When securing AWS you can build the same control several ways from native services, but which one works best for alerting on suspicious API calls? The article summarised here compares three AWS-native alerting pipelines on time to alert, cost, and ease of use:
- EventBridge → SNS → Email: very fast (about 5 seconds) and cheap, but multi-region coverage needs a rule and topic (or a bus forwarding rule) per region.
- CloudTrail → S3 → Lambda → SNS → Email: highly customizable and the best option for context-rich alerts (the Lambda sees the full CloudTrail record), but slower (about 3 min 54 s, dominated by CloudTrail's delivery delay to S3).
- CloudTrail → CloudWatch Logs → Metric Filter → CloudWatch Alarm → SNS → Email: easy to deploy and fine for simple alerts, but the alarm notification carries only the metric, not the event details (about 3 min 34 s).
📖 Full article here: https://lnkd.in/dxHWch5U
👉 GitHub Terraform code: https://lnkd.in/dvgDuChA
Practice Verified Codes and Commands
Here’s a sample Terraform code snippet to set up the EventBridge → SNS → Email method:
[hcl]
provider "aws" {
  region = "us-east-1"
}

# Only management events reach EventBridge as "AWS API Call via CloudTrail",
# and only while a CloudTrail trail with logging enabled exists in the region.
# S3 object-level calls such as PutObject/DeleteObject are data events and are
# not delivered this way, so the rule watches calls that disable audit logging.
resource "aws_cloudwatch_event_rule" "suspicious_api_calls" {
  name        = "suspicious-api-calls"
  description = "Capture suspicious API calls"
  event_pattern = jsonencode({
    source        = ["aws.cloudtrail"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["cloudtrail.amazonaws.com"]
      eventName   = ["StopLogging", "DeleteTrail", "UpdateTrail"]
    }
  })
}

resource "aws_cloudwatch_event_target" "sns_target" {
  rule      = aws_cloudwatch_event_rule.suspicious_api_calls.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.api_alerts.arn
}

resource "aws_sns_topic" "api_alerts" {
  name = "suspicious-api-alerts"
}

# EventBridge cannot publish to the topic without a resource policy that
# grants events.amazonaws.com SNS:Publish; without it the rule fires silently.
data "aws_iam_policy_document" "allow_eventbridge" {
  statement {
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.api_alerts.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "api_alerts" {
  arn    = aws_sns_topic.api_alerts.arn
  policy = data.aws_iam_policy_document.allow_eventbridge.json
}

# Placeholder address: SNS e-mails a confirmation link that must be clicked
# before any alert is delivered.
resource "aws_sns_topic_subscription" "email_subscription" {
  topic_arn = aws_sns_topic.api_alerts.arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com"
}
[/hcl]
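The second pipeline (CloudTrail → S3 → Lambda → SNS) is where the context-rich alerts come from, and the part that is not shown above is the Lambda itself. The following is an added example written for this page, not code from the original article or its GitHub repository: it parses a CloudTrail log object as delivered to S3 (gzipped JSON with a top-level `Records` list), filters the records against a small rule set, and publishes one full-context message per hit. The rule set, the `TOPIC_ARN` environment variable, the sample records and the fake S3/SNS clients are all assumptions constructed for the example so that it runs offline.

```python
# Added example: Lambda stage of CloudTrail -> S3 -> Lambda -> SNS.
# Rule list, TOPIC_ARN, sample records and fake clients are assumptions.
import gzip
import json
from urllib.parse import unquote_plus

# Assumed starter rule set: (eventSource, eventName) pairs that almost always
# deserve a human look, i.e. logging tampering and IAM privilege changes.
SUSPICIOUS_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
}


def parse_cloudtrail_object(body: bytes) -> list:
    """CloudTrail log objects are gzip-compressed JSON with a 'Records' list."""
    return json.loads(gzip.decompress(body)).get("Records", [])


def is_suspicious(record: dict) -> bool:
    # Denied attempts (errorCode set) are kept on purpose: a principal probing
    # StopLogging without permission is still a signal worth alerting on.
    return (record.get("eventSource"), record.get("eventName")) in SUSPICIOUS_CALLS


def format_alert(record: dict) -> str:
    """Build the full-context message the metric-filter pipeline cannot give."""
    ident = record.get("userIdentity", {})
    actor = ident.get("arn") or ident.get("principalId", "unknown")
    outcome = "succeeded"
    if record.get("errorCode"):
        outcome = f"DENIED ({record['errorCode']}: {record.get('errorMessage')})"
    return "\n".join([
        f"Suspicious API call: {record.get('eventName')} via {record.get('eventSource')}",
        f"Time:       {record.get('eventTime')}",
        f"Actor:      {actor} (type={ident.get('type')})",
        f"Source IP:  {record.get('sourceIPAddress')}",
        f"Region:     {record.get('awsRegion')}",
        f"Parameters: {json.dumps(record.get('requestParameters'))}",
        f"Outcome:    {outcome}",
    ])


def alerts_for_object(body: bytes) -> list:
    return [format_alert(r) for r in parse_cloudtrail_object(body) if is_suspicious(r)]


def handler(event, context=None, s3=None, sns=None, topic_arn=None):
    """Entry point for S3 ObjectCreated notifications on the CloudTrail bucket.
    Clients and topic ARN are injectable for offline use; inside Lambda they
    default to boto3 clients and the assumed TOPIC_ARN environment variable."""
    if s3 is None or sns is None or topic_arn is None:
        import os
        import boto3  # only needed in the real Lambda runtime
        s3 = s3 or boto3.client("s3")
        sns = sns or boto3.client("sns")
        topic_arn = topic_arn or os.environ["TOPIC_ARN"]
    sent = 0
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys in notifications
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        for message in alerts_for_object(body):
            sns.publish(TopicArn=topic_arn, Subject="Suspicious AWS API call", Message=message)
            sent += 1
    return {"alerts_sent": sent}


# Constructed sample log object and test doubles (not real AWS output).
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2025-03-05T10:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2025-03-05T10:15:04Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/build"}},
    {"eventTime": "2025-03-05T10:16:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"userName": "admin"}, "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform iam:CreateAccessKey"},
]}
SAMPLE_OBJECT = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


class _Body:
    def __init__(self, data): self._data = data
    def read(self): return self._data


class FakeS3:
    def get_object(self, Bucket, Key): return {"Body": _Body(SAMPLE_OBJECT)}


class FakeSNS:
    def __init__(self): self.published = []
    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": str(len(self.published))}


def run_sample():
    """Run the handler offline on the sample object; returns (result, messages)."""
    sns = FakeSNS()
    event = {"Records": [{"s3": {"bucket": {"name": "ct-logs"},
                                 "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2025/03/05/x.json.gz"}}}]}
    result = handler(event, s3=FakeS3(), sns=sns,
                     topic_arn="arn:aws:sns:us-east-1:123456789012:suspicious-api-alerts")
    return result, [p["Message"] for p in sns.published]


if __name__ == "__main__":
    result, messages = run_sample()
    print(result)
    print("\n\n".join(messages))
```

Running the file prints two alerts out of three records: the `StopLogging` call and the denied `CreateAccessKey` attempt, each with actor ARN, source IP, region and request parameters, while the benign `ListBuckets` is ignored. In a real deployment the Lambda's execution role needs `s3:GetObject` on the trail bucket and `sns:Publish` on the topic, and the S3 bucket notification must be scoped to the `AWSLogs/` prefix so the function is not invoked for unrelated objects.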
What Undercode Says
Securing AWS environments requires a balance between speed, cost, and ease of use. The three methods discussed (EventBridge, CloudTrail with Lambda, and CloudTrail with CloudWatch) trade latency against how much of the event you get in the alert. For rapid alerting on management API calls, EventBridge paired with SNS and email is ideal, while CloudTrail with Lambda provides the full event record for detailed investigations at the cost of CloudTrail's delivery delay. The CloudWatch metric-filter route, though simplest to deploy, only tells you that a matching event occurred, which is rarely enough on its own for a security triage.
To further enhance your AWS security posture, consider integrating these commands and tools:
1. AWS CLI Command to Check CloudTrail Logs (lookup-events covers management events from the last 90 days, in the current region only):
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=StopLogging
2. Linux Command to Inspect a Delivered CloudTrail Log File (CloudTrail writes gzipped JSON objects to S3, not to a local /var/log file; replace the bucket and key with your own):
aws s3 cp s3://my-cloudtrail-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2025/03/05/example.json.gz - | gunzip | jq '.Records[] | select(.eventName=="StopLogging")'
3. Windows Command to Check Event Logs (on an EC2 Windows host; this is the guest OS log, not CloudTrail):
Get-WinEvent -LogName "Security" | Where-Object { $_.Message -like "*suspicious*" }
4. Python Script to Parse CloudTrail Logs:
import json
import boto3

cloudtrail = boto3.client('cloudtrail')
# Paginate: a single lookup_events call returns at most 50 events.
paginator = cloudtrail.get_paginator('lookup_events')
pages = paginator.paginate(LookupAttributes=[{'AttributeKey': 'EventName', 'AttributeValue': 'StopLogging'}])
for page in pages:
    for event in page['Events']:
        record = json.loads(event['CloudTrailEvent'])  # the full record is a JSON string
        print(record['eventTime'], record['userIdentity'].get('arn'), record['sourceIPAddress'])
For more advanced configurations, refer to the AWS documentation:
– AWS EventBridge Documentation
– AWS CloudTrail Documentation
– AWS CloudWatch Documentation
By leveraging these tools and commands, you can build a robust security framework tailored to your AWS environment.
References:
initially reported by: https://www.linkedin.com/posts/adan-%C3%A1lvarez-vilchez-539a92115_diyevaluating-aws-native-approaches-for-activity-7302228808999276545-I1gp – Hackers Feeds