Set Up Real-Time Rule Alerts
Stax supports Real-Time Rule Alerts that monitor your CloudTrail event logs and trigger alerts when non-compliant items are detected. In the following guide, we'll walk through deploying the required configuration so we can process your changes as they happen.
For Real-Time Rule Alerts, we use your CloudTrail events history to process targeted updates of rules in your account. This lets us alert on changes as they happen, typically within a few minutes of something occurring.
All Rules in Stax support Real-Time Rule Alerts out of the box, and once the stack that gives CloudTrail access is deployed, you'll just need to regularly update your normal stack to keep Real-Time Rules running when you add new accounts.
Please note: All Stax customers and Enterprise Stax Cost & Compliance customers can access this feature. Setting this up requires a deployment separate from your existing Stax Cost & Compliance roles, but it is a one-time setup.
In practice, our goal is to set up a configuration that lets Stax send events from your CloudTrail bucket to an SNS topic Stax controls in one of our accounts.
Due to limitations of CloudTrail, this requires some configuration, but in doing so you gain the flexibility of fitting alerts into your existing cloud setup.
If you're already using a centralized CloudTrail account, you'll only need to deploy the stack in the accounts with buckets. We'll reuse your existing Stax roles in the other accounts to actually check for changes once we process CloudTrail.
In each of your accounts that process Real-Time Rules, you'll need to go through the following process:
- Go into the S3 console and find the appropriate bucket.
- In the given bucket, click the properties tab.
- Find and expand the "Events" section. You'll need to add a new notification.
For the properties of the given notification, fill it in as follows:
- Name: Anything; we suggest StaxSpotlightRTRNotification
- Events: "All object create events"
- Prefix: Leave blank.
- Suffix: Leave blank.
- Send to: SNS Topic
- SNS Topic ARN: arn:aws:sns:ap-southeast-2:228473277269:cloudtrail-receiver-external-prod
In the SNS topic ARN, ensure you replace the ap-southeast-2 with the correct region for your S3 bucket (e.g. if it's in us-east-1, it'd be
- Save the notification.
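The region mismatch called out above is the easiest mistake to make in this step, so here is an added check (not Stax's own tooling) that validates a bucket's notification configuration against the guide's requirements: all object-create events, no prefix/suffix filter, and the Stax topic in the bucket's own region. The input dict has the same shape as the boto3 s3.get_bucket_notification_configuration() response; a constructed sample is embedded so the check runs offline.

```python
import re

STAX_ACCOUNT = "228473277269"                  # account from the topic ARN in this guide
STAX_TOPIC = "cloudtrail-receiver-external-prod"
ARN_RE = re.compile(r"^arn:aws:sns:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_-]+)$")


def expected_topic_arn(bucket_region: str) -> str:
    """Build the Stax topic ARN for the region the CloudTrail bucket lives in."""
    return f"arn:aws:sns:{bucket_region}:{STAX_ACCOUNT}:{STAX_TOPIC}"


def check_notification(config: dict, bucket_region: str) -> list[str]:
    """Return a list of problems; an empty list means the bucket matches the guide."""
    problems = []
    want = expected_topic_arn(bucket_region)
    topics = config.get("TopicConfigurations", [])
    matches = [t for t in topics if t.get("TopicArn") == want]
    if not matches:
        found = [t.get("TopicArn") for t in topics]
        problems.append(f"no topic configuration for {want}; found {found}")
        # The common slip: correct Stax topic, but the region was not changed.
        for arn in found:
            m = ARN_RE.match(arn or "")
            if (m and m.group(2) == STAX_ACCOUNT and m.group(3) == STAX_TOPIC
                    and m.group(1) != bucket_region):
                problems.append(f"topic region {m.group(1)} does not match "
                                f"bucket region {bucket_region}")
        return problems
    topic = matches[0]
    events = set(topic.get("Events", []))
    if "s3:ObjectCreated:*" not in events:      # "All object create events"
        problems.append(f"events should include s3:ObjectCreated:*, got {sorted(events)}")
    rules = topic.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    for rule in rules:                           # Prefix and Suffix must stay blank
        if rule.get("Value"):
            problems.append(f"{rule['Name']} filter should be blank, got {rule['Value']!r}")
    return problems


# Constructed sample: the Stax topic is correct but still pinned to ap-southeast-2.
SAMPLE_CONFIG = {
    "TopicConfigurations": [{
        "Id": "StaxSpotlightRTRNotification",
        "TopicArn": "arn:aws:sns:ap-southeast-2:228473277269:cloudtrail-receiver-external-prod",
        "Events": ["s3:ObjectCreated:*"],
    }]
}

if __name__ == "__main__":
    for problem in check_notification(SAMPLE_CONFIG, "us-east-1"):
        print("FAIL:", problem)
```

Against a real bucket, replace SAMPLE_CONFIG with the boto3 response and bucket_region with the bucket's actual region; the sample passes for ap-southeast-2 and reports the region mismatch for us-east-1.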
Now, you'll need to grant Stax permission to read this bucket.
- Locate the stack template that grants Stax permissions via a restricted IAM role, found at the URL: https://s3-ap-southeast-2.amazonaws.com/stax-public-resources/stax-iam-role-rtr-cfn.json
- Deploy using the following configuration:
  - CloudTrailBucketName - The name of the S3 bucket you just set notifications up in.
  - StaxEnvironment - Leave as prod, unless directed otherwise.
  - StaxProvidedExternalClientId - Provide your external ID when setting up; it is the same value used for all of your other Stax roles.
- Once that is done, you will need to send the following to firstname.lastname@example.org:
  - The value of the StaxRoleArn output of the above stack.
  - The AWS account ID (in the form of 12 digits, e.g. 112233445566) of the account the CloudTrail bucket is in.
  - The name of the CloudTrail destination bucket.
Once the Stax team receives these details, we will configure on our side and let you know, giving you access to the feature.