Configure AWS EventBridge and GCP Pub/Sub Audit Stream

Setup

Authress provides external integration for AWS EventBridge, GCP Pub/Sub, and others. With this integration, you can consume authentication and authorization events emitted by Authress to trigger custom actions or integrate with your existing SIEM (Security Information and Event Management) system.

Event catalog

AccessChanged

accessChanged.json
{
  "detail-type": "AccessChanged",
  "time": "2021-07-24T12:42:59Z",
  "detail": {
    "eventId": "uniqueDeduplicationEventId",
    "triggeredBy": {
      "recordId": "64dfc9d0-fced-4689-b831-5cb75839f6da",
      "version": "1627130549422"
    },
    "changes": [
      {
        "userId": "userId",
        "resourceUri": "/resources/resourceId-1",
        "operation": "ADDED"
      },
      {
        "userId": "userId",
        "resourceUri": "/resources/resourceId-2",
        "operation": "REMOVED"
      }
    ]
  }
}

Authorization Request

authorizationRequest.json
{
  "detail-type": "AuthorizationRequest",
  "time": "2021-07-24T12:42:06Z",
  "detail": {
    "eventId": "uniqueDeduplicationEventId",
    "count": 1,
    "user": { "userId": "userId" },
    "resource": { "resourceUri": "/resources/requestedResourceId" },
    "permission": { "action": "resources:read" },
    "authorizationResult": "ALLOWED"
  }
}

User Login

userLogin.json
{
  "detail-type": "UserLogin",
  "time": "2021-07-24T12:42:06Z",
  "detail": {
    "eventId": "uniqueDeduplicationEventId",
    "subType": "Login" | "SignUp" | null,
    "user": { "userId": "userId" },
    "loginResult": "SUCCESS"
  }
}

Additional information

AWS EventBridge does not provide automated deduplication, so the same event may be delivered more than once. Use the eventId field, which is unique per event, to handle each delivery idempotently.
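As an added example (not Authress's own code or a documented client library), the consumer below handles the three event types in the catalog above and applies the idempotency advice from this note: it keys on eventId, drops redeliveries, and records the events a defender would usually want surfaced (permission changes, non-allowed authorization results, non-successful logins). The envelope fields follow the catalog; the sample events, user names, the result values "DENIED" and "FAILED", and the in-memory set standing in for a durable deduplication store are constructed assumptions for this example.

```python
"""Idempotent consumer for Authress audit events delivered via EventBridge or Pub/Sub."""
import json
from typing import Callable, Dict, List, Optional, Set

# Constructed sample deliveries in the envelope shape shown in the catalog above.
# The third entry is a redelivery of the second (same eventId), which EventBridge can do.
# "DENIED" and "FAILED" are constructed values; the catalog only shows "ALLOWED" and "SUCCESS".
SAMPLE_EVENTS: List[str] = [
    json.dumps({"detail-type": "AccessChanged", "time": "2021-07-24T12:42:59Z", "detail": {
        "eventId": "evt-access-1",
        "triggeredBy": {"recordId": "record-1", "version": "1627130549422"},
        "changes": [
            {"userId": "alice", "resourceUri": "/resources/resourceId-1", "operation": "ADDED"},
            {"userId": "alice", "resourceUri": "/resources/resourceId-2", "operation": "REMOVED"},
        ]}}),
    json.dumps({"detail-type": "AuthorizationRequest", "time": "2021-07-24T12:42:06Z", "detail": {
        "eventId": "evt-auth-1", "count": 1, "user": {"userId": "alice"},
        "resource": {"resourceUri": "/resources/resourceId-1"},
        "permission": {"action": "resources:read"}, "authorizationResult": "ALLOWED"}}),
    json.dumps({"detail-type": "AuthorizationRequest", "time": "2021-07-24T12:42:06Z", "detail": {
        "eventId": "evt-auth-1", "count": 1, "user": {"userId": "alice"},
        "resource": {"resourceUri": "/resources/resourceId-1"},
        "permission": {"action": "resources:read"}, "authorizationResult": "ALLOWED"}}),
    json.dumps({"detail-type": "AuthorizationRequest", "time": "2021-07-24T12:43:10Z", "detail": {
        "eventId": "evt-auth-2", "count": 3, "user": {"userId": "bob"},
        "resource": {"resourceUri": "/resources/resourceId-2"},
        "permission": {"action": "resources:delete"}, "authorizationResult": "DENIED"}}),
    json.dumps({"detail-type": "UserLogin", "time": "2021-07-24T12:44:00Z", "detail": {
        "eventId": "evt-login-1", "subType": "Login", "user": {"userId": "alice"},
        "loginResult": "SUCCESS"}}),
    json.dumps({"detail-type": "UserLogin", "time": "2021-07-24T12:44:30Z", "detail": {
        "eventId": "evt-login-2", "subType": None, "user": {"userId": "bob"},
        "loginResult": "FAILED"}}),
]


class AuditEventProcessor:
    """Routes events by detail-type and suppresses redeliveries by eventId."""

    def __init__(self, seen: Optional[Set[str]] = None) -> None:
        # Stand-in for a durable, shared deduplication store. Separate Lambda
        # instances or Pub/Sub subscribers do not share memory, so a real consumer
        # must persist seen eventIds (with a retention window) in a shared store.
        self.seen: Set[str] = seen if seen is not None else set()
        self.findings: List[str] = []   # lines a SIEM would ingest
        self.duplicates: int = 0
        self._handlers: Dict[str, Callable[[str, dict], None]] = {
            "AccessChanged": self._access_changed,
            "AuthorizationRequest": self._authorization_request,
            "UserLogin": self._user_login,
        }

    def handle(self, raw: str) -> bool:
        """Process one delivery. Returns False if it was a duplicate and was skipped."""
        event = json.loads(raw)
        detail = event["detail"]
        event_id = detail["eventId"]
        if event_id in self.seen:
            self.duplicates += 1
            return False
        self.seen.add(event_id)   # mark before acting so a crash mid-handling does not re-run side effects
        handler = self._handlers.get(event["detail-type"])
        if handler is None:
            self.findings.append(f"{event['time']} UNKNOWN type={event['detail-type']} event={event_id}")
            return True
        handler(event["time"], detail)
        return True

    def _access_changed(self, time: str, detail: dict) -> None:
        # Every grant or revocation is worth recording, whoever triggered it.
        for change in detail["changes"]:
            self.findings.append(
                f"{time} ACCESS {change['operation']} user={change['userId']} "
                f"resource={change['resourceUri']} event={detail['eventId']}")

    def _authorization_request(self, time: str, detail: dict) -> None:
        # Only non-allowed results are surfaced; allowed checks are routine volume.
        if detail["authorizationResult"] != "ALLOWED":
            self.findings.append(
                f"{time} AUTHZ {detail['authorizationResult']} user={detail['user']['userId']} "
                f"action={detail['permission']['action']} resource={detail['resource']['resourceUri']} "
                f"count={detail['count']} event={detail['eventId']}")

    def _user_login(self, time: str, detail: dict) -> None:
        if detail["loginResult"] != "SUCCESS":
            self.findings.append(
                f"{time} LOGIN {detail['loginResult']} user={detail['user']['userId']} "
                f"subType={detail.get('subType')} event={detail['eventId']}")


def process_all(raw_events: List[str]) -> AuditEventProcessor:
    """Feed a batch of raw deliveries through one processor and return it for inspection."""
    processor = AuditEventProcessor()
    for raw in raw_events:
        processor.handle(raw)
    return processor


if __name__ == "__main__":
    result = process_all(SAMPLE_EVENTS)
    print(f"{result.duplicates} duplicate delivery suppressed, {len(result.findings)} findings:")
    for line in result.findings:
        print("  " + line)
```

Marking the eventId as seen before running the handler is a deliberate choice: with at-least-once delivery, the alternative (marking after) means a crash during handling replays the side effects, whereas marking first risks losing one event if the handler fails. Which failure mode is acceptable depends on what the handler does; for alerting into a SIEM, a rare missed event is usually preferable to duplicate alerts, and a failed handler can be retried from its own dead-letter queue.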