Open-source CloudFormation templates for monitoring AWS Organizations with CloudWatch alarms and automated email notifications.
Cloudwatcher is an AWS security monitoring solution that automatically detects and alerts on suspicious activities in your AWS Organization. It monitors CloudTrail logs for security-relevant events and sends formatted email notifications when alarms are triggered.
- Access Denied - Failed authorization attempts
- GetCallerIdentity - Identity verification calls
- AttachUserPolicy - Policy attachment to users
- Authenticate - SSO authentication events
- CreateUser - New IAM user creation
- DeleteUser - IAM user deletion
- IAMUserActivity - General IAM user activity monitoring
- AWS Organization with CloudTrail enabled
- Must be deployed in the root account of your AWS Organization
- CloudTrail logs sent to a CloudWatch Log Group (by default, events flow into the aws-controltower/CloudTrailLogs log group)
- Email addresses for receiving alerts
Click the button below to launch the stack with pre-configured parameters:
Or use this direct link:
https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/quickcreate?templateURL=https%3A%2F%2Fcloudwatcher-cloudformation-prod.s3.eu-central-1.amazonaws.com%2Ftemplates%2Forganisation%2F0.1%2FRootStack.yaml&stackName=CLOUDWATCHER&param_EmailRecipient=&param_EnableCreateUserAlarm=true&param_EnableGetCallerIdentityAlarm=true&param_EnableAccessDeniedAlarm=true&param_EnableAuthenticateAlarm=true&param_EnableAttachUserPolicyAlarm=true&param_LogGroupName=aws-controltower%2FCloudTrailLogs&param_EnableDeleteUserAlarm=true&param_EnableIAMUserActivityAlarm=true
Template URL:
https://cloudwatcher-cloudformation-prod.s3.eu-central-1.amazonaws.com/templates/organisation/0.1/RootStack.yaml
After deployment, you will receive an AWS SNS confirmation email at the address you provided.
- You must click the confirmation link in the email to start receiving alerts
- The confirmation email may land in your spam/junk folder - please check there if you don't see it
- You will not receive any alarm notifications until you confirm the subscription
| Parameter | Description | Default |
|---|---|---|
| EmailRecipient | Email address for notifications | Required |
| Parameter | Description | Default |
|---|---|---|
| LogGroupName | CloudWatch Log Group name | aws-controltower/CloudTrailLogs |
| EnableAccessDeniedAlarm | Enable Access Denied alarm | true |
| EnableGetCallerIdentityAlarm | Enable GetCallerIdentity alarm | true |
| EnableAttachUserPolicyAlarm | Enable AttachUserPolicy alarm | true |
| EnableAuthenticateAlarm | Enable Authenticate alarm | true |
| EnableCreateUserAlarm | Enable CreateUser alarm | true |
| EnableDeleteUserAlarm | Enable DeleteUser alarm | true |
| EnableIAMUserActivityAlarm | Enable IAMUserActivity alarm | true |
Main orchestration template that deploys:
- CloudWatch Alarms Stack - Metric filters and alarms for security events
- Forwarding Lambda Stack - Processes alarms and sends email notifications
```text
CloudTrail Logs
      ↓
CloudWatch Log Group
      ↓
Metric Filters
      ↓
CloudWatch Alarms
      ↓
Lambda Function (Forwarding)
      ↓
SNS Topic
      ↓
Email Recipients
```
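The Metric Filters step above is where a raw CloudTrail record becomes a data point on an alarm's metric. The following is an added example, not code from the Cloudwatcher templates: the seven filter patterns are assumptions about what each alarm matches (the project's real patterns are not on this page), written in the CloudWatch Logs JSON filter-pattern syntax, and a small evaluator for the subset of that syntax used here runs them against constructed CloudTrail records so the matching can be checked offline.

```python
"""Added example (not Cloudwatcher's own code): how CloudWatch Logs metric
filters pick security events out of CloudTrail.  FILTER_PATTERNS are assumed
patterns for the seven alarms; the evaluator handles $.path = / != "value",
&&, || and parentheses, and is run against constructed records."""
import json
import re

# Assumed patterns, one per alarm (not copied from the project).  eventSource,
# eventName, errorCode and userIdentity.type are standard CloudTrail fields.
FILTER_PATTERNS = {
    "AccessDenied": '{ ($.errorCode = "AccessDenied") || ($.errorCode = "AccessDeniedException") }',
    "GetCallerIdentity": '{ ($.eventSource = "sts.amazonaws.com") && ($.eventName = "GetCallerIdentity") }',
    "AttachUserPolicy": '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "AttachUserPolicy") }',
    "Authenticate": '{ ($.eventSource = "sso.amazonaws.com") && ($.eventName = "Authenticate") }',
    "CreateUser": '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateUser") }',
    "DeleteUser": '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "DeleteUser") }',
    "IAMUserActivity": '{ $.userIdentity.type = "IAMUser" }',
}

_TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|=|\$\.[A-Za-z0-9_.]+|"[^"]*"|\S+)')


def compile_pattern(pattern):
    """Parse a { ... } JSON filter pattern into a tree of ("cmp", path, op, value),
    ("and", l, r) and ("or", l, r) tuples; && binds tighter than ||."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("JSON filter patterns are wrapped in { }")
    toks, pos = _TOKEN.findall(body[1:-1]), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def term():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok is None or not tok.startswith("$."):
            raise ValueError(f"expected a $.selector, got {tok!r}")
        op, value = take(), take()
        if op not in ("=", "!=") or value is None:
            raise ValueError(f"bad comparison after {tok}")
        return ("cmp", tok[2:].split("."), op, value.strip('"'))

    def and_expr():
        node = term()
        while peek() == "&&":
            take()
            node = ("and", node, term())
        return node

    def or_expr():
        node = and_expr()
        while peek() == "||":
            take()
            node = ("or", node, and_expr())
        return node

    node = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return node


def _lookup(record, path):
    for key in path:
        record = record.get(key) if isinstance(record, dict) else None
    return record


def _evaluate(node, record):
    if node[0] == "or":
        return _evaluate(node[1], record) or _evaluate(node[2], record)
    if node[0] == "and":
        return _evaluate(node[1], record) and _evaluate(node[2], record)
    _, path, op, expected = node
    actual = _lookup(record, path)
    if actual is None:  # assumption: a selector on an absent field never matches, even with !=
        return False
    return (str(actual) == expected) == (op == "=")  # equal for "=", unequal for "!="


def pattern_matches(pattern, record):
    return _evaluate(compile_pattern(pattern), record)


_COMPILED = {name: compile_pattern(p) for name, p in FILTER_PATTERNS.items()}


def matching_alarms(record):
    """Names of the alarms whose metric filter would count this CloudTrail record."""
    return [name for name, node in _COMPILED.items() if _evaluate(node, record)]


def scan(log_lines):
    """Match count per alarm over raw log lines (one JSON CloudTrail record each)."""
    counts = dict.fromkeys(FILTER_PATTERNS, 0)
    for line in filter(None, map(str.strip, log_lines)):
        for name in matching_alarms(json.loads(line)):
            counts[name] += 1
    return counts


# Constructed sample records, not real CloudTrail data.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser", "errorCode": "AccessDenied",
                "sourceIPAddress": "203.0.113.42", "userIdentity": {"type": "IAMUser", "principalId": "AIDAI3EXAMPLE"}}),
    json.dumps({"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"type": "AssumedRole"}}),
    json.dumps({"eventSource": "sso.amazonaws.com", "eventName": "Authenticate", "userIdentity": {"type": "Unknown"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}}),
]

if __name__ == "__main__":
    for name, count in scan(SAMPLE_LOG_LINES).items():
        print(f"{name:20s} {count}")
```

Note what the first sample record shows: a denied DeleteUser attempt is counted by the AccessDenied, DeleteUser and IAMUserActivity filters at once, so one action can raise several alarms. If an alarm should fire only on successful changes, its pattern needs an explicit `$.errorCode` exclusion; the patterns above do not add one, which is the more conservative choice for a detection.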
When an alarm triggers, you'll receive an email with:
```text
═══════════════════════════════════════════════════════════
🚨 CloudWatch Alarm: iam:AccessDeniedAlarm
═══════════════════════════════════════════════════════════
Status: OK → ALARM
Timestamp: 2025-10-29 22:15:30 UTC
Account: Production Account (123456789012)
────────────────────────────────────────────────────────────
📋 CloudWatch Log Entries (3 found)
────────────────────────────────────────────────────────────
[1] 2025-10-29 22:15:28 UTC
    Event: DeleteUser
    User: AIDAI3EXAMPLE
    Source IP: 203.0.113.42
    Error: AccessDenied
[2] 2025-10-29 22:15:29 UTC
    Event: AttachUserPolicy
    User: AIDAI3EXAMPLE
    Source IP: 203.0.113.42
    Error: AccessDenied
────────────────────────────────────────────────────────────
Generated by Cloudwatcher
═══════════════════════════════════════════════════════════
```
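The forwarding Lambda's job is to turn an alarm state change plus the CloudTrail records behind it into text like the sample above. The following is an added example and not the project's Lambda: it assumes the function is invoked through SNS with the standard CloudWatch alarm message (AlarmName, OldStateValue, NewStateValue, StateChangeTime, AWSAccountId), that account names come from a constructed lookup table, and that the matching log entries are supplied by a caller-provided `fetch_entries` function (in a real deployment that would be a CloudWatch Logs query) so the formatting can be exercised without AWS credentials.

```python
"""Added example (not Cloudwatcher's own Lambda): render an alarm notification
from the SNS alarm message and the CloudTrail records that triggered it."""
import json
from datetime import datetime, timezone

# Constructed account-name lookup; how Cloudwatcher labels accounts is an assumption.
ACCOUNT_NAMES = {"123456789012": "Production Account"}

RULE = "═" * 59
THIN = "─" * 60


def format_timestamp(value):
    """Normalise CloudTrail eventTime (...Z) and alarm StateChangeTime (...+0000) to UTC text."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is not None:
            parsed = parsed.astimezone(timezone.utc)
        return parsed.strftime("%Y-%m-%d %H:%M:%S UTC")
    return value  # keep unparseable input visible rather than hiding it


def describe_record(index, record):
    """Lines for one CloudTrail record; the Error line appears only when the call failed."""
    identity = record.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("principalId") or identity.get("arn", "unknown")
    lines = [
        f"[{index}] {format_timestamp(record.get('eventTime', ''))}",
        f"    Event: {record.get('eventName', 'unknown')}",
        f"    User: {actor}",
        f"    Source IP: {record.get('sourceIPAddress', 'unknown')}",
    ]
    if "errorCode" in record:
        lines.append(f"    Error: {record['errorCode']}")
    return lines


def render_notification(alarm, entries):
    account_id = alarm["AWSAccountId"]
    account = f"{ACCOUNT_NAMES.get(account_id, 'Unknown account')} ({account_id})"
    lines = [
        RULE,
        f"🚨 CloudWatch Alarm: {alarm['AlarmName']}",
        RULE,
        f"Status: {alarm['OldStateValue']} → {alarm['NewStateValue']}",
        f"Timestamp: {format_timestamp(alarm['StateChangeTime'])}",
        f"Account: {account}",
        THIN,
        f"📋 CloudWatch Log Entries ({len(entries)} found)",
        THIN,
    ]
    for index, record in enumerate(entries, start=1):
        lines.extend(describe_record(index, record))
    lines.extend([THIN, "Generated by Cloudwatcher", RULE])
    return "\n".join(lines)


def handler(event, fetch_entries):
    """Lambda-style entry point.  `event` is the SNS invocation envelope;
    `fetch_entries(alarm_name)` stands in for the CloudWatch Logs query
    (boto3 filter_log_events in a real deployment).  Returns (subject, body)."""
    alarm = json.loads(event["Records"][0]["Sns"]["Message"])
    # Only look up log entries for the ALARM transition; an OK notice needs none.
    entries = fetch_entries(alarm["AlarmName"]) if alarm["NewStateValue"] == "ALARM" else []
    subject = f"[{alarm['NewStateValue']}] {alarm['AlarmName']}"
    return subject, render_notification(alarm, entries)


# Constructed inputs mirroring the sample notification above (not real data).
SAMPLE_ALARM = {
    "AlarmName": "iam:AccessDeniedAlarm",
    "OldStateValue": "OK",
    "NewStateValue": "ALARM",
    "StateChangeTime": "2025-10-29T22:15:30.000+0000",
    "AWSAccountId": "123456789012",
}
SAMPLE_ENTRIES = [
    {"eventTime": "2025-10-29T22:15:28Z", "eventName": "DeleteUser", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.42", "userIdentity": {"type": "IAMUser", "principalId": "AIDAI3EXAMPLE"}},
    {"eventTime": "2025-10-29T22:15:29Z", "eventName": "AttachUserPolicy", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.42", "userIdentity": {"type": "IAMUser", "principalId": "AIDAI3EXAMPLE"}},
]
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_ALARM)}}]}

if __name__ == "__main__":
    subject, body = handler(SAMPLE_EVENT, lambda _name: SAMPLE_ENTRIES)
    print(subject)
    print(body)
```

Injecting `fetch_entries` keeps the formatting logic testable on its own and makes the only privileged call (reading the log group) explicit, which is also the call the Lambda's execution role must be scoped to.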
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Test your changes with `./tests/validate-templates.sh`
- Submit a pull request
This project is open source and available under the MIT License.
After deployment, the email recipient will receive a confirmation email from AWS SNS. You must confirm the subscription to receive alerts.
Note: To add additional email recipients, subscribe them manually to the SNS topic Cloudwatcher-AlarmNotifications via the AWS SNS Console.
This solution uses:
- AWS Lambda (minimal cost, mostly free tier eligible)
- CloudWatch Logs (depends on log volume)
- CloudWatch Alarms (first 10 alarms free, then $0.10/alarm/month)
- SNS (first 1,000 emails free, then $2/100,000 emails)
- Templates are publicly readable in S3 (required for CloudFormation)
- No sensitive data is stored in templates
- Lambda execution role has minimal required permissions
- All resources are encrypted at rest
For questions or issues:
- Open a GitHub Issue
- Check the existing documentation in `/tests/README.md`
- Review CloudFormation events for deployment errors
Made with ❤️ for AWS security monitoring
