Configure AWS EventBridge and GCP Pub/Sub Audit Stream
Setup
Authress provides external integration for AWS EventBridge, GCP Pub/Sub, and others. With this integration, you can consume authentication and authorization events emitted by Authress to trigger custom actions or integrate with your existing SIEM (Security Information and Event Management) system.
Event catalog
AccessChanged
accessChanged.json
{
  "detail-type": "AccessChanged",
  "time": "2021-07-24T12:42:59Z",
  "detail": {
    "eventId": "uniqueDeduplicationEventId",
    "triggeredBy": {
      "recordId": "64dfc9d0-fced-4689-b831-5cb75839f6da",
      "version": "1627130549422"
    },
    "changes": [
      {
        "userId": "userId",
        "resourceUri": "/resources/resourceId-1",
        "operation": "ADDED"
      },
      {
        "userId": "userId",
        "resourceUri": "/resources/resourceId-2",
        "operation": "REMOVED"
      }
    ]
  }
}
Authorization Request
authorizationRequest.json
{
  "detail-type": "AuthorizationRequest",
  "time": "2021-07-24T12:42:06Z",
  "detail": {
    "eventId": "uniqueDeduplicationEventId",
    "count": 1,
    "user": { "userId": "userId" },
    "resource": { "resourceUri": "/resources/requestedResourceId" },
    "permission": { "action": "resources:read" },
    "authorizationResult": "ALLOWED"
  }
}
Login Request
loginRequest.json
{
  "detail-type": "LoginRequest",
  "time": "2021-07-24T12:42:06Z",
  "detail": {
    "eventId": "uniqueDeduplicationEventId",
    "user": { "userId": "userId" },
    "loginResult": "SUCCESS"
  }
}
Additional information
AWS EventBridge does not provide automated deduplication, so some events are sent multiple times. Use the unique eventId field, found under detail in every event, for idempotent handling.
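One way to do the idempotent handling described above, as an added example rather than Authress's own code: a consumer that skips repeated eventId values and flattens the three catalog events into rows for a SIEM. The sample deliveries, the row layout and the names normalize, AuditConsumer and run are assumptions, and the in-memory set stands in for a durable store.

```python
def _event(kind, event_id, **detail):
    return {"detail-type": kind, "time": "2021-07-24T12:42:06Z",
            "detail": {"eventId": event_id, **detail}}

# Constructed deliveries shaped like the catalog entries; evt-1 arrives twice.
SAMPLE_DELIVERIES = [
    _event("LoginRequest", "evt-1", user={"userId": "user-a"}, loginResult="SUCCESS"),
    _event("AccessChanged", "evt-2", changes=[
        {"userId": "user-a", "resourceUri": "/resources/r-1", "operation": "ADDED"},
        {"userId": "user-a", "resourceUri": "/resources/r-2", "operation": "REMOVED"}]),
    _event("LoginRequest", "evt-1", user={"userId": "user-a"}, loginResult="SUCCESS"),
]

def normalize(event):
    """Flatten one event into SIEM-style rows (the row layout is an assumption)."""
    kind, detail = event["detail-type"], event["detail"]
    base = {"time": event.get("time"), "kind": kind, "eventId": detail["eventId"]}
    if kind == "AccessChanged":  # one row per changed user/resource pair
        return [{**base, "user": c["userId"], "resource": c["resourceUri"],
                 "outcome": c["operation"]} for c in detail["changes"]]
    if kind == "AuthorizationRequest":
        return [{**base, "user": detail["user"]["userId"],
                 "resource": detail["resource"]["resourceUri"],
                 "outcome": detail["authorizationResult"]}]
    if kind == "LoginRequest":
        return [{**base, "user": detail["user"]["userId"], "resource": None,
                 "outcome": detail["loginResult"]}]
    # Unknown event types are kept as a bare row instead of being dropped.
    return [{**base, "user": None, "resource": None, "outcome": None}]

class AuditConsumer:
    def __init__(self):
        # Assumption: in-memory set. Across processes or restarts, use a durable
        # store with an atomic put-if-absent so concurrent consumers agree.
        self.seen = set()
        self.rows = []

    def handle(self, event):
        """Return True if processed, False if a duplicate delivery was skipped."""
        event_id = (event.get("detail") or {}).get("eventId")
        if not event_id:
            raise ValueError("missing detail.eventId; cannot deduplicate")
        if event_id in self.seen:
            return False
        self.rows.extend(normalize(event))  # a failure here leaves the id unmarked
        self.seen.add(event_id)             # mark only after the rows are recorded
        return True

def run(deliveries):
    consumer = AuditConsumer()
    return [consumer.handle(e) for e in deliveries], consumer.rows
```

Marking the eventId only after the rows are recorded means a delivery that fails partway is processed again on redelivery instead of being lost.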