Monitoring Security Groups with Amazon CloudWatch Events

57 minutes 10 Credits

SPL-138 - Version 2.1.6

© 2019 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.

Amazon EC2 security groups are an important control for restricting access to your AWS infrastructure. To improve the effectiveness of this control, you can go one step further and monitor the API calls that change a security group's configuration. In this lab you will learn how to use Amazon CloudWatch Events with AWS CloudTrail and an AWS Lambda function to monitor the API calls that add or revoke ingress permissions on an EC2 security group (AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress). The Lambda function is triggered whenever one of these calls is recorded by CloudTrail. If the resulting ingress rule configuration differs from the one coded in the function, the function writes a notification to Amazon CloudWatch Logs. Note that the event is delivered after the API call has already succeeded, so this is a detective control: it reports an unwanted change after the fact rather than preventing it.

Topics Covered

By the end of this lab, you will be able to:

  • Upload an AWS Lambda function that will be used as a target for a CloudWatch Events rule.
  • Create a CloudWatch Events rule associated with the Lambda function that looks for API calls that can change the ingress ports of a security group.
  • Modify the security group to trigger the Lambda function.
  • Observe the results in Amazon CloudWatch Logs.
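The following is an added example of what the pieces above fit together into; it is not the lab's solution code. It shows the CloudWatch Events rule pattern for the two ingress API calls, a Lambda handler that reads the security group's state after the change and compares it with a hard-coded approved rule set, and the log record it writes when the two differ. The approved rules in EXPECTED_INGRESS, the event pattern in EVENT_PATTERN, the SAMPLE_EVENT and the FakeEC2 stand-in for the boto3 client are all assumptions made so that the module runs offline; inside Lambda the handler falls back to a real EC2 client.

```python
# Added example, not the lab's solution code: Lambda target for a CloudWatch Events
# rule on security-group ingress changes. EXPECTED_INGRESS, EVENT_PATTERN,
# SAMPLE_EVENT and FakeEC2 are assumptions so the module runs offline.
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Event pattern for the rule: CloudTrail-recorded EC2 calls that add or revoke ingress.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"],
    },
}

# Approved ingress (assumed): HTTPS from anywhere, SSH only from a bastion subnet.
# Tuple layout: (protocol, from_port, to_port, source CIDR or group id).
EXPECTED_INGRESS = {
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "10.0.0.0/24"),
}

def normalize(ip_permissions):
    """Flatten EC2 IpPermissions into (protocol, from_port, to_port, source) tuples."""
    rules = set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        # Protocol "-1" (all traffic) carries no port fields; treat it as the full
        # range so an 'allow everything' rule compares as the widest rule, not as nothing.
        from_port = perm.get("FromPort", 0)
        to_port = perm.get("ToPort", 65535)
        for r in perm.get("IpRanges", []):
            rules.add((proto, from_port, to_port, r["CidrIp"]))
        for g in perm.get("UserIdGroupPairs", []):
            rules.add((proto, from_port, to_port, g["GroupId"]))
    return rules

def diff_ingress(actual, expected=EXPECTED_INGRESS):
    """Return (unexpected, missing): present but not approved, approved but absent."""
    return actual - expected, expected - actual

def matches_rule(event, pattern=EVENT_PATTERN):
    """Minimal matcher for exact-value event patterns (allowed-value lists, nested dicts)."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_rule(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True

def lambda_handler(event, context, ec2=None):
    """Entry point; `ec2` can be injected for offline runs, otherwise boto3 is used."""
    if ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    detail = event["detail"]
    group_id = detail["requestParameters"]["groupId"]
    # The event arrives after the call succeeded, so read the resulting state from
    # the API instead of trusting the request parameters carried in the event.
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    unexpected, missing = diff_ingress(normalize(resp["SecurityGroups"][0]["IpPermissions"]))
    result = {
        "groupId": group_id,
        "eventName": detail["eventName"],
        "caller": detail.get("userIdentity", {}).get("arn"),
        "unexpectedRules": sorted(unexpected),
        "missingRules": sorted(missing),
    }
    if unexpected or missing:
        logger.warning("Security group ingress drift: %s", json.dumps(result))
    else:
        logger.info("Security group %s matches expected ingress", group_id)
    return result

# Constructed sample event: a user authorizes SSH from the whole internet.
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
}

class FakeEC2:
    """Stand-in for the boto3 EC2 client; returns the group's post-change state."""

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
        ]}]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    if matches_rule(SAMPLE_EVENT):
        print(json.dumps(lambda_handler(SAMPLE_EVENT, None, ec2=FakeEC2()), indent=2))
```

Run stand-alone, the module feeds the constructed event through the handler against the fake client and prints a result whose unexpectedRules lists the 0.0.0.0/0 SSH rule. The handler deliberately re-reads the group with describe_security_groups rather than diffing the request parameters in the event: a RevokeSecurityGroupIngress call that removes an approved rule shows up only as a missing rule in the live state, and comparing sets of normalized tuples catches both directions with the same code.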

Technical knowledge prerequisites

To successfully complete this lab, you should be familiar with EC2 security groups. Python programming skills are helpful, although the full solution code is provided. It would also be helpful to have taken the Introduction to AWS Lambda lab.

Other AWS services

AWS services other than those needed for this lab are disabled by IAM policy during your access time in this lab. In addition, the capabilities of the services used in this lab are limited to what's required by the lab and in some cases are even further limited as an intentional aspect of the lab design. You should expect errors when accessing other services or performing actions beyond those provided in this lab guide.

Start Lab

  1. At the top of your screen, launch your lab by clicking Start Lab

This will start the process of provisioning your lab resources. An estimated amount of time to provision your lab resources will be displayed. You must wait for your resources to be provisioned before continuing.

If you are prompted for a token, use the one distributed to you (or credits you have purchased).

  2. Open your lab by clicking Open Console

This will automatically log you into the AWS Management Console.

Please do not change the Region unless instructed.

Common login errors

Error : Federated login credentials

If you see this message:

  • Close the browser tab to return to your initial lab window
  • Wait a few seconds
  • Click Open Console again

You should now be able to access the AWS Management Console.

Error: You must first log out

If you see the message, You must first log out before logging into a different AWS account:

  • Click the click here link
  • Close your browser tab to return to your initial Qwiklabs window
  • Click Open Console again
