I'm just trying to create a fully functional alarm that will change state if any IAM policy changes are made.
{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}
If I attach or detach any policy for any IAM Role, nothing happens.
Here are the policies for the CloudWatch role:
{
    "Statement": [
        {
            "Action": [
                "s3:GetBucketAcl",
                "s3:PutObject",
                "cloudtrail:StartLogging",
                "cloudtrail:StopLogging",
                "cloudtrail:Get*",
                "cloudtrail:CreateTrail",
                "cloudtrail:UpdateTrail",
                "iam:CreateServiceLinkedRole",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "autoscaling:Describe*",
                "cloudwatch:*",
                "logs:*",
                "sns:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
Can anyone advise why there is no change in the alarm state?
Well, I figured it out: it works correctly only in the us-east-1 region. I saw a hint in some instructions that said something completely different, and decided to try setting up the IAM Changes Alarm in another region.
@shimo, thanks for reassuring me that my settings are completely correct.
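The following is an added example, not code from the original question or answer. It replays constructed CloudTrail records through the same eventName set as the metric filter pattern above, and models the region point the answer arrives at: IAM is a global service, so CloudTrail stamps its events with awsRegion "us-east-1", and a log group fed by a single-region trail elsewhere only receives them if that trail was created with global service events enabled. The delivery rules in `delivered_to_log_group` are a deliberate simplification (an assumption, not CloudTrail's complete behaviour), and the sample records, account ID, user names and policy ARNs are all made up. It also surfaces one caveat a practitioner should know: the filter does not look at `errorCode`, so a denied AttachRolePolicy attempt still counts as a "policy change".

```python
"""Added example (not from the original post): replay constructed CloudTrail
records through the question's IAM-policy-change metric filter and show why a
log group fed from a trail outside us-east-1 may never see them."""
import json

# eventName values taken from the metric filter pattern in the question.
IAM_POLICY_CHANGE_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
})

# Constructed sample records, trimmed to the fields used below. IAM is a global
# service, so CloudTrail stamps its events with awsRegion "us-east-1".
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
                "awsRegion": "us-east-1",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"roleName": "AppRole",
                                      "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "DetachUserPolicy",
                "awsRegion": "us-east-1", "errorCode": "AccessDenied",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
                "requestParameters": {"userName": "alice",
                                      "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
                "awsRegion": "us-east-1",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"roleName": "NewRole"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
                "awsRegion": "eu-west-1",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {}}),
]


def matches_filter(record):
    """Same test as the metric filter: eventName is one of the listed values."""
    return record.get("eventName") in IAM_POLICY_CHANGE_EVENTS


def delivered_to_log_group(record, trail_region, multi_region=False,
                           include_global_service_events=False):
    """Simplified model (an assumption, not CloudTrail's full rules) of which
    records a trail forwards to its CloudWatch Logs group: a multi-region trail
    gets everything; a single-region trail gets its own region's events, plus
    global-service (IAM) events only if global events were enabled on it."""
    if multi_region:
        return True
    if record["awsRegion"] == trail_region:
        return True
    is_global = record["eventSource"] == "iam.amazonaws.com"
    return is_global and include_global_service_events


def alarm_summary(log_lines, trail_region, multi_region=False,
                  include_global_service_events=False):
    """Count what the metric filter would emit for one trail configuration.
    'denied' counts matches that carry an errorCode: the filter never checks
    it, so a refused AttachRolePolicy still bumps the metric (handy for
    spotting probing, but it is not an actual policy change)."""
    summary = {"matched": 0, "denied": 0, "actors": []}
    for line in log_lines:
        record = json.loads(line)
        if not delivered_to_log_group(record, trail_region, multi_region,
                                      include_global_service_events):
            continue
        if matches_filter(record):
            summary["matched"] += 1
            summary["actors"].append(record["userIdentity"]["arn"])
            if "errorCode" in record:
                summary["denied"] += 1
    return summary


if __name__ == "__main__":
    for label, kwargs in [
        ("single-region trail in us-east-1", {"trail_region": "us-east-1"}),
        ("single-region trail in eu-west-1", {"trail_region": "eu-west-1"}),
        ("eu-west-1 trail with global service events",
         {"trail_region": "eu-west-1", "include_global_service_events": True}),
        ("multi-region trail", {"trail_region": "eu-west-1", "multi_region": True}),
    ]:
        print(f"{label}: {alarm_summary(SAMPLE_LOG_LINES, **kwargs)}")
```

Running it shows the us-east-1 trail producing two matches (one of them a denied attempt) while an eu-west-1 single-region trail without global service events produces none, which is exactly the "alarm never changes state" symptom from the question. When building this alarm outside us-east-1, confirm the trail is multi-region or has global service events enabled, and decide whether denied attempts should raise the alarm or be split into a separate metric.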