CloudCheckr can alert when any number of critical events occurs within your AWS account. These alerts, which can be delivered via email, SNS topic, or PagerDuty, are also logged within your CloudCheckr account to be reviewed at any time. With CloudCheckr you can be alerted when you approach your monthly budget, when someone accesses your account using the Root user account, when a publicly accessible resource is launched, plus several other important scenarios.
CloudCheckr’s alerts can be found within their own section of the report navigation within each account. From there you can choose to manage Cost, Utilization and CloudTrail alerts.
The Cost Alert Builder allows you to create user-defined alerts based on a defined billing budget.
The Utilization Alert Builder allows you to create user-defined alerts across several different alert types. Depending on the type of alert chosen, you will be presented with configuration options specific to that type of alert.
The alert types offered are:
- EC2 Number of Instances – this alert is based on the number of EC2 instances running in your AWS account.
- EC2 Resource Utilization – this alert is based on the average CPU for the last 24 hours of any instances in your AWS account.
- New Publicly Accessible Resources – this alert is based on the availability of new public resources within the last 48 hours.
- Reserved Instance Utilization – this alert will notify you if a reserved instance is underutilized or unutilized.
- Resource Changes (via Config) – this alert shows you any changes in resources based on your AWS Config data.
- S3 Storage Used – this alert is based on the total S3 storage across all of your buckets.
- S3 Total Objects – this alert is based on the total number of S3 objects stored across all of your buckets.
When building the alert you can specify to be alerted via email, SNS topic, or through PagerDuty.
The Alert Manager is where you can view and manage all of your created Alerts within the Account.
You can take the following actions on any Alert:
- Delete – click the X icon to the far-right of the Alert to delete it. NOTE: This cannot be undone.
- Disable – click ‘On’ to the right of the Alert to disable it. No Alerts will be triggered on disabled Alerts. They can be re-enabled at any time by clicking ‘Off’.
- Edit – click on the name of any Alert you would like to edit. You will be presented with the same configuration options, including email options, used when creating the Alert. Be sure to Save after you make your changes.
In addition to the notification sent when an Alert is triggered, the details of the Alert will be saved within the Alert Results page of your CloudCheckr account. You can filter this page by the Alert type, the specific alert name as well as the start date and end date of the alert.
The CloudTrail Alerts section focuses on security-centered alerts, which rely on CloudTrail data from your account. To use these alerts, you must have CloudTrail enabled on your account and CloudTrail permissions must be added to your permissions policy. Although similar to the other Alerts, CloudTrail alerts also include unique features such as pre-configured alerts.
CloudTrail Alert Manager – Built-In Alerts
The CloudTrail Alert Manager allows you to enable/disable CloudCheckr’s recommended pre-configured Built-In CloudTrail alerts, or manage your user-created Custom Alerts. Within the Built-In Alerts tab, you simply enable or disable the pre-configured alerts. You can click on any to see the specific events and parameters that will trigger the alert, as well as configure the notification method (email, SNS topic, PagerDuty, Syslog, or Slack webhook). The Built-In Alerts allow you to quickly enable alerts without having to scour through the list of events to find the correct event types for your alert.
CloudTrail Alert Manager – Custom Alerts
The CloudTrail Custom Alert Builder allows you to create alerts based on all available events that are logged by the AWS CloudTrail service, including resource creation and deletion, modifications to IAM policies, and VPC reconfigurations. You can copy any pre-existing Built-In Alert and modify its parameters, or you can click the “Create New Alert” button to create an alert from scratch.
When creating CloudTrail alerts you can filter the alerts by events coming from specific AWS regions, services, or from specific IAM users. You can also limit alerts to events that occur within (or outside of) specific IP ranges, that occur against specific resources, or that contain specific Response and/or Request parameters.
This gives you total flexibility to be alerted to the precise activity that’s important to you. You also have the ability to ignore specific results to eliminate any noise, and review those ignored items later if necessary.
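The filter combination described above (region, service, IAM user, IP range inside or outside, request parameters) can be sketched as follows. This is an added example, not CloudCheckr code: the rule format, function names and sample records are constructed for illustration, and only the CloudTrail field names (awsRegion, eventSource, userIdentity, sourceIPAddress, requestParameters) come from the CloudTrail record format.

```python
import ipaddress

# Hypothetical rule format invented for this example; empty/None means "any".
RULE = {
    "regions": {"us-east-1"}, "services": {"iam.amazonaws.com"}, "users": None,
    "ip_ranges": ["198.51.100.0/24"],   # constructed "office" range
    "ip_match": "outside",              # fire when the caller is outside the ranges
    "request_params": {"userName": "alice"},
}

def contains(actual, expected):
    """True if every expected key/value is present in the nested dict `actual`."""
    return isinstance(actual, dict) and all(
        contains(actual.get(k), v) if isinstance(v, dict) else actual.get(k) == v
        for k, v in expected.items())

def ip_condition(rule, source):
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # sourceIPAddress can be an AWS service name; treated as no match
    inside = any(addr in ipaddress.ip_network(r) for r in rule["ip_ranges"])
    return inside if rule["ip_match"] == "inside" else not inside

def matches(rule, event):
    """All conditions set in the rule must hold for the CloudTrail record."""
    user = event.get("userIdentity") or {}
    return all([
        not rule.get("regions") or event.get("awsRegion") in rule["regions"],
        not rule.get("services") or event.get("eventSource") in rule["services"],
        not rule.get("users") or user.get("userName") in rule["users"],
        not rule.get("ip_ranges") or ip_condition(rule, event.get("sourceIPAddress", "")),
        not rule.get("request_params")
        or contains(event.get("requestParameters"), rule["request_params"]),
    ])

def record(source, ip, params, name="PutUserPolicy"):
    # Constructed CloudTrail-style record with only the fields evaluated above.
    return {"awsRegion": "us-east-1", "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": "bob"},
            "sourceIPAddress": ip, "requestParameters": params}

SAMPLES = [  # constructed events, not real log data
    record("iam.amazonaws.com", "203.0.113.9", {"userName": "alice", "policyName": "p1"}),
    record("iam.amazonaws.com", "198.51.100.20", {"userName": "alice", "policyName": "p1"}),
    record("iam.amazonaws.com", "cloudformation.amazonaws.com", {"userName": "alice"}),
    record("ec2.amazonaws.com", "203.0.113.9", None, name="RunInstances"),
]
RESULTS = [matches(RULE, e) for e in SAMPLES]
```

Only the first record fires: the second comes from inside the range, the third carries a service name instead of an IP address, and the fourth is a different service.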
CloudTrail Alert Results
In addition to the notification sent when an Alert is triggered, the details of the Alert will be saved within the CloudTrail Alert Results page of your CloudCheckr account. This report offers several filtering options and the ability to choose which columns to show in the results. You can expand any alert to see further details, including the raw JSON of the CloudTrail event that triggered the alert. You also have the ability to ignore individual results.