Wednesday, October 30, 2024

Send an email alert on AWS root sign-in


The diagram below describes the solution at a high level.

  1. An Amazon CloudWatch Events rule detects any AWS account root user API events.
  2. It triggers an AWS Lambda function.
  3. The Lambda function then processes the root API event. It also publishes a message to an Amazon SNS topic, where the subject contains the AWS account ID or AWS account alias where the root API call was detected and the type of API activity.
  4. The SNS topic then sends notifications to its email subscribers about this event.
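The rule and Lambda half of the flow above, as an added example that is not the post's own RootAPIMonitor.json code: it assumes a CloudWatch Events (EventBridge) pattern matching CloudTrail records whose userIdentity.type is Root, a Lambda handler that builds the SNS subject from the account ID or alias and the API activity, and an SNS_TOPIC_ARN environment variable; the boto3 publish call is kept inside the handler so the helpers run offline.

```python
import json
import os

# Event pattern assumed for the CloudWatch Events rule (not copied from the
# stack): any CloudTrail API call or console sign-in made by the root user.
ROOT_API_EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def is_root_event(event: dict) -> bool:
    """True when the CloudTrail record carried by the event was issued by root."""
    return event.get("detail", {}).get("userIdentity", {}).get("type") == "Root"


def build_notification(event: dict, account_alias: str = "") -> tuple:
    """Return (subject, body): subject names the account (alias if known)
    and the API activity; body carries the fields a responder checks first."""
    detail = event["detail"]
    account = account_alias or event.get("account") or detail.get("recipientAccountId", "unknown")
    activity = detail.get("eventName", "UnknownEvent")
    subject = f"Root API activity detected in {account}: {activity}"[:99]  # SNS subject < 100 chars
    body = json.dumps({
        "account": account,
        "eventName": activity,
        "eventTime": detail.get("eventTime"),
        "awsRegion": detail.get("awsRegion"),
        "sourceIPAddress": detail.get("sourceIPAddress"),
        "userAgent": detail.get("userAgent"),
    }, indent=2)
    return subject, body


def lambda_handler(event, context):
    """Lambda entry point: drop non-root events, publish the rest to the topic."""
    if not is_root_event(event):
        return {"published": False}
    import boto3  # imported here so the helpers above run without boto3 installed
    subject, body = build_notification(event)
    boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"], Subject=subject, Message=body)
    return {"published": True, "subject": subject}


# Constructed sample of a root console sign-in, shaped like the event the rule delivers
SAMPLE_ROOT_LOGIN = {
    "account": "123456789012",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "eventTime": "2024-10-30T12:00:00Z",
               "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
               "userIdentity": {"type": "Root", "accountId": "123456789012"}},
}
```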

I walk through deploying the AWS CloudFormation stack that creates these resources and then validating that root user activity is detected and notified. It helps if you know about CloudWatch Events rules, Lambda, and SNS.

Prerequisites

Deployment steps

  1. In the CloudFormation console, choose Create Stack. Use the RootAPIMonitor.json CloudFormation JSON template. Choose Next.
  2. Create the stack in the region in which to monitor root API activity, as well as in the us-east-1 region. Root API login is a global event and is logged in us-east-1. I recommend deploying in all AWS regions.
  3. Enter the following parameter details and choose Next:
    • SNSTopicName: A unique name for the SNS topic to be created.
    • SNSSubscriptions: An email address to subscribe to the SNS topic. I recommend sending these notifications to a distribution list rather than an individual.
    • LambdaTimeout: The Lambda function timeout value in seconds. The default is 30 seconds.
    • LambdaS3Bucket: Name of the S3 bucket where the Lambda function zip file is stored.
    • LambdaS3Key: Name of the Lambda function zip file. This is the full path to the S3 object, with the prefix. For example, “/dir1/dir2/lambdafunction.zip”.
