record
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA6GBMFS2L2X625DDTF",
    "arn": "arn:aws:iam::97505021111:user/kiat",
    "accountId": "97505021111",
    "userName": "kiat"
  },
  "eventTime": "2024-07-01T09:04:18Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "ap-southeast-2",
  "sourceIPAddress": "60.48.200.94",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&nc2=h_ct&oauthStart=1719824647652&src=header-signin&state=hashArgsFromTB_ap-southeast-2_6cb7cb4b669eb617",
    "MobileVersion": "No",
    "MFAUsed": "No"
  },
  "eventID": "4b2f4a99-08f3-4313-9e25-078cdb0335f0",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn",
  "managementEvent": true,
  "recipientAccountId": "97505021111",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "ap-southeast-2.signin.aws.amazon.com"
  }
}
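To sanity-check the Root and IAM User filter patterns above before wiring them into a metric filter, here is an added Python example (not from the original post and not the AWS matcher) that implements only the `{ $.path = "value" && ... }` subset of the filter-pattern syntax used on this page and counts matches over constructed sign-in events; the helper names and the trimmed events are assumptions.

```python
import re

# Only the conjunctive equality subset used above: $.a.b = "value" && ...
# Assumption: this is an illustration of how the patterns select events,
# not a reimplementation of the full CloudWatch Logs filter syntax.
TERM_RE = re.compile(r'\$\.([A-Za-z0-9_.]+)\s*=\s*"([^"]*)"')


def parse_pattern(pattern: str) -> list:
    """Return (json_path, expected_value) pairs from a `{ ... && ... }` pattern."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a JSON filter pattern wrapped in { }")
    parsed = []
    for term in body[1:-1].split("&&"):
        m = TERM_RE.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term.strip()!r}")
        parsed.append((m.group(1), m.group(2)))
    return parsed


def lookup(event: dict, path: str):
    """Walk a dotted path; a missing key yields None, so the term cannot match."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(pattern: str, event: dict) -> bool:
    return all(lookup(event, p) == v for p, v in parse_pattern(pattern))


def count_matches(pattern: str, events: list) -> int:
    """What the metric filter emits: one count per matching log event."""
    return sum(matches(pattern, e) for e in events)


ROOT_SUCCESS = ('{ $.eventType = "AwsConsoleSignIn" && $.userIdentity.type = "Root" '
                '&& $.responseElements.ConsoleLogin = "Success" && $.eventName = "ConsoleLogin" }')
ROOT_FAILURE = ROOT_SUCCESS.replace('"Success"', '"Failure"')
IAM_SUCCESS = ROOT_SUCCESS.replace('"Root"', '"IAMUser"')


def console_login(identity_type: str, result: str) -> dict:
    """Constructed CloudTrail sign-in event, trimmed to the fields the patterns read."""
    return {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type},
            "responseElements": {"ConsoleLogin": result}}
```

Running `count_matches(ROOT_SUCCESS, events)` over a root success, an IAM user success and a root failure returns 1, which is the data point the alarm would see.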
The following video tutorial uses EventBridge to detect logins,
but in my own testing I did not receive an email notification for a root login; instead, I received an email notification when an IAM user switched roles.
https://www.youtube.com/watch?v=dpAiHL5C6P4