The CloudFormation template in this repo deploys an AWS Lambda function and an Amazon EventBridge rule that match the following CloudTrail events and send Amazon SNS notifications. Because the rule matches events delivered to EventBridge by CloudTrail, a CloudTrail trail must be enabled in the region where the stack is deployed.
- API calls made by the root user
- Console logins by the root user
The CloudFormation template prompts for these parameters.
- The name of an SNS topic to create
- The e-mail address to subscribe to the SNS topic
The Lambda function reads two environment variables.
- SNSARN - Initially set to the ARN of the SNS topic that is provisioned by CloudFormation
- LOGGING_LEVEL - The level name handed to the Python logging module (for example DEBUG, INFO, WARNING), initially set to DEBUG
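The following is an added example, not the Lambda code shipped in this repo, showing the shape of a handler that reads SNSARN and LOGGING_LEVEL, filters for root-user activity in the CloudTrail record carried by the EventBridge event, and publishes a summary to SNS. The event pattern, the sample events and the placeholder topic ARN are constructed for illustration; the `publish` argument is an assumption added so the logic runs without AWS credentials (inside Lambda it falls back to boto3).

```python
import json
import logging
import os

# Environment variables the README describes. The SNSARN default is a placeholder for running this
# file outside Lambda, not a real topic.
SNS_ARN = os.environ.get("SNSARN", "arn:aws:sns:us-east-1:123456789012:root-activity-placeholder")
LOGGING_LEVEL = os.environ.get("LOGGING_LEVEL", "DEBUG")

logger = logging.getLogger()
logger.setLevel(getattr(logging, LOGGING_LEVEL.upper(), logging.DEBUG))

# Illustrative EventBridge pattern (not the template's literal rule): CloudTrail API calls and
# console sign-ins whose principal is the root user. Both arrive only if a trail is enabled.
ROOT_EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

SNS_SUBJECT_MAX = 100  # SNS rejects subjects longer than 100 characters


def is_root_activity(event):
    """True when the CloudTrail record inside the EventBridge event was made by the root user."""
    return event.get("detail", {}).get("userIdentity", {}).get("type") == "Root"


def build_notification(event):
    """Return (subject, body) for an SNS notification summarising the root activity."""
    detail = event["detail"]
    account = detail.get("recipientAccountId") or event.get("account") or "?"
    event_name = detail.get("eventName", "UnknownEvent")
    subject = f"Root activity in {account}: {event_name}"[:SNS_SUBJECT_MAX]
    summary = {
        "account": account,
        "region": event.get("region"),
        "time": detail.get("eventTime") or event.get("time"),
        "eventSource": detail.get("eventSource"),
        "eventName": event_name,
        "sourceIPAddress": detail.get("sourceIPAddress"),
        "userAgent": detail.get("userAgent"),
        # responseElements / additionalEventData may be null in CloudTrail records
        "consoleLoginResult": (detail.get("responseElements") or {}).get("ConsoleLogin"),
        "mfaUsed": (detail.get("additionalEventData") or {}).get("MFAUsed"),
    }
    return subject, json.dumps(summary, indent=2, default=str)


def lambda_handler(event, context, publish=None):
    """Lambda entry point. `publish(subject, body)` is an injectable sender (assumed for testing);
    when omitted the function publishes to SNS_ARN with boto3."""
    if not is_root_activity(event):
        logger.debug("Ignoring non-root event %s", event.get("detail", {}).get("eventName"))
        return None
    subject, body = build_notification(event)
    if publish is None:
        import boto3  # only needed inside Lambda

        sns = boto3.client("sns")

        def publish(s, b):
            sns.publish(TopicArn=SNS_ARN, Subject=s, Message=b)

    publish(subject, body)
    logger.info("Published root-activity notification: %s", subject)
    return {"subject": subject, "message": body}


# Constructed sample events in the shape EventBridge delivers CloudTrail records (not real captures).
_COMMON = {"account": "123456789012", "region": "us-east-1", "time": "2024-01-01T12:00:00Z"}
ROOT_CONSOLE_LOGIN = dict(_COMMON, **{
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventTime": "2024-01-01T12:00:00Z",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "Mozilla/5.0",
        "recipientAccountId": "123456789012",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
})
ROOT_API_CALL = dict(_COMMON, **{
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10",
        "recipientAccountId": "123456789012", "responseElements": None,
    },
})
IAM_USER_API_CALL = dict(_COMMON, **{
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
               "userIdentity": {"type": "IAMUser", "userName": "alice"}},
})

if __name__ == "__main__":
    sent = []
    for ev in (ROOT_CONSOLE_LOGIN, ROOT_API_CALL, IAM_USER_API_CALL):
        lambda_handler(ev, None, publish=lambda s, b: sent.append((s, b)))
    for subject, body in sent:
        print(subject, body, sep="\n")
```

Run locally with `python root_activity.py`; only the two root events produce notifications. The subject is truncated to 100 characters because SNS rejects longer subjects, and the nullable CloudTrail fields are guarded so a failed sign-in or an API call without `responseElements` does not crash the handler.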
An earlier version of the code appeared in this blog post by Sudhanshu Malhotra:
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
The code was subsequently revised by Jeffrey S. Levine.
NOTE FOR CLOUDFORMATION STACKSETS: If you intend to deploy this template as part of a CloudFormation StackSet, keep the StackSet name short. The resource names are derived from the stack name, so a long StackSet name pushes them past the 64-character limit and the deployment fails.