Amazon EventBridge – Intercept API Calls

  • EventBridge can react to specific API calls recorded by CloudTrail in near real time: CloudTrail forwards management events to the default event bus of the Region where the call was made, with the detail-type "AWS API Call via CloudTrail" and the full CloudTrail record (userIdentity, requestParameters, sourceIPAddress, ...) in the event's detail field.
  • Useful for monitoring sensitive operations and automating responses to policy violations or risky changes.
  • Caveat: not every call is delivered. Read-only management calls (List*, Get*, Describe*) have traditionally been excluded, and events larger than 256 KB are dropped, so check the EventBridge documentation for the specific API before relying on a rule. Delivery is asynchronous: the call has already succeeded by the time the rule fires, so a rule can detect and react, never block.

Example: Sensitive DynamoDB Action

  • A DeleteTable API call is made against a production table.
  • CloudTrail records the event and forwards it to EventBridge.
  • An EventBridge rule whose event pattern matches source aws.dynamodb and detail.eventName DeleteTable triggers one or more targets:
    • SNS alert to the security team
    • Writing an audit record to DynamoDB or S3 (the event already carries who made the call, from where, and which table)
    • Automated remediation via Lambda (e.g., restore from a point-in-time backup, or revoke the caller's session)

Common Monitored Actions

  • AssumeRole calls for privilege escalation detection: filter on userIdentity and requestParameters.roleArn, otherwise service-initiated assumptions (Lambda execution roles, EC2 instance profiles) make the rule too noisy to act on
  • Security group changes like AuthorizeSecurityGroupIngress (and the Revoke*/Egress variants)
  • IAM policy or role modifications (PutRolePolicy, AttachUserPolicy, CreatePolicyVersion, UpdateAssumeRolePolicy, ...)
  • Resource deletions (e.g., S3 bucket, RDS instance)
  • Region caveat: IAM is a global service and its API calls are recorded in us-east-1 only, and calls to the global STS endpoint are recorded there too, so rules for IAM and AssumeRole must be deployed on the us-east-1 event bus or they never fire
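The following is an added example, not code from the original notes or from AWS: it writes the event patterns for the DeleteTable example above and for the common monitored actions, then runs a small re-implementation of EventBridge's matching semantics (exact values, `prefix`, `anything-but`) over constructed sample events so the rules can be checked offline. The account ID, ARNs, user names and table name are made-up sample data; `cloudtrail_event`, `matches`, `triage` and `rule_document` are helper names chosen here, not AWS APIs.

```python
"""Added example: EventBridge event patterns for CloudTrail API calls, checked offline."""
import json

ACCOUNT = "123456789012"  # constructed sample account ID, not a real account

# Event patterns in the exact JSON shape EventBridge accepts (aws events put-rule --event-pattern).
RULES = {
    "dynamodb-delete-table": {
        "source": ["aws.dynamodb"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["dynamodb.amazonaws.com"], "eventName": ["DeleteTable"]},
    },
    "security-group-change": {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["ec2.amazonaws.com"],
                   "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                                 "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"]},
    },
    "iam-policy-change": {  # IAM is global: this rule only fires if deployed in us-east-1
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["iam.amazonaws.com"],
                   "eventName": [{"prefix": "Put"}, {"prefix": "Attach"}, {"prefix": "Detach"},
                                 "CreatePolicyVersion", "SetDefaultPolicyVersion",
                                 "UpdateAssumeRolePolicy"]},
    },
    "sensitive-assume-role": {
        "source": ["aws.sts"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["sts.amazonaws.com"], "eventName": ["AssumeRole"],
                   # drop AWS services assuming roles on our behalf (Lambda, EC2 instance profiles)
                   "userIdentity": {"type": [{"anything-but": "AWSService"}]},
                   # only care about privileged roles; prefix matching is EventBridge syntax
                   "requestParameters": {"roleArn": [{"prefix": f"arn:aws:iam::{ACCOUNT}:role/Admin"}]}},
    },
}


def _match_value(event_value, rule_values):
    """EventBridge leaf semantics: the event value must satisfy at least one listed rule value."""
    if isinstance(event_value, list):  # an event array matches if any element matches
        return any(_match_value(v, rule_values) for v in event_value)
    for rv in rule_values:
        if isinstance(rv, dict):
            if "prefix" in rv and isinstance(event_value, str) and event_value.startswith(rv["prefix"]):
                return True
            if "anything-but" in rv:
                excluded = rv["anything-but"]
                if event_value not in (excluded if isinstance(excluded, list) else [excluded]):
                    return True
        elif event_value == rv:
            return True
    return False


def matches(pattern, event):
    """True when every key in the pattern exists in the event and matches (nested dicts recurse)."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _match_value(event[key], rule):
            return False
    return True


def cloudtrail_event(service, event_name, identity_type="IAMUser", region="us-east-1", **params):
    """Constructed EventBridge envelope for a CloudTrail API call (sample data, not a real record)."""
    return {
        "source": f"aws.{service}",
        "detail-type": "AWS API Call via CloudTrail",
        "region": region,
        "detail": {"eventSource": f"{service}.amazonaws.com", "eventName": event_name,
                   "userIdentity": {"type": identity_type, "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
                   "requestParameters": params},
    }


# Constructed sample stream: the DeleteTable example plus noise and one call per monitored action.
SAMPLE_EVENTS = [
    cloudtrail_event("dynamodb", "DeleteTable", tableName="orders"),
    cloudtrail_event("dynamodb", "UpdateTable", tableName="orders"),  # mutating, but not in the rule
    cloudtrail_event("ec2", "AuthorizeSecurityGroupIngress", groupId="sg-0123456789abcdef0"),
    cloudtrail_event("iam", "PutRolePolicy", roleName="AppRole", policyName="inline-admin"),
    cloudtrail_event("sts", "AssumeRole", roleArn=f"arn:aws:iam::{ACCOUNT}:role/AdminAccess"),
    cloudtrail_event("sts", "AssumeRole", identity_type="AWSService",  # Lambda picking up its role
                     roleArn=f"arn:aws:iam::{ACCOUNT}:role/AdminAccess"),
]


def triage(events, rules=RULES):
    """Return (rule_name, eventName) for every rule/event pair that matches, in stream order."""
    return [(name, ev["detail"]["eventName"])
            for ev in events for name, pattern in rules.items() if matches(pattern, ev)]


def rule_document(rule_name):
    """JSON text for one rule, ready for `aws events put-rule --event-pattern file://pattern.json`."""
    return json.dumps(RULES[rule_name], indent=2)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT rule={hit[0]} eventName={hit[1]}")
    print(rule_document("dynamodb-delete-table"))
```

The local matcher is only for checking patterns before deployment; in production the pattern JSON goes into the rule and the targets (SNS, Lambda, Step Functions) receive the same envelope shape `cloudtrail_event` builds, so the `detail.userIdentity` and `detail.requestParameters` fields the patterns filter on are the ones to put in the alert.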

Benefits

  • Provides near-real-time security monitoring (detection and response after the call succeeds, not prevention)
  • Automates incident response and remediation
  • Integrates with SNS, Lambda, Step Functions, SQS, or custom workflows for flexible handling; a single rule can fan out to several targets