Creating Policy Alerts for AWS

Create custom policies to generate alerts for actions on resources that are specific to your AWS environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Types of AWS Alerts

Understand the most common types of alerts you can generate.

This table summarizes the types of policy alerts available for actions that users and services can take on sensitive AWS resources.

Note:

This table omits Describe actions. These are requests to view a resource. These actions can trigger too many alerts to be practical, unless they’re restricted to particular addresses or users. Similarly, Any action is omitted. Any means that Oracle CASB Cloud Service is to monitor all of the actions that can be taken on a resource, which can be too broad to be practical.
For each resource type, the entry below lists the actions that can be taken on it, followed by a description.

EC2 addresses

  • AllocateAddress. Acquire an elastic IP address.

  • AssignPrivateIPAddresses. Allow AWS to automatically assign an EC2 VPC address.

  • AssociateAddress. Assign one or more secondary private IP addresses to a network interface.

  • DescribeAddresses. Display the configuration information for the address.

  • DisassociateAddress. Disconnect the address from the instance or network interface.

  • ReleaseAddress. Disassociate the address and release it to a public pool, potentially making it unavailable to you.

  • UnassignPrivateIPAddresses. Unassign the IP address.

EC2 addresses are used in the EC2 Classic platform or in a virtual private cloud (VPC). They are secondary private IP addresses in a network interface.

Use these policies when you need to ensure that only authorized users perform these actions.

EC2 image

  • CopyImage. Initiate the copy of an Amazon Machine Image (AMI) from a source region to the current region.

  • DeregisterImage. Deregister an AMI. After deregistration, you can no longer use the AMI to start new instances. Existing instances aren't affected; if you no longer need them, terminate them.

  • DescribeImageAttribute. Show the attribute value, for example, its description, start permissions (who is permitted to start it), or kernel ID.

  • ModifyImageAttribute. Update the attribute value, for example, its description, start permissions (who is permitted to start it), or kernel ID.

  • RegisterImage. Register a new AMI.

  • ResetImageAttribute. Restore the default value of the attribute.

These are Amazon Machine Images (AMIs). These provide the information needed to start an EC2 instance.

You can monitor when users assign or remove the permission to start the image, add or remove products from the image, and make the image private or public.

You can use policies of this type to ensure that only authorized people are managing your images.

EC2 instance

  • BundleInstance. Prepare a customized instance for uploading to an S3 bucket in preparation for starting a new AMI.

  • DescribeInstanceAttribute. View attributes of an instance, for example, the security groups attached to it.

  • DescribeInstances. View basic properties of an instance, for example, the public DNS name, the security group assigned to it, and its profile.

  • ImportInstance. Import a virtual machine (VM) into an EC2 instance.

  • ModifyInstanceAttribute. Modify attributes of an instance, for example, the security groups attached to it.

  • MonitorInstances. Initiate instance monitoring.

  • RebootInstances. Shut down and restart the instance.

  • ReportInstanceStatus. Return the status of a running instance (for example, whether it's stuck or unresponsive).

  • ResetInstanceAttribute. Return attributes of an instance to their default states.

  • RunInstances. Start instances using an AMI.

  • StartInstances. Restart a stopped instance.

  • StopInstances. Shut down an instance without shutting down its root device and other attached devices.

  • TerminateInstances. Shut down an instance, its root device, and other attached devices.

  • UnmonitorInstances. Stop instance monitoring.

These are Amazon virtual servers in EC2. They let you run applications in the Amazon cloud.

You can monitor when users create or modify these virtual servers.

You can use policies of this type to ensure that only authorized people are managing your instances.

EC2 key pair

  • CreateKeyPair. Generate a key pair that allows a user to log in to an EC2 instance.

  • DeleteKeyPair. Delete the key pair.

  • ImportKeyPair. Import keys that you generate using a third-party tool.

These policies let you monitor activity related to keys for authenticating EC2 instances.


EC2 network

  • AttachNetworkInterface. Attach a network interface in an EC2 instance subnet with a primary private IP address and secondary private IP addresses.

  • CreateNetworkACL. Create an access control list (ACL) for an EC2 network.

  • CreateNetworkACLEntry. Create an entry in an ACL for an EC2 network.

  • CreateNetworkInterface. Create a network interface for an EC2 instance.

  • DeleteNetworkACL. Delete an ACL for an EC2 network.

  • DeleteNetworkACLEntry. Delete an inbound or outbound rule from a network ACL.

  • DeleteNetworkInterface. Delete a network interface from an EC2 instance.

  • DetachNetworkInterface. Detach a network interface from an EC2 instance.

  • ModifyNetworkInterfaceAttribute. Modify an attribute of a network interface, for example, whether source or destination checking is turned on for the associated security groups.

  • ReplaceNetworkACLAssociation. Change the network ACL associated with a subnet.

  • ReplaceNetworkACLEntry. Replace a network ACL rule.

  • ResetNetworkInterfaceAttribute. Replace an attribute such as the connection timeout value or the access keys.

These policies let you monitor activity related to creating the network on which EC2 instances run and policies (interfaces and access control lists) that control the traffic into and out of the network.


EC2 reserved instance 

  • CancelReservedInstancesListing. Cancel a listing in the Reserved Instance Marketplace.

  • CreateReservedInstancesListing. Create a listing in the Reserved Instance Marketplace.

  • DescribeReservedInstances. Show the attributes of a purchased reserved instance.

  • DescribeReservedInstancesListings. Describe your account's listings in the Reserved Instance Marketplace.

  • DescribeReservedInstancesOfferings. Describe listings available in the Reserved Instance Marketplace.

  • ModifyReservedInstances. Change the zone, EC2 type (VPC or Classic), or instance type of a reserved instance.

  • PurchaseReservedInstancesOfferings. Purchase a listing in the Reserved Instance Marketplace.

The Reserved Instance Marketplace matches buyers who want additional capacity with people who have excess capacity.

All reserved instances must be identical with the exception of Availability Zone, network platform, and instance type.

Use these policies to monitor reserved instances, including the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your reserved instances.


EC2 route

  • AssociateRouteTable. Associate a subnet with a route table in the same VPC.

  • CreateRoute. Create a route in a route table. The route directs traffic to a destination (for example, an internet gateway or a virtual private gateway).

  • CreateRouteTable. Create a route table for a VPC. The table contains routes and is associated with a subnet.

  • DeleteRoute. Delete a route from a route table. The route directs traffic to a destination (for example, an internet gateway or a virtual private gateway).

  • DeleteRouteTable. Delete a route table for a VPC. The table contains routes and is associated with a subnet.

  • DisableVgwRoutePropagation. Disable a virtual private gateway from sending routes to a VPC's route table.

  • DisassociateRouteTable. Disconnect a route table for a VPC.

  • EnableVgwRoutePropagation. Allow a virtual private gateway to send routes to a VPC's route table.

  • ReplaceRoute. Change a route in a route table.

  • ReplaceRouteTableAssociation. Change the route table for a subnet in a VPC or the main route table for the VPC.

Use these policies to monitor routing in a VPC.

EC2 routes control the flow of traffic on your network. You may want to ensure that only authorized people manage EC2 routes, and that these routes are only open to authorized subnets.

EC2 security group

  • AuthorizeSecurityGroupEgress. Permit EC2 instances to send traffic to one or more destination CIDR IP address ranges. Not applicable to EC2-Classic.

  • AuthorizeSecurityGroupIngress. Permit one or more CIDR IP address ranges to access a security group in an EC2-Classic account. For an EC2-VPC, this permits one or more CIDR IP address ranges or other security groups (also called source groups) to access a security group for your VPC.

  • CreateSecurityGroup. Create a security group.

  • DeleteSecurityGroup. Delete a security group.

  • RevokeSecurityGroupEgress. Revoke a security group.

A security group is a virtual firewall.

These resources control egress (outbound) and ingress (inbound) traffic to EC2 VPCs.

You may want to monitor any tightening or loosening of restrictions on traffic to and from an EC2 instance and make sure that changes are necessary. Also, if a security group isn’t actively being used, then it's best to remove it.

EC2 snapshot

  • CopySnapshot. Duplicate a snapshot.

  • CreateSnapshot. Create a snapshot.

  • DeleteSnapshot. Delete a snapshot.

  • ModifySnapshotAttribute. Add or remove permissions for a snapshot.

  • ResetSnapshotAttribute. Restore default permissions for a snapshot.

You use snapshots for backups, to make copies of EBS volumes, and to save data before shutting down an instance.

Use policies of this type to be sure that these actions are authorized.

Also, your EBS volumes should have snapshots taken at least every few weeks to ensure that systems can be restored easily.

EC2 subnet

  • CreateSubnet. Create a subnet for a VPC.

  • DeleteSubnet. Delete a subnet. Administrators must terminate all running instances in a subnet before deleting it.

An Amazon VPC is an isolated area where you can start AWS resources in a virtual network. A subnet directs traffic in the VPC.

Use this type of policy to ensure that this action is authorized and doesn't create issues with access.

EC2 tags

  • CreateTags. Create a tag for an EC2 resource.

  • DeleteTags. Delete a tag for an EC2 resource.

Tags identify EC2 resources such as Amazon Machine Images (AMIs) and EC2 instances. If your organization uses tags for particularly important resources, then you may want policies that specifically monitor changes to these tags.

EC2 tasks

  • CancelBundleTask. Cancel bundling for a Windows-based instance.

  • CancelConversionTask. Cancel importing an EC2 instance or volume.

  • CancelExportTask. Cancel an export task, along with partially created S3 objects.

  • CancelInstanceExportTask. Cancel export of an EC2 instance to an S3 bucket.

  • CreateInstanceExportTask. Export an EC2 instance to an S3 bucket.

Tasks allow you to run Docker containers in an Amazon EC2 Container Service (ECS).

Some tasks are particularly sensitive. For example, you may want to keep track of people who are exporting your Amazon resources, including S3 objects and buckets. (These are included in an EC2 export.)

EC2 VPC

  • CreateVPC. Create a VPC.

  • DeleteVPC. Delete a VPC.

  • ModifyVPCAttribute. Modify a VPC attribute, for example, the connection timeout, your access keys, or the URL for the web service entry point.

An Amazon VPC is an isolated area where you can start AWS resources in a virtual network.

These actions are highly sensitive. For example, before a user can delete a VPC, they must have detached or deleted all gateways, terminated all instances running in the VPC, deleted all security groups associated with the VPC (except the default one), and deleted all routing tables associated with the VPC (except the default one).

Ensure that these actions are authorized, particularly if this alert appears for different VPCs.

EC2 VPN

  • AttachVPNGateway

  • CreateVPNConnection

  • CreateVPNConnectionRoute

  • CreateVPNGateway

  • DeleteVPNConnection

  • DeleteVPNConnectionRoute

  • DetachVPNGateway

A VPN controls access to your resources. A virtual private gateway is the endpoint on the side of your VPN connection. These gateways control access to your resources.

These policies help you ensure that these actions are necessary and authorized.


EC2 volume

  • AttachVolume. Attach an Elastic Block Store (EBS) volume to an EC2 instance.

  • CreateVolume. Create a volume.

  • DeleteVolume. Delete a volume.

  • DetachVolume. Detach a volume.

  • ImportVolume. Import a volume.

  • ModifyVolumeAttribute. Modify a volume's attributes, for example, its region, access URL, or the connection timeout.

You can use these policies to ensure that an EBS volume was set to encrypt data at rest when it was created.

EBS volumes that are created without encryption can’t be encrypted later.

Ensure that snapshots are taken of this volume at least every few weeks.

IAM account

  • CreateAccountAlias. Create a customized URL to your sign-in page for your AWS account.

  • DeleteAccountAlias. Remove the alias.

  • GetAccountSummary. Get information about IAM entity use and IAM quotas in the account.

  • ListAccountAliases. List the account aliases.

Use this type of policy to be notified whenever this action occurs. Ensure that only authorized people have permission to perform these functions.

IAM certificate

  • DeleteServerCertificate. Delete the server certificate. Deleting the certificate can cause elastic load balancing to stop accepting traffic.

  • GetServerCertificate. List server certificates (Windows).

  • ListServerCertificates. List server certificates.

  • ListSigningCertificates. List signing certificates.

  • UpdateServerCertificate. Replace server certificates.

  • UpdateSigningCertificate. Replace signing certificates.

  • UploadServerCertificate. Upload server certificates.

  • UploadSigningCertificate. Upload a signing certificate and associate it with a user.

X.509 signing certificates permit the user to use the EC2 command line and AMI tools.

Server certificates permit the EC2 server to authenticate and use encrypted transmission.

Use this type of policy to be notified whenever this action occurs. Ensure that only authorized people have permission to perform these functions.

IAM group

  • AddUserToGroup. Add a user to a group. The group's policies (permissions) apply to all users in the group.

  • CreateGroup. Add a group.

  • DeleteGroup. Delete a group.

  • DeleteGroupPolicy. Delete a policy (a set of permissions) from the group.

  • GetGroup. Describe a group.

  • GetGroupPolicy. Describe a policy (a set of permissions) associated with a group.

  • PutGroupPolicy. Add a policy (a set of permissions) to a group.

  • RemoveUserFromGroup. Delete a user from a group.

  • UpdateGroup. Modify the group name or path.

IAM groups are collections of privileges that you can assign to users.

Use this type of policy to ensure that this action is authorized, and the group has only the privileges that its members need.


IAM ID provider

  • CreateSAMLProvider. Create an identity that you can use in a role's trust policy to create trust between AWS and the provider. 

  • DeleteSAMLProvider. Delete the provider's definition.

  • GetSAMLProvider. Get information about a provider.

  • ListSAMLProviders. List providers.

  • UpdateSAMLProvider. Modify a provider.

These actions concern identity providers set up using the Security Assertion Markup Language (SAML). SAML access permits users from external domains (federated users) to access your resources.

Use these policies to be notified when SAML providers are created. Deleting them can also be problematic: when a provider is deleted, the AWS administrator must also remove it manually from any IAM roles that reference it (the provider remains in policies that are attached to a role), and users can't assume any role that references the deleted provider.

IAM MFA device

  • CreateVirtualMFADevice. Create a virtual multi-factor authentication (MFA) device.

  • DeactivateMFADevice. Deactivate an MFA device.

  • EnableMFADevice. Enable an MFA device.

Multifactor authentication (MFA) provides an extra layer of security, protecting against a single lost or stolen authentication credential.

Use this policy when you want to monitor MFA, for example, to be aware of deactivation of an MFA device for sensitive users and roles.

IAM password policy

  • DeletePasswordPolicy. Delete the password rules (policy) for the account.

  • GetPasswordPolicy. Show the password rules (policy) for the account.

  • UpdatePasswordPolicy. Modify the password rules (policy) for the account. 

Use this type of policy to monitor the password policy for the AWS account.

Your password policies help users keep their accounts secure. Ensure that these changes conform to your security requirements.

IAM role

  • AttachRolePolicy. Add access privileges (a policy) for a role.

  • CreateRole. Create an IAM role that can be assigned to a user or group (along with the role's policies).

  • DeleteRole. Delete an IAM role.

  • DeleteRolePolicy. Delete an inline policy.

  • DetachRolePolicy. Remove a policy from a role.

  • PutRolePolicy. Add an inline policy to a role.

  • UpdateAssumeRolePolicy. Modify a policy that allows an entity to use a particular role.

Identity and access management (IAM) roles provide users with access to sensitive resources in your AWS account. Assumed roles give users permission to temporarily acquire privileges that they don’t ordinarily have.

Ensure that new roles and assumed roles are necessary. Also ensure that the user is authorized to perform this action.


IAM user

  • ChangePassword. Update a user's password.

  • ConsoleLoginFailure. A failed login to the AWS administration console.

  • ConsoleLoginSuccess. A login to the AWS administration console.

  • CreateAccessKey. Generate authentication keys for a user. 

  • CreateUser. Add an IAM user.

  • CreateUserPolicy. Create a set of permissions that can be assigned to a user.

  • DeleteAccessKey. Remove the user's access keys. 

  • DeleteUser. Remove the user.

  • GetUserPolicy. Show the user's permissions.

  • PutUserPolicy. Assign a policy to a user.

  • UpdateAccessKey. Replace a user's keys.

  • UpdateUser. Update the user's name or path.

Identity and access management (IAM) users are the people who are authorized to access your AWS account. User policies control what users are allowed to do in AWS.

Use this type of policy to monitor user creation. Typically, only a limited number of people should have access to AWS resources.

S3 bucket

  • Get, put bucket, bucket ACL, or bucket CORS

  • Get, put bucket location, logging, notification, policy, or website

  • Get, put bucket request payment

Amazon Simple Storage Service (S3) saves information in containers known as buckets.

Use these policies to monitor activity related to creating and deleting these buckets. 

Cross-origin resource sharing (CORS) for an S3 bucket opens the bucket to requests from identified locations. For example, this type of sharing can open a bucket at my.example.bucket.com to requests from www.example.com. A policy that monitors for this action can help you identify the recipient of a shared resource and verify both the recipients and the user who is permitting sharing.

S3 object

  • Delete, get, put object or object ACL

This type of policy lets you monitor sensitive objects that you store in S3 buckets (for example, a document with personally identifiable information in it).

Note that for delete actions, the AWS administrator can restore the object if versioning was enabled for it.

Creating an AWS Policy

Follow these general steps for any policy you create to generate an alert for actions in AWS.

Oracle CASB Cloud Service displays an alert in Risk Events whenever an event occurs that matches the policy conditions. Optionally, you can also choose to receive an email notification.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page:
    1. Enter a name for the policy.

      Policy names can only contain the characters a-z, A-Z, 0-9, underscore (_), space ( ) and dash (-). Oracle CASB Cloud Service automatically removes any characters that can't be used in a policy name.

    2. (Optional) Enter a description.
    3. Select a Priority.
    4. If you want policy violations included in user risk score computations, select Include in user risk score.
    5. Click Next.
  4. In the Resource page, make these selections:
    • Application type: Select AWS.

    • Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: The type of resource you want to monitor.

    • Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:

      • Text — then select a comparison from the drop-down list, and enter text in the box below.

      • Regular expression — then enter the regular expression in the box below.

      To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

      Note: Some resources do not have a tag option.

    Go to a topic that follows in this section, which has instructions for the specific actions available on your selected resource, and select the Action on this resource there.

    Continue with the next step below after you have selected the action and clicked Next to proceed to the Username page.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.
  6. (Optional) On the Conditions page, filter your policy so it is triggered only under the conditions that you specify.

    The table below lists the parameters you can configure in the Conditions page of an AWS policy alert.

    Note:

    Some parameters may not be available, depending on your Resource and Action on this resource selections.
    • IP address v4

      Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).

      Value: A comma-separated list of IPv4 addresses.

    • SSH Key Used

      Operator: The drop-down list determines whether you are setting a minimum, maximum, or exact value.

      Value: The number of days SSH keys may be kept before rotating them.

    • Timestamp

      Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame).

      Value: A time in 24-hour HH:MM:SS format.

    • CASB threat intelligence IP reputation

      Operator: Equal to is the only option.

      Value: To flag events from IP addresses with bad or good reputations, select Suspicious for bad reputations or Regular for good reputations.

    • City, State, or Country

      Operator: Equal to requires matching the name you enter in Value. Not Equal to requires not matching the name you enter in Value. In requires matching any one of several names you enter in Value. Not in requires matching none of several names you enter in Value.

      Value: The name of the city, the state or province, or the country in the physical address that's associated with the IP address.

    • Tag

      Operator: Include or exclude this tag (Equal to or Not equal to). Select In or Not in if you want to enter a list of tags. You do not need to repeat a selection of Tag if you already entered tags in an earlier step.

      Value: There are a few ways to specify an AWS tag:

      • As a complete key:value pair for the AWS tag.

      • As a single key name.

      • As a comma-separated list of key names or key:value pairs. The list is treated as a logical OR.

    • Recipient (or Audience)

      Operator: Include or exclude this user (Contains or Does not contain).

      Value: Available for AWS if on the Resources page of the policy wizard you selected S3 resources and the Share action. Takes a string that matches one or more users.

    When you are done, click Next.

  7. Set your notifications:
    • Show a risk event in the Monitor. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in the Risk Events page.

    • Display a recommendation in the risk event. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

    When you are done, click Next.

  8. After reviewing your settings, click Next to submit the policy.
  9. Click Done.
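To make the matching model of the wizard concrete, the following is an added example (not Oracle CASB Cloud Service code) that applies policy conditions of the kinds described above (Resource, Action on this resource including Any, Username, IP address v4 with In/Not in, and Tag as a key, key:value or comma-separated OR list) to constructed CloudTrail-style events. The Policy fields, the event key names and all sample values are assumptions made for this example.

```python
"""Added example, not Oracle CASB Cloud Service code: apply policy conditions of
the kind configured in the wizard (resource, action, username, IP address v4, Tag)
to constructed CloudTrail-style events.  Field names here are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass
class Policy:
    name: str
    resource: str                       # Resource page selection, e.g. "IAM user"
    actions: set                        # Action on this resource; {"Any"} matches all
    username: Optional[str] = None      # Username page filter; None means any user
    ip_operator: Optional[str] = None   # In / Equal to / Not in / Not equal to
    ip_values: str = ""                 # comma-separated list of IPv4 addresses
    tag_operator: Optional[str] = None  # same operator set as IP address v4
    tag_values: str = ""                # key, key:value, or a comma-separated OR list


def parse_list(spec: str) -> list:
    """Split a comma-separated condition value, dropping blanks and whitespace."""
    return [item.strip() for item in spec.split(",") if item.strip()]


def parse_tag_spec(spec: str) -> list:
    """'Owner, Env:prod' -> [('Owner', None), ('Env', 'prod')].
    A bare key matches any value; key:value must match exactly; the list is an OR."""
    items = []
    for item in parse_list(spec):
        key, sep, value = item.partition(":")
        items.append((key.strip(), value.strip() if sep else None))
    return items


def tags_match(spec: str, event_tags: dict) -> bool:
    """True when any item of the tag list matches the event's tags (logical OR)."""
    return any(key in event_tags and (value is None or event_tags[key] == value)
               for key, value in parse_tag_spec(spec))


def ip_match(spec: str, source_ip: str) -> bool:
    """Compare parsed addresses, not raw strings; an unparseable source is 'not in'."""
    try:
        return ip_address(source_ip) in {ip_address(a) for a in parse_list(spec)}
    except ValueError:
        return False


def condition_holds(operator: Optional[str], matched: bool) -> bool:
    """Map the wizard's include/exclude operators onto the result of a match."""
    if operator is None:                # condition not configured on this policy
        return True
    if operator in ("In", "Equal to"):
        return matched
    if operator in ("Not in", "Not equal to"):
        return not matched
    raise ValueError(f"unknown operator {operator!r}")


def matches(policy: Policy, event: dict) -> bool:
    """True when the event satisfies every condition the policy configures."""
    if event["resourceType"] != policy.resource:
        return False
    if "Any" not in policy.actions and event["eventName"] not in policy.actions:
        return False
    if policy.username is not None and event["userName"] != policy.username:
        return False
    ip_ok = condition_holds(policy.ip_operator,
                            ip_match(policy.ip_values, event["sourceIPAddress"]))
    tag_ok = condition_holds(policy.tag_operator,
                             tags_match(policy.tag_values, event.get("tags", {})))
    return ip_ok and tag_ok


def evaluate(policies: list, events: list) -> list:
    """Return (policy name, eventID) pairs: the risk events that would be raised."""
    return [(p.name, e["eventID"]) for e in events for p in policies if matches(p, e)]


# Constructed sample events in a CloudTrail-like shape (not real account data).
EVENTS = [
    {"eventID": "evt-1", "eventName": "DeleteUser", "resourceType": "IAM user",
     "userName": "alice", "sourceIPAddress": "203.0.113.10", "tags": {}},
    {"eventID": "evt-2", "eventName": "DeactivateMFADevice",
     "resourceType": "IAM MFA device", "userName": "bob",
     "sourceIPAddress": "198.51.100.7", "tags": {}},
    {"eventID": "evt-3", "eventName": "AuthorizeSecurityGroupIngress",
     "resourceType": "EC2 security group", "userName": "carol",
     "sourceIPAddress": "198.51.100.7", "tags": {"Env": "prod", "Owner": "payments"}},
    {"eventID": "evt-4", "eventName": "AuthorizeSecurityGroupIngress",
     "resourceType": "EC2 security group", "userName": "carol",
     "sourceIPAddress": "203.0.113.10", "tags": {"Env": "prod"}},
]

# Constructed policies mirroring wizard selections (names and values are made up).
POLICIES = [
    Policy("IAM user deleted", "IAM user", {"DeleteUser"}),
    Policy("MFA deactivated for finance admin", "IAM MFA device",
           {"DeactivateMFADevice"}, username="bob"),
    Policy("Prod security group opened from outside the office",
           "EC2 security group", {"AuthorizeSecurityGroupIngress"},
           ip_operator="Not in", ip_values="203.0.113.10, 203.0.113.11",
           tag_operator="In", tag_values="Env:prod, Owner"),
]
```

Running evaluate(POLICIES, EVENTS) raises evt-1, evt-2 and evt-3; evt-4 is suppressed because its source address is in the excluded office list.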

Creating Alerts for IAM Users

Create alerts for operations performed on or by IAM users, and actions for IAM user policies.

AWS administrators add and manage users and other administrators in the Identity and Access Management (IAM) Users section of the administration console.

You can create policy alerts for actions taken on IAM users (for example, adding or deleting users), and actions performed by users (for example logins or failed logins).

Note:

In the following procedures, if you select the action of Any, or a common action such as GetUser or GetUserPolicy, then you can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Creating Alerts for Changes to IAM Instance Profiles

Create policy alerts that flag changes to IAM instance profiles.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    • Application Type: AWS

    • Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: IAM InstanceProfile

    • Resource name: Select Name, then select one of these options:

      • Text — then select a comparison from the drop-down list, and enter text in the box below.

      • Regular expression — then enter the regular expression in the box below.

  5. Drop down the Action on this resource list and select an action:
    • Any: Any of the available actions taken on the specified IAM instance profile.

    • AddRoleToInstanceProfile: A role has been added to the IAM instance profile.

    For additional information about IAM instance profile actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for Operations Performed on IAM Users

Create alerts for operations performed on IAM users, such as deleting a user or administrator.

You may want to create alerts if people perform sensitive operations on users, for example, deleting users or user policies. You can also restrict these alerts to particular users (for example, to be alerted if someone deletes an AWS administrator).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the resource page, select AWS as the application type, select an instance, and then specify a resource. For operations on particular users, specify the resource:

    • Resource: IAM User (a user created in the Identity and Access Management (IAM) section of AWS).

    • Resource name or tag: IAM users can only be identified by their names. Select Text, select Contains from the drop-down list, and enter a partial string to match a set of users. If you select Regular expression, then enter a regular expression to match one or more users.

    • Action: Select an action. For example, if you are concerned about modifications to your administrative users, then you could select UpdateUser. For a description of available actions, see Actions for IAM User Policies.

      An action of Any, or a common action such as GetUser or GetUserPolicy, may trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Next. For a description of the additional policy filters (parameters), see Condition Parameters for AWS Alerts.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to the Risk Events page.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, and after reviewing your settings, click Next to submit the policy.

  9. Click Done.

Actions for IAM User Policies

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM user.

For additional documentation about IAM user actions, see Amazon's online documentation.

The table below lists the actions that are available when the Resource is IAM user.

Action Description

ChangePassword

Triggers an alert when the password is updated for an IAM user. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users.

ConsoleLoginFailure | ConsoleLoginSuccess

Triggers an alert when an IAM user logs in successfully or the login fails. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users.

CreateAccessKey | DeleteAccessKey | UpdateAccessKey

Triggers an alert when someone generates, deletes, or updates access keys for an IAM user. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users.

New keys are created with a status of Active. Depending on the user's permissions, these keys grant programmatic access to important resources, including EC2 instances and S3 buckets, without a console login.

CreateUser | DeleteUser | UpdateUser

Triggers an alert when someone creates, deletes, or updates an IAM user. You supply a full user name, a partial name to match one or more users, or type the .* regular expression to match all users.

CreateUserPolicy | DeleteUserPolicy | UpdateUserPolicy | PutUserPolicy

Triggers an alert when someone creates, deletes, or updates an inline policy document for an IAM user. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users.

An inline policy document for a user sets that user's permissions to access important resources, including EC2 instances and S3 buckets.

Note: You can configure Oracle CASB Cloud Service to automatically reset modified IAM user policies to your preferred definition.

ListUsers | ListUserPolicies

Triggers an alert when someone views users and user policies. This action can be too commonplace to be used on its own in a policy. If you select this action, then further limit the alert by adding more actions and filters, or restricting the action to particular users.
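The matching that the Resource and Username pages configure, as an added example in Python that is not Oracle CASB code: a policy carries an action set, a Contains or regular-expression match on the resource name, and an optional actor filter, and is evaluated against CloudTrail-style records. The record field names (eventName, userIdentity, requestParameters) are CloudTrail's; the Policy structure, the mapping of resource types to request parameters, and the sample records are this example's own assumptions.

```python
"""Added example, not Oracle CASB code: the matching rules the Resource and
Username pages configure (action, Contains or regex name match, optional actor
filter), applied to constructed CloudTrail-style IAM records."""
import re
from dataclasses import dataclass
from typing import Iterable

# Request parameter that names the affected resource, per resource type.
# These are the IAM API parameter names; mapping them this way is this example's choice.
TARGET_FIELD = {"IAM User": "userName", "IAM Group": "groupName"}


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str               # "IAM User" or "IAM Group"
    actions: frozenset          # CloudTrail eventName values; "Any" matches every action
    match_type: str = "text"    # "text" (Contains) or "regex", as on the Resource page
    match_value: str = ".*"
    username_contains: str = "" # Username-page filter on the actor (empty = no filter)


def actor_of(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    # Root has no userName; CloudTrail records its type as "Root".
    return ident.get("userName") or ident.get("type", "unknown")


def target_of(event: dict, resource: str) -> str:
    """Name of the resource acted on. Self-service calls such as ChangePassword
    omit userName (CloudTrail redacts the request), so fall back to the caller."""
    params = event.get("requestParameters") or {}
    name = params.get(TARGET_FIELD[resource])
    if name is None and resource == "IAM User":
        name = actor_of(event)
    return name or ""


def name_matches(policy: Policy, name: str) -> bool:
    if policy.match_type == "regex":
        # Anchored match, so ".*" is needed to match everything, as the wizard text says.
        return re.fullmatch(policy.match_value, name) is not None
    return policy.match_value in name        # Text / Contains


def evaluate(policy: Policy, events: Iterable[dict]) -> list:
    """Return one alert per event that satisfies action, resource name and actor filter."""
    alerts = []
    for ev in events:
        if "Any" not in policy.actions and ev["eventName"] not in policy.actions:
            continue
        actor = actor_of(ev)
        if policy.username_contains and policy.username_contains not in actor:
            continue
        target = target_of(ev, policy.resource)
        if not name_matches(policy, target):
            continue
        alerts.append({"policy": policy.name, "time": ev["eventTime"],
                       "actor": actor, "action": ev["eventName"], "target": target})
    return alerts


# Constructed records carrying only the CloudTrail fields the matcher reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:02:11Z", "eventName": "UpdateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "OCCSAdministrator", "newUserName": "OCCSAdmin2"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "OCCSAdministrator"}},
    {"eventTime": "2024-03-01T23:10:05Z", "eventName": "ChangePassword",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": None},
    {"eventTime": "2024-03-02T01:15:00Z", "eventName": "AddUserToGroup",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupName": "Administrators", "userName": "mallory"}},
]

# Three policies as the wizard would define them.
ADMIN_USER_CHANGES = Policy("Admin user modified", "IAM User",
                            frozenset({"UpdateUser", "DeleteUser"}), "text", "OCCSAdmin")
ADMIN_GROUP_MEMBERSHIP = Policy("Admin group membership changed", "IAM Group",
                                frozenset({"AddUserToGroup", "RemoveUserFromGroup"}),
                                "regex", "Admin.*")
# Any action is noisy on its own; the actor filter keeps it manageable.
ANY_BY_BOB = Policy("Anything bob does to admin users", "IAM User",
                    frozenset({"Any"}), "text", "OCCSAdmin", username_contains="bob")

if __name__ == "__main__":
    for policy in (ADMIN_USER_CHANGES, ADMIN_GROUP_MEMBERSHIP, ANY_BY_BOB):
        for alert in evaluate(policy, SAMPLE_EVENTS):
            print(alert)
```

Running the block yields one alert for the admin-user update, one for the group membership change, and, for the Any policy, only the GetUser call that bob made: the actor filter is what keeps a broad action usable.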

Creating Alerts for Operations Performed by AWS Users

Create alerts for operations performed by specific IAM users or group members on any resource.

Use the Username page of the policy wizard to filter any policy according to the AWS users or group members who perform an action, whatever resource the action targets.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, select AWS as the application type, select an instance, and then select a resource, an action, and the resource name.

    For EC2 resources, you can also identify the resource by its tag.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Next.

    The Conditions page is optional. For a description of available parameters, see Condition Parameters for AWS Alerts.

  7. Click Next, and in the Actions page, set one or more notifications.

  8. When you are done, click Next, and after reviewing your settings, click Next to submit the policy.

  9. Click Done.

Creating Alerts for IAM Groups

You can create policy alerts for the Resource type Identity and Access Management (IAM) group. For example, you can create an after-hours alert related to the addition and deletion of IAM groups.

Also, you can filter any policy alert according to group members who perform an action.

Note:

In the following procedure, an action of Any, or a common action such as GetGroup or GetGroupPolicy, may trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Creating Alerts for Operations on IAM Groups

Create alerts for operations performed on IAM groups, such as deleting a group.

AWS administrators add AWS groups in the IAM groups section of the AWS administration console. You can create policy alerts for actions taken on IAM groups.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, select AWS as the application type, select an instance, and then specify a resource.

    For operations on IAM groups, specify the resource:

    • Resource: IAM Group.

    • Action: select an action. For a description of available actions, see Actions for IAM Group Policies.

    • Resource name: if you select Text, select Contains from the drop-down list and enter a partial string to match a set of groups. If you select Regular expression, enter a regular expression to match one or more IAM groups.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

    When you are done, click Next.

  6. (Optional) On the Conditions page, filter your policy so it is triggered only under the conditions that you specify.

    For a description of the additional policy conditions (parameters), see Condition Parameters for AWS Alerts.

    When you are done, click Next.

  7. Set your notifications:

    • Show a risk event in the Monitor. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in the Risk Events page.

    • Display a recommendation in the risk event. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

    When you are done, click Next.
  8. After reviewing your settings, click Next to submit the policy.

  9. Click Done.

Actions for IAM Group Policies

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM group.

For additional documentation about IAM group actions, see Amazon's online documentation.

The table below lists the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM group.

Action Description

AddUserToGroup | RemoveUserFromGroup

Triggers an alert when an IAM user is added to or removed from a group. You supply a full group name, a partial name to match one or more groups, or enter the .* regular expression to match all groups.

CreateGroup | DeleteGroup

Triggers an alert when someone creates or deletes a group. You supply a full group name, a partial name to match one or more groups, or enter the .* regular expression to match all groups.

AttachGroupPolicy  | CreateGroupPolicy | DeleteGroupPolicy | UpdateGroupPolicy | PutGroupPolicy

Triggers an alert when someone attaches a managed policy to an IAM group, or creates, deletes, or updates an inline policy document for the group. You supply a full group name, a partial name to match one or more groups, or enter the .* regular expression to match all groups.

You can configure Oracle CASB Cloud Service to automatically reset modified IAM user policies, but it can't currently reset group policies. You must do that manually.

GetGroup | ListGroup | GetGroupPolicy | ListGroupPolicy

These actions display the group and its policies. They are performed too frequently to be useful on their own. Use these actions for only particular groups or policies, or in conjunction with additional actions on this resource type.

Creating Alerts for Operations Performed by Users

Use the Username page of the wizard to filter a policy according to users who perform an action on the resource.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. On the Resource page, select AWS as the application type, select an instance, specify a resource, enter a text string to match the name or names of a selected resource (for example, an EC2 instance name), select an action on this resource, and then click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Next.

    The conditions page is optional. For a description of available parameters, see Condition Parameters for AWS Alerts.

  7. Click Next, and in the actions page, select and set one or more notifications.

  8. When you are done, click Next, and after reviewing your settings, click Next to submit the policy.

  9. Click Done.

Creating Alerts for the AWS Root User

If your organization uses an alias for your AWS account, create policies that specifically identify this user by the alias instead of root.

Having the root user not show up as root can create confusion in the policy alerts that you see in Risk Events, because alerts against the root user will show the account alias in the Actor field.

To make it easier to identify actions taken by the root user, you can create one or more policies that specifically identify this user. This policy is identical to any other AWS policy; however, in the Username page of the policy wizard, you can select the option Select by username, the Contains operator, and the account alias (case-sensitive).
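How a root action looks once the alias is substituted, as an added example in Python that is not Oracle CASB code. CloudTrail marks root activity with userIdentity.type set to Root, which does not depend on the alias text; the alias, the records and the alert fields below are constructed for the example.

```python
"""Added example, not Oracle CASB code: show the actor the way the page says
alerts show root (as the account alias) while recognising root from the
CloudTrail identity type, which does not depend on the alias text."""

# Constructed: the alias set on the account in this example.
ACCOUNT_ALIAS = "acme-prod"


def actor_display(event: dict, alias: str) -> str:
    """Actor as it appears in an alert: root actions show the account alias."""
    ident = event["userIdentity"]
    if ident.get("type") == "Root":
        return alias
    return ident.get("userName") or ident.get("arn", "unknown")


def username_filter_matches(actor: str, contains: str) -> bool:
    """The Username page's Contains operator is case-sensitive, so a filter of
    'Acme-Prod' would not catch root actions shown as 'acme-prod'."""
    return contains in actor


def root_actions(events: list, alias: str) -> list:
    """Alerts for root activity, keyed on userIdentity.type rather than on the alias."""
    alerts = []
    for ev in events:
        if ev["userIdentity"].get("type") != "Root":
            continue
        # For console logins CloudTrail records whether MFA was used.
        extra = ev.get("additionalEventData") or {}
        alerts.append({
            "time": ev["eventTime"],
            "actor": actor_display(ev, alias),
            "action": ev["eventName"],
            "source_ip": ev.get("sourceIPAddress"),
            "mfa_used": extra.get("MFAUsed"),
        })
    return alerts


# Constructed records: a root console login and an IAM user's API call.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-03T02:14:09Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-03T02:20:00Z", "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for alert in root_actions(SAMPLE_EVENTS, ACCOUNT_ALIAS):
        print(alert)
```

The Actor field in the resulting alert reads acme-prod, exactly what the Username-page Contains filter has to be typed against, while the root_actions check would keep firing even if the alias were later renamed.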

Creating Alerts for Access and Federated Access

Create policy alerts for resources related to access privileges in AWS, including authentication keys and identity service providers.

For example, you can create a policy for adding and deleting federated identity providers, which IAM represents as Security Assertion Markup Language (SAML) providers.

You can filter these policies according to who performs an action and who is affected by it.

Creating Alerts for IAM User Access Key Changes

Create a policy alert for changes in IAM user access keys.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resources page, set the following:

    • Application type: AWS.

    • Application instance: Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: IAM User

    • Resource name: Select Text, select Contains, and then enter the full or partial user name (example: OCCSAdministrator). To match all users, select Regular expression and then enter .* in the input field.

    • Action on the resource: DeleteAccessKey. For an explanation of this and other actions for IAM users, see Actions for IAM User Policies.

    • When you are done, click Next.
  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. Click Next. Conditions are optional. For a description of available parameters, see Condition Parameters for AWS Alerts.

  7. Click Next, and set your Action notifications:

    • Show an alert in the Risk Events page. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address (one address only). Select this option to send an email to the designated address, with the message that you enter.

  8. Click Next, review your settings, and then click Next to submit your policy.

  9. Click Done.
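Evaluating access-key events beyond the plain action match, as an added example in Python that is not Oracle CASB code. The CloudTrail fields for CreateAccessKey (responseElements.accessKey, returned with status Active) and DeleteAccessKey are real; the severity scale, the helper names and the sample records are this example's assumptions. A key created for a user other than the caller is the case worth reading first.

```python
"""Added example, not Oracle CASB code: inspect CreateAccessKey, DeleteAccessKey
and UpdateAccessKey records and rate them, flagging keys issued for a user other
than the caller. The key-event fields are CloudTrail's; the severity scale is
this example's choice."""
from typing import Optional

KEY_ACTIONS = {"CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey"}


def _actor(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("type", "unknown")


def key_event(event: dict) -> Optional[dict]:
    """Normalise one access-key record, or return None for any other event."""
    if event.get("eventName") not in KEY_ACTIONS:
        return None
    actor = _actor(event)
    params = event.get("requestParameters") or {}
    # IAM treats an omitted userName as "the caller's own key".
    target = params.get("userName") or actor
    created = (event.get("responseElements") or {}).get("accessKey") or {}
    # New keys come back Active; UpdateAccessKey carries the status in the request.
    status = created.get("status") or params.get("status")
    return {
        "time": event["eventTime"],
        "action": event["eventName"],
        "actor": actor,
        "target": target,
        "key_id": created.get("accessKeyId") or params.get("accessKeyId"),
        "status": status,
        "for_other_user": target != actor,
    }


def severity(alert: dict) -> str:
    """Creating or re-activating a key for someone else is how a stolen admin
    session becomes durable access; rate those highest."""
    if alert["for_other_user"] and alert["action"] == "CreateAccessKey":
        return "high"
    if alert["action"] == "UpdateAccessKey" and alert["status"] == "Active":
        return "high" if alert["for_other_user"] else "medium"
    if alert["action"] == "CreateAccessKey":
        return "medium"
    return "low"          # deletions and deactivations reduce exposure


def access_key_alerts(events: list) -> list:
    alerts = []
    for ev in events:
        alert = key_event(ev)
        if alert:
            alert["severity"] = severity(alert)
            alerts.append(alert)
    return alerts


# Constructed records; the key IDs are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-04T09:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None,
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000001",
                                        "status": "Active", "userName": "alice"}}},
    {"eventTime": "2024-03-04T09:01:30Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "OCCSAdministrator"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000002",
                                        "status": "Active", "userName": "OCCSAdministrator"}}},
    {"eventTime": "2024-03-04T09:05:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"accessKeyId": "AKIAEXAMPLE0000001"},
     "responseElements": None},
    {"eventTime": "2024-03-04T09:06:00Z", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None, "responseElements": None},
]

if __name__ == "__main__":
    for a in access_key_alerts(SAMPLE_EVENTS):
        print(a["severity"], a["action"], a["actor"], "->", a["target"], a["key_id"])
```

The second record, bob minting a key for OCCSAdministrator, is the one this page's DeleteAccessKey/CreateAccessKey policy exists to catch; the first is routine self-service and the deletion lowers exposure, so they rate lower.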

Creating Alerts for Changes to Federated Access

Create policy alerts for various changes to federated access.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resources page, set the following:

    • Application type: AWS.

    • Application instance: select the name of your AWS application instance, or Any.

    • Resource: IAM IdProvider.

    • Resource name: select Text, select Contains, and enter the full or partial provider name. To match all providers, select Regular expression and enter .* in the input field.

    • Action on this resource: CreateSAMLProvider. For a description of actions for SAML providers, see Actions for IdProvider Policies.

    Click the plus sign to create additional resource entries. For example, you can add an entry for the same resource paired with an UpdateSAMLProvider or DeleteSAMLProvider action.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. Click Next and optionally select condition parameters such as IP addresses. For a description of the additional policy conditions (parameters), see Condition Parameters for AWS Alerts.

  7. Click Next, and set your Action notifications:

    • Show an alert in the Risk Events page. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address (one address only). Select this option to send an email to the designated address, with the message that you enter.

  8. When you are done, click Next, review your settings, and then click Next to submit the policy.

  9. Click Done.

Actions for IdProvider Policies

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM IdProvider.

The table below lists the actions that are available in the Resource page of the policy creation wizard when the Resource type is IAM IdProvider.

Action Description

CreateSAMLProvider | DeleteSAMLProvider | UpdateSAMLProvider

Triggers an alert when someone creates, deletes, or modifies an identity provider. You supply a full provider name, a partial name to match one or more providers, or enter the .* regular expression to match all providers.

GetSAMLProvider | ListSAMLProvider

These actions display the provider. They are performed too frequently to be useful on their own. Use these actions for only particular providers, or in conjunction with additional actions on this resource type.

Creating Alerts for EC2 Instances and Networks

Create policy alerts for EC2 (Elastic Compute Cloud) instance starts and terminations, EC2 network ACL changes, and other changes to EC2 instances and networks.

You can configure alerts for activities such as the startup of EC2 instances, which can indicate unwanted expense or unwanted exposure of AWS network resources. Terminations of EC2 instances should be rare, and network updates can be sensitive, so both are worth alerting on.

An action of Any, or a common action such as DescribeInstances, can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Note:

When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.

Creating Alerts for EC2 Starts and Terminations

Create policy alerts that flag both EC2 starts and EC2 terminations.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, specify the resource as follows:

    • Application Type: AWS.

    • Instance: the application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: EC2 Instance.

    • Identify resource by name or tag: select Name if you want to match (filter the policy by) an EC2 instance name. Select Tag if you want to match an EC2 instance tag. In this case, the tag refers only to the key (in AWS, a tag is a key: value pair).

    • Resource name: if you chose to identify the EC2 instance by its name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 instance name. If you select Regular expression, type a regular expression to match one or more EC2 instances.

    • Action on this resource: select StartInstances. An action of Any, or a common action such as DescribeInstances, can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard. For a complete list of actions, see Actions for EC2 Instances and Networks.

    Click the plus sign and create another resource entry, this time selecting TerminateInstances as the action.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. Click Next. The condition settings are optional.

    For a description of the additional policy conditions (parameters), see Condition Parameters for AWS Alerts.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is always selected.

      When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, click Next to submit your policy.

  9. Click Done.

Creating Alerts for EC2 Network ACL Modifications

Configure policy alerts for any type of modification to EC2 network ACLs and network interfaces.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, specify the resource as follows:

    • Application Type: AWS.

    • Instance: select an instance name, or select Any to match all instances.

    • Resource: EC2 Network.

    • Identify resource by name or tag: select Name if you want to match (filter the policy by) an EC2 network name. Select Tag if you want to match the EC2 network tag (key only).

    • Resource name: if you chose to match the EC2 network's name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 network name. If you select Regular expression, type a regular expression to match one or more EC2 networks.

    • Action on this resource: select CreateNetworkAcl. Note that the following actions may generate too many alerts to be useful: DescribeNetworkAcls, DescribeNetworkInterfaceAttribute. For a complete list of actions, see Actions for EC2 Instances and Networks.

    Click the plus sign and create additional resource entries for these actions: DeleteNetworkAcl, CreateNetworkInterface, ResetNetworkInterfaceAttribute, DeleteNetworkInterface, DetachNetworkInterface, ReplaceNetworkInterface.

  5. When you are done, click Next. The Username settings are optional.

  6. Click Condition and optionally set conditional filters (for example, a time of day) or skip them. When you are done, click Next.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Review & Submit, and after reviewing your settings, click Submit.

Creating Alerts for Creating or Deleting EC2 Network ACL Entries

Create policy alerts that flag both creation and deletion of EC2 network ACL entries.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, specify the resource as follows:

    • Application Type: AWS.

    • Instance: select an instance name, or select Any to match all instances.

    • Resource: EC2 Network.

    • Identify resource by name or tag: select Name if you want to match (filter the policy by) an EC2 network name. Select Tag if you want to match the EC2 network tag (key only).

    • Resource name: if you chose to match the resource name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 network name. If you select Regular expression, type a regular expression to match one or more EC2 networks. To match a tag, type the exact tag key (not the whole key:value pair).

    • Action on this resource: select CreateNetworkAclEntry. Note that the following actions can generate too many alerts: DescribeNetworkAcls, DescribeNetworkInterfaceAttribute. For a complete list of actions, see Actions for EC2 Instances and Networks.

  5. Click the plus sign and add the DeleteNetworkAclEntry action for this resource.

  6. Complete the policy as shown in the previous procedures.

Creating Alerts for EC2 Network ACL Changes

Create policy alerts that will flag any changes to the EC2 network ACL entries.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, select AWS as the application type, select an instance (or Any), and then select the resource type EC2 Network.

  5. In the Action field, select CreateNetworkAcl.

    For a complete list of actions, see Actions for EC2 Instances and Networks.

  6. Enter a full or partial network ACL name as described in the previous procedures.

  7. Click the plus sign to configure these additional actions for the resource: DeleteNetworkAcl, CreateNetworkInterface, DeleteNetworkInterface, DetachNetworkInterface, ResetNetworkInterfaceAttribute.

  8. Complete the alert as shown in the previous procedures.

Creating Alerts for EC2 Network ACL Rule Changes

Create policy alerts that will flag both creating and replacing EC2 network ACL entries.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the resource page, follow the steps for other EC2 network changes above, but select this resource type EC2 Network and actions CreateNetworkAclEntry.

    For a complete list of actions, see Actions for EC2 Instances and Networks.

  5. Click the plus sign to create an entry for the same resource with the action ReplaceNetworkAclEntry.

  6. Complete the alert as shown in the previous procedures.

Creating Alerts for EC2 Network Routing Changes

Create policy alerts that will flag any change in EC2 network routing.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, enter the following:

    • Application Type: AWS.

    • Instance: select an instance name, or select Any to match all instances.

    • Resource: EC2 Route.

    • Identify resource by name or tag: select Name if you want to match (filter the policy by) an EC2 route ID. For AWS resources that use IDs instead of names (for example, routes, VPNs, VPCs, and subnets), you enter the resource's ID in this field. Select Tag if you want to match the EC2 route tag (key only).

    • Resource name: if you chose to match the EC2 route ID, select Text, select Contains from the drop-down, and enter a full or partial string to match a route ID. If you select Regular expression, type a regular expression to match one or more EC2 route IDs.

    • Action on this resource: select AssociateRouteTable. For a complete list of actions, see Actions for EC2 Instances and Networks.

  5. To add actions for this resource, click the plus sign and set one or more additional actions for the EC2 route: CreateRoute, DisableVgwRoutePropagation, CreateRouteTable, DeleteRoute, DeleteRouteTable, DisassociateRouteTable, ReplaceRoute, ReplaceRouteTableAssociation.

  6. Complete the alert as shown in the previous procedures.

Actions for EC2 Instances and Networks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is EC2 instance.

For additional information about EC2 actions, see Amazon's online documentation.

The table below lists the actions that are available in the Resources page of the policy creation wizard when the Resource type is EC2 instance.

Action Description

BundleInstance

Bundles an instance store-backed Windows instance (compresses and encrypts the instance's storage and uploads it to Amazon S3) so that it can be registered as an Amazon Machine Image (AMI). Be sure that only authorized people perform this action.

You supply a full instance name, a partial name to match one or more instances, or type the .* regular expression to match all instances.

ImportInstance

This action refers to creating an import instance task using metadata from the disk image. It is important to be sure that only authorized people perform these actions.

You supply a full instance name, a partial name to match one or more instances, or type the .* regular expression to match all instances.

ModifyInstanceAttribute | ResetInstanceAttribute

These actions modify, or reset to the default, an instance characteristic (attribute). Some attributes can be modified only while the instance is stopped.

Instance definitions should be relatively stable; repeated changes to an instance's attributes can indicate a security risk.

RebootInstances | RunInstances | StartInstances | StopInstances | TerminateInstances

These actions launch, reboot, start, stop, and terminate EC2 instances. These are critical actions on critical resources. Multiple instance starts or stops may indicate a security risk, an unstable environment, or an unwise use of resources.

UnmonitorInstances

This refers to turning off monitoring for an instance. All running instances should be monitored.

DescribeInstanceAttribute | DescribeInstances | MonitorInstances | ReportInstanceStatus

These actions read instance details, enable monitoring, or report instance status. They are performed too frequently to be useful on their own. Use these actions for only particular instances, or in conjunction with additional actions on this resource type.

These actions are available in the resources page of the policy creation wizard when the resource type is EC2 network.

Action Description

AttachNetworkInterface | CreateNetworkInterface | DeleteNetworkInterface | DetachNetworkInterface | ModifyNetworkInterfaceAttribute | ResetNetworkInterfaceAttribute

An elastic network interface is a virtual network card with one or more private IP addresses that can be attached to an instance. You should make sure that anyone who performs these actions is authorized to do so and that the action does not create issues with access.

You supply a full interface name, a partial name to match one or more interfaces, or type the .* regular expression to match all interfaces.

CreateNetworkAcl | CreateNetworkAclEntry | DeleteNetworkAcl | DeleteNetworkAclEntry | ReplaceNetworkAclAssociation | ReplaceNetworkAclEntry

Network ACLs provide an optional, stateless layer of security (in addition to security groups) for the subnets in your Virtual Private Cloud (VPC). You should make sure that anyone who performs these actions is authorized and that the action does not create issues with access to your VPCs. ACLs generally are stable and seldom modified.

DescribeNetworkAcls | DescribeNetworkInterfaceAttribute

These actions display the ACL or interface or its attributes. They are performed too frequently to be useful on their own. Use these actions for only particular interfaces, or in conjunction with additional actions on this resource type.

Creating Alerts for EC2 Security Groups

Create policy alerts for specified actions on EC2 security groups.

AWS EC2 security groups control access to networks and resources in your Virtual Private Clouds (VPCs). Security groups should be closed to all but required traffic.

A security group definition describes the IP addresses, address ranges, ports, and protocols that are permitted to send traffic to, and receive traffic from, the instances and network interfaces the group is attached to.

You should know when people create ingress (inbound) and egress (outbound) rules for a security group, particularly as they relate to clouds with mission-critical or sensitive data.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:

    • Application Type: AWS.

    • Instance: the application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: EC2 SecurityGroup.

    • Identify resource by name or tag: select Name to match by security group name, or Tag to match a tag key.

    • Resource name: to match the security group name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 Security Group name. If you select Regular expression, type a regular expression to match one or more EC2 Security Group names.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource Description

    Any

    Any of the available actions taken on the specified EC2 security group.

    Associate IAM instance profile

    An IAM instance profile has been associated with an EC2 instance. An instance profile attaches to an instance (not to a security group) and gives the instance the permissions of an IAM role, so treat this action as a change to what the instance is allowed to do, not to the traffic it accepts.

    Authorize security group egress

    An egress rule has been added to the specified EC2 security group for use with a VPC.

    Authorize security group ingress

    An ingress rule has been added to the specified EC2 security group for use with a VPC.

    Create security group

    An EC2 security group has been created.

    Delete security group

    An EC2 security group has been deleted.

    Describe security groups

    An EC2 security group has been described.

    Disassociate IAM instance profile

    An IAM instance profile has been disassociated from the specified EC2 security group.

    Replace IAM instance profile association

    The IAM instance profile associated with an EC2 instance has been replaced with another profile.

    Revoke security group egress

    An egress rule has been revoked from the specified EC2 security group for use with a VPC.

    Revoke security group ingress

    An ingress rule has been revoked from the specified EC2 security group for use with a VPC.

    For additional information about EC2 actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for EC2 VPCs and VPNs

Create policy alerts for changes to EC2 VPCs and EC2 VPNs.

You can configure alerts for such activities as changes to EC2 Virtual Private Clouds (VPCs) and EC2 Virtual Private Networks (VPNs).

EC2 VPN gateways and VPN connections carry traffic between your VPCs and networks outside AWS, so a change to them alters where traffic can enter and leave a VPC, much as a change to a network access control list (ACL) alters what can enter and leave a subnet. Such updates can produce service interruptions and enable data breaches.

Note:

When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.

Creating Alerts for EC2 VPN Changes

Configure policy alerts for specified changes to EC2 VPNs.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the resource page, set the resource as follows:

    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    EC2 VPN

    Identify resource by name or tag

    To match by VPN ID, select Name, select Contains, and then type the VPN ID. (VPNs have IDs instead of names.)

    Resource name

    If you chose Name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 VPN ID. (When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.)

    If you select Regular expression, type a regular expression to match one or more EC2 VPN IDs.

    Action on this resource

    Select AttachVpnGateway.

    For additional information about EC2 actions, see Amazon's online documentation.

  5. Click the plus sign to configure additional actions for the resource: CreateVpnConnection, DetachVpnGateway, CreateVpnConnectionRoute, CreateVpnGateway, DeleteVpnConnection, DeleteVpnConnectionRoute, DeleteVpnGateway.

  6. Complete the policy as shown in other AWS policy topics.

Creating Alerts for EC2 VPC Changes

Configure policy alerts for specified changes to EC2 VPCs.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, set the following:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    EC2 VPC

    Identify resource by name or tag

    To match by VPC ID, select Name, select Contains, and then type the VPC ID. (When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.)

    Resource name

    To match the ID, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 VPC ID. To match the tag, enter the exact tag key (key only, not the value).

    If you select Regular expression, type a regular expression to match one or more EC2 VPC IDs.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource Description

    Any

    Any of the available actions taken on the specified EC2 VPC.

    Create VPC

    An EC2 VPC was created.

    Create VPC peering connection

    A VPC peering connection has been created between the specified EC2 VPC and another VPC.

    Delete VPC

    An EC2 VPC was deleted.

    Describe VPC attribute

    An attribute of the specified EC2 VPC was described.

    Describe VPCs

    The specified EC2 VPC was described.

    Modify VPC attribute

    An attribute of the specified EC2 VPC was modified.

    For additional information about EC2 actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the policy as shown in the help for configuring other AWS policies.

Creating Alerts for EC2 Internet Gateways

Configure policy alerts for specified changes to EC2 Internet gateways.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, set the following:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    EC2 InternetGateway

    Resource name

    To specify the resource name, select Text, select Contains from the drop-down, and enter a full or partial string to match a resource name.

    If you select Regular expression, type a regular expression to match one or more resource names.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource Description

    Any

    Any of the available actions taken on the resource.

    CreateInternetGateway

    The Internet gateway was created.

    AttachInternetGateway

    The Internet gateway was attached to an AWS virtual private cloud.

    DetachInternetGateway

    The Internet gateway was detached from an AWS virtual private cloud.

    For additional information about EC2 actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the policy as shown in the help for configuring other AWS policies.

Creating Alerts Based on EC2 Tags

Use EC2 tags to identify resources when you configure policy alerts.

AWS provides tagging to help you with managing instances, images, and other Amazon EC2 resources.

A general description of tagging is available on the AWS blog site. An AWS tag is a key:value pair. If you use AWS tags, you can create alerts based on either the full key:value pair or just the key in these tags. For example, you can create an alert to generate a risk event whenever someone modifies an EC2 instance with the key "production" or the key-value pair "production:server1".

You can apply a tag to specific resources in a policy (in the Resources page of the wizard) or to all of the items that you configure on the Resources page. In the latter case, you define the tag in the Condition page of the wizard.

Note:

In the following procedure, if you select an action of Any, or a common action such as DescribeInstances, you can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.
  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the resource page, do the following:

    • Application type: AWS

    • Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: Select an EC2 resource type, for example, EC2 Instance.

    • Identify by Name or Tag: Select Name or Tag.

      If you select Name, you still can specify a tag on a later page of this wizard. This permits filtering a resource of a particular name according to whether or not it also has a particular tag.

      If you select Tag, type the exact tag key, for example, Production. If you input a tag key on this page, the policy matches any instance with this tag key. (Although you specify the tag as a key:value pair in AWS, you only specify the key here.)

      Note: Do not use the Tag option with "delete" actions, because AWS does not record the tags of a deleted resource in its logs.

    • Action: Select an action of interest, for example, StartInstances.

      Note:

      An action of Any, or a common action such as DescribeInstances, can trigger more alerts than you intended, unless you filter the alert by user or group, or add other conditions in later pages of this wizard. For additional information about EC2 actions, see Amazon's online documentation.
  5. Click the plus sign and repeat the Action selection in step 4, this time selecting TerminateInstances.

    When you are done, click Next.

  6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

    Click Next and in the condition step:

    • If you selected Tag in step 4, you would probably not specify a tag in this step.

    • If you selected Name in step 4, click + Add condition. In the Parameter drop-down select Tag, in the Operator drop-down select Equal to, and in the Value drop-down type a complete key:value pair for the AWS tag, or a single key name.

    If you want Oracle CASB Cloud Service to create an alert based on any of several tags, select an Operator of In and then type a comma-separated list of values. (This is a logical OR.)

    To generate the alert only when the resource contains more than one type of tag (for example, an instance with both Production and Deployment tags), click the plus sign and then add a second parameter-operator-value triplet. (This is a logical AND.)

    Note:

    If you set a tag on the resource page, do not also set a tag on this page. The Tag condition on this page allows you to select a resource type by name (for example, EC2 instances named LatAm) and further filter them by tag (for example, Production).
  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, and after reviewing your settings, click Next to submit your policy.

  9. Click Done.

Creating Alerts for CloudTrail Changes

Review the actions and conditions that are available in the Resources page of the policy creation wizard when the Resource selected is CloudTrail.

Prerequisites:
  • You have started creating an AWS policy alert in Creating an AWS Policy.

  • On the Resource page in the policy creation wizard, you have set the Resource type to CloudTrail.

  • You are ready to select the Action on this resource.

  1. In the policy creation Resource page, after you have selected CloudTrail as the Resource type, select one of the options below from the Action on this resource drop-down list:
    Action on this Resource Description

    Any

    Any of the available actions taken on the specified CloudTrail.

    Add Tags

    A tag has been added to the specified CloudTrail.

    Create Trail

    A trail has been created in the specified CloudTrail.

    Delete Trail

    A trail has been deleted from the specified CloudTrail.

    Put Event Selectors

    Event selectors, which determine which management and data events the trail records, have been set for the specified CloudTrail.

    Remove Tags

    A tag has been removed from the specified CloudTrail.

    Start Logging

    Logging has been started for the specified CloudTrail.

    Stop Logging

    Logging has been stopped for the specified CloudTrail.

    Update Trail

    A trail has been updated in the specified CloudTrail.

  2. Click Next to proceed to the Username page.
  3. Return to Creating an AWS Policy and continue with step 4 there.
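The matching that the security group, VPC, Internet gateway, tag, and CloudTrail procedures above configure through the wizard, reduced to code and run over sample records, as an added example (illustrative code written for this page, not Oracle CASB Cloud Service code, and it uses no Oracle CASB API). The CloudTrail records, the resource inventory that supplies tags, and the three policies are constructed; the field names inside the records (eventSource, eventName, userIdentity.userName, requestParameters) are the ones CloudTrail uses, but the mapping from a record to its resource identifier is an assumption that covers only the three record shapes used here.

```python
"""Policy matching as configured in the wizards above, reduced to code and run over
constructed CloudTrail records. Example code added to this page; not Oracle CASB code."""
import re

# Constructed resource inventory: resource id -> tags. CloudTrail records carry
# ids, not tags, so tag conditions need a source of tag data such as this.
INVENTORY = {
    "sg-0a1b2c3d": {"Name": "prod-web-sg", "Environment": "Production"},
    "i-0123456789abcdef0": {"Name": "LatAm", "Environment": "Production", "Deployment": "blue"},
    "i-0fedcba9876543210": {"Name": "dev-box", "Environment": "Development"},
}

# Constructed CloudTrail records, trimmed to the fields the matcher reads.
EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"userName": "mallory"},
     "requestParameters": {"name": "org-trail"}},
]

def resource_ids(event):
    """Resource identifiers named by a record; handles only the three shapes above (assumption)."""
    p = event.get("requestParameters", {})
    if "groupId" in p:
        return [p["groupId"]]
    if "instancesSet" in p:
        return [i["instanceId"] for i in p["instancesSet"]["items"]]
    if "name" in p:
        return [p["name"]]
    return []

def name_matches(name, mode, pattern):
    """Resource name field: Text/Contains is a substring test, Regular expression is re.search."""
    if mode == "Contains":
        return pattern in name
    if mode == "Regular expression":
        return re.search(pattern, name) is not None
    raise ValueError(f"unknown match mode {mode!r}")

def tag_matches(tags, spec):
    """A spec is 'key' (key present, any value) or 'key:value' (exact pair)."""
    key, sep, value = spec.partition(":")
    return key in tags and (not sep or tags[key] == value)

def condition_holds(tags, operator, value):
    """'Equal to' takes one spec; 'In' takes a comma-separated list and is a logical OR."""
    specs = [v.strip() for v in value.split(",")] if operator == "In" else [value]
    return any(tag_matches(tags, s) for s in specs)

def evaluate(policy, events):
    """Return (policy name, user, action, resource id) for every record the policy matches."""
    alerts = []
    for e in events:
        if e["eventSource"] != policy["event_source"]:
            continue
        if policy["actions"] != "Any" and e["eventName"] not in policy["actions"]:
            continue
        users = policy.get("users")  # Username page: restrict to named users
        if users and e["userIdentity"]["userName"] not in users:
            continue
        for rid in resource_ids(e):
            tags = INVENTORY.get(rid, {})
            name = tags.get("Name", rid)  # ids stand in for names (VPCs, VPNs, trails)
            match = policy.get("name_match")
            if match and not name_matches(name, *match):
                continue
            # Several conditions added with the plus sign are ANDed together.
            if not all(condition_holds(tags, op, v) for op, v in policy.get("tag_conditions", [])):
                continue
            alerts.append((policy["name"], e["userIdentity"]["userName"], e["eventName"], rid))
    return alerts

POLICIES = [
    {"name": "prod-sg-rule-change", "event_source": "ec2.amazonaws.com",
     "actions": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                 "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
     "name_match": ("Regular expression", r"^prod-.*-sg$")},
    {"name": "prod-instance-lifecycle", "event_source": "ec2.amazonaws.com",
     "actions": {"StartInstances", "TerminateInstances"},
     "name_match": ("Contains", "LatAm"),
     "tag_conditions": [("In", "Environment:Production,Environment:Staging"),
                        ("Equal to", "Deployment")]},
    {"name": "trail-tampering", "event_source": "cloudtrail.amazonaws.com",
     "actions": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}},
]

def run():
    """Evaluate every policy against the sample records."""
    return [alert for policy in POLICIES for alert in evaluate(policy, EVENTS)]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it prints three alerts: the ingress rule change on prod-web-sg, the termination of the LatAm instance (the dev-box termination fails the name match), and the StopLogging call on org-trail. Two things the example makes visible: an action of Any would match every record from the chosen service, which is why the wizard notes steer you toward specific actions plus a user or tag filter; and because CloudTrail records carry resource IDs rather than tags, tag conditions can only be evaluated against separately collected tag data, which is also why a tag on a resource that has already been deleted cannot be matched.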

Creating Alerts for S3 Resources

Configure policy alerts for activities that affect AWS Simple Storage Service (S3) resources.

All Amazon S3 resources, such as buckets, are by default only available to the AWS account owners who created them. Because S3 resources can contain mission-critical information, it is important to monitor operations such as creating and deleting S3 resources, and changes regarding who has permission to access these resources through changes to access control lists (ACLs).

Creating General S3 Bucket Policies

Create policies to alert for actions taken on S3 bucket objects and on the buckets themselves.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, do the following:

    • Application type: AWS

    • Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: Select S3 Bucket or S3 Object.

    • Identify by Name or Tag: Lets you specify a full or partial name, or an entire tag name, expressed as the key part of an S3 key:value pair. Note that if you type a name on this page, you can refine the filter by a tag in a later page of this wizard.

    • Action: Select a Get (read) or Put (write) action of interest. For additional information about actions, see Amazon's reference documentation for bucket operations and S3 operations.

      Note:

      An action of Any can trigger more alerts than you intended, unless you filter the alert by user or group, or add other conditions in later pages of this wizard. These are the specific actions.
      Action Description

      Any Get Bucket or Get Object action

      Get (view) actions can be performed very often, so to make this policy meaningful you should restrict it to only buckets with highly sensitive resources, to watch users of interest, or use the equivalent Put action in the policy.

      Put Bucket | Put Object

      This action can alert you when someone creates a new S3 cloud storage bucket. This type of policy can help you be sure that this operation is authorized and is worth incurring additional storage costs. It also gives you a prompt to verify that default encryption and MFA Delete are enabled for the new bucket.

      This action can also alert you when someone creates a new type of S3 object. This type of policy can be useful for a particularly sensitive object (for example, a document with personally identifiable information) because you may want to investigate the user named in alerts that this type of policy generates.

      Put Bucket ACL | Put Object ACL

      This action can alert you when someone adds access control list (ACL) permissions for an S3 bucket or object. This type of policy can help you be sure that the ACL conforms to your organization's policies. In general, ACLs should be stable and rarely modified.

      Put Bucket CORS

      This action can alert you when someone enables cross-origin resource sharing (CORS) for an S3 bucket. A CORS configuration allows browser scripts served from the listed origins to make requests to the bucket. For example, this type of sharing can allow pages served from www.example.com to read objects in a bucket at my.example.bucket.com. If a CORS configuration already exists, this operation replaces it.

      An alert based on this policy can make sure that you verify the recipient of the shared resource. If an alert based on this policy appears multiple times for different S3 buckets, you should verify both the recipients and the user who is permitting sharing.

      Put Bucket Policy | Put Object Policy

      This action can alert you when someone adds to or replaces a policy (a set of rules that control who can access resources) for an S3 bucket or object. If the bucket or object already has a policy, the one in this request completely replaces it. In general, S3 policies should be stable and rarely modified.

      Put Bucket Request Payment

      This action can alert you when the owner of an S3 bucket turns on Requester Pays, so that the person who requests a download is charged for the request and the data transfer instead of the bucket owner. By default, the owner of an S3 bucket pays for downloads from the bucket.

      Delete Object

      This action can alert you when someone deletes an object (for example, a document) from an S3 cloud storage bucket. If versioning is enabled on the bucket, a simple delete only adds a delete marker and an AWS administrator can restore the object; if versioning is not enabled, the deletion is permanent.

      When you enable this policy for a particularly sensitive object (for example, a document with personally identifiable information in it), you can then investigate the users named in any alerts that this type of policy generates.

      Create Bucket

      This action can alert you when someone creates a bucket.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. Click Next and in the conditions page, Parameter drop-down, select any additional filter that you want to apply, an operator, and a value for the filter.

    For example, to filter the policy according to an S3 tag, select Tag, in the Operator drop-down select an operator (for example, Equal to), and in the Value drop-down type a complete key:value pair for the AWS tag, or a single key name.

    If you want Oracle CASB Cloud Service to create an alert based on any of several tags, select an Operator of In and then type a comma-separated list of values. (This is a logical OR.)

    To generate the alert only when the resource contains more than one type of tag (for example, an instance with both Production and Deployment tags), click the plus sign and then add a second parameter-operator-value triplet. (This is a logical AND.)

    Note:

    If you set a tag on the resource page, do not also set a tag on this page. The Tag condition on this page allows you to select a resource type by name (for example, EC2 instances named LatAm) and further filter them by tag (for example, Production). For additional information about filters, see Creating a Policy.
  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, and after reviewing your settings, click Next to submit your policy.

  9. Click Done.

Detecting when an S3 Bucket Grants Access to Users in Nonsanctioned Accounts

Understand how to configure policy alerts for S3 bucket policy changes that grant access to users in non-sanctioned AWS accounts.

In AWS, access to an S3 bucket is controlled by its bucket policy (together with ACLs and the IAM policies of the callers). A bucket policy can name principals in other AWS accounts, which is how a bucket is shared across accounts, and how it is accidentally shared with the wrong ones.

In Oracle CASB Cloud Service, you can create a policy that generates an alert when an S3 bucket policy grants access to users in non-sanctioned AWS accounts. You configure these alerts in the Oracle CASB Cloud Service console, on the policy Conditions page. In this page, to generate an alert when an S3 bucket policy grants access to a non-sanctioned account, you configure the condition as follows:

  • Parameter: AWS account ID

  • Operator: Not Equals

  • Value: account ID1, account ID2

Where account ID1 and account ID2 are sanctioned (permissible) accounts (for example, 113122223861,133122223862). The list is evaluated as a whole: Oracle CASB Cloud Service generates an alert when it detects an S3 bucket policy that names any account ID other than the ones listed in the Oracle CASB Cloud Service policy.

Currently, you can select the AWS account ID parameter for resources other than S3 buckets. However, this parameter applies only to S3 buckets.
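The check behind that condition, as an added example (illustrative code written for this page, not Oracle CASB Cloud Service code): parse an S3 bucket policy, pull the account IDs out of every Allow statement's Principal, and report those outside the sanctioned list. BUCKET_POLICY is constructed; the two sanctioned account IDs are the ones used in the text above. The ARN pattern assumes the standard aws partition (not aws-cn or aws-us-gov).

```python
"""Report S3 bucket-policy grants to accounts outside a sanctioned list.
Example code added to this page; not Oracle CASB code."""
import json
import re

# Sanctioned account IDs (what you would list in the condition's Value field).
SANCTIONED = {"113122223861", "133122223862"}

ACCOUNT_RE = re.compile(r"^\d{12}$")                  # bare account ID
ARN_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):")  # account in an IAM/STS ARN (aws partition only)

# Constructed bucket policy: one sanctioned cross-account grant, one grant that
# mixes an unknown account with a sanctioned one, one public grant, one Deny.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::133122223862:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Sid": "Unknown", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:user/ext", "113122223861"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"]},
        {"Sid": "Public", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Sid": "DenyOther", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::finance-reports/*"},
    ],
})

def principal_accounts(principal):
    """Yield the account IDs a statement's Principal names; '*' stands for a public grant."""
    if principal == "*":
        yield "*"
        return
    if isinstance(principal, dict):
        # Only the AWS key names accounts; Service and Federated principals are not accounts.
        values = principal.get("AWS", [])
    else:
        values = principal
    if isinstance(values, str):
        values = [values]
    for v in values:
        if v == "*":
            yield "*"
        elif ACCOUNT_RE.match(v):
            yield v
        else:
            m = ARN_RE.match(v)
            if m:
                yield m.group(2)

def unsanctioned_grants(policy_json, sanctioned):
    """Return [(Sid, account)] for Allow statements whose principal is outside the sanctioned set."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":  # Deny statements grant nothing
            continue
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct not in sanctioned:
                findings.append((stmt.get("Sid", "<no Sid>"), acct))
    return findings

if __name__ == "__main__":
    for sid, acct in unsanctioned_grants(BUCKET_POLICY, SANCTIONED):
        print(f"statement {sid!r} grants access to account {acct}")
```

The run reports the Unknown statement (account 999988887777) and the Public statement (principal "*"). A wildcard principal is reported because a public grant is never a sanctioned account. The example does not evaluate Condition blocks, so a statement that restricts Principal "*" with a key such as aws:PrincipalOrgID would still be reported; treat such a finding as something to review rather than as proof of exposure.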

Creating Alerts for Setting AWS Roles

Create a policy alert to maintain control over role definitions, which in turn control user permissions.

For this type of policy to take effect, you must register the AWS application instance in "push controls" mode. See Using an IAM User: Creating a Dedicated Service User, or Using an IAM Role: Creating a Dedicated Service Role.

Every IAM role in the Identity and Access Management (IAM) component of AWS carries a set of permissions: a trust (assume-role) policy that says which users, services, or accounts may assume the role, plus the managed and inline policies attached to it. Whoever can assume the role obtains those permissions, so a change to the role definition changes what its users can do.

Within the policy definition, you can set Oracle CASB Cloud Service to automatically reset the IAM role to a set of permissions that you define.

  1. Get a text file with the role definition that you want to enforce:

    In the AWS command line, type:

    aws iam get-account-authorization-details --filter Role > roles.json

    The command prints the details of every role in the account as JSON; the redirection saves them to roles.json, from which you copy the entry for the role you want to enforce.

    Note:

    This is based on command line version 1.7.31. Earlier versions might not support this command.

    Here is an example of an AWS role and corresponding policy document. Note that the details for the role must be specific to your environment; reusing this example will not match anything in your account.

    {
      "RoleDetailList": [
        {
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Principal": {
                  "Service": "ec2.amazonaws.com"
                },
                "Effect": "Allow",
                "Sid": ""
              }
            ]
          },
          "RoleId": "AROAIQ7QZ3VGHPLAGAEE6A",
          "CreateDate": "2015-06-30T21:11:12Z",
          "InstanceProfileList": [
            {
              "InstanceProfileId": "AIPAISYI4XOL4IQAGJIRW",
              "Roles": [
                {
                  "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Action": "sts:AssumeRole",
                        "Principal": {
                          "Service": "ec2.amazonaws.com"
                        },
                        "Effect": "Allow",
                        "Sid": ""
                      }
                    ]
                  },
                  "RoleId": "AROAIQ7QZ4VGHPLGAEE6A",
                  "CreateDate": "2015-06-30T21:11:12Z",
                  "RoleName": "auditorRole",
                  "Path": "/",
                  "Arn": "arn:aws:iam::012345678901:role/auditorRole"
                }
              ],
              "CreateDate": "2015-06-30T21:11:12Z",
              "InstanceProfileName": "auditorRole",
              "Path": "/",
              "Arn": "arn:aws:iam::012345678901:instance-profile/auditorRole"
            }
          ],
          "RoleName": "auditorRole",
          "Path": "/",
          "AttachedManagedPolicies": [
            {
              "PolicyName": "SecurityAudit",
              "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
            }
          ],
          "RolePolicyList": [],
          "Arn": "arn:aws:iam::012345678901:role/auditorRole"
        }
      ],
      "GroupDetailList": [],
      "UserDetailList": [],
      "Policies": [],
      "IsTruncated": false
    }
  2. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  3. Click New Policy.

  4. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  5. In the Resources page, do the following:

    • Application type:AWS

    • Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    • Resource: Select IAM role.

    • Identify resource by name: select Name and enter the role name (for example, auditorRole).

    • Action: Select UpdateAssumeRolePolicy, DeleteRole, DeleteRolePolicy, DetachRolePolicy, AttachRolePolicy, or PutRolePolicy.

      These actions trigger the alert when someone changes an IAM role's definition: its trust (assume-role) policy, its attached managed policies, or its inline policies. The definition that you paste in step 9 is the role's entry in the output of the AWS command that you ran in step 1:

      aws iam get-account-authorization-details --filter Role

      Note:

      To be able to reset the role definition in addition to generating the alert, do not configure any other actions in this policy.
    • When you are done, click Next.

  6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  7. Click Next and in the conditions page, Parameter drop-down, select any additional filter that you want to apply, an operator, and a value for the filter.

    You probably want to skip this step so that the policy applies no matter which user or service changes the role. For additional information about filters, see Creating a Policy.

  8. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  9. To reset the role, in the actions page, select the Reset the role checkbox and then paste the definition of the IAM role that you want to enforce (the role's entry from the JSON that you saved in step 1).

  10. When you are done, click Next, and after reviewing your settings, click Next.

  11. Click Done. Oracle CASB Cloud Service now monitors for changes to the role.

    When it detects a change, Oracle CASB Cloud Service attempts to reset the role definition. It also creates a risk event in Risk Events.

  12. To find alerts that this policy has triggered:

    1. In the Oracle CASB Cloud Service console, select Risk Events.

    2. Drop down the Status list and select:

      • Resolved - to view role updates that Oracle CASB Cloud Service resolved automatically.

      • Open - to view role updates that Oracle CASB Cloud Service was unable to resolve.

    3. If you need additional filtering for the list of events, type the policy name or action in the search field.
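A way to see what the reset in step 11 has to undo, as an added example (illustrative code written for this page, not Oracle CASB Cloud Service code and not an Oracle API): compare a role's current definition with the baseline captured in step 1 and derive the IAM calls that restore the baseline. BASELINE is the auditorRole entry from the output above, reduced to the fields that define the role's permissions; CURRENT is a constructed drifted copy. The tuples name real IAM API actions with their real parameter names, but the example only computes them; issuing them (for instance through boto3's iam client) is left out so that the code runs offline.

```python
"""Diff an IAM role against a saved baseline and list the calls a reset would make.
Example code added to this page; not Oracle CASB code."""
import json

# Baseline: the auditorRole entry shown above, reduced to the permission-defining fields.
BASELINE = {
    "RoleName": "auditorRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"},
         "Effect": "Allow", "Sid": ""}]},
    "AttachedManagedPolicies": [
        {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}],
    "RolePolicyList": [],
}

# Constructed "current" state: the trust policy now also admits an outside account,
# AdministratorAccess is attached, and an inline policy grants s3:* on everything.
CURRENT = {
    "RoleName": "auditorRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"},
         "Effect": "Allow", "Sid": ""},
        {"Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Effect": "Allow", "Sid": ""}]},
    "AttachedManagedPolicies": [
        {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
    "RolePolicyList": [{"PolicyName": "s3-all", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}],
}

def canonical(doc):
    """Serialize a policy document so key order and whitespace do not register as drift."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))

def role_drift(baseline, current):
    """Return the IAM calls, as (API action, parameters) tuples, that restore the baseline."""
    role = baseline["RoleName"]
    fixes = []
    if canonical(baseline["AssumeRolePolicyDocument"]) != canonical(current["AssumeRolePolicyDocument"]):
        fixes.append(("UpdateAssumeRolePolicy",
                      {"RoleName": role, "PolicyDocument": canonical(baseline["AssumeRolePolicyDocument"])}))
    base_arns = {p["PolicyArn"] for p in baseline["AttachedManagedPolicies"]}
    cur_arns = {p["PolicyArn"] for p in current["AttachedManagedPolicies"]}
    for arn in sorted(cur_arns - base_arns):   # attached since the baseline: detach
        fixes.append(("DetachRolePolicy", {"RoleName": role, "PolicyArn": arn}))
    for arn in sorted(base_arns - cur_arns):   # removed since the baseline: re-attach
        fixes.append(("AttachRolePolicy", {"RoleName": role, "PolicyArn": arn}))
    base_inline = {p["PolicyName"]: canonical(p["PolicyDocument"]) for p in baseline["RolePolicyList"]}
    cur_inline = {p["PolicyName"]: canonical(p["PolicyDocument"]) for p in current["RolePolicyList"]}
    for name in sorted(set(cur_inline) - set(base_inline)):  # new inline policy: delete
        fixes.append(("DeleteRolePolicy", {"RoleName": role, "PolicyName": name}))
    for name, doc in sorted(base_inline.items()):
        if cur_inline.get(name) != doc:         # missing or modified inline policy: put it back
            fixes.append(("PutRolePolicy", {"RoleName": role, "PolicyName": name, "PolicyDocument": doc}))
    return fixes

if __name__ == "__main__":
    for api, params in role_drift(BASELINE, CURRENT):
        print(api, json.dumps(params))
```

For the constructed drift the result is three calls: UpdateAssumeRolePolicy, DetachRolePolicy for AdministratorAccess, and DeleteRolePolicy for s3-all; the API names are exactly the actions selected in step 5, which is a useful cross-check that the policy watches every way the definition can change. DeleteRole is not covered because a deleted role has nothing left to diff; it needs a CreateRole to recreate it rather than a reset.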

Creating Alerts for Cloud HSM

Create policy alerts for specified actions on Cloud Hardware Security Module (HSM).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Cloud HSM

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the tag key in the box below.

    Note:

    Some resources do not have a tag option.
  5. Drop down the Action on this resource list and select an action:
    Action on this Resource Description

    Any

    Any of the available actions taken on the specified Cloud HSM.

    Create HSM

    An HSM has been created.

    Create cluster

    An HSM cluster has been created.

    Delete HSM

    An HSM has been deleted.

    Delete cluster

    An HSM cluster has been deleted.

    Describe backups

    HSM backups have been described.

    Describe clusters

    HSM clusters have been described.

    Initialize cluster

    An HSM cluster has been initialized.

    List tags

    HSM tags have been listed.

    Tag resource

    An HSM resource has been tagged.

    Untag resource

    An HSM resource has been untagged.

    For additional information about HSM actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for RDS

Create policy alerts for specified actions on Relational Database Service (RDS).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Relational Database Service

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource   Description
    Any                       Any of the available actions taken on the specified RDS resource.
    Delete DB cluster         An RDS cluster has been deleted.
    Delete DB snapshot        An RDS snapshot has been deleted.
    Modify DB cluster         An RDS cluster has been modified.
    Modify DB instance        An RDS instance has been modified.

    For additional information about RDS actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for ACM

Create policy alerts for specified actions on AWS Certificate Manager (ACM).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    AWS Certificate Manager

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource   Description
    Any                       Any of the available actions taken on the specified ACM resource.
    Delete certificate        A certificate has been deleted.

    For additional information about ACM actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for Auto Scaling

Create policy alerts for specified actions on AWS Auto Scaling.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Auto Scaling

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource     Description
    Any                         Any of the available actions taken on the specified Auto Scaling resource.
    Delete auto scaling group   An Auto Scaling group has been deleted.

    For additional information about AWS Auto Scaling actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for ELB

Create policy alerts for specified actions on AWS Elastic Load Balancing (ELB).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Elastic Load Balancing

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource                   Description
    Any                                       Any of the available actions taken on the specified ELB.
    Apply security groups to load balancer    One or more security groups have been applied to the ELB.
    Create listener                           A listener has been created on the ELB.
    Delete listener                           A listener has been deleted from the ELB.
    Modify listener                           A listener has been modified on the ELB.
    Register instances with load balancer     One or more instances have been registered with the ELB.

    For additional information about ELB actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for KMS

Create policy alerts for specified actions on AWS Key Management Service (KMS).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Key Management Service

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource   Description
    Any                       Any of the available actions taken on the specified KMS key.
    Create key                A key has been created.
    Import key material       Key material has been imported into a key.
    Put key policy            A key policy has been attached to a key, replacing the policy that was in force.

    For additional information about KMS actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for Redshift

Create policy alerts for specified actions on Redshift.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Redshift

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource   Description
    Any                       Any of the available actions taken on the specified Redshift resource.
    Delete cluster            A Redshift cluster has been deleted.

    For additional information about Redshift actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for Route 53

Create policy alerts for specified actions on Route 53.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Route 53

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource             Description
    Any                                 Any of the available actions taken on the specified Route 53 resource.
    Delete health check                 A health check has been deleted.
    Delete hosted zone                  A hosted zone has been deleted.
    Delete traffic policy               A traffic policy has been deleted.
    Delete traffic policy instance      A traffic policy instance has been deleted.
    Disassociate VPC from hosted zone   A VPC has been disassociated from a hosted zone.

    For additional information about Route 53 actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for Direct Connect

Create policy alerts for specified actions on Direct Connect.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Direct Connect

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource            Description
    Any                                Any of the available actions taken on the specified Direct Connect resource.
    Confirm connection                 A connection has been confirmed.
    Create BGP peer                    A BGP peer has been created.
    Create connection                  A connection has been created.
    Create direct connect gateway      A Direct Connect gateway has been created.
    Create interconnect                An interconnect has been created.
    Delete BGP peer                    A BGP peer has been deleted.
    Delete connection                  A connection has been deleted.
    Delete direct connect gateway      A Direct Connect gateway has been deleted.
    Delete interconnect                An interconnect has been deleted.
    Describe connections               One or more connections have been described.
    Describe direct connect gateways   One or more Direct Connect gateways have been described.
    Describe interconnects             One or more interconnects have been described.

    For additional information about Direct Connect actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Creating Alerts for Elastic Search

Create policy alerts for specified actions on Elastic Search.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click New Policy.
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, specify the resource as follows:
    Field Value

    Application Type

    AWS

    Instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Elastic Search

    Identify resource by name or tag

    To identify the resource by its name, select Name, then select one of these options:
    • Text — then select a comparison from the drop-down list, and enter text in the box below.

    • Regular expression — then enter the regular expression in the box below.

    To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

  5. Drop down the Action on this resource list and select an action:
    Action on this Resource               Description
    Any                                   Any of the available actions taken on the specified Elastic Search domain.
    Update elastic search domain config   An Elastic Search domain configuration has been updated.

    For additional information about Elastic Search actions, see Amazon's online documentation.

  6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.
  7. Complete the alert as shown in the previous procedures.

Condition Parameters for AWS Alerts

The table below lists the parameters you can configure in the Conditions page of an AWS policy alert.

Parameter: IP address v4
  Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
  Value: A comma-separated list of IPv4 addresses.

Parameter: SSH Key Used
  Operator: The drop-down list determines whether you are setting a minimum, maximum, or exact value.
  Value: The number of days SSH keys may be kept before rotating them.

Parameter: Timestamp
  Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (within a 24-hour day).
  Value: A time in 24-hour HH:MM:SS format.

Parameter: City, State, or Country
  Operator:
  • Equal to requires matching the name you enter in Value.

  • Not Equal to requires not matching the name you enter in Value.

  • In requires matching any one of several names you enter in Value.

  • Not in requires matching none of several names you enter in Value.

  Value: The name of the city, the state or province, or the country in the physical address that is associated with the IP address.

Parameter: Tag
  Operator: Include or exclude this tag (Equal to or Not equal to). Select In or Not in if you want to enter a list of tags.
  Value: You do not need to repeat a selection of Tag if you already entered tags in an earlier step. There are a few ways to specify an AWS tag:

  • As a complete key:value pair for the AWS tag.

  • As a single key name.

  • As a comma-separated list of key names or key:value pairs. The list is treated as a logical OR.

Parameter: Recipient (or Audience)
  Operator: Include or exclude this user (Contains or Does not contain).
  Value: Available for AWS only if, on the Resources page of the policy wizard, you selected S3 resources and the Share action. Takes a string that matches one or more users.

Sample AWS Alerts

View sample alert data as templates for your own alerts.

Each sample gives the policy Name and Description, the Resource selection, the User or Group selection, the Condition, and the Action taken (creating a risk event is mandatory; sending email is optional).

AWS: Track EC2 after hours instance termination
  Description: Track any after hours (after 8:00 p.m.) termination of an EC2 instance.
  Resource: Type: EC2 Instance; Action: TerminateInstances; Select: Name; Regular expression: i-.*
  User or Group: (leave blank)
  Condition: Parameter: Timestamp; Operator: Greater than; Value: 20:00
  Action: Create a risk event; Send email

AWS: Track SSH key rotations
  Description: Monitor rotation of AWS SSH keys.
  Resource: Type: EC2 Instance; Action: Any; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: Parameter: SSH Key Used; Operator: Greater than; Value: 14
  Action: Create a risk event

AWS: Track after hours access S3
  Description: Track after hours (after 8:00 p.m.) access to S3 resources.
  Resource: Type: S3 Object; Action: Any; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: Parameter: Timestamp; Operator: Greater than; Value: 20:00
  Action: Create a risk event

AWS: Firewall - change to inbound configuration
  Description: Track additions to a security group (an EC2 firewall) ingress configuration (allowed incoming ports/protocols). The sample matches only the authorize action, not revocations.
  Resource: Type: EC2 Security Group; Action: AuthorizeSecurityGroupIngress; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event

AWS: Firewall - Change to outbound configuration
  Description: Track additions to a security group (an EC2 firewall) egress configuration (allowed outgoing ports/protocols). The sample matches only the authorize action, not revocations.
  Resource: Type: EC2 Security Group; Action: AuthorizeSecurityGroupEgress; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event

AWS: New firewall
  Description: Track creation of any new security group (an EC2 firewall).
  Resource: Type: EC2 Security Group; Action: CreateSecurityGroup; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event

AWS: New network ACL
  Description: Track creation of a network ACL (VPC firewall).
  Resource: Type: EC2 Network; Action: CreateNetworkAcl; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event

AWS: New network ACL rule
  Description: Track addition of a rule to a network ACL (VPC firewall).
  Resource: Type: EC2 Network; Action: CreateNetworkAclEntry; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event; Send email

AWS: Delete network ACL
  Description: Track deletion of a network ACL (VPC firewall).
  Resource: Type: EC2 Network; Action: DeleteNetworkAcl; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event; Send email

AWS: Create SAML IdP
  Description: Track creation of any SAML Identity Provider (a reminder to confirm that the IdP has authorized access).
  Resource: Type: IAM IdProvider; Action: CreateSAMLProvider; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event; Send email

AWS: Delete SSH key
  Description: Track deletion of any SSH key pair (possible loss of access to system resources).
  Resource: Type: EC2 KeyPair; Action: DeleteKeyPair; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event; Send email

AWS: Delete VPC
  Description: Track deletion of a virtual private cloud (VPC), because VPCs are isolated and typically low-change configurations.
  Resource: Type: EC2 VPC; Action: DeleteVpc; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event; Send email

AWS: Create VPC
  Description: Track creation of a virtual private cloud (VPC), because VPCs are isolated and typically low-change configurations.
  Resource: Type: EC2 VPC; Action: CreateVpc; Select: Name; Regular expression: .*
  User or Group: (leave blank)
  Condition: (leave blank)
  Action: Create a risk event; Send email