Description:
AWS Directory Service provides a way to manage user identities and access to resources in the AWS cloud. It is important to be notified of events in Directory Service, such as user logins, changes to group memberships, and failed authentication attempts.
This policy ensures that Directory Service is configured to send notifications to an Amazon SNS topic. This allows you to be notified of events in Directory Service in real time, so that you can take action as needed.
Rationale:
Setting up Directory Service SNS notifications can help to:
- Be notified of security issues, such as unauthorized access to resources.
- Troubleshoot problems with Directory Service.
- Meet compliance requirements.
Impact:
If Directory Service is not configured to send notifications to an Amazon SNS topic, then you may not be aware of events in Directory Service until it is too late. This could lead to unauthorized access to resources, data breaches, or other security vulnerabilities.
Default Value:
AWS recommends configuring Directory Service to send notifications to an Amazon SNS topic, so that you receive notifications of events in Directory Service in real time.
Pre-requisites:
- Access to the AWS Directory Service console or the AWS CLI.
- Knowledge of Amazon SNS topics.
Remediation Steps:
- Go to the AWS Directory Service console or the AWS CLI.
- Select the Directory Service that you want to configure for SNS notifications.
- Click on the "Notifications" tab.
- Click on the "Create notification" button.
- Select the "Amazon SNS topic" notification type.
- Enter the ARN of the Amazon SNS topic that should receive the notifications.
- Click on the "Save" button.
Test Plan:
- Verify that the Amazon SNS topic is receiving notifications from Directory Service.
- Simulate an event in Directory Service, such as a user login or a change to group memberships.
- Verify that the Amazon SNS topic receives a notification of the event.
Implementation Plan:
- Follow the remediation steps to configure SNS notifications for Directory Service.
- Test the notifications to make sure that they are working correctly.
AWS CLI Process:
To configure SNS notifications for a Directory Service using the AWS CLI, you can use the following command:
aws ds register-event-topic --directory-id <directory-id> --topic-name <topic-name>
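The following audit script is an added example, not part of this policy or of any AWS tooling. It covers the verification step of the test plan (confirming that every directory has a healthy SNS event topic registered) as well as the CLI process above: it reads the JSON that `aws ds describe-directories` and `aws ds describe-event-topics` (run with no arguments, which lists all associations) produce, and reports each directory as PASS, FAIL or SKIP. The directory IDs, names, topic names and account number in the embedded sample data are constructed placeholders.

```python
import json
import sys

# Constructed sample shaped like `aws ds describe-directories` output.
# Only the fields the check needs are included; all IDs and names are placeholders.
SAMPLE_DIRECTORIES = {
    "DirectoryDescriptions": [
        {"DirectoryId": "d-1111111111", "Name": "corp.example.com", "Stage": "Active"},
        {"DirectoryId": "d-2222222222", "Name": "lab.example.com", "Stage": "Active"},
        {"DirectoryId": "d-3333333333", "Name": "old.example.com", "Stage": "Active"},
        {"DirectoryId": "d-4444444444", "Name": "new.example.com", "Stage": "Creating"},
    ]
}

# Constructed sample shaped like `aws ds describe-event-topics` output with no
# filters, i.e. every directory/topic association in the region.
SAMPLE_EVENT_TOPICS = {
    "EventTopics": [
        {"DirectoryId": "d-1111111111", "TopicName": "ds-status-alerts",
         "TopicArn": "arn:aws:sns:us-east-1:123456789012:ds-status-alerts",
         "Status": "Registered"},
        # d-2222222222 has no association at all.
        # d-3333333333 has an association whose SNS topic was deleted.
        {"DirectoryId": "d-3333333333", "TopicName": "retired-alerts",
         "TopicArn": "arn:aws:sns:us-east-1:123456789012:retired-alerts",
         "Status": "Topic not found"},
    ]
}


def audit_event_topics(directories, event_topics):
    """Return {directory_id: finding} for every directory in `directories`.

    A directory passes only if at least one associated SNS topic reports
    Status "Registered". Directories that are not yet Active are marked SKIP
    rather than FAIL, because a topic cannot be registered until creation
    finishes.
    """
    by_dir = {}
    for topic in event_topics.get("EventTopics", []):
        by_dir.setdefault(topic["DirectoryId"], []).append(topic)

    findings = {}
    for d in directories.get("DirectoryDescriptions", []):
        did = d["DirectoryId"]
        stage = d.get("Stage")
        if stage != "Active":
            findings[did] = f"SKIP: directory stage is {stage}"
            continue
        topics = by_dir.get(did, [])
        if not topics:
            findings[did] = "FAIL: no SNS event topic registered"
            continue
        healthy = [t for t in topics if t.get("Status") == "Registered"]
        if healthy:
            findings[did] = "PASS: " + ", ".join(t["TopicArn"] for t in healthy)
        else:
            detail = ", ".join(f"{t['TopicName']} ({t.get('Status')})" for t in topics)
            findings[did] = f"FAIL: no healthy topic association: {detail}"
    return findings


def noncompliant_ids(findings):
    """Sorted list of directory IDs whose finding is a FAIL."""
    return sorted(did for did, text in findings.items() if text.startswith("FAIL"))


if __name__ == "__main__":
    # Usage: python audit_ds_sns.py directories.json event_topics.json
    # With no arguments the constructed sample data is audited instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            dirs = json.load(f)
        with open(sys.argv[2]) as f:
            topics = json.load(f)
    else:
        dirs, topics = SAMPLE_DIRECTORIES, SAMPLE_EVENT_TOPICS

    result = audit_event_topics(dirs, topics)
    for did, text in sorted(result.items()):
        print(f"{did}: {text}")
    # Non-zero exit lets a CI or scheduled job treat any FAIL as a policy violation.
    sys.exit(1 if noncompliant_ids(result) else 0)
```

On the sample data the script reports d-1111111111 as PASS, d-2222222222 and d-3333333333 as FAIL, and d-4444444444 as SKIP. A FAIL for a missing association is fixed with `aws ds register-event-topic`; a FAIL with status "Topic not found" means the SNS topic itself was deleted and must be recreated (or the stale association removed with `aws ds deregister-event-topic`) before notifications will flow again.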
Using AWS GUI:
To configure SNS notifications for a Directory Service using the AWS GUI, you can follow these steps:
- Go to the AWS Directory Service console.
- Select the Directory Service that you want to configure for SNS notifications.
- Click on the "Notifications" tab.
- Click on the "Create notification" button.
- Select the "Amazon SNS topic" notification type.
- Enter the ARN of the Amazon SNS topic that should receive the notifications.
- Click on the "Save" button.
Backout Plan:
To back out the changes to the SNS notification configuration, you can follow these steps:
- Go to the AWS Directory Service console or the AWS CLI.
- Select the Directory Service that you want to disable SNS notifications for.
- Click on the "Notifications" tab.
- Click on the "Delete notification" button next to the notification that you want to disable.
- Click on the "Save" button.
Note:
- This policy is only applicable to Directory Services that are running in the AWS cloud.
- If you are not sure whether a Directory Service is running in the AWS cloud, you can check the "Region" field in the AWS Directory Service console.
Reference:
- AWS Directory Service documentation on SNS notifications: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_enable_notifications.html