Certified Security - Specialty


Can someone help explain why the answer to this exam simulator question is option 4, and not option 1?

"You work for a large organization and many of your departments have access to the AWS console. The company has been using AWS for a number of years, and user permissions have been managed with different designs during that time. You have already reviewed the IAM accounts and policies and deleted any accounts that are no longer required, but your CTO still suspects that many of the users have greater access than they need for their role, with many users having the ability to launch EC2 instances and change Security Group settings at any time, which is against the company Security Policy. What measures can you suggest? 

(1) Implement event based security using Lambda and CloudWatch Events to alert when a user performs an action which is against company policy and sends an SNS notification

(2) Implement event based security using GuardDuty and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification

(3) Implement event based security using CloudWatch Logs and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification

(4) Implement event based security using CloudTrail and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification"

3 Answers

Lambda is used to run scripts on an event triggered from CloudTrail or CloudWatch. It doesn’t trigger events to send to SNS.

Option 4 is more specific than option 1. The CloudWatch event rule functions as an event listener; you need to specify the event source and type of event that you want the CloudWatch event rule to monitor.

CloudTrail monitors API calls and is used for auditing purposes. It records information which includes the user, resources (e.g. EC2 instance, S3 bucket, DynamoDB table, etc.), the actions performed and the parameters, along with the success status. This information is used to track changes made to your AWS resources and to troubleshoot operational issues. CloudTrail usually delivers log information within 15 minutes and makes it easier to ensure compliance with internal policies and regulatory standards.

CloudWatch Events provides a near real-time stream of actions to your AWS environment and can respond accordingly by triggering functions, making modifications and tracking state information.

Both CloudTrail and CloudWatch Events should be used as CloudWatch Events does not capture all the information recorded by CloudTrail.

A Lambda function can be used to publish messages to SNS topics which will produce SNS notifications. However, Lambda does not provide the auditing capability of CloudTrail.

CloudTrail details: https://aws.amazon.com/cloudtrail/faqs/

CloudWatch Events information: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html

Further reading for SNS and Lambda: https://docs.aws.amazon.com/sns/latest/dg/sns-lambda-as-subscriber.html

Muhammad Kashif

Thank you all

Faye Ellis

Thanks to Jennifer for the very thorough explanation!
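
The setup in option 4, as an added example that is not part of any post in this thread: a CloudWatch Events rule pattern that matches CloudTrail-recorded EC2 launches and Security Group changes, with a small local matcher to check it against events before deploying. The rule name, account ID and user ARN are constructed placeholders, and the matcher implements only the subset of pattern semantics this rule uses.

```python
import json

# CloudWatch Events pattern: CloudTrail-recorded EC2 calls that launch instances or edit Security Groups.
PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["RunInstances", "AuthorizeSecurityGroupIngress",
                      "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
                      "RevokeSecurityGroupEgress"],
    },
}

def matches(pattern, event):
    """Subset of event-pattern matching: a list means "equals one of these
    values", a dict recurses; a key missing from the event never matches."""
    for key, want in pattern.items():
        got = event.get(key)
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True

def alert_text(event):
    """Text for the SNS notification, or None when the rule would not fire."""
    if not matches(PATTERN, event):
        return None
    d = event["detail"]
    return f'{d["userIdentity"]["arn"]} called {d["eventName"]} in {d["awsRegion"]}'

def deploy(topic_arn, rule_name="ec2-policy-violation"):  # hypothetical rule name
    """Create the rule with an SNS topic as its target (needs boto3 and credentials)."""
    import boto3
    events = boto3.client("events")
    # Events of this detail-type only arrive if a CloudTrail trail is logging.
    events.put_rule(Name=rule_name, EventPattern=json.dumps(PATTERN), State="ENABLED")
    events.put_targets(Rule=rule_name, Targets=[{"Id": "sns-alert", "Arn": topic_arn}])

def sample(event_name):
    """Constructed event in the shape delivered for a CloudTrail-recorded call."""
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
                       "awsRegion": "us-east-1",
                       "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"}}}
```

The SNS topic's access policy must also allow `events.amazonaws.com` to publish, otherwise the rule fires but no notification is sent.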
