
Monitoring CE Activity

The CloudFormation stack creates a dedicated CloudWatch dashboard and log group that capture only CE engineer activity - nothing else in your account. Every action taken by a CE role flows into a single place you can query, alert on, and bookmark.

The Dashboard

After deploying the stack, find the dashboard URL in your stack outputs:

```bash
aws cloudformation describe-stacks \
  --stack-name ce-consultant-access \
  --query "Stacks[0].Outputs[?OutputKey=='DashboardURL'].OutputValue" \
  --output text
```

The URL format is:

https://<region>.console.aws.amazon.com/cloudwatch/home?region=<region>#dashboards/dashboard/continuous-engineering-access

Bookmark it. Share it with your security team.


What the Dashboard Shows

The dashboard has 17 widgets across 10 rows. Here is what each section tells you and why it matters.

Top Row - Live Status

| Widget | What it shows |
|---|---|
| CE-Admin Assumptions alarm | Turns red the moment CE-Admin is assumed. Bell icon changes state. |
| Access Denied Spike alarm | Turns red if denied errors from CE roles exceed 10 in 5 minutes - indicates misconfiguration or probing. |
| CE Activity (24h) | Total API calls from all CE roles in the last 24 hours. A number to glance at daily. |
| CE-Admin Sessions (24h) | High-privilege sessions in the last 24 hours. Should be 0 on most days. |

Role Assumptions (Rows 2-3)

Role Assumptions: Last 30 Days - bar chart showing how many times each role was assumed over the past month. CE-ReadOnly and CE-Security should dominate. Seeing CE-Admin spike warrants a conversation.

Role Assumption Trend: Last 14 Days - daily line chart per role. Useful for spotting if activity is increasing, decreasing, or correlated with incidents.

Role Usage by Engineer - table showing which CE engineer assumed which role, and how many sessions. Lets you see if one engineer is taking on all admin sessions or if there is an unexpected pattern.

Activity Feed (Row 4)

All CE Engineer Activity - full chronological log of every API call made by any CE role. Engineer ARN, action, service, source IP, region, timestamp. This is your primary audit feed. Filter by engineer or action directly in the console.

Drill-Down Views (Rows 5-7)

CE-Admin Sessions - every CE-Admin assumption with caller identity, source IP, and region. Correlate against the SNS email alert timestamps.

Access Denied from CE Roles - denied calls with the specific error. A denied call on CE-SRE could mean the scope of a task requires CE-DevOps. A pattern of denials could indicate a misconfigured role or a permissions boundary you did not intend.

Services Accessed by CE - ranked list of AWS services called, by call count. See whether CE activity is concentrated in expected services or spreading.

Source IPs - which IPs CE engineers called from. CE uses IAM Identity Center, so IPs should originate from known office egress ranges or individual engineer IPs. An unfamiliar IP is worth investigating.

Production Access Attempts (blocked by CE-DenyProd) - denied calls where the request involved env-prod tagged resources. If you have attached CE-DenyProd, this confirms it is working. Non-empty means an engineer attempted prod access and was blocked.

After-Hours Activity - API calls made between 22:00 and 06:00 UTC. Highlights activity outside normal working hours.

Behavioral Analysis (Rows 8-10)

Unique Engineers Active (Last 30 Days) - distinct count of CE engineers who touched your account in the past month. Useful for billing attribution conversations and for knowing how many people have been active.

Week-over-Week Activity - table showing total CE actions per 7-day period, last 4 weeks. See whether engagement activity is ramping up, winding down, or holding steady.

Activity Anomaly Detection - CloudWatch anomaly detection learns the normal pattern of CE activity and draws a confidence band. Activity outside the band turns the line red. Useful for catching unusual spikes without needing to define a static threshold.

EC2 Instances Shelled Into - table of every instance CE engineers accessed via SSM StartSession, broken down by instance ID and role. Answers "which servers did they actually shell into?" with a count.

Data Resources Accessed (CE-Data) - when CE-Data is used, this table shows which S3 buckets and RDS instances were touched, which Athena queries were run, and which Glue catalog operations occurred. Granular data access trail without needing S3 server access logs.


The Log Group

All CE activity flows into a dedicated CloudWatch Logs log group:

continuous.engineering-access

This group receives events routed by EventBridge. Only events from CE roles (ARNs matching assumed-role/CE-*) are routed there. Your full CloudTrail is unaffected and unfiltered.

Running Custom Queries

Open the log group in the CloudWatch Logs Insights console and run your own queries. Examples:

All sessions by a specific engineer:

```
filter userIdentity.arn like /assumed-role\/CE-/
| filter userIdentity.principalId like /alice/
| fields @timestamp, eventName, eventSource, awsRegion
| sort @timestamp desc
```

Everything CE did to a specific S3 bucket:

```
filter eventSource = 's3.amazonaws.com'
| filter userIdentity.arn like /assumed-role\/CE-/
| filter requestParameters.bucketName = 'your-bucket-name'
| fields @timestamp, userIdentity.arn, eventName, requestParameters
| sort @timestamp desc
```

All destructive actions (delete/terminate/drop):

```
filter userIdentity.arn like /assumed-role\/CE-/
| filter eventName like /(?i)(delete|terminate|drop|remove|destroy)/
| fields @timestamp, userIdentity.arn, eventName, requestParameters
| sort @timestamp desc
```

Alerts

Two CloudWatch alarms are created automatically:

| Alarm | Triggers when | Notifies |
|---|---|---|
| ce-admin-assumed | CE-Admin role is assumed | SNS topic -> AdminAlertEmail |
| ce-access-denied-spike | More than 10 denied calls in 5 minutes | SNS topic -> AdminAlertEmail |

The SNS topic is ce-admin-alert. You can add additional subscriptions (PagerDuty, Slack via webhook, additional emails) in the SNS console.
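The following Python is an added example, not code from the stack, that reproduces offline the checks described above so you can sanity-check them against exported CloudTrail events: the EventBridge routing condition (ARNs matching assumed-role/CE-*), the after-hours and destructive-action filters behind the dashboard widgets and the custom queries, and the more-than-10-denials-in-5-minutes condition of the ce-access-denied-spike alarm. The sample events, the account ID and the engineer names are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Mirrors the EventBridge routing condition: only assumed-role/CE-* callers are CE events.
CE_ARN_RE = re.compile(r":assumed-role/(CE-[A-Za-z0-9]+)/")
DESTRUCTIVE_RE = re.compile(r"(?i)(delete|terminate|drop|remove|destroy)")  # the page's query
DENIED_CODES = ("AccessDenied", "Client.UnauthorizedOperation")

def ce_role(event):  # role name such as 'CE-Admin', or None for non-CE callers
    m = CE_ARN_RE.search(event.get("userIdentity", {}).get("arn", ""))
    return m.group(1) if m else None
def event_time(event):  # CloudTrail eventTime is ISO-8601 with a trailing Z
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
def is_after_hours(event):  # 22:00-06:00 UTC, as the After-Hours widget counts it
    return not 6 <= event_time(event).hour < 22

def denied_spike(events, threshold=10, window=timedelta(minutes=5)):
    """ce-access-denied-spike condition: more than `threshold` denied CE calls in any `window`."""
    times = sorted(event_time(e) for e in events if ce_role(e) and e.get("errorCode") in DENIED_CODES)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

def summarize(events):  # per-role counts plus the flagged subsets the dashboard widgets show
    ce = [e for e in events if ce_role(e)]
    return {
        "calls_per_role": dict(Counter(ce_role(e) for e in ce)),
        "admin_sessions": sum(1 for e in ce if ce_role(e) == "CE-Admin"),
        "destructive": [e["eventName"] for e in ce if DESTRUCTIVE_RE.search(e["eventName"])],
        "after_hours": sum(1 for e in ce if is_after_hours(e)),
    }

# Constructed sample events (placeholder account ID and engineer names), not real data.
def _event(time, arn, name, error=None):
    return {"eventTime": time, "eventName": name, "errorCode": error, "userIdentity": {"arn": arn}}

CE = "arn:aws:sts::111122223333:assumed-role/{}/{}"
SAMPLE_EVENTS = [
    _event("2024-05-01T09:05:00Z", CE.format("CE-Admin", "bob"), "TerminateInstances"),
    _event("2024-05-01T23:10:00Z", CE.format("CE-SRE", "alice"), "DeleteBucket", "AccessDenied"),
    _event("2024-05-01T10:00:00Z", "arn:aws:iam::111122223333:user/internal-dev", "DeleteBucket"),
] + [_event(f"2024-05-02T12:00:{s:02d}Z", CE.format("CE-SRE", "carol"), "GetObject", "AccessDenied")
     for s in range(11)]
```

The non-CE `internal-dev` event is dropped by `ce_role`, just as EventBridge never routes it into the log group; the eleven denials from `carol` trip `denied_spike` while the single denial from `alice` does not.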


Cost

The log group and metrics are low-cost additions. At typical consulting engagement volumes:

  • EventBridge rule: a few cents per month per thousand events
  • CloudWatch Logs ingestion: ~$0.50 per GB (API call payloads are small, typically a few KB each)
  • Metric filters: 8 filters at no charge (free tier covers first 10)
  • Dashboard: $3/month per dashboard
  • Alarms: $0.10/month per alarm (2 alarms = $0.20/month)

For an active engagement with a few hundred API calls per day, total cost is under $5/month.