Skip to main content

Configure Real-Time Rule Alerts

  • Updated

Real-Time Rule Alerts monitors events in your AWS Accounts to constantly review Rule compliance. This allows Stax to alert on changes and non-compliance within minutes of them occurring.

If your AWS accounts are Stax-managed, Stax takes care of this for you. This guidance assumes you're subscribed to only the Stax Cost & Compliance module. Your organization's AWS accounts must be part of a Stax Cost & Compliance Enterprise subscription to access Real-Time Rule Alerts.

To enable Real-Time Rule Alerts in your AWS Accounts, you must first deploy some configuration allowing Stax Cost & Compliance to access your CloudTrail logs.

Before you Begin

  • Estimated time to complete: 15 minutes
  • Ensure you are a member of the Admin role in your Stax tenancy
  • Ensure you have appropriate access to each AWS Account that receives CloudTrail events into an S3 bucket
  • Retrieve the latest Real-Time Rule Alerts IAM role CloudFormation template

Retrieve your Stax Cost & Compliance External ID. If you do not already know this, please raise a support case and the Stax support team will provide it to you

Configure your CloudTrail S3 Buckets

For each AWS account in your organization that receives CloudTrail logs, you must perform the configuration below. If your AWS accounts are Stax-managed, this is typically your logging account only.

  1. Log in to the AWS account. Stax platform users can do this via the Stax Console

  2. Browse to the S3 Console and locate then open the S3 bucket containing CloudTrail logsset-up-real-time-rule-alerts-0.png

  3. On the S3 bucket's properties page, scroll down to find the Events card. Click it to see configured event notifications for the S3 bucketset-up-real-time-rule-alerts-1.pngset-up-real-time-rule-alerts-2.png

  4. Choose Add Notification and complete the form using the details below, then choose Save

    Parameter Value
    Name StaxRTRNotification
    Events All object create events
    Prefix (blank)
    Suffix (blank)
    Send to SNS Topic
    SNS Topic ARN arn:aws:sns:<your-cloudtrail-region>:228473277269:cloudtrail-receiver-external-prod
    In the SNS Topic ARN above, ensure you enter the correct region for your CloudTrail S3 bucket.

    If you receive an error when attempting to save the Notification, see Troubleshooting for more information.

  5. Stax needs permission to see the contents of the CloudTrail S3 bucket. To configure this, deploy the Real-Time Rule Alerts IAM role CloudFormation template you retrieved earlier using AWS CloudFormation. When prompted for parameters, enter the following values:

    Parameter Value
    Stack name RealTimeRuleAlertsRoleStack
    Stax-provided External ID The external ID you retrieved in the Before you Begin steps
    StaxEnvironment prod
    CloudTrailBucketName The name of the S3 bucket you configured the event notification on earlier
    set-up-real-time-rule-alerts-3.png

Troubleshooting

Configurations overlap. Configurations on the same bucket cannot share a common event type

S3 buckets only support one event of each type on each S3 bucket. If you already have a notification for the All object create events event configured on your CloudTrail S3 bucket, you won't be able to complete the steps required to configure Real-Time Rule Alerts.

set-up-real-time-rule-alerts-5.png

If you continue to experience issues, please raise a support case.

Was this article helpful?
0 out of 0 found this helpful

Related articles