5. Region Compliance


The customer is required to store data in a specific geographic region (e.g. Sydney) and needs to ensure that resources which hold and process data, such as EC2 instances and S3 buckets, are NOT created outside the Sydney region, and to be notified if such an event occurs.

Note: This lab builds on CloudTrail. Please complete it after the “CloudTrail Automation” lab.

Create a log group in CloudWatch

Note: Refer to “CloudTrail Automation” and use the same region as the trail you created there.

  • Open the CloudWatch console
  • In the navigation pane, choose Logs
  • Choose Actions, Create log group
  • Type a name for the log group, and choose Create log group

Configure CloudTrail to send events to CloudWatch Logs

Note: Use the same trail you used in “CloudTrail Automation”.

  • Open the AWS CloudTrail console
  • Choose the trail name (as configured in CloudTrail Automation)
  • For CloudWatch Logs choose Configure
  • For New or existing log group, type the log group name, and then choose Continue
  • For the IAM role, choose Create a new IAM Role and provide a role name or accept the default
  • Choose Allow to grant CloudTrail permissions to create a CloudWatch Logs log stream and deliver events

Create a metric filter on the CloudWatch Logs log group to detect S3 buckets created outside the desired region

  • Open the CloudWatch console
  • In the navigation pane, choose Logs
  • In the contents pane, select the log group created above, and then choose Create Metric Filter
  • On the Define Logs Metric Filter screen, under Define pattern, use this pattern:
{ ($.eventSource = s3.amazonaws.com) && ($.eventName = CreateBucket) && ($.awsRegion != ap-southeast-1) }
  • Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, for Filter Name, type S3-RegionCompliance
  • Under Metric Details
    • Metric Namespace: MyNameSpace
    • Metric Name: S3-RegionCompliance
    • Metric Value: 1
  • Choose Create Filter
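The metric filter above only fires for CreateBucket calls whose awsRegion differs from the allowed region, and each match contributes a metric value of 1. The following stand-alone Python script is an added example (not AWS code and not part of the original lab): it implements a small evaluator for the subset of CloudWatch Logs filter-pattern syntax the lab uses ($.field selectors, = and != with * wildcards, &&, || and parentheses) and runs the lab's pattern over a few constructed CloudTrail-style records. It also generalises the pattern to any allowed region and any event source, e.g. EC2 RunInstances, which the requirement above also mentions. Note that the region code in the lab's pattern, ap-southeast-1, is Singapore; Sydney is ap-southeast-2, and the example shows how the count of violations changes when the region code is corrected. The handling of missing fields (a missing field never satisfies = and always satisfies !=) is an assumption of this evaluator, not a statement about the AWS implementation.

```python
"""Simplified CloudWatch Logs filter-pattern evaluator for CloudTrail records.

Added example for the Region Compliance lab; not AWS code. Supports only the
pattern subset used in the lab: $.field selectors, = and != (with * wildcards),
&&, || and parentheses.
"""
import fnmatch
import json
import re

# Pattern copied from the lab (ap-southeast-1 is Singapore; Sydney is ap-southeast-2).
LAB_PATTERN = ("{ ($.eventSource = s3.amazonaws.com) && ($.eventName = CreateBucket)"
               " && ($.awsRegion != ap-southeast-1) }")

# Order matters: '!=' before '=', '&&' and '||' before the generic word token.
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||!=|=|"[^"]*"|[^\s()=!&|]+)')


def tokenize(pattern):
    """Strip the outer braces and split the pattern into tokens."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    return TOKEN_RE.findall(body)


class _Parser:
    """Recursive descent: expr := term ('||' term)*; term := factor ('&&' factor)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        selector, op, value = self.take(), self.take(), self.take()
        if not selector or not selector.startswith("$."):
            raise ValueError(f"expected a $.selector, got {selector!r}")
        if op not in ("=", "!=") or value is None:
            raise ValueError(f"unsupported comparison {selector} {op} {value}")
        return ("cmp", selector[2:].split("."), op, value.strip('"'))


def _lookup(record, path):
    """Walk a dotted selector path through nested dicts; None if absent."""
    node = record
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _eval(node, record):
    if node[0] == "or":
        return _eval(node[1], record) or _eval(node[2], record)
    if node[0] == "and":
        return _eval(node[1], record) and _eval(node[2], record)
    _, path, op, value = node
    actual = _lookup(record, path)
    # Assumption: a missing field never satisfies '=' and always satisfies '!='.
    hit = actual is not None and fnmatch.fnmatchcase(str(actual), value)
    return hit if op == "=" else not hit


def matches(pattern, record):
    """True if the CloudTrail record (a dict) satisfies the filter pattern."""
    return _eval(_Parser(tokenize(pattern)).parse(), record)


def region_compliance_pattern(allowed_region, event_source="s3.amazonaws.com",
                              event_name="CreateBucket"):
    """Build the lab's pattern for any allowed region / API call (hypothetical helper)."""
    return (f"{{ ($.eventSource = {event_source}) && ($.eventName = {event_name})"
            f" && ($.awsRegion != {allowed_region}) }}")


def count_violations(pattern, log_lines):
    """Sum of metric value 1 per matching line, as the metric filter would emit."""
    return sum(1 for line in log_lines if matches(pattern, json.loads(line)))


# Constructed CloudTrail-style records, trimmed to the fields the pattern reads.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
                "awsRegion": "ap-southeast-2", "requestParameters": {"bucketName": "demo-sydney"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
                "awsRegion": "us-east-1", "requestParameters": {"bucketName": "demo-virginia"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "awsRegion": "us-east-1"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "eu-west-1"}),
]

if __name__ == "__main__":
    print("lab pattern (ap-southeast-1):", count_violations(LAB_PATTERN, SAMPLE_LOG_LINES))
    print("Sydney pattern (ap-southeast-2):",
          count_violations(region_compliance_pattern("ap-southeast-2"), SAMPLE_LOG_LINES))
```

Running the script shows the lab's pattern flagging the Sydney bucket as a violation (because ap-southeast-1 is not Sydney) while the corrected pattern flags only the us-east-1 bucket; the same helper produces an EC2 RunInstances filter you could attach as a second metric filter on the same log group.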

Create an alarm for the metric filter created above

On the same screen, after the step above:

  • Select Create Alarm
  • On the Alarm Threshold page, for Name type S3-RegionCompliance and provide a description
  • Configure the alarm threshold parameters, Period and Treat Missing Data As using the screenshot below
  • Continue to configure the email alert under Actions (use the screenshot below for reference); in the Actions section select New list
  • For Send notification to, type S3-RegionComplianceAlert and provide the email address on which you want to be notified. Refer to the screenshot below.
  • Ensure that you accept the Subscription Confirmation notification sent to the email address you specified

Verify it works

  • In the AWS Management Console, under Services, select S3
  • Create a new S3 bucket in a region other than the one we are running the workshop in
  • After some time, you should receive an email notification for this event
  • You will also see the CloudWatch alarm for this event