Ensure AWS CloudTrail events are being monitored with CloudWatch Logs for management and security purposes. This enables you to respond quickly to critical operational events recorded by CloudTrail and captured in CloudWatch Logs.
With the CloudTrail - CloudWatch integration enabled you will be able to manage your AWS infrastructure better. For example, you can receive an SNS notification whenever an authorization failure occurs in your AWS account, giving you finer control over user access to the account. Note: this procedure assumes that you already have one or more working CloudTrail trails created in your AWS account.
To determine if CloudWatch integration is enabled, perform the following:
Step 1: Create a custom log group for the selected CloudTrail trail in order to enable AWS CloudWatch monitoring:
Step 2: Create a Simple Notification Service (SNS) topic in order to send notifications whenever the CloudWatch alarm fires based on a selected CloudTrail log event:
Step 3: Create AWS CloudWatch metric filters, metrics and alarms to receive SNS notifications and take immediate action. The scenario used here assumes that you need to receive an SNS notification whenever an authorization failure occurs in your AWS account:
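The following is an added example, not part of the original procedure: it dry-runs the Step 3 metric filter locally against constructed CloudTrail records, so the filter pattern can be checked before it is deployed, and assembles the request parameters for the filter and alarm from Steps 1 to 3. The log group name, metric name, namespace and SNS topic ARN are assumptions chosen for the example.

```python
import fnmatch
import re

# CloudWatch Logs JSON filter pattern for CloudTrail authorization failures
# (matches e.g. Client.UnauthorizedOperation and AccessDeniedException).
FILTER_PATTERN = ('{ ($.errorCode = "*UnauthorizedOperation") || '
                  '($.errorCode = "AccessDenied*") }')
_CLAUSE = re.compile(r'\(\$\.(\w+) = "([^"]*)"\)')

def matches_filter(event: dict, pattern: str = FILTER_PATTERN) -> bool:
    """Evaluate an OR-of-equality JSON filter pattern ('*' is a wildcard)
    against one CloudTrail record, as CloudWatch Logs would."""
    for field, glob in _CLAUSE.findall(pattern):
        value = event.get(field)
        if isinstance(value, str) and fnmatch.fnmatchcase(value, glob):
            return True
    return False

def metric_filter_params(log_group: str) -> dict:
    """Request parameters for logs.put_metric_filter (boto3 names; assumed values)."""
    return {
        "logGroupName": log_group,
        "filterName": "AuthorizationFailures",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{"metricName": "AuthorizationFailureCount",
                                   "metricNamespace": "CloudTrailMetrics",
                                   "metricValue": "1"}],
    }

def alarm_params(sns_topic_arn: str) -> dict:
    """Request parameters for cloudwatch.put_metric_alarm: alarm when the
    metric sums to >= 1 in a 5-minute period and notify the Step 2 topic."""
    return {
        "AlarmName": "CloudTrail-AuthorizationFailures",
        "MetricName": "AuthorizationFailureCount",
        "Namespace": "CloudTrailMetrics",
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
        "Threshold": 1, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "AlarmActions": [sns_topic_arn],
    }

# Constructed sample CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventName": "ListBuckets"},  # successful call carries no errorCode
    {"eventName": "RunInstances", "errorCode": "InstanceLimitExceeded"},
]

def count_failures(events=SAMPLE_EVENTS) -> int:
    """Number of records the metric filter would count (2 for the samples)."""
    return sum(matches_filter(e) for e in events)
```

Only the two records with an authorization-failure error code are counted; a successful call (no errorCode) and an unrelated service error are ignored, which is what the filter pattern must do so that the alarm does not fire on ordinary API errors.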