Set Up Real-Time Rule Alerts
Real-Time Rule Alerts alerts you within minutes when compliance rules you've configured become non-compliant.
Real-Time Rule Alerts monitors events in your AWS Accounts to constantly review Rule compliance. This allows Stax to alert on changes and non-compliance within minutes of them occurring.
To enable Real-Time Rule Alerts in your AWS Accounts, you must first deploy some configuration allowing Stax Cost & Compliance to access your CloudTrail logs.
Before you Begin
- Estimated time to complete: 15 minutes
- Ensure you are a member of the Admin role in your Stax tenancy
- Ensure you have appropriate access to each AWS Account that receives CloudTrail events into an S3 bucket
- Retrieve the latest Real-Time Rule Alerts IAM role CloudFormation template from this URL: https://s3-ap-southeast-2.amazonaws.com/stax-public-resources/stax-iam-role-rtr-cfn.json
- Retrieve your Stax Cost & Compliance External ID. If you do not already know this, please raise a support case and the Stax support team will provide it to you
Configure your CloudTrail S3 Buckets
For each AWS account in your organization that receives CloudTrail logs, you must perform the configuration below. If you're using Stax platform, this is typically your logging account only.
Log into the AWS account. Stax platform users can do this via the Stax Console
Browse to the S3 Console and locate then open the S3 bucket containing CloudTrail logs
On the S3 bucket's properties page, scroll down to find the Events card. Click it to see configured event notifications for the S3 bucket
Choose Add Notification and complete the form using the details below, then choose Save
Parameter Value Name StaxRTRNotification Events All object create events Prefix (blank) Suffix (blank) Send to SNS Topic SNS Topic ARN arn:aws:sns:<your-cloudtrail-region>:228473277269:cloudtrail-receiver-external-prod
Important: in the SNS Topic ARN above, ensure you enter the correct region for your CloudTrail S3 bucket.
If you receive an error when attempting to save the Notification, see Troubleshooting for more information.
Stax needs permission to see the contents of the CloudTrail S3 bucket. To configure this, deploy the Real-Time Rule Alerts IAM role CloudFormation template you retrieved earlier using AWS CloudFormation. When prompted for parameters, enter the following values:
Parameter Value Stack name RealTimeRuleAlertsRoleStack Stax-provided External ID The external ID you retrieved in the Before you Begin steps StaxEnvironment prod CloudTrailBucketName The name of the S3 bucket you configured the event notification on earlier
Configurations overlap. Configurations on the same bucket cannot share a common event type
S3 buckets only support one event of each type on each S3 bucket. If you already have a notification for the All object create events event configured on your CloudTrail S3 bucket, you won't be able to complete the steps required to configure Real-Time Rule Alerts.
Stax support can work with you to resolve this issue, so please raise a support case.