Implementing AWS Organizations Security Monitoring with CloudTrail, EventBridge, and SNS

This walkthrough uses the AWS CLI to create a CloudTrail trail that records AWS Organizations API calls (account creation and removal, policy changes, delegated-administrator changes, and so on) and then wires Amazon EventBridge and Amazon SNS together so that the security team is notified when those calls happen. All commands are run from the organization's management account, or from an account registered as a delegated administrator for CloudTrail, because that is where Organizations API calls are made and logged.

Step 1: Create a CloudTrail Trail

Use the AWS CLI to create an organization trail, that is, a trail that records management events for the management account and every member account into one bucket. Organization trails created from the CLI require trusted access for CloudTrail to be enabled in AWS Organizations first (aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com); the console does this for you, the CLI does not.

aws cloudtrail create-trail \
  --name MyOrganizationsTrail \
  --s3-bucket-name my-organization-trail-bucket \
  --is-multi-region-trail \
  --is-organization-trail
  • --name: A name for the trail, such as “MyOrganizationsTrail”.
  • --s3-bucket-name: The S3 bucket that receives the log files. Use a dedicated bucket whose bucket policy grants the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on the AWSLogs/<management-account-id>/* and AWSLogs/<organization-id>/* prefixes; without that policy create-trail fails with InsufficientS3BucketPolicyException.
  • --is-multi-region-trail: Record events from every region. AWS Organizations is a global service and its events are logged as occurring in us-east-1, so a single-region trail created in another region would never see them.
  • --is-organization-trail: Make this an organization trail. Member accounts can see the trail but cannot modify or delete it, which is what makes it a trustworthy record. Note that the flag does not choose which events are recorded; Organizations API calls are management events and are captured by default (see Step 2).

create-trail only defines the trail; it does not start recording. Run aws cloudtrail start-logging --name MyOrganizationsTrail, then confirm with aws cloudtrail get-trail-status --name MyOrganizationsTrail that IsLogging is true before moving on.

Step 2: Confirm the Trail Records Management Events

AWS Organizations API calls (CreateAccount, AttachPolicy, LeaveOrganization, and so on) are management events, not data events, so there is nothing Organizations-specific to add to the trail: a new trail records all read and write management events by default. If the trail's selectors have been changed (for example to write-only events), reset them so that both read and write management events are recorded:

aws cloudtrail update-event-selectors \
  --trail-name MyOrganizationsTrail \
  --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true}]'
  • --trail-name: The name of the trail, “MyOrganizationsTrail” in this example.
  • --event-selectors: A single selector that includes management events of both read and write types. Do not add a DataResources entry for Organizations: DataResources only takes data event types such as AWS::S3::Object or AWS::Lambda::Function, and “AWSOrganizations” is not a valid type, so the call would be rejected.

You can inspect the selectors currently in force with aws cloudtrail get-event-selectors --trail-name MyOrganizationsTrail.


Step 3: Set Up Amazon EventBridge Rule

With the trail recording, create an EventBridge rule that matches the Organizations events CloudTrail delivers to EventBridge. Because AWS Organizations is a global service whose events are logged in us-east-1, the rule must be created in us-east-1, whatever region you normally work in; a rule in any other region will simply never fire.

aws events put-rule \
  --name OrganizationsEventRule \
  --event-pattern '{"source": ["aws.organizations"]}'
  • --name: A name for the rule, such as “OrganizationsEventRule”.
  • --event-pattern: The pattern to match. This one matches every event from the “aws.organizations” source, including read-only calls such as DescribeOrganization and ListAccounts that the console makes constantly. For an alerting rule, narrow it by adding "detail-type": ["AWS API Call via CloudTrail"] and a "detail": {"eventName": [...]} list of the write calls you care about (for example LeaveOrganization, RemoveAccountFromOrganization, DetachPolicy, DisablePolicyType); otherwise the security team is paged for routine reads and will start ignoring the topic.

Step 4: Create an SNS Topic

Create the SNS topic that will carry the notifications, in the same region as the rule:

aws sns create-topic --name OrganizationsAlerts
  • --name: A name for the topic, e.g. “OrganizationsAlerts”. The command returns the topic's TopicArn, which Step 5 needs.

A topic with no subscriptions delivers nothing. Add the security team's endpoint with aws sns subscribe (for example --protocol email, which the recipient must confirm by clicking the link SNS sends, or --protocol https for a ticketing or chat webhook).

Step 5: Connect EventBridge Rule to SNS Topic

Finally, add the topic as a target of the rule so that matching events are published to it:

aws events put-targets \
  --rule OrganizationsEventRule \
  --targets '[{"Id": "1", "Arn": "arn:aws:sns:your-region:your-account-id:OrganizationsAlerts"}]'
  • --rule: The name of the rule, “OrganizationsEventRule”.
  • --targets: The list of targets. Each entry needs an Id that is unique within the rule and the ARN of the “OrganizationsAlerts” topic; your-region is the region the rule was created in, which is us-east-1.

put-targets succeeds even when EventBridge has no permission to publish to the topic, and deliveries then fail silently (they appear only as the rule's FailedInvocations CloudWatch metric). Before relying on the alert, set an access policy on the topic that allows the events.amazonaws.com service principal to call sns:Publish on it, ideally with an aws:SourceArn condition restricting it to this rule's ARN, then verify the whole path by making a harmless Organizations call (such as creating and deleting a test OU) and checking that the notification arrives.

From this point on, every AWS Organizations API call is recorded by the trail and delivered to EventBridge in us-east-1, the rule matches the calls you selected, and a notification is published to the topic for the security team to act on. CloudTrail delivers to EventBridge typically within a few minutes, so this is a detective control; pair it with a service control policy if an action must be blocked rather than reported.

Replace the placeholders my-organization-trail-bucket, your-region, and your-account-id with your own values. The commands must be run from the management account (or the delegated CloudTrail administrator) by a principal allowed to call cloudtrail:CreateTrail, cloudtrail:StartLogging, cloudtrail:UpdateEventSelectors, events:PutRule, events:PutTargets, sns:CreateTopic, sns:SetTopicAttributes, and sns:Subscribe, plus s3:PutBucketPolicy on the log bucket.
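The five steps as one script, added here as an example and not code from the original article. It fills in what the individual commands above leave out: the bucket policy the organization trail needs, start-logging, an explicit management-event selector, the topic policy that lets EventBridge publish, a subscriber, and an event pattern narrowed to write calls. Every identifier in it is an assumed placeholder (organization o-exampleorgid, management account 111122223333, region us-east-1, subscriber security-team@example.com); by default it only prints the AWS CLI commands, and DRY_RUN=0 makes it execute them.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 1 to 5 end to end.
# Placeholders below are assumptions; override them through the environment.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them, which must be
# done from the management account with trusted access for CloudTrail enabled.
set -eu

ORG_ID="${ORG_ID:-o-exampleorgid}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
REGION="${REGION:-us-east-1}"   # Organizations events land in us-east-1; rule and topic live there
BUCKET="${BUCKET:-my-organization-trail-bucket}"   # created in us-east-1 (no LocationConstraint)
ALERT_EMAIL="${ALERT_EMAIL:-security-team@example.com}"
TRAIL="MyOrganizationsTrail"
RULE="OrganizationsEventRule"
TOPIC="OrganizationsAlerts"
TOPIC_ARN="arn:aws:sns:${REGION}:${ACCOUNT_ID}:${TOPIC}"
RULE_ARN="arn:aws:events:${REGION}:${ACCOUNT_ID}:rule/${RULE}"
DRY_RUN="${DRY_RUN:-1}"

# run_aws: print the command in dry-run mode, otherwise execute it.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# Bucket policy an organization trail requires: CloudTrail reads the bucket ACL
# and writes under both the management-account prefix and the organization prefix.
trail_bucket_policy() {
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudTrailAclCheck", "Effect": "Allow",
   "Principal": {"Service": "cloudtrail.amazonaws.com"},
   "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::${BUCKET}"},
  {"Sid": "CloudTrailWrite", "Effect": "Allow",
   "Principal": {"Service": "cloudtrail.amazonaws.com"},
   "Action": "s3:PutObject",
   "Resource": ["arn:aws:s3:::${BUCKET}/AWSLogs/${ACCOUNT_ID}/*",
                "arn:aws:s3:::${BUCKET}/AWSLogs/${ORG_ID}/*"],
   "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
]}
EOF
}

# Topic policy: without it put-targets succeeds but EventBridge cannot publish.
# aws:SourceArn limits the grant to this one rule rather than any rule in the account.
sns_topic_policy() {
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowEventBridgePublish", "Effect": "Allow",
   "Principal": {"Service": "events.amazonaws.com"},
   "Action": "sns:Publish", "Resource": "${TOPIC_ARN}",
   "Condition": {"ArnEquals": {"aws:SourceArn": "${RULE_ARN}"}}}
]}
EOF
}

# Event pattern narrowed to write calls that change the organization's security
# posture, so routine Describe*/List* reads do not page anyone.
event_pattern() {
  cat <<'EOF'
{"source": ["aws.organizations"],
 "detail-type": ["AWS API Call via CloudTrail"],
 "detail": {"eventName": [
   "LeaveOrganization", "RemoveAccountFromOrganization", "CreateAccount",
   "InviteAccountToOrganization", "MoveAccount", "DetachPolicy", "DeletePolicy",
   "UpdatePolicy", "DisablePolicyType", "DeregisterDelegatedAdministrator"]}}
EOF
}

deploy_org_monitoring() {
  # Step 1: bucket and its policy first, then the trail, then actually start logging.
  run_aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
  run_aws s3api put-bucket-policy --bucket "$BUCKET" --policy "$(trail_bucket_policy)"
  run_aws cloudtrail create-trail --name "$TRAIL" --s3-bucket-name "$BUCKET" \
    --is-multi-region-trail --is-organization-trail --enable-log-file-validation
  run_aws cloudtrail start-logging --name "$TRAIL"
  # Step 2: read and write management events are on by default; make it explicit.
  run_aws cloudtrail update-event-selectors --trail-name "$TRAIL" \
    --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true}]'
  # Step 4 plus the two things it needs: publish permission and a subscriber.
  run_aws sns create-topic --name "$TOPIC" --region "$REGION"
  run_aws sns set-topic-attributes --topic-arn "$TOPIC_ARN" \
    --attribute-name Policy --attribute-value "$(sns_topic_policy)"
  run_aws sns subscribe --topic-arn "$TOPIC_ARN" --protocol email \
    --notification-endpoint "$ALERT_EMAIL"
  # Steps 3 and 5: rule in us-east-1 with the narrowed pattern, topic as its target.
  run_aws events put-rule --name "$RULE" --region "$REGION" \
    --event-pattern "$(event_pattern)"
  run_aws events put-targets --rule "$RULE" --region "$REGION" \
    --targets "[{\"Id\": \"1\", \"Arn\": \"${TOPIC_ARN}\"}]"
}

# Only deploy when asked: sh org-monitoring.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy_org_monitoring; fi
```

Run it once with the default DRY_RUN=1 and read the printed commands, then run DRY_RUN=0 sh org-monitoring.sh deploy from the management account. The email subscription stays pending until the recipient confirms it, so finish by making a harmless Organizations write call and checking that the alert arrives.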
