@Ryan. The problem you are having is because when creating the rule, you have the "whenever" set to >= 0. It should be >=1. That’s also in the screenshots in the blog but hard to see.
3 Answers
Thanks for bringing this to our attention! I’ll add a note to the lecture until Ryan can get this re-recorded
Quite confused here as I have just completed this with it being >= 0 and it works perfectly fine.
the 1 – should not really make any difference anyway as it only says greater or equal to 1, however it would have required an event to trigger it.
I did however had to wait about 5 mins before logs would generate into s3, once that started I was able to get it.
FWIW, a newer implementation was published by AWS a couple years ago that aligns with modern blueprints for roll-your-own event-driven security monitoring, notification, and response actions. The new design works flawlessly for this and other security scenarios. Having said that, I’ll likely develop another function that improves readability of the alerts when email notifications are desired since the raw email format is difficult to read. Setup and testing time for the new design was < 10 minutes.
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
Hope this helps. Good luck on your exams.
Hi Gurus, if the case scenario is changed where alert needs to be sent when a certain IAM user makes an API call to an s3 bucket, what would be the solution? If this has already been answered in a separate thread, appreciate if you can direct me there. Thanks in advance.
yep
+1
Worked for me when I made Don’s tweak. Thanks Don!
+1
You’re the…… Don (+1)
Why would >=1 make a difference? Any count is >=0 so should work the same as >=1, right?