Enables notifications to an SNS topic when someone successfully logs in using the root account via the AWS Console in commercial AWS or using the Administrator user in AWS GovCloud.
Creates the following resources:
- CloudWatch event rule to filter for console logins with the root account or Administrator user.
- CloudWatch metric that triggers a CW event when the console login rule is triggered
- CloudWatch event target to send notifications to an SNS topic (optional)
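The event rule above matches CloudTrail `ConsoleLogin` records; the matcher below is an added illustration (not the module's own code) of the same condition written as plain Python so it can be checked against sample records: a successful `ConsoleLogin` by the root identity, or by the IAM user named `Administrator` as used in GovCloud. The sample records are constructed and the account ids are placeholders.

```python
# Constructed CloudTrail ConsoleLogin records (placeholder account ids, not real data).
SAMPLE_EVENTS = [
    # 1. Commercial AWS: root account login, successful -> should notify
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # 2. GovCloud: IAM user "Administrator" login, successful -> should notify
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "Administrator",
                      "accountId": "222222222222"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # 3. Failed root attempt -> rule is for successful logins only, no notify
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    # 4. Ordinary IAM user -> not a privileged login, no notify
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def is_privileged_console_login(event: dict) -> bool:
    """True for a successful console login by root or by the IAM user 'Administrator'."""
    if event.get("eventSource") != "signin.amazonaws.com":
        return False
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return True
    return ident.get("type") == "IAMUser" and ident.get("userName") == "Administrator"


def build_notification(event: dict) -> str:
    """Plain-text message in the spirit of the module's send_sns message."""
    ident = event["userIdentity"]
    who = "root account" if ident.get("type") == "Root" else f"IAM user {ident.get('userName')}"
    mfa = event.get("additionalEventData", {}).get("MFAUsed", "unknown")
    return (f"Successful AWS console login with the {who} "
            f"in account {ident.get('accountId')} (MFA used: {mfa})")


def scan(events: list) -> list:
    """Return one notification string per matching record."""
    return [build_notification(e) for e in events if is_privileged_console_login(e)]
```

The fourth sample shows why the rule keys on identity rather than on `ConsoleLogin` alone: a routine IAM user login is not an alert.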
## Usage

```hcl
module "root-login-notifications" {
  source  = "trussworks/root-login-notifications/aws"
  version = "2.2.0"

  sns_topic_name = "slack-events"
}
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 3.0 |
## Providers

| Name | Version |
|---|---|
| aws | >= 3.0 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alarm_suffix | Suffix to add to the alarm name, used to separate different AWS accounts. | string | `""` | no |
| send_sns | If true, sends the message "Successful AWS console login with the root account" to the SNS topic. | bool | `false` | no |
| sns_topic_name | The name of the SNS topic to send root login notifications to. | string | n/a | yes |
## Outputs

No output.
## PagerDuty Setup

There are two methods to generate root login alerts in PagerDuty.

### Method 1: CloudWatch Rule

Use this method if you already have an SNS topic handling existing CW Events.
- In TF or manually create a PagerDuty CloudWatch integration
- In TF ensure that the PagerDuty endpoint provided is assigned/subscribed to the SNS topic. For more info see the AWS topic about the proper policy.
- Apply this module to the SNS topic.
- Test by logging in as root
### Method 2: Custom PagerDuty Event

Use this method if you want a dedicated SNS topic for PagerDuty alerts, or custom message parsing for advanced PagerDuty features.
- In TF or manually create a PagerDuty Custom Event Transformer CloudWatch integration
- In TF ensure that the PagerDuty endpoint provided is assigned/subscribed to the SNS topic. For more info see the AWS topic about the proper policy.
- Apply this module to the SNS topic with `send_sns = true`, customizing the input_template as needed.
- Test by logging in as root