Configure Amazon CloudWatch Application Insights to create AWS Systems Manager OpsItems when RDP or SSH access is detected.
Configure the EC2 instances with an IAM instance profile that has an IAM role with the AmazonSSMManagedInstanceCore policy attached.
Publish VPC flow logs to Amazon CloudWatch Logs. Create required metric filters. Create an Amazon CloudWatch metric alarm with a notification action for when the alarm is in the ALARM state.
Configure an Amazon EventBridge rule to listen for events of type EC2 Instance State-change Notification. Configure an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the operations team to the topic.
Explanations:
Amazon CloudWatch Application Insights monitors application health (metrics, logs and resource telemetry for supported workloads) and creates Systems Manager OpsItems for the application problems it detects. It does not inspect network connections, so it cannot detect RDP or SSH access and will not create OpsItems for it.
Attaching the AmazonSSMManagedInstanceCore policy to the instance profile lets the instances register with Systems Manager (Session Manager, Run Command, Patch Manager and the like). That enables management of the instances, but it does not itself produce any notification when someone connects over RDP or SSH.
Publishing VPC flow logs to CloudWatch Logs is the correct choice. Each flow log record carries the destination port, protocol and action, so a metric filter can count records where the protocol is TCP (6), the destination port is 22 (SSH) or 3389 (RDP) and the action is ACCEPT. A CloudWatch alarm on that metric, with an SNS notification action for the ALARM state, then notifies the operations team when such traffic is seen, which meets the requirement. Two caveats for practitioners: ACCEPT means the security group and network ACL permitted the flow, not that authentication succeeded, so the alarm reports connection attempts rather than successful logins; and flow log records are aggregated over an interval (10 minutes by default, 1 minute if selected) and delivered afterwards, so the notification is near real time rather than immediate.
An Amazon EventBridge rule for EC2 Instance State-change Notification events only reports lifecycle transitions (pending, running, stopping, stopped, shutting-down, terminated). Those events carry nothing about network connections, so the rule cannot notify anyone about RDP or SSH access.
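The flow-log approach in the correct option, as an added example that is not part of the original page. The script below parses constructed VPC flow log records in the default (version 2) format, evaluates two space-delimited metric filter patterns against them the way a CloudWatch Logs metric filter does (token count must match, constrained fields must be equal), and then applies the alarm condition to the resulting counts. The pattern strings are modelled on the SSH example in the CloudWatch Logs filter-pattern documentation; verify them with the console's pattern tester before creating real filters. The sample log lines, the metric names and the alarm threshold are assumptions made for the illustration.

```python
"""Emulate CloudWatch Logs metric filters for accepted SSH/RDP flows in VPC Flow Logs.

Added example: the flow log lines below are constructed, not captured from a real VPC.
"""
from typing import Dict, List, Optional, Tuple

# Default VPC Flow Log format (version 2): one field per whitespace-separated token.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]

# Space-delimited metric filter patterns, one per admin port. Modelled on the AWS
# documentation example for SSH; the metric names are assumptions for this example.
METRIC_FILTER_PATTERNS = {
    "AcceptedSSH": "[version, account, eni, source, destination, srcport, destport=22, "
                   "protocol=6, packets, bytes, windowstart, windowend, action=ACCEPT, flowlogstatus]",
    "AcceptedRDP": "[version, account, eni, source, destination, srcport, destport=3389, "
                   "protocol=6, packets, bytes, windowstart, windowend, action=ACCEPT, flowlogstatus]",
}

# Constructed sample records: accepted SSH, accepted RDP, rejected SSH, the return
# flow of the SSH session, unrelated HTTPS, and a NODATA record with '-' fields.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51432 22 6 12 1860 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 60101 3389 6 9 1224 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51433 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 22 51432 6 10 1600 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.40 10.0.1.25 44000 443 6 20 9000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_flow_log_line(line: str) -> Dict[str, str]:
    """Map one default-format flow log record onto named fields."""
    tokens = line.split()
    if len(tokens) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FLOW_LOG_FIELDS, tokens))


def parse_pattern(pattern: str) -> List[Tuple[str, Optional[str]]]:
    """Turn '[a, b=1, c]' into [('a', None), ('b', '1'), ('c', None)]."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("space-delimited patterns are enclosed in square brackets")
    terms = []
    for term in body[1:-1].split(","):
        name, _, value = term.strip().partition("=")
        terms.append((name, value or None))
    return terms


def pattern_matches(pattern: str, line: str) -> bool:
    """Space-delimited filter semantics: token count must equal the number of pattern
    terms, and every term with '=value' must equal its token exactly."""
    terms = parse_pattern(pattern)
    tokens = line.split()
    if len(tokens) != len(terms):
        return False
    return all(value is None or token == value for (_, value), token in zip(terms, tokens))


def count_metric_matches(pattern: str, lines: List[str]) -> int:
    """The metric value a filter would publish for one batch of records."""
    return sum(1 for ln in lines if ln.strip() and pattern_matches(pattern, ln))


def alarm_state(metric_value: int, threshold: int = 1) -> str:
    """Mimic an alarm using GreaterThanOrEqualToThreshold (threshold is an assumption)."""
    return "ALARM" if metric_value >= threshold else "OK"


def matched_sources(lines: List[str]) -> List[Tuple[str, str]]:
    """(srcaddr, dstport) for every record that hit any filter; useful in the SNS message."""
    hits = []
    for ln in lines:
        if ln.strip() and any(pattern_matches(p, ln) for p in METRIC_FILTER_PATTERNS.values()):
            rec = parse_flow_log_line(ln)
            hits.append((rec["srcaddr"], rec["dstport"]))
    return hits


def evaluate(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Metric value and alarm state per filter for one evaluation period."""
    return {
        name: {"value": count_metric_matches(pattern, lines),
               "state": alarm_state(count_metric_matches(pattern, lines))}
        for name, pattern in METRIC_FILTER_PATTERNS.items()
    }


if __name__ == "__main__":
    records = SAMPLE_FLOW_LOGS.splitlines()
    for name, result in evaluate(records).items():
        print(f"{name}: value={result['value']} state={result['state']}")
    print("sources to report:", matched_sources(records))
```

Note that the rejected SSH attempt and the session's return flow are not counted: the filter keys on the destination port of the inbound packet and on ACCEPT, so the metric reflects connections the security group let through, not scans that were blocked.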