CloudWatch can capture AWS sign-in events, and you can configure a response using either Alarms or Rules.
Alarms can keep track of the number of failed logins, but Rules are useful when you need an immediate response or when you forward events to an external SIEM system.
There is a great article from TrendMicro on how to configure CloudWatch Alarms. In this post I will explain how to configure CloudWatch Rules.
- A Rule needs to be configured only in the us-east-1 region to capture Sign-in events.
- A Rule needs to be configured in every account in AWS Organizations (even with CloudTrail logging to a central location, CloudWatch cannot catch the events from another account). You can create a target per rule per account, or push the events to the Event Bus of the Master or a Shared account and configure the target there.
- Click “Create Rule”.
- Configure the same rule in the other accounts, either creating an SNS topic as the target or pushing the event to the Event Bus in the Master or Shared account.
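As an added example (not code from the original post), here is the event pattern such a rule would use to forward failed console sign-ins, together with a small matcher run over constructed sample events so you can see which ones the rule would hand to its target. The `source` and `detail-type` values are the ones CloudTrail-delivered sign-in events carry; the account ID, user names and the matcher itself are assumptions for the demonstration.

```python
import json

# Rule event pattern for console sign-ins delivered via CloudTrail.
# The responseElements filter narrows the rule to failed logins only.
FAILED_SIGNIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "responseElements": {"ConsoleLogin": ["Failure"]},
    },
}

def matches(pattern, event):
    """Simplified CloudWatch Events matching (assumed semantics): every key
    in the pattern must exist in the event; a list means 'the event value is
    one of these'; a nested dict recurses. Keys not in the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

# Constructed sample events in the envelope a rule target receives
# (account ID and user names are placeholders, not real data).
SAMPLE_EVENTS = [
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "account": "111111111111", "region": "us-east-1",
     "detail": {"eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "responseElements": {"ConsoleLogin": "Success"}}},
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "account": "111111111111", "region": "us-east-1",
     "detail": {"eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "responseElements": {"ConsoleLogin": "Failure"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "account": "111111111111", "region": "us-east-1",
     "detail": {"eventName": "RunInstances"}},
]

def failed_signins(events, pattern=FAILED_SIGNIN_PATTERN):
    """Return the user names the rule would forward to its target."""
    return [e["detail"]["userIdentity"]["userName"]
            for e in events if matches(pattern, e)]

if __name__ == "__main__":
    print(json.dumps(FAILED_SIGNIN_PATTERN, indent=2))  # paste into the rule's Event Pattern
    print(failed_signins(SAMPLE_EVENTS))  # ['bob']
```

Dropping the `responseElements` key from the pattern makes the same rule forward every console sign-in, which is the variant to use when the SIEM does its own success/failure correlation.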
In summary, a Sign-in event Rule lets you perform operations based on the event details and helps you build the workflow you need.