Create an Amazon EventBridge Rule Using an AWS CloudTrail Event Pattern:
AWS CloudTrail logs API calls made in your account, including actions performed by roles.
Create an EventBridge rule that matches CloudTrail events where the AssumeRole API call is made to assume the administrator role.
Invoke an AWS Lambda Function:
Configure the EventBridge rule to trigger a Lambda function whenever the rule's conditions are met.
The Lambda function will handle the logic to send a notification.
Publish a Message to an Amazon SNS Topic:
The Lambda function will publish a message to an SNS topic to notify the security team.
Subscribe the security team’s email address to this SNS topic to receive real-time notifications.
Example EventBridge rule pattern:
{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["sts.amazonaws.com"],
"eventName": ["AssumeRole"],
"requestParameters": {
"roleArn": ["arn:aws:iam::<account-id>:role/AdministratorRole"]
}
}
}
Example Lambda function (Node.js) to publish to SNS:
const AWS = require('aws-sdk');
const sns = new AWS.SNS();
exports.handler = async (event) => {
const params = {
Message: `Administrator role assumed: ${JSON.stringify(event.detail)}`,
TopicArn: 'arn:aws:sns::<account-id>:'
};
await sns.publish(params).promise();
};
[References:, Creating EventBridge Rules, Using AWS Lambda with Amazon SNS, , , , ]
Submit