Monitoring Security Groups with Amazon CloudWatch Events
SPL-138 - Version 2.1.6
© 2018 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
Errors or corrections? Email us at firstname.lastname@example.org.
Other questions? Contact us at https://aws.amazon.com/contact-us/aws-training/
Amazon EC2 security groups are an important control for restricting access to your AWS infrastructure. In order to improve the effectiveness of this control, we can go one step further and monitor API calls that could change the configuration of a security group. In this lab you will learn how to use Amazon CloudWatch Events with AWS CloudTrail and an AWS Lambda function to monitor API calls that add or revoke ingress permissions associated with an EC2 security group. The Lambda function will be triggered whenever the APIs that modify ingress permissions are called. If the resulting ingress rule configuration differs from that which is coded in the function, the Lambda function will send notifications to Amazon CloudWatch Logs.
By the end of this lab, you will be able to:
- Upload an AWS Lambda function that will be used as a target for a CloudWatch Events rule.
- Create a CloudWatch Events rule associated with the Lambda function that looks for API calls that can change the ingress ports of a security group.
- Modify the security group to trigger the Lambda function.
- Observe the results in Amazon CloudWatch Logs.
Technical knowledge prerequisites
To successfully complete this lab, you should be familiar with EC2 security groups. Python programming skills are helpful, although full solution code is provided. It would be helpful to have taken the Introduction to AWS Lambda.
Other AWS services
AWS services other than those needed for this lab are disabled by IAM policy during your access time in this lab. In addition, the capabilities of the services used in this lab are limited to what's required by the lab and in some cases are even further limited as an intentional aspect of the lab design. You should expect errors when accessing other services or performing actions beyond those provided in this lab guide.
Notice the lab properties below the lab title:
- setup - The estimated time to set up the lab environment
- access - The time the lab will run before automatically shutting down
- completion - The estimated time the lab should take to complete
- At the top of your screen, launch your lab by clicking
If you are prompted for a token, use the one distributed to you (or credits you have purchased).
A status bar shows the progress of the lab environment creation process. The AWS Management Console is accessible during lab resource creation, but your AWS resources may not be fully available until the process is complete.
- Open your lab by clicking
This will automatically log you into the AWS Management Console.
Please do not change the Region unless instructed.
Common login errors
Error : Federated login credentials
If you see this message:
- Close the browser tab to return to your initial lab window
- Wait a few seconds
- Click again
You should now be able to access the AWS Management Console.
Error: You must first log out
If you see the message, You must first log out before logging into a different AWS account:
- Click click here
- Close your browser tab to return to your initial Qwiklabs window
- Click again
Join Qwiklabs to read the rest of this lab...and more!
- Get temporary access to the Amazon Web Services Console.
- Over 200 labs from beginner to advanced levels.
- Bite-sized so you can learn at your own pace.