CloudSploit hooks into the AWS event bus via CloudWatch Events. If something risky happens, you'll know about it within 30 seconds.
Users can customize risk level, acceptable behavior, trusted IPs, and more to ensure results are tailored to their account.
With access to thousands of event streams, CloudSploit is able to detect and respond to suspicious behavior on a global scale.

When would you find out if a malicious user was created in your AWS account?

Events Dashboard

Hours later? Days? Never? We believe it should be within seconds.
The same is true for any action that has security implications:

  • CloudTrail disabled
  • Security groups changed
  • New SSH keys trusted
  • VPC peering connections initiated
  • MFA devices deactivated
  • Logs deleted or modified
  • Root user console sign-ins

Get notified if a security group is changed from a suspicious IP on a weekend.


Your business has complex rules that affect its security policies. Your security solution should understand those rules.

  • Trusted IP addresses
  • Expected time ranges
  • Root user activity
  • Cross-account access
  • MFA device requirements

Detect the security needle in the event-stream haystack.

Event Ingestion

Large accounts may see hundreds of thousands of API calls per hour. CloudSploit helps find the one API call that might compromise your account.

CloudSploit is one of the only security services that connects to CloudWatch Events. CloudWatch Events integrates with CloudTrail and serves as the notification point for every API call. Other services that only query CloudTrail Logs may take up to 10 minutes to detect new calls; Events is notified within seconds.

CloudSploit Events Ecosystem

New signatures are generated in real-time as more accounts are connected.

Bob's AWS account is experiencing an elevated level of suspicious activity from questionable IPs. Wouldn't it be great if Alice's account could be monitored for similar calls?

If Bob and Alice are both CloudSploit users, they can! CloudSploit uses its access to a massive network of events to create attack signatures in real-time and protect all of its users.

The larger the CloudSploit network grows, the more intelligent it becomes.

Frequently Asked Questions

Our support team can answer any other questions that our help page can't.

How do I configure CloudSploit Events?

Setup is simple. You launch a CloudFormation template that creates CloudWatch rules in your account. These rules are triggered when specific API calls are made and the event content is immediately sent to CloudSploit for processing via an SNS message. CloudTrail must be enabled.

What kind of information does CloudSploit collect?

CloudSploit processes and stores the AWS API call. This includes the AWS region, caller ARN, IP address, user agent, and API call body. The contents of the body vary depending on the call made. You can view event samples from AWS here.

How is a security determination made?

CloudSploit uses a variety of factors, both account specific and globally applied, to determine the security impact of an API call. For example, security group changes are analyzed for suspicious IP ranges and may only be triggered in some contexts. However, the "cloudtrail:StopLogging" API call will always trigger an alert.
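The distinction above, between calls that always alert and calls that alert only in some contexts, can be sketched as a small rule evaluator. This is an added example and not CloudSploit's own code; the policy keys, CIDR ranges, and sample events are constructed, and weekends are evaluated in UTC as an assumption.

```python
import ipaddress
from datetime import datetime

# Hypothetical per-account policy; keys and values are assumptions for this example.
POLICY = {
    "trusted_cidrs": ["203.0.113.0/24"],  # constructed (documentation range)
    "always_alert": {("cloudtrail.amazonaws.com", "StopLogging")},
    "contextual": {("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress")},
}

def is_trusted(ip, cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # sourceIPAddress can be a service name, not an IP
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(event, policy=POLICY):
    """Return the list of reasons an event should alert (empty list = no alert)."""
    detail = event["detail"]
    call = (detail["eventSource"], detail["eventName"])
    when = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")  # UTC
    reasons = []
    if call in policy["always_alert"]:
        reasons.append("always-alert call")
    if detail.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root user activity")
    if call in policy["contextual"]:  # only alerts in some contexts
        if not is_trusted(detail.get("sourceIPAddress", ""), policy["trusted_cidrs"]):
            reasons.append("untrusted source IP")
        if when.weekday() >= 5:  # Saturday or Sunday
            reasons.append("weekend activity")
    return reasons

def sample(source, name, ip, time, identity="IAMUser"):
    """Build a constructed event in the 'AWS API Call via CloudTrail' shape."""
    return {"detail-type": "AWS API Call via CloudTrail", "time": time,
            "detail": {"eventSource": source, "eventName": name,
                       "sourceIPAddress": ip, "userIdentity": {"type": identity}}}

EVENTS = [  # constructed sample events
    sample("cloudtrail.amazonaws.com", "StopLogging", "203.0.113.10", "2017-03-06T10:00:00Z"),
    sample("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "198.51.100.7", "2017-03-04T02:15:00Z"),
    sample("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "203.0.113.10", "2017-03-06T10:05:00Z"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["detail"]["eventName"], evaluate(ev) or "no alert")
```

The same security group call yields two reasons from an untrusted address on a Saturday and none from a trusted address on a Monday, while `StopLogging` alerts regardless of source or time.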

Can I choose what events are sent to CloudSploit?

Yes. You have complete control over which AWS API calls are sent to CloudSploit. You can simply adjust the CloudFormation template to only send events you have approved. This can be done on a per-region and per-service level. Keep in mind that this may affect CloudSploit's ability to detect potentially malicious API calls.

What kinds of risks can CloudSploit Events detect?

CloudSploit can detect a near-infinite number of potential risks. Examples include CloudTrail being modified, stopping the delivery of logs, changes made to ConfigService, new user accounts being created with excessive permissions, suspicious IP addresses attempting to sign into the console, failed login attempts, updates to security groups, creation of new SSL certificates or trusted SSH keys, changes to IAM users, removal of MFA device requirements, API calls made without MFA, changes to the account password policy, activity during blacklisted hours, activity from unknown IP addresses, and many more.

How does CloudSploit use the information it collects?

First, CloudSploit never shares your AWS account data in any way, shape, or form. Part of the advantage of CloudSploit Events is that we have access to millions of events from around the world. We use these events to improve the security of every user. For example, if we detect repeated failed login attempts against an AWS account, we can use that attack signature to alert other accounts in which we detect the same activity. We will never expose any information about your account, or even the fact that you exist as a customer. All information is strictly used for security determination.

Does CloudSploit Events cost extra?

Events are available with all Standard Plans at no extra charge, as long as CloudSploit processes fewer than 500k events per month. However, AWS charges for the resources that are created in your account. Specifically, you will be charged for SNS endpoints ($0.50/region/million calls), and CloudWatch Events delivery ($1.00/region/million calls). 99% of users will see less than a $5 increase from AWS per month.

Does CloudSploit Events work in every region?

CloudSploit is limited to regions where AWS CloudWatch Events is operational. Currently, that includes every public region except ca-central-1 (Canada) and eu-west-2 (London). Each region operates independently, and you will need to launch a CloudFormation template containing the SNS and Events resources in each region you wish to use. CloudSploit strongly recommends running Events in every available region, so that activity in unused regions is not missed.
