Security events monitoring with EventBride

Serverless solution to monitor security-related events in AWS using EventBridge, a Python Lambda function, and SNS. Currently, it monitors four events:

• IAM user creation,
• IAM user access key creation,
• S3 bucket policy change,
• Security group ingress changes (create, remove, update). Event for ingress and egress updates is the same (ModifySecurityGroupRules), so it will be also triggered for engress updates.

EventBridge will trigger Lambda function, which will send proper notification to SNS topic and, from there, to the recipient via email.

Deployment and testing

Solution is using local state. To leverage remote state please update the env/backend.tfvars file with proper values and modify the state definition in the backend.tf file.

The sns_topic_email_endpoint value is not defined in the variables file, please update it with proper email address. Next solution can be deployed with terraform plan -var-file="env/env.tfvars" and terraform apply -var-file="env/env.tfvars" commands.

To test solution, Approve a subscription from the SNS topic and perform one of monitored actions.

Limitations

• Trail events return non-standardized output for different events, so the Lambda function can only process JSONs corresponding to the four events defined above.
• To avoid duplicating Python code, EventBridge rules reuse the same Lambda.
• The monitoring solution has been tested only in one region, but it can be easily expanded to all regions using the is_multi_region_trail in the aws_cloudtrail resource.

Requirements

Name	Version
aws	~> 5.0

Providers

Name	Version
archive	2.7.0
aws	5.91.0
random	3.7.1

Modules

Name	Source	Version
evenbridge_rule	./modules/eventbridge-rule	n/a

Resources

Name	Type
aws_cloudtrail.security_events_monitoring	resource
aws_cloudwatch_log_group.security_incident_notifications_logs	resource
aws_iam_role.security_notifications_lambda	resource
aws_iam_role_policy.security_notifications_lambda	resource
aws_lambda_function.security_incident_notifications	resource
aws_s3_bucket.claudtrail_logs	resource
aws_s3_bucket_lifecycle_configuration.claudtrail_logs	resource
aws_s3_bucket_policy.claudtrail_logs	resource
aws_sns_topic.security_events_notification	resource
aws_sns_topic_subscription.user_updates_sqs_target	resource
random_string.bucket_name_extension	resource
archive_file.lambda_code	data source
aws_caller_identity.current	data source
aws_iam_policy_document.claudtrail_logs_bucket	data source
aws_iam_policy_document.security_notifications_lambda_assume_policy	data source
aws_iam_policy_document.security_notifications_lambda_execution	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
cloudtrail_enable_logging	Enable trail logging.	bool	true	no
cloudtrail_event_type_logging	Type of events to log. Valid values are ReadOnly, WriteOnly, All.	string	"All"	no
cloudtrail_exclude_management_events	A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com.	set(string)	null	no
cloudtrail_include_global_services	Include events from global services such as IAM in the log files.	bool	false	no
eventbridge_rules	Map of all EventBridge rules.	map(object({ name = string description = string event_pattern = object({ source = list(string) detail-type = list(string) detail = object({ eventSource = list(string) eventName = list(string) }) }) event_target_lambda_arn = optional(string) event_target_lambda_name = optional(string) }))	n/a	yes
log_retention	Number of days the logs will be retained (S3 and CloudWatch).	number	30	no
notification_lambda_function_name	Security notification Lambda function name.	string	n/a	yes
region	AWS region to deploy resources.	string	n/a	yes
sns_topic_email_endpoint	Target email for SNS notifications.	string	n/a	yes
sns_topic_name	SNS topic name.	string	n/a	yes
trail_name	CloudTrail trail name.	string	n/a	yes

Outputs

No outputs.