To monitor Subnet and NACL changes in an AWS account, we use the following AWS services:
- CloudWatch Events
- SNS (Simple Notification Service)
1. CloudTrail
CloudTrail is enabled by default for your AWS account. You can use Event history in the CloudTrail console to view all your account activity across your AWS infrastructure. This includes all activity made through the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. If you have created an organization in AWS Organizations, you can create a trail that logs all events for all AWS accounts in that organization. Creating an organization trail helps you define a uniform event logging strategy for your organization.
2. CloudWatch Events
Amazon CloudWatch is used to monitor the AWS services and applications that run in your AWS account. Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set up, you can match events and route them to one or more target functions. CloudWatch Events becomes aware of operational changes made in the AWS account as they occur. It responds to these operational changes and takes corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information.
You need to understand the following concepts before configuring CloudWatch Rules:
- Events: An event is an API change in your AWS account. AWS resources generate events when their state changes.
- Rules: You can create rules for particular events and route them to the required targets.
- Targets: Targets process the events. Some AWS services can be used as targets (e.g. EC2, SNS, SQS, Lambda). A target receives events in JSON format.
3. SNS (Simple Notification Service)
This service is used to deliver notifications from publishers to subscribers. Publishers communicate with subscribers by sending messages to a topic, which is a logical access point and communication channel. Clients can subscribe to the SNS topic and receive published messages using a supported endpoint type, such as Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS). We use an SNS topic as the target in CloudWatch Events.
Please follow the steps below to configure mail alerts that monitor Subnet and NACL changes in your AWS account.
a. Create an SNS topic for Email Notification
Go to the AWS SNS service ---> Click on Create topic ---> Select type (Standard) ---> Create topic.
Now create the subscriptions for the SNS topic.
b. Create a CloudWatch Rule
Go to the AWS CloudWatch service ---> Click the Events option ---> Click on Rules ---> Create Rule.
For Event Source ---> Select Event Pattern ---> Service Name (e.g. EC2) ---> Event Type (AWS API Call via CloudTrail).
Now add the specific API operations you want to monitor ---> Select Targets (the SNS topic name).
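The event pattern behind the rule in step b, together with a small local check of which CloudTrail events it would route to the SNS topic, as an added example that is not part of the original post. The eventName values are real EC2 API operations chosen here as the subnet and NACL changes to monitor; the sample events are constructed and trimmed, and the matcher is a local approximation of CloudWatch Events pattern semantics rather than an AWS library.

```python
# Event pattern for the rule in step b, as pasted under "Event Pattern" (or passed
# to `aws events put-rule --event-pattern`). The eventName values are real EC2 API
# operations, chosen here as the subnet and NACL changes worth alerting on.
SUBNET_NACL_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateSubnet", "DeleteSubnet", "ModifySubnetAttribute",
                      "CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
                      "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
                      "ReplaceNetworkAclAssociation"],
    },
}

def matches(pattern, event):
    """Local approximation of CloudWatch Events matching: every pattern key must be
    present; a list means 'value is one of these'; a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not (isinstance(event[key], dict) and matches(expected, event[key])):
                return False
        elif event[key] not in expected:
            return False
    return True

def cloudtrail_event(event_name, user, params):
    """Constructed, trimmed sample of the JSON a rule target receives."""
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
                       "userIdentity": {"type": "IAMUser", "userName": user},
                       "requestParameters": params}}

def alerts(events, pattern=SUBNET_NACL_PATTERN):
    """(user, eventName, requestParameters) for each event the rule routes to SNS."""
    return [(e["detail"]["userIdentity"]["userName"], e["detail"]["eventName"],
             e["detail"]["requestParameters"]) for e in events if matches(pattern, e)]

# Constructed sample stream: two changes that must alert and one read-only call that must not.
SAMPLE_EVENTS = [
    cloudtrail_event("DeleteNetworkAclEntry", "alice", {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 100}),
    cloudtrail_event("DescribeSubnets", "bob", {"filterSet": {}}),
    cloudtrail_event("CreateSubnet", "carol", {"vpcId": "vpc-0123456789abcdef0", "cidrBlock": "10.0.1.0/24"}),
]

if __name__ == "__main__":
    for user, name, params in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {user} called {name} with {params}")
```

Read-only calls such as DescribeSubnets are deliberately left out of the pattern, so the topic only receives genuine configuration changes.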
Now you will receive an email notification like the one below whenever any IAM user changes a Subnet or NACL in your AWS account.