Events to monitor and alert
Explanation
This is a list of events, originally posted here, that you may want to consider setting up alerts for, since they could indicate a security event.
Not all of these will make sense for your environment, and depending on your use case they could result in alert fatigue. Use this as a starting point and reference guide, but make sure to think through the implementation. Also consider using available monitoring, logging, and alerting tools like the ASSK instead of reinventing the wheel.
cloudshell.amazonaws.com
CreateEnvironment
CreateSession
DeleteEnvironment
GetEnvironmentStatus
GetFileDownloadUrls
GetFileUploadUrls
PutCredentials
StartEnvironment
StopEnvironment
cloudtrail.amazonaws.com
DeleteEventDataStore
DeleteTrail
PutEventSelectors
StopLogging
UpdateEventDataStore
UpdateTrail
config.amazonaws.com
DeleteDeliveryChannel
StopConfigurationRecorder
connect.amazonaws.com
CreateInstance
ec2.amazonaws.com
CreateDefaultVpc
CreateImage
CreateInstanceExportTask
CreateKeyPair
CreateVpc
DeleteFlowLogs
DeleteVpc
DescribeInstanceAttribute
DisableEbsEncryptionByDefault
DisableImageBlockPublicAccess
DisableSerialConsoleAccess
DisableSnapshotBlockPublicAccess
EnableEbsEncryptionByDefault
EnableImageBlockPublicAccess
EnableSerialConsoleAccess
EnableSnapshotBlockPublicAccess
GetPasswordData
ModifyInstanceAttribute
ModifySnapshotAttribute
SharedSnapshotCopyInitiated
SharedSnapshotVolumeCreated
ecr.amazonaws.com
CreateRepository
GetAuthorizationToken
ecs.amazonaws.com
RegisterTaskDefinition
RunTask
eks.amazonaws.com
CreateCluster
DeleteCluster
elasticache.amazonaws.com
AuthorizeCacheSecurityGroupEgress
AuthorizeCacheSecurityGroupIngress
CreateCacheSecurityGroup
DeleteCacheSecurityGroup
RevokeCacheSecurityGroupEgress
RevokeCacheSecurityGroupIngress
elasticfilesystem.amazonaws.com
DeleteFileSystem
DeleteMountTarget
glue.amazonaws.com
CreateDevEndpoint
DeleteDevEndpoint
UpdateDevEndpoint
guardduty.amazonaws.com
CreateIPSet
iam.amazonaws.com
AddUserToGroup
AttachGroupPolicy
AttachUserPolicy
ChangePassword
CreateAccessKey
CreateLoginProfile
CreateUser
CreateVirtualMFADevice
DeactivateMFADevice
DeleteAccessKey
DeleteUser
DeleteUserPolicy
DeleteVirtualMFADevice
DetachGroupPolicy
DetachUserPolicy
EnableMFADevice
PutUserPolicy
ResyncMFADevice
UpdateAccessKey
UpdateGroup
UpdateLoginProfile
UpdateSAMLProvider
UpdateUser
kms.amazonaws.com
DisableKey
ScheduleKeyDeletion
lambda.amazonaws.com
AddLayerVersionPermission
CreateFunction
GetLayerVersionPolicy
PublishLayerVersion
UpdateFunctionConfiguration
macie.amazonaws.com
DisableMacie
macie2.amazonaws.com
DisableMacie
organizations.amazonaws.com
LeaveOrganization
rds.amazonaws.com
ModifyDBInstance
RestoreDBInstanceFromDBSnapshot
rolesanywhere.amazonaws.com
CreateProfile
CreateTrustAnchor
route53.amazonaws.com
DisableDomainTransferLock
TransferDomainToAnotherAwsAccount
s3.amazonaws.com
PutBucketLogging
PutBucketPublicAccessBlock
PutBucketWebsite
PutEncryptionConfiguration
PutLifecycleConfiguration
PutReplicationConfiguration
ReplicateObject
RestoreObject
securityhub.amazonaws.com
BatchUpdateFindings
DeleteInsight
UpdateFindings
UpdateInsight
sso.amazonaws.com
AttachCustomerManagedPolicyReferenceToPermissionSet
AttachManagedPolicyToPermissionSet
CreateAccountAssignment
CreateInstanceAccessControlAttributeConfiguration
CreatePermissionSet
DeleteAccountAssignment
DeleteInlinePolicyFromPermissionSet
DeleteInstanceAccessControlAttributeConfiguration
DeletePermissionsBoundaryFromPermissionSet
DeletePermissionSet
DetachCustomerManagedPolicyReferenceFromPermissionSet
DetachManagedPolicyFromPermissionSet
ProvisionPermissionSet
PutInlinePolicyToPermissionSet
PutPermissionsBoundaryToPermissionSet
UpdateInstanceAccessControlAttributeConfiguration
UpdatePermissionSet
sts.amazonaws.com
GetFederationToken
GetSessionToken