假设交叉账户，AWS CloudWatch Events会触发STS角色上的SNS [英] AWS CloudWatch Events trigger SNS on STS role assuming for cross account

问题描述

我有一个跨帐户架构，并且正在为STS角色设置一个CloudWatch事件，假设它进入另一个帐户.我在帐户上启用了CloudTrail，来自CloudTrail的日志存储在单独的帐户s3存储桶中.SNS会根据假设将其送入SES以发送电子邮件.

I have a cross-account architecture and I'm setting up a CloudWatch event for the STS role assuming into another account. I have CloudTrail enabled on the account, the logs from CloudTrail are stored in a separate accounts s3 bucket. The SNS feeds into SES to send an email upon assumption.

由于某种原因，当担任角色时，不会触发此事件模式！有什么想法吗?

For some reason, this event pattern won't trigger when the role is assumed! Any ideas?

{
  "source": [
    "aws.sts"
  ],
   "detail-type": [
     "AWS API Call via CloudTrail"
   ],
   "detail": {
     "eventSource": ["sts.amazonaws.com"],
     "eventName": ["AssumeRole"],
     "requestParameters": {
       "roleArn": ["arn:aws:iam::1111111111:role/RoleName"]
     }
   }
}

推荐答案

供以后使用此解决方案的任何人.

For anyone looking at this in the future..

IAM居住在弗吉尼亚北部地区！确保审核那里的STS日志

IAM lives in the N. Virginia region! Make sure to audit the logs there for STS

这篇关于假设交叉账户，AWS CloudWatch Events会触发STS角色上的SNS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！