Monitor Your AWS Account to Detect Suspicious Behavior in Real Time
Learn how to combine CloudTrail, S3, SNS, and Lambda, to run a piece of code to check the API activity in your account.
Join the DZone community and get the full member experience.Join For Free
you can track every change made to your aws account with cloudtrail. did you know that you can also monitor your aws account in near real time with custom rules specific for your use case?
by combining cloudtrail, s3, sns, and lambda, you can run a piece of code to check the api activity in your account. because of the reporting frequency of cloudtrail, this will happen approximately every 5 minutes. this post explains how to deploy a solution to monitor your ec2 instance tags for suspicious behavior.
the following figure shows how this works on a high level.
let’s look at a concrete example.
what is suspicious behavior?
cloudtrail records a lot of api activity. your job is to determine which activities are suspicious. here are a few ideas:
- a security group was changed to open a port to the outside world (0.0.0.0/0).
- an iam user was created outside of normal business hours.
- an ec2 instance was started without following your company’s tag schema (for example, you may tag technical ownership, cost ownership, and so on).
the example that follows implements the idea of ec2 instance tag monitoring.
monitoring ec2 instance tags
each time cloudtrail has new data for you, a lambda function is triggered. the lambda function needs to do the following:
- understand the input data generated from sns.
- download the compressed cloudtrail files from an s3 bucket.
- uncompress the files.
iterate through the api activities, looking for ec2 tag-related events:
- alert if the tag schema was violated.
fortunately the code has already been written, so we won’t dive into node.js code this time. instead, we’ll focus on deploying this solution.
deploying the solution
lambda can be deployed almost entirely with cloudformation. a few steps are required to prepare everything you need:
choose an aws region you want to monitor (referenced as
$regionin the following).
create a sns topic in
$region, and subscribe to the topic via email. alerts will be sent to this topic.
download the code by running
wget https://github.com/widdix/aws-tag-watch/archive/master.zipin your terminal.
unzip master.zipin your terminal.
change dir by running
npm installin your terminal to install node.js dependencies.
config.json, and set
alerttopicarnto the arn of your sns topic from step 1.
./bundle.shin your console.
aws-tag-watch.zipto s3 (the bucket must be in
create a cloudformation stack based on
now your aws account in
is monitored. whenever you run a new ec2 instance or change the tags of an existing ec2 instance, the lambda function will check whether you’re sticking to the tag schema.
room for improvement
raising an alert via email isn’t that helpful if you are working on a team. you may want to look at opsgenie , which integrates nicely with sns.
read more about amazon web services
are you interested in learning more about amazon web services? andreas and i are writing a book called amazon web services in action , published by manning. the book is written for developers and devops engineers who are moving traditionally deployed distributed applications to the aws platform. no experience with aws is required.
what others say
Opinions expressed by DZone contributors are their own.