Sorry, my teammates. I audited you guys using CloudTrail.

Let's monitor AWS IAM users' activity!

Audit AWS IAM Users

You can use this small project to audit your AWS IAM users to prevent unexpected behavior and charge.
If you follow the steps below, you can make a small system that notifies you when an IAM user uses not only AWS console but also API call using SDK.

How to use

Notification channel - Slack

First of all, you need a channel to receive an alert message through it. My favorites are Slack and Telegram and I'm going to use Slack in this example.

  1. Log in Slack and go to here to create new app.
  2. Click Create New App button and select to create from scratch.
    slack app list
    create app option
  3. Enter the name of your app and pick a workspace where your app can work.
    name and workspace
  4. Now, you are in the configuration page. Let's configure Incoming Webhooks. Click this button.
    add features
  5. Activate incoming webhooks.
    activate incoming webhooks
  6. Click Add New Webhook to Workspace and choose a channel that audit messages will be posted on.
    choose channel
  7. Then, you have created new webhook URL. When sending JSON data to the URL, that data will be posted on the selected channel.
    webhook created

AWS CloudTrail

You can use AWS CloudTrail to track user activity and API usage.

  1. Log in AWS account that has a permission for CloudTrail and for CloudWatch.
  2. Go to CloudTrail dashboard and click Create trail.
    cloudtrail dashboard
  3. Fill in the required fields and make sure you enable CloudWatch Logs. Then, press next button.
  4. Choose log event types you want to record and configure for them, and finish creating trail.
    trail created

Now, all events are logged with CloudWatch.

AWS Lambda

Although CloudTrail tracks and records events, it does not send any message by itself.
You need to process and filter logs, and send message to your slack channel. We are going to use AWS Lambda for this.

  1. Log in AWS account that has a permission to create AWS Lambda, and go to the page of AWS Lambda.

  2. Click Create function.

  3. Fill in the required form, select runtime as Python 3.9 or newer, and then create it.
    Now, your function is created. Let's upload code that will be used to process CloudTrail logs.

  4. Download this repository or git clone it.
    $ git clone https://github.com/a2tt/Audit-AWS-IAM-User.git

  5. Copy configs.example.py to configs.py and modify it with yours.

  6. Archive this directory by executing shell script.

    Make sure you have installed python3 on your machine.

    $ . zip_function.sh

    What this script does is ...

    1. Make directory named 'package'.
    2. Install python packages required into the directory.
    3. Zip python code with the packages.
  7. Click Upload from - .zip file to upload function.zip to AWS Lambda.
    upload function

AWS CloudWatch

Finally, you need to configure AWS CloudWatch to trigger the Lambda function.
We are going to use Subscription filters functionality.

  1. Log in AWS account that has a permission for CloudWatch and go to CloudWatch - log groups menu.

  2. Find your cloudtrail log groups, and click the group.

  3. Click Subscription filters tab and press Create - Create Lambda subscription filter.
    subscription filter

  4. Select your Lambda function and set log format as Amazon CloudTrail.

  5. This step is one of the most important and can be changed for your taste.
    You can set Subscription filter pattern to filter out unwanted events triggering the Lambda. I'm using this rule:

    { ($.userIdentity.type = "IAMUser") && ($.eventName != "Get*") && ($.eventName != "Describe*") }

    By filtering "IAMUser", it will trigger Lambda for the logs related to the events triggered by IAM user,
    and by filtering out "Get*" and "Describe*", you won't receive the rampant and frequent messages that are not likely to be important.

    You can check out what patterns are allowed here.

  6. It's time to start streaming!
    subscription filter created


When you log in as an IAM user, roam about AWS console, do API call using SDK(e.g. boto3) or do API call with AWS CLI, you will receive a message about it.

login alert api alert


You should know that well defined Role-based Access Control using IAM is more important than auditing.
Nonetheless, you can use this simple system for tracking users in a small sized group.

hit count