

# AWS services for monitoring IAM Roles Anywhere
<a name="monitoring-overview"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Identity and Access Management Roles Anywhere and your other AWS solutions. AWS provides the following monitoring tools to watch IAM Roles Anywhere, report when something is wrong, and take automatic actions when appropriate:
+ *Amazon CloudWatch* monitors your AWS resources and the applications you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon EventBridge* is a serverless event bus service that connects your applications with data from a variety of sources, including your own applications, Software-as-a-Service (SaaS) applications, and AWS services, and lets you respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to EventBridge in near real time. You write simple rules to indicate which events are of interest to you and which automated actions to take when an event matches a rule, routing the event to targets such as Lambda. This lets you monitor events that happen in services and build event-driven architectures. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

# Customize notification settings in IAM Roles Anywhere
<a name="customize-notification-settings"></a>

You can customize notification settings based on your [public key infrastructure](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/public-key-infrastructure.html). These settings are attached to your trust anchor and let you define custom thresholds for a notification event. IAM Roles Anywhere uses these settings when it evaluates whether a notification event has occurred and sends the resulting metrics, events, and notifications through their respective notification channels.

**Topics**
+ [Notification events](#notification-setting-event)
+ [Notification channels](#notification-setting-channel)
+ [IAM Roles Anywhere default notification settings](#notification-settings-default)
+ [Notification evaluation criteria](#notification-evaluation)
+ [Configuring custom notification threshold (console)](how-to-configure-custom-notification-settings.md)
+ [Disabling a notification setting (console)](how-to-disable-notification-for-end-entity-certificate-expiry.md)

## Notification events
<a name="notification-setting-event"></a>
+ **CA certificate expiry**: IAM Roles Anywhere sends a notification when a certificate authority (CA) certificate in your trust anchor is approaching expiry.
+ **End-entity certificate expiry**: IAM Roles Anywhere sends a notification when an end-entity certificate that you use to obtain temporary security credentials is expiring soon.

## Notification channels
<a name="notification-setting-channel"></a>

**Note**  
A notification channel value of `ALL` applies the custom settings to all of the channels listed below.
+ [Amazon CloudWatch metrics](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/monitoring-cloudwatch.html)
+ [Amazon EventBridge events](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/monitoring-events.html)
+ [AWS Health notifications](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/monitoring-events.html)

## IAM Roles Anywhere default notification settings
<a name="notification-settings-default"></a>

The following are the default notification settings defined by IAM Roles Anywhere. These values apply whenever no custom notification settings are configured.


| Event | Channel | Threshold | Enabled | 
| --- | --- | --- | --- | 
| CA certificate expiry | CloudWatch, EventBridge and AWS Health | 45 days before expiry | True | 
| End-entity certificate expiry | EventBridge and AWS Health | 45 days before expiry | True | 

## Notification evaluation criteria
<a name="notification-evaluation"></a>

Following are the evaluation criteria used to send notification events.

These criteria do not apply if your notification setting is in a `disabled` state.


| Event | Channel | Starts when | Ends at | 
| --- | --- | --- | --- | 
| CA certificate expiry | CloudWatch | Number of days until certificate expiry ≤ threshold | Day of certificate expiry | 
| CA certificate expiry | EventBridge and AWS Health | Number of days until certificate expiry ≤ threshold | 14 days after certificate expires | 
| End-entity certificate expiry | EventBridge and AWS Health | Number of days until certificate expiry ≤ threshold | Day of certificate expiry | 

# Configuring custom notification threshold (console)
<a name="how-to-configure-custom-notification-settings"></a>

1. Sign in to [IAM Roles Anywhere console](https://console.aws.amazon.com/rolesanywhere/home).

1. Scroll to the trust anchor table and **choose the trust anchor** to which you want to apply custom notification settings.

1. On the trust anchor detail page, scroll to the **Notification settings** section and choose **Manage settings**.

1. **Customize threshold** for the [notification event](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-setting-event). IAM Roles Anywhere starts sending metrics, events, and notifications when the number of days until your X.509 certificate expires is less than or equal to this threshold. See [IAM Roles Anywhere notification evaluation criteria](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-evaluation).

1. Choose **Save changes** to apply custom notification threshold.

# Disabling a notification setting (console)
<a name="how-to-disable-notification-for-end-entity-certificate-expiry"></a>

1. Sign in to [IAM Roles Anywhere console](https://console.aws.amazon.com/rolesanywhere/home).

1. Scroll to the trust anchor table and **choose the trust anchor** whose notification settings you want to change.

1. On the trust anchor detail page, scroll to the **Notification settings** section and choose **Manage settings**.

1. **Choose the table cell** in the `Status` column for the notification event named **End entity certificate expiry**.

1. From the options displayed in the selection pane, choose **Disable**.

1. Choose **Save changes** to disable notifications for the end-entity certificate expiry event.

# Monitoring IAM Roles Anywhere with Amazon CloudWatch
<a name="monitoring-cloudwatch"></a>

You can monitor AWS Identity and Access Management Roles Anywhere using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

For IAM Roles Anywhere, you might want to watch the expiration dates of your trust anchor and end-entity certificates and renew them when they are nearing expiration.

The IAM Roles Anywhere service reports the following metrics in the `AWS/RolesAnywhere` namespace.


| Metric | Description | 
| --- | --- | 
|  `Success`  |  Published every time `CreateSession` succeeds in returning credentials to the user. Valid dimensions: `Operation`, `TrustAnchorArn`. Valid statistic: Sum. Units: Count.  | 
|  `Failure`  |  Published every time `CreateSession` fails to return credentials to the user. Valid dimensions: `Operation`, `ErrorType`. Valid statistic: Sum. Units: Count.  | 
|  `DaysToExpiry`  |  Published every time a trust anchor certificate satisfies the [notification evaluation criteria](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-evaluation). This metric is published at most once a day. Valid dimensions: `TrustAnchorArn`. Units: Integer.  | 

The following dimensions are supported for the IAM Roles Anywhere metrics.


|  Dimension  |  Description  | 
| --- | --- | 
|  Operation  |  The operation to which the metric applies. The only valid value is `CreateSession`.  | 
|  TrustAnchorArn  |  The ARN of the trust anchor that is relevant for this metric.  | 
|  ErrorType  |  The type of error that `CreateSession` errors out with.  | 

# Monitoring IAM Roles Anywhere events in Amazon EventBridge
<a name="monitoring-events"></a>

You can monitor IAM Roles Anywhere events in [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/). Events from IAM Roles Anywhere are delivered to EventBridge in near-real time. You can write simple rules to indicate which events are of interest to you and the automated actions to take when an event matches a rule. With EventBridge, you can use events to trigger targets including AWS Lambda functions, AWS Batch jobs, Amazon SNS topics, and many others. For more information, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html).

The following examples show events for IAM Roles Anywhere.

**Topics**
+ [Trust anchor certificate expiration event](#trust_anchor_cert_expiry_event)
+ [Intermediate or end-entity certificate expiration event](#cert_expiry_event)
+ [Responding to an event](#event-sns-response)

## Trust anchor certificate expiration event
<a name="trust_anchor_cert_expiry_event"></a>

IAM Roles Anywhere sends a daily expiration event for each trust anchor certificate that satisfies the [notification evaluation criteria](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-evaluation). You can use expiration events to configure Amazon SNS to send a text notification whenever IAM Roles Anywhere generates this event.

Expiration events have the following structure.

```
{
  "version": "0",
  "id": "9c95e8e4-96a4-ef3f-b739-b6aa5b193afb",
  "detail-type": "Roles Anywhere Certificate Expiration State Change",
  "source": "aws.rolesanywhere",
  "account": "123456789012",
  "time": "2022-06-10T06:51:08Z",
  "region": "us-west-1",
  "resources": [
    "arn:aws:rolesanywhere:us-west-1:123456789012:trust-anchor/61f50cd4-45b9-4259-b049-d0a53682fa4b"
  ],
  "detail": {
    "certificate-serial-number": "00936EACBE07F201DF",
    "days-to-expiry": 3,
    "issuer": "L=Seattle,CN=CA Root v1,ST=Washington,C=US"
  }
}
```

## Intermediate or end-entity certificate expiration event
<a name="cert_expiry_event"></a>

IAM Roles Anywhere sends an expiration event for an intermediate or end-entity certificate when the certificate satisfies the [notification evaluation criteria](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-evaluation) and is used in the `CreateSession` API. You can use expiration events to configure Amazon SNS to send a text notification whenever IAM Roles Anywhere generates this event.

Expiration events have the following structure.

```
{
  "version": "0",
  "id": "9c95e8e4-96a4-ef3f-b739-b6aa5b193afb",
  "detail-type": "Roles Anywhere Certificate Expiration State Change",
  "source": "aws.rolesanywhere",
  "account": "123456789012",
  "time": "2022-06-10T06:51:08Z",
  "region": "us-west-1",
  "detail": {
    "certificate-serial-number": "00936EACBE07F201DF",
    "days-to-expiry": 3,
    "issuer": "L=Seattle,CN=CA Root v1,ST=Washington,C=US"
  }
}
```
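The following Python is an added example and not part of this guide. It carries an EventBridge rule pattern that selects both event shapes shown above, the top-level matching that pattern relies on, and a Lambda-style handler that tells a trust anchor event (which names the trust anchor in `resources`) from an intermediate or end-entity event (which does not) and grades urgency from `days-to-expiry`, including the negative values that the evaluation criteria allow for CA certificates for 14 days past expiry. The sample events are the two from this page; the `CRITICAL_DAYS` cut-off is an assumption of this example.

```python
import json
from typing import Any, Dict, Optional

# Trust anchor expiration event as shown in this guide; the intermediate/end-entity
# event on this page differs only in having no "resources" list.
TRUST_ANCHOR_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "9c95e8e4-96a4-ef3f-b739-b6aa5b193afb",
    "detail-type": "Roles Anywhere Certificate Expiration State Change",
    "source": "aws.rolesanywhere",
    "account": "123456789012",
    "time": "2022-06-10T06:51:08Z",
    "region": "us-west-1",
    "resources": [
        "arn:aws:rolesanywhere:us-west-1:123456789012:trust-anchor/61f50cd4-45b9-4259-b049-d0a53682fa4b"
    ],
    "detail": {
        "certificate-serial-number": "00936EACBE07F201DF",
        "days-to-expiry": 3,
        "issuer": "L=Seattle,CN=CA Root v1,ST=Washington,C=US",
    },
}
END_ENTITY_EVENT: Dict[str, Any] = {k: v for k, v in TRUST_ANCHOR_EVENT.items() if k != "resources"}

# Event pattern for an EventBridge rule that selects both event shapes. Pattern values are
# lists; an event matches when every pattern field is present in the event and the event's
# value is one of the listed values.
EXPIRY_RULE_PATTERN: Dict[str, list] = {
    "source": ["aws.rolesanywhere"],
    "detail-type": ["Roles Anywhere Certificate Expiration State Change"],
}

# Assumed escalation cut-off for this example (the service defines no such value).
CRITICAL_DAYS = 7

def matches_pattern(event: Dict[str, Any], pattern: Dict[str, list]) -> bool:
    """Top-level exact matching, the subset of EventBridge pattern semantics this rule needs."""
    return all(field in event and event[field] in allowed for field, allowed in pattern.items())

def classify_expiry_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn an expiration event into a summary a responder can act on."""
    if not matches_pattern(event, EXPIRY_RULE_PATTERN):
        raise ValueError("not a Roles Anywhere certificate expiration event")
    detail = event["detail"]
    days = int(detail["days-to-expiry"])
    # Only trust anchor events name the trust anchor in "resources"; an intermediate or
    # end-entity certificate is identified by serial number and issuer alone.
    resources = event.get("resources") or []
    anchor_arn: Optional[str] = next((r for r in resources if ":trust-anchor/" in r), None)
    kind = "trust-anchor" if anchor_arn else "intermediate-or-end-entity"
    # days-to-expiry can be zero or negative: per the evaluation criteria, CA expiry events
    # keep flowing to EventBridge and AWS Health until 14 days after the certificate expired.
    if days <= 0:
        severity = "EXPIRED"
    elif days <= CRITICAL_DAYS:
        severity = "CRITICAL"
    else:
        severity = "WARNING"
    return {
        "kind": kind,
        "severity": severity,
        "days_to_expiry": days,
        "serial": detail["certificate-serial-number"],
        "issuer": detail["issuer"],
        "trust_anchor_arn": anchor_arn,
        "account": event["account"],
        "region": event["region"],
    }

def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda-style entry point; wire the returned summary to SNS or a ticketing tool."""
    summary = classify_expiry_event(event)
    print(json.dumps(summary))
    return summary

if __name__ == "__main__":
    lambda_handler(TRUST_ANCHOR_EVENT)
    lambda_handler(END_ENTITY_EVENT)
```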

## Responding to an event
<a name="event-sns-response"></a>

You can configure Amazon Simple Notification Service to send a text notification whenever IAM Roles Anywhere generates an EventBridge event.

**To create an Amazon EventBridge rule that reacts to events**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter a name and description for the rule.

   A rule can't have the same name as another rule in the same Region and on the same event bus.

1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select **AWS default event bus**. When an AWS service in your account emits an event, it always goes to your account's default event bus.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event source**, choose **AWS services**.

1. For **Sample events**, choose an event under **IAM Roles Anywhere**.

1. For **Event pattern**, do the following:

   1. For **Event source**, choose **AWS services**.

   1. For **AWS service**, choose **IAM Roles Anywhere**.

   1. For **Event Type**, choose an **IAM Roles Anywhere** event.

   1. Choose **Next**.

1. In the **Targets** section, choose a service that can consume your event such as Amazon SNS, or choose **Lambda function** to pass the event to customized executable code.

# Monitoring IAM Roles Anywhere notifications with AWS Health
<a name="monitoring-health"></a>

You can monitor IAM Roles Anywhere health notifications in [AWS Health](https://docs.aws.amazon.com/health/latest/ug/). Notifications from IAM Roles Anywhere are delivered to AWS Health when certificates configured with IAM Roles Anywhere (both CA certificates in trust anchors and end-entity certificates) are nearing expiry. You can use these AWS Health notifications to take renewal actions on your certificates. For more information, see [Monitoring AWS Health events with Amazon EventBridge](https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html).

## Affected resources for trust anchor expiry notifications
<a name="affected_resources_trust_anchor"></a>

IAM Roles Anywhere sends daily expiry notifications for each trust anchor that satisfies the [notification evaluation criteria](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-evaluation). For these notifications, each entry under "Affected Resources" is a trust anchor. If you have multiple certificates within a single trust anchor, more than one of them may be nearing expiry. IAM Roles Anywhere decides whether to send a notification for a given trust anchor based on the certificate in that trust anchor that expires soonest. You therefore need to check each certificate in the trust anchor and take the necessary actions so that workloads relying on IAM Roles Anywhere for temporary security credentials are not impacted.

## Affected resources for end-entity certificate expiry notifications
<a name="affected_resources_end_entity"></a>

IAM Roles Anywhere also sends daily expiry notifications for each end-entity certificate that was used to authenticate over the last day and satisfies the [notification evaluation criteria](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/customize-notification-settings.html#notification-evaluation). For these notifications, the "Affected Resources" will each be end-entity certificates. Each of these end-entity certificates will have a composite "Resource ID/ARN", of the form given below.

```
serialNumber=SerialNumber;certificateId=CertificateId
```

The `serialNumber` in this resource identifier contains the serial number of the end-entity certificate that was used for authentication and is expiring soon. The `certificateId` contains the certificate ID of that certificate. The certificate ID is defined as `Hex(SHA256(ASN.1 DER Certificate Bytes))`, where the result is a lowercase hex-encoded string. If you have a PEM file that contains your certificate data, you can use OpenSSL to convert the certificate into its DER representation and then take the SHA256 hash of the result.

```
openssl x509 -in end-entity-certificate.pem -inform PEM -outform DER | sha256sum
```
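As an added example, not from this guide, the Python below reproduces the OpenSSL pipeline (PEM to DER, then SHA256, lowercase hex), pulls the serial number out of the DER with a minimal ASN.1 walk, and checks a local PEM file against the composite resource ID from an AWS Health notification. The `SAMPLE_DER` blob is a constructed stand-in containing only the outer SEQUENCE, the tbsCertificate SEQUENCE, the version field and a serialNumber INTEGER with the serial from this page's sample event; it is not a real certificate. That AWS Health formats `serialNumber` as the same upper-case hex string the expiration events use is an assumption of this example.

```python
import base64
import hashlib
import re
from typing import Dict, Tuple

PEM_ARMOUR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (what `openssl x509 -outform DER` emits)."""
    return base64.b64decode("".join(PEM_ARMOUR.sub("", pem).split()))

def der_to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def certificate_id(pem: str) -> str:
    """Hex(SHA256(DER bytes)), lowercase, as used in the AWS Health resource ID."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def certificate_serial_hex(der: bytes) -> str:
    """Serial number as upper-case hex of the DER INTEGER bytes, the form the expiration events show."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)       # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, content, pos = _read_tlv(tbs, 0)  # optional [0] EXPLICIT version precedes the serial
    if tag == 0xA0:
        tag, content, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return content.hex().upper()

def parse_affected_resource(resource_id: str) -> Dict[str, str]:
    """Parse 'serialNumber=...;certificateId=...' from an AWS Health affected resource."""
    fields = dict(part.split("=", 1) for part in resource_id.split(";") if "=" in part)
    missing = {"serialNumber", "certificateId"} - set(fields)
    if missing:
        raise ValueError(f"resource ID missing {sorted(missing)}")
    return fields

def is_affected(pem: str, resource_id: str) -> bool:
    """True when the local PEM is exactly the certificate AWS Health reported."""
    fields = parse_affected_resource(resource_id)
    der = pem_to_der(pem)
    return (fields["certificateId"].lower() == hashlib.sha256(der).hexdigest()
            and fields["serialNumber"].upper() == certificate_serial_hex(der))

# Constructed stand-in for a certificate (see lead-in): outer SEQUENCE, tbsCertificate SEQUENCE,
# version [0] INTEGER 2, then serialNumber INTEGER 00936EACBE07F201DF. Not a real certificate.
SAMPLE_DER = bytes.fromhex("3012" "3010" "A003020102" "020900936EACBE07F201DF")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    rid = f"serialNumber={certificate_serial_hex(SAMPLE_DER)};certificateId={certificate_id(SAMPLE_PEM)}"
    print(rid, is_affected(SAMPLE_PEM, rid))
```

For a real PEM file, `certificate_id(open(path).read())` yields the same string as the `openssl ... | sha256sum` pipeline above.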

# Logging IAM Roles Anywhere API calls using AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

AWS Identity and Access Management Roles Anywhere is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in IAM Roles Anywhere. CloudTrail captures all API calls for IAM Roles Anywhere as events. The calls captured include calls from the IAM Roles Anywhere console and code calls to the IAM Roles Anywhere API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for IAM Roles Anywhere. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to IAM Roles Anywhere, the IP address from which the request was made, who made the request, when it was made, and additional details.

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

## IAM Roles Anywhere information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM Roles Anywhere, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

For an ongoing record of events in your AWS account, including events for IAM Roles Anywhere, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All IAM Roles Anywhere actions are logged by CloudTrail and are documented in the [IAM Roles Anywhere API Reference](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/Welcome.html). For example, calls to the `CreateTrustAnchor`, `ListProfiles`, and `CreateSession` operations generate entries in the CloudTrail log files. In addition, the userIdentity element's Role Session Name property is the hex-encoded serial number of the certificate the session was created with and can be used to track a session back to it.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Understanding IAM Roles Anywhere log file entries
<a name="understanding-service-name-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following example shows a CloudTrail log entry that demonstrates the `UpdateProfile` operation.

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAZR5EMTJKE753U4ZDS:test-session",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/test-session",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAZR5EMTJKE753U4ZDS",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-03-21T22:40:46Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2022-07-01T18:11:27Z",
  "eventSource": "rolesanywhere.amazonaws.com",
  "eventName": "UpdateProfile",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "1.1.1.1",
  "userAgent": "test-agent",
  "requestParameters": {
    "durationSeconds": 3600,
    "managedPolicyArns": [
        "arn:aws:iam::aws:policy/AdministratorAccess",
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    ],
    "name": "Updated Test Profile",
    "profileId": "0ace5b12-24b9-427e-a483-c55884852fbf",
    "sessionPolicy": "{\n  \"Version\":\"2012-10-17\",\n  \"Statement\":[\n    {\n      \"Effect\":\"Allow\",\n      \"Action\":\"s3:ListObjects\",\n      \"Resource\":\"*\"\n    }\n  ]\n}\n"
},
"responseElements": {
  "profile": {
      "createdAt": "2022-07-01T18:11:27.380711Z",
      "createdBy": "arn:aws:sts::111122223333:assumed-role/Admin/test-session",
      "durationSeconds": 3600,
      "enabled": false,
      "managedPolicyArns": [
          "arn:aws:iam::aws:policy/AdministratorAccess",
          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
      ],
      "name": "Updated Test Profile",
      "profileArn": "arn:aws:rolesanywhere:us-east-1:111122223333:profile/0ace5b12-24b9-427e-a483-c55884852fbf",
      "profileId": "0ace5b12-24b9-427e-a483-c55884852fbf",
      "requireInstanceProperties": false,
      "roleArns": [
          "arn:aws:iam::111122223333:role/test-role"
      ],
      "sessionPolicy": "{\n  \"Version\":\"2012-10-17\",\n  \"Statement\":[\n    {\n      \"Effect\":\"Allow\",\n      \"Action\":\"s3:ListObjects\",\n      \"Resource\":\"*\"\n    }\n  ]\n}\n",
      "updatedAt": "2022-07-01T18:11:27.936687Z"
  }
},
  "requestID": "ca28860f-504a-4f2d-9f3f-f9cfb4ba0491",
  "eventID": "a7bb90c3-c47b-4832-88e7-aeaccda21f1a",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "rolesanywhere.us-east-1.amazonaws.com"
  }
}
```
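The following is an added example, not part of this guide, that uses the Role Session Name property described above to trace API calls back to the certificate they were made with: given the serial from an expiration event, it lists the calls and roles that depend on that certificate. The CloudTrail records are constructed and trimmed to the fields read here; the `AROAEXAMPLEID1234567` principal ID, the `203.0.113.x` addresses and the second serial are made up, and the first record is abbreviated from the `UpdateProfile` entry above.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed CloudTrail records (not real logs), trimmed to the fields this check reads.
# Credentials vended by CreateSession carry the certificate's hex serial number as the
# role session name, so the session name links an API call back to the certificate.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {   # administrator session with an arbitrary name (the UpdateProfile entry above)
        "eventTime": "2022-07-01T18:11:27Z", "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "UpdateProfile", "sourceIPAddress": "1.1.1.1",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAZR5EMTJKE753U4ZDS:test-session",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/test-session"},
    },
    {   # workload call made with credentials for the certificate in the sample expiration event
        "eventTime": "2022-06-10T07:02:11Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID1234567:00936EACBE07F201DF",
                         "arn": "arn:aws:sts::111122223333:assumed-role/test-role/00936EACBE07F201DF"},
    },
    {   # workload call made with a different certificate (constructed serial)
        "eventTime": "2022-06-10T07:05:40Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID1234567:0A1B2C3D4E5F607182",
                         "arn": "arn:aws:sts::111122223333:assumed-role/test-role/0A1B2C3D4E5F607182"},
    },
    {   # IAM user: no role session at all
        "eventTime": "2022-06-10T07:06:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListRoles", "sourceIPAddress": "203.0.113.12",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]

ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$")

def role_session(record: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """(role name, role session name) from userIdentity.arn, or None for non-role callers."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = ASSUMED_ROLE_ARN.match(ident.get("arn", ""))
    return (match["role"], match["session"]) if match else None

def calls_by_certificate(records: List[Dict[str, Any]], serial_hex: str) -> List[Dict[str, Any]]:
    """API calls made with credentials whose session name is the given certificate serial."""
    wanted = serial_hex.upper()  # serials in the expiration events are upper-case hex; compare case-insensitively
    hits = []
    for rec in records:
        session = role_session(rec)
        if session and session[1].upper() == wanted:
            hits.append({"time": rec["eventTime"], "role": session[0],
                         "call": f"{rec['eventSource']}:{rec['eventName']}",
                         "source_ip": rec.get("sourceIPAddress")})
    return hits

def roles_by_certificate(records: List[Dict[str, Any]], serial_hex: str) -> List[str]:
    """Distinct roles reached with this certificate: the roles/profiles to re-verify after renewal."""
    return sorted({hit["role"] for hit in calls_by_certificate(records, serial_hex)})

if __name__ == "__main__":
    for hit in calls_by_certificate(SAMPLE_RECORDS, "00936EACBE07F201DF"):
        print(hit)
```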

# Monitoring authentications with IAM Roles Anywhere subjects
<a name="monitoring-subjects"></a>

You can use the **Subject Activity** tab in the IAM Roles Anywhere console to visualize and audit activities for certificates that are authenticated with IAM Roles Anywhere. A *subject* represents a unique identity defined by the X.509 subject of any certificates you use to authenticate with IAM Roles Anywhere. IAM Roles Anywhere creates a subject for you at the time of authentication if there isn't one already for the X.509 subject. Each subject contains the most recent certificates you have used with IAM Roles Anywhere.

**To view the history of an X.509 subject**

1. Sign in to the [IAM Roles Anywhere console](https://console.aws.amazon.com/rolesanywhere/home). 

1. Navigate to the **Subject activity** tab. 

1. In the list of certificate records grouped by X.509 **Subject**, choose the **Subject** record that you want to check.

1. On the **Subject details** page, view the details of the subject record. 

1. In the **Certificates** section, you can see the most recent record for certificates authenticated with IAM Roles Anywhere that have the same certificate subject. 

1. Choose the **Serial number** record to view or copy the certificate body. 