AWS CloudWatch Events trigger SNS on STS role assuming for cross account

Submitted by 我与影子孤独终老i on 2021-01-28 06:18:19

Question


I have a cross-account architecture and I'm setting up a CloudWatch event for the STS role assuming into another account. I have CloudTrail enabled on the account; the logs from CloudTrail are stored in a separate account's S3 bucket. The SNS feeds into SES to send an email upon assumption.

For some reason, this event pattern won't trigger when the role is assumed! Any ideas?

{
  "source": [
    "aws.sts"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": ["sts.amazonaws.com"],
    "eventName": ["AssumeRole"],
    "requestParameters": {
      "roleArn": ["arn:aws:iam::1111111111:role/RoleName"]
    }
  }
}

Answer 1:


For anyone looking at this in the future...

IAM lives in the N. Virginia region! Make sure to audit the logs there for STS
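The following is an added example, not code from the question, the answer or AWS. It reproduces the two things a defender needs to check before trusting a rule like the one in the question: whether the event pattern actually matches the CloudTrail record (implemented here as a small matcher following EventBridge's "each pattern leaf is a list of allowed values" semantics), and whether the rule is deployed in the region where the event is delivered. Calls to the global STS endpoint are recorded by CloudTrail with `awsRegion` `us-east-1`, which is why a rule created in another region never fires. The account id, role name, session name and event id below are constructed placeholders, and `first_mismatch` / `rule_would_fire` are names chosen for this example.

```python
import copy

# Rule pattern from the question, with a constructed 12-digit placeholder account id.
ASSUME_ROLE_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {
            "roleArn": ["arn:aws:iam::111111111111:role/RoleName"]
        },
    },
}

# Constructed sample of the envelope EventBridge builds around a CloudTrail record.
# STS calls through the global endpoint are logged in us-east-1, so both the envelope
# "region" and detail.awsRegion read us-east-1 regardless of where the caller ran.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.sts",
    "account": "222222222222",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.05",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "awsRegion": "us-east-1",
        "requestParameters": {
            "roleArn": "arn:aws:iam::111111111111:role/RoleName",
            "roleSessionName": "deploy-session",
        },
    },
}


def first_mismatch(pattern, event, path=""):
    """Return a human-readable reason the event fails the pattern, or None if it matches.

    Implements the subset of EventBridge matching used by the question's rule:
    every key in the pattern must exist in the event, a list leaf means "the event
    value must equal one of these", and a dict recurses. Extra event keys are ignored.
    """
    for key, expected in pattern.items():
        here = f"{path}.{key}" if path else key
        if key not in event:
            return f"{here}: missing from event"
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict):
                return f"{here}: expected an object, got {type(actual).__name__}"
            nested = first_mismatch(expected, actual, here)
            if nested:
                return nested
        elif isinstance(expected, list):
            if actual not in expected:
                return f"{here}: {actual!r} not in {expected!r}"
        else:
            raise TypeError(f"{here}: pattern leaves must be lists of allowed values")
    return None


def matches(pattern, event):
    return first_mismatch(pattern, event) is None


def rule_would_fire(pattern, event, rule_region):
    """Rules are regional: the event must be delivered in the rule's region AND match."""
    delivered_in = event.get("region")
    if delivered_in != rule_region:
        return False, f"event delivered in {delivered_in}, rule lives in {rule_region}"
    reason = first_mismatch(pattern, event)
    if reason:
        return False, reason
    return True, "pattern matched"


def with_role_arn(event, role_arn):
    """Copy of the event with a different roleArn, for testing the matcher."""
    clone = copy.deepcopy(event)
    clone["detail"]["requestParameters"]["roleArn"] = role_arn
    return clone


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        fired, why = rule_would_fire(ASSUME_ROLE_PATTERN, SAMPLE_EVENT, region)
        print(f"rule in {region}: fires={fired} ({why})")
    other = with_role_arn(SAMPLE_EVENT, "arn:aws:iam::111111111111:role/OtherRole")
    print("wrong role:", first_mismatch(ASSUME_ROLE_PATTERN, other))
```

Running it shows the rule firing only when evaluated in us-east-1, and `first_mismatch` pointing at `detail.requestParameters.roleArn` when a different role is assumed. The same region caveat applies in reverse: calls made through a regional STS endpoint (for example `sts.eu-west-1.amazonaws.com`) are logged in that region, so an organization using regional endpoints needs the rule in each region it allows, not just N. Virginia.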



Source: https://stackoverflow.com/questions/50004568/aws-cloudwatch-events-trigger-sns-on-sts-role-assuming-for-cross-account
