How to detect change in AWS Security Group and take action

Security Groups are virtual firewalls that control the traffic to your AWS resources like EC2 and RDS. Your instances must have at least one security group attached to them. Security Groups that are attached to a server that receives traffic from the internet are even more important and should be carefully monitored. This could also be a compliance requirement or an audit need.

We can control using IAM policy who has access to change these resources, however, what if we also wanted a permanent record of a change made to a Security Group.

This post explains how to detect a change in AWS security group and take some action. In this example, a lambda function publishes the event to SNS. You could modify the lambda code to take some other kind of action if needed.

This method uses a CloudWatch event which triggers only for a specific event condition and then invokes a lambda function. The event selector looks for an API event in CloudTrail that is published when a change is made to a security group.

To set up this, follow these steps:

Setup a CloudTrail if you do not have one in your account.

Create an SNS Topic and create a subscription for it.

Add a lambda execution role and policy with access to CloudWatch logs and to publish to a topic.

Create a lambda function which uses our SNS Topic.

    var eventText = JSON.stringify(event, null, 2);
    console.log("Received event:", eventText);
    var sns = new AWS.SNS();
    var params = {
        Message: eventText, 
        Subject: "Event Catcher in aws-region:",
        TopicArn: "arn:aws:sns:aws-region:account-id:email-alert"
    sns.publish(params, context.done);

You do not have to send the entire event, the information passed to SNS could be altered. It is also possible to have a different lambda function invocation by the same event.

Setup a CloudWatch Events rule that is looking for a specific API call and the target of this rule is a lambda function.
The events we are looking for are AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress.

"detail-type": [
"AWS API Call via CloudTrail"
"detail": {
"eventSource": [
"eventName": [
"requestParameters": {
"groupId": [

To match against any security group, leave out the requestParameters.

Test this, make a change to security group sg-abcdef and wait for the lambda function to trigger.

To troubleshoot,

  1. Start by checking if you can find your event in CloudTrail.
  2. Check CloudWatch logs for lambda execution messages.


You can setup CloudWatch events that look for other API calls and your target need not be a lambda. There are many other AWS services that you can select for your target.

Photo Credit

unsplash-logoBernard Hermant


  1. An interesting thing to note is that you will still get a notification if a security group change operation fails.

    “errorCode”: “Client.UnauthorizedOperation”,
    “errorMessage”: “You are not authorized to perform this operation. Encoded authorization failure message:….”

Leave a Reply