
Monitor changes to security groups on EC2 using CloudWatch Events

Aug 18, 2021

Wondering how to monitor changes to security groups on EC2 using CloudWatch Events? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how our Support Techs assist with this query.

How to monitor changes to security groups on EC2 using CloudWatch Events?

The rule below depends on CloudTrail: CloudWatch Events only receives "AWS API Call via CloudTrail" events in a region where a CloudTrail trail with logging enabled records the EC2 API calls. With that in place, the steps followed by our Support Techs to perform the task are as follows.

Create and subscribe to an Amazon SNS topic

 
1.Firstly, open the Amazon SNS console.

2.On the SNS dashboard, select Topics, and then choose Create Topic.

3.Then, enter a name for the topic.

4.Next, choose Create topic.

5.Make a note of the topic’s Amazon Resource Name (ARN).

6.Then, choose Create subscription.

7.For Topic ARN, enter the ARN that you made a note of in step 5.

8.Next, for Protocol, choose Email.

9.For Endpoint, enter an email address to receive the notifications, and then choose Create subscription.

You’ll receive an email confirming the subscription.

After you confirm the subscription, the email address receives notifications when the SNS topic is triggered.

Create a CloudWatch Events rule that triggers on an event using the CloudWatch console

1. Firstly, open the CloudWatch console.

2. In the navigation pane, choose Rules under Events, and then choose Create rule.

3. Then, select Event Pattern.

4. For Service Name, choose EC2.

5. For Event Type, choose AWS API Call via CloudTrail.

6. Choose Specific Operation and provide the following API calls. These are the API calls that add or remove security group rules:

AuthorizeSecurityGroupIngress
AuthorizeSecurityGroupEgress
RevokeSecurityGroupIngress
RevokeSecurityGroupEgress

These settings create the following event pattern.

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress"
    ]
  }
}

7. Then, choose Add target.

8. In the list of targets, choose SNS topic.

9. For Topic, select the topic that you created.

10. Under Configure input, Matched event is selected by default. Matched event passes the entire JSON output of the event to the SNS topic.

If you don’t want to pass the entire JSON output, select Input Transformer to filter the event information. The input transformer turns selected fields of the event into an easy-to-read message instead of sending the entire JSON output to your target. In Input Path, map each variable you intend to use to a JSON path into the event; then, in Input Template, enter the text and variables you want to appear in the message:

"A <source> API call was made against the security group <name> on <time> with the below details"
" <value> "

11. Then, choose Configure details.

12. On the Configure rule details page, enter a name and an optional description. For State, leave the Enabled box selected.

13. Finally, choose Create rule.
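Both the event pattern from step 6 and the input template from step 10 can be exercised offline before the rule goes live. The following Python script is an added example, not code from the Bobcares post or from AWS: it re-implements the subset of EventBridge pattern matching this rule needs (exact-match lists on nested fields) and an input transformer, then runs three constructed CloudTrail events through them. The Input Path mapping for <source>, <name>, <time> and <value> is assumed (the post does not give one), and the sample events, security group ID and timestamp are constructed.

```python
import json

# The event pattern from the page (step 6), verbatim.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": [
            "AuthorizeSecurityGroupIngress",
            "AuthorizeSecurityGroupEgress",
            "RevokeSecurityGroupIngress",
            "RevokeSecurityGroupEgress",
        ],
    },
}

# Assumed Input Path mapping for the page's template variables; the post does
# not list one, so these paths are an illustration, not the page's own config.
INPUT_PATHS = {
    "source": "$.detail.eventSource",
    "name": "$.detail.requestParameters.groupId",
    "time": "$.detail.eventTime",
    "value": "$.detail.requestParameters",
}

# The Input Template from the page (step 10), verbatim.
INPUT_TEMPLATE = (
    '"A <source> API call was made against the security group <name> '
    'on <time> with the below details"\n" <value> "'
)


def matches(pattern, event):
    """EventBridge matching for the subset used here: every key named in the
    pattern must exist in the event; a list means "value must equal one of
    these"; a nested dict recurses. Keys the pattern does not name (errorCode,
    userIdentity, ...) are never inspected."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def resolve_path(event, path):
    """Resolve a simple '$.a.b.c' input path against the event dict."""
    node = event
    for part in path.lstrip("$").strip(".").split("."):
        node = node[part]
    return node


def transform(event, paths=INPUT_PATHS, template=INPUT_TEMPLATE):
    """Input Transformer: substitute each <variable> in the template with the
    value found at its input path, JSON-encoding non-string values."""
    message = template
    for var, path in paths.items():
        value = resolve_path(event, path)
        if not isinstance(value, str):
            value = json.dumps(value, sort_keys=True)
        message = message.replace(f"<{var}>", value)
    return message


def sample_event(event_name, **extra_detail):
    """Constructed CloudTrail-via-EventBridge event (sample data, not a capture)."""
    detail = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "eventTime": "2021-08-18T10:15:30Z",
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    }
    detail.update(extra_detail)
    return {"source": "aws.ec2",
            "detail-type": "AWS API Call via CloudTrail",
            "detail": detail}


# Three constructed cases: a rule change that should alert, a call CloudTrail
# recorded as failed (still alerts: the pattern has no errorCode filter), and
# an unrelated EC2 call that must not alert.
SAMPLE_EVENTS = {
    "ingress_added": sample_event("AuthorizeSecurityGroupIngress"),
    "denied_revoke": sample_event("RevokeSecurityGroupEgress",
                                  errorCode="Client.UnauthorizedOperation"),
    "unrelated_call": sample_event("RunInstances"),
}


def evaluate_rule(events=SAMPLE_EVENTS):
    """Run each event through the rule: the SNS message if it matches, else None."""
    return {name: transform(ev) if matches(EVENT_PATTERN, ev) else None
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, result in evaluate_rule().items():
        print(f"{name}: {result if result else 'no match'}")
```

Running it shows the two security group calls producing the SNS message while RunInstances is dropped. Two points matter for detection: the pattern never inspects fields it does not name, so a call that CloudTrail recorded with an errorCode (for example, one denied by IAM) alerts exactly like a successful change, and the template should include that field if you need to tell the two apart; and the four listed operations cover rule additions and removals only, so creating or deleting a whole security group does not match this rule.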


Conclusion

In short, we saw how our Support Techs monitor changes to security groups on EC2 using CloudWatch Events.
