You can track every change made to your AWS account with CloudTrail. Did you know that you can also monitor your AWS account in near real time with custom rules specific to your use case?

By combining CloudTrail, S3, SNS, and Lambda, you can run a piece of code to check the API activity in your account. Because of the reporting frequency of CloudTrail, this will happen approximately every 5 minutes. This post explains how to deploy a solution to monitor your EC2 instance tags for suspicious behavior.

The following figure shows how this works at a high level.

Let’s look at a concrete example.

What is suspicious behavior?

CloudTrail records a great deal of API activity; your job is to decide which of that activity is suspicious. Here are a few ideas:

A security group was changed to open a port to the outside world (0.0.0.0/0).

An IAM user was created outside of regular business hours.

An EC2 instance was started without following your company’s tag schema (for example, you may mark technical ownership, cost ownership, and so on).

The example that follows implements the idea of EC2 instance tag monitoring.
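As an added example (not the post's own code), the detection logic such a Lambda function could apply to one CloudTrail log file after the S3/SNS notification arrives: it flags RunInstances calls whose tags miss the required keys (assumed here to be Owner and CostCenter) and AuthorizeSecurityGroupIngress calls that open a port to 0.0.0.0/0. The sample log is constructed inline so the check runs offline; the real function would fetch the gzipped log object named in the S3 event first.

```python
import json

# Tag keys every instance must carry (assumed schema; the post names only
# technical and cost ownership as examples).
REQUIRED_TAG_KEYS = {"Owner", "CostCenter"}

def missing_instance_tags(record):
    """Required tag keys absent from a RunInstances record; empty set otherwise.
    CloudTrail stores launch tags under requestParameters.tagSpecificationSet."""
    if record.get("eventName") != "RunInstances":
        return set()
    spec = record.get("requestParameters", {}).get("tagSpecificationSet", {})
    present = {tag.get("key")
               for item in spec.get("items", [])
               if item.get("resourceType") == "instance"
               for tag in item.get("tags", [])}
    return REQUIRED_TAG_KEYS - present

def opens_to_world(record):
    """True if an AuthorizeSecurityGroupIngress call allows 0.0.0.0/0."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {})
    return any(rng.get("cidrIp") == "0.0.0.0/0"
               for perm in perms.get("items", [])
               for rng in perm.get("ipRanges", {}).get("items", []))

def find_suspicious(log_text):
    """Scan one CloudTrail log file (its JSON text); return (event, reason) pairs."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        missing = missing_instance_tags(rec)
        if missing:
            findings.append((rec["eventName"], "missing tags: " + ", ".join(sorted(missing))))
        if opens_to_world(rec):
            findings.append((rec["eventName"], "ingress from 0.0.0.0/0"))
    return findings

# Constructed sample log: one launch missing CostCenter, one world-open SSH rule.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "RunInstances", "requestParameters": {"tagSpecificationSet": {
        "items": [{"resourceType": "instance", "tags": [{"key": "Owner", "value": "alice"}]}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "requestParameters": {"ipPermissions": {
        "items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                   "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}]})

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

Each finding is what the function would publish to an SNS topic for an operator to review.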