Set Up Real-Time Rule Alerts

Real-Time Rule Alerts alerts you within minutes when compliance rules you've configured become non-compliant.

Real-Time Rule Alerts monitors events in your AWS Accounts to constantly review Rule compliance. This allows Stax to alert on changes and non-compliance within minutes of them occurring.

To enable Real-Time Rule Alerts in your AWS Accounts, you must first deploy some configuration allowing Stax Cost & Compliance to access your CloudTrail logs.

Your organization's AWS accounts must either be managed by Stax, or be part of a Stax Cost & Compliance Enterprise subscription to access Real-Time Rule Alerts.

Before you Begin

  • Estimated time to complete: 15 minutes
  • Ensure you are a member of the Admin role in your Stax tenancy
  • Ensure you have appropriate access to each AWS Account that receives CloudTrail events into an S3 bucket
  • Retrieve the latest Real-Time Rule Alerts IAM role CloudFormation template from this URL:
  • Retrieve your Stax Cost & Compliance External ID. If you do not already know this, please raise a support case and the Stax support team will provide it to you

Configure your CloudTrail S3 Buckets

For each AWS account in your organization that receives CloudTrail logs, you must perform the configuration below. If you're using the Stax platform, this is typically your logging account only.

  1. Log in to the AWS account. Stax platform users can do this via the Stax Console

  2. Browse to the S3 Console, then locate and open the S3 bucket containing CloudTrail logs

  3. On the S3 bucket's properties page, scroll down to find the Events card. Click it to see configured event notifications for the S3 bucket

  4. Choose Add Notification and complete the form using the details below, then choose Save

    Events: All object create events
    Send to: SNS Topic
    SNS Topic ARN: arn:aws:sns:<your-cloudtrail-region>:228473277269:cloudtrail-receiver-external-prod

    Important: in the SNS Topic ARN above, ensure you enter the correct region for your CloudTrail S3 bucket.

    If you receive an error when attempting to save the Notification, see Troubleshooting for more information.

  5. Stax needs permission to see the contents of the CloudTrail S3 bucket. To configure this, deploy the Real-Time Rule Alerts IAM role CloudFormation template you retrieved earlier using AWS CloudFormation. When prompted for parameters, enter the following values:

    Stack name: RealTimeRuleAlertsRoleStack
    Stax-provided External ID: The external ID you retrieved in the Before you Begin steps
    CloudTrailBucketName: The name of the S3 bucket you configured the event notification on earlier


Troubleshooting

Configurations overlap. Configurations on the same bucket cannot share a common event type

Each S3 bucket supports only one event notification of each type. If you already have a notification for the All object create events event configured on your CloudTrail S3 bucket, you won't be able to complete the steps required to configure Real-Time Rule Alerts.

Stax support can work with you to resolve this issue, so please raise a support case.
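
The check below is an added example, not part of the Stax documentation or Stax tooling. It takes a bucket's current notification configuration (the JSON shape returned by `aws s3api get-bucket-notification-configuration`) and reports whether the step 4 notification is already present, would hit the "Configurations overlap" error described above, or can be added without dropping existing entries. The function names, the sample configuration and the notification Id are assumptions made for illustration.

```python
STAX_ACCOUNT = "228473277269"                     # from the ARN on this page
STAX_TOPIC = "cloudtrail-receiver-external-prod"  # from the ARN on this page
CONFIG_KEYS = ("TopicConfigurations", "QueueConfigurations",
               "LambdaFunctionConfigurations")
ARN_FIELDS = ("TopicArn", "QueueArn", "LambdaFunctionArn")

# Constructed sample: a bucket already sending object-create events to a queue.
SAMPLE = {"QueueConfigurations": [{
    "Id": "siem-ingest",
    "QueueArn": "arn:aws:sqs:ap-southeast-2:111122223333:siem-ingest",
    "Events": ["s3:ObjectCreated:Put"]}]}


def stax_topic_arn(bucket_region):
    """Topic ARN for the region the CloudTrail bucket lives in."""
    return f"arn:aws:sns:{bucket_region}:{STAX_ACCOUNT}:{STAX_TOPIC}"


def preflight(existing, bucket_region):
    """Return (status, detail); status is already-configured, conflict or ok.
    For ok, detail is the full configuration to apply: every existing entry
    plus the new SNS notification, so nothing already on the bucket is lost.
    """
    target = stax_topic_arn(bucket_region)
    conflicts = []
    for key in CONFIG_KEYS:
        for cfg in existing.get(key, []):
            arn = next((cfg[f] for f in ARN_FIELDS if f in cfg), "")
            created = [e for e in cfg.get("Events", [])
                       if e.startswith("s3:ObjectCreated:")]
            if arn == target and "s3:ObjectCreated:*" in created:
                return "already-configured", arn
            if created:
                # The new notification carries no prefix/suffix filter, so any
                # existing object-create notification overlaps with it.
                conflicts.append((cfg.get("Id", "<no id>"), arn, created))
    if conflicts:
        return "conflict", conflicts
    merged = {k: list(v) if isinstance(v, list) else v
              for k, v in existing.items()}
    merged.setdefault("TopicConfigurations", []).append(
        {"Id": "real-time-rule-alerts",  # hypothetical Id, choose your own
         "TopicArn": target, "Events": ["s3:ObjectCreated:*"]})
    return "ok", merged


if __name__ == "__main__":
    print(preflight(SAMPLE, "ap-southeast-2"))
```

A `conflict` result lists the Id, destination ARN and event types of each existing notification, which is the detail to include when raising the support case.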
