Quick Fix: Enable Monitoring of IAM Administrative Actions

Outcome

IAM administrative actions will be monitored via an EventBridge rule that matches CloudTrail events. When someone creates, modifies, or deletes IAM policies, roles, users, or groups, the rule triggers and sends a notification to an SNS topic so your team can investigate potential privilege escalation.

For example, after applying this fix:

• An AttachRolePolicy call granting AdministratorAccess to a role will trigger a notification
• A CreateUser or PutUserPolicy call made outside normal change windows will be flagged for review

Prerequisites

This fix requires a CloudTrail trail with logging enabled. CloudTrail automatically sends management events to the default EventBridge event bus when a trail is active.

You can check for an existing trail:

aws cloudtrail describe-trails \
  --query 'trailList[*].{Name:Name,IsLogging:IsLogging}' \
  --output table

If no trails appear or none show IsLogging: True, create and start a trail before proceeding.

Fix

Step 1: Set configuration variables

# Email address to receive notifications
ALERT_EMAIL="security-team@example.com"

Step 2: Create an SNS topic for notifications

SNS_TOPIC_ARN=$(aws sns create-topic \
  --name IAMAdminActions-Alerts \
  --query 'TopicArn' --output text)

echo "Created SNS topic: ${SNS_TOPIC_ARN}"

# Subscribe an email endpoint
aws sns subscribe \
  --topic-arn "${SNS_TOPIC_ARN}" \
  --protocol email \
  --notification-endpoint "${ALERT_EMAIL}"

Check the inbox for ALERT_EMAIL and confirm the subscription -- notifications won't be delivered until confirmed.

Step 3: Create an EventBridge rule for IAM admin actions

This rule matches CloudTrail events for IAM policy and principal management actions on the default event bus:

aws events put-rule \
  --name IAMAdminActions \
  --description "Matches IAM administrative actions to detect unauthorized privilege escalation" \
  --event-pattern '{
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
      "eventName": [
        "CreateUser", "DeleteUser",
        "CreateRole", "DeleteRole",
        "CreateGroup", "DeleteGroup",
        "CreatePolicy", "DeletePolicy",
        "CreatePolicyVersion", "DeletePolicyVersion",
        "AttachUserPolicy", "DetachUserPolicy",
        "AttachRolePolicy", "DetachRolePolicy",
        "AttachGroupPolicy", "DetachGroupPolicy",
        "PutUserPolicy", "DeleteUserPolicy",
        "PutRolePolicy", "DeleteRolePolicy",
        "PutGroupPolicy", "DeleteGroupPolicy"
      ]
    }
  }'

Step 4: Grant EventBridge permission to publish to the SNS topic

EventBridge needs permission to send notifications to the SNS topic. Add a resource-based policy to the topic:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
REGION=$(aws configure get region)

aws sns set-topic-attributes \
  --topic-arn "${SNS_TOPIC_ARN}" \
  --attribute-name Policy \
  --attribute-value '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowEventBridgePublish",
        "Effect": "Allow",
        "Principal": {
          "Service": "events.amazonaws.com"
        },
        "Action": "sns:Publish",
        "Resource": "'"${SNS_TOPIC_ARN}"'",
        "Condition": {
          "ArnEquals": {
            "aws:SourceArn": "arn:aws:events:'"${REGION}"':'"${ACCOUNT_ID}"':rule/IAMAdminActions"
          }
        }
      }
    ]
  }'

Step 5: Add the SNS topic as a target for the rule

aws events put-targets \
  --rule IAMAdminActions \
  --targets "Id=IAMAdminActionsSNS,Arn=${SNS_TOPIC_ARN}"

Verify the fix

Confirm the rule and target are in place:

# Check the rule
aws events describe-rule \
  --name IAMAdminActions \
  --query '{Name:Name,State:State,EventPattern:EventPattern}' \
  --output table

# Check the target
aws events list-targets-by-rule \
  --rule IAMAdminActions \
  --query 'Targets[*].{Id:Id,Arn:Arn}' \
  --output table

The rule state should show ENABLED.

References

• AWS: CloudTrail events delivered via EventBridge
• AWS: IAM events in EventBridge
• AWS: Creating CloudWatch alarms for CloudTrail events -- alternative approach using CloudWatch Logs metric filters

Gotcha

This rule matches IAM admin actions broadly -- it will fire for legitimate changes too (e.g. deployments that modify IAM policies). If your team makes frequent IAM changes, you can refine the event pattern to exclude specific principals by adding a "userIdentity.arn" condition with "anything-but" matching. Start with the broad filter and tune based on what you observe.

Also, the SNS email subscription must be confirmed before any notifications are delivered. If the rule fires before confirmation, those notifications are silently dropped.

---

Last update: February 5, 2026