AWS. Cloudwatch trigger Rule on Alarm state change - amazon-web-services

I have an issue triggering a CloudWatch Rule on a CloudWatch Alarm state change. This is the event pattern for the Rule. It doesn't send a message to SNS on state change.
{
  "detail-type": [
    "CloudWatch Alarm State Change"
  ],
  "resources": [
    !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:Admin dead"
  ],
  "source": [
    "aws.cloudwatch"
  ],
  "detail": {
    "state": [
      "ALARM"
    ]
  }
}
The Alarm itself works properly and sends a message to SNS in parallel. Also, if I remove this part:
  "detail": {
    "state": [
      "ALARM"
    ]
  }
then the Rule works properly for each state change. But I need it only when the state changes to "In alarm" (as it's displayed in the UI).
Thanks for any advice

A good way to debug this would be to remove the "detail" part, and subscribe to the SNS topic with email or a lambda function or similar to see the actual alarm event content.
Looks like your rule for "detail" is missing the "value" parameter; the following rule works:
{
  "source": [
    "aws.cloudwatch"
  ],
  "detail-type": [
    "CloudWatch Alarm State Change"
  ],
  "detail": {
    "state": {
      "value": [
        "ALARM"
      ]
    }
  }
}
According to this, an example event looks like:
{
  "version": "0",
  "id": "2dde0eb1-528b-d2d5-9ca6-6d590caf2329",
  "detail-type": "CloudWatch Alarm State Change",
  "source": "aws.cloudwatch",
  "account": "123456789012",
  "time": "2019-10-02T17:20:48Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:cloudwatch:us-east-1:123456789012:alarm:TotalNetworkTrafficTooHigh"
  ],
  "detail": {
    "alarmName": "TotalNetworkTrafficTooHigh",
    "configuration": {
      "description": "Goes into alarm if total network traffic exceeds 10Kb",
      "metrics": [...]
    },
    "previousState": {
      "reason": "Unchecked: Initial alarm creation",
      "timestamp": "2019-10-02T17:20:03.642+0000",
      "value": "INSUFFICIENT_DATA"
    },
    "state": {
      "reason": "Threshold Crossed: 1 out of the last 1 datapoints [45628.0 (02/10/19 17:10:00)] was greater than the threshold (10000.0) (minimum 1 datapoint for OK -> ALARM transition).",
      "reasonData": "{\"version\":\"1.0\",\"queryDate\":\"2019-10-02T17:20:48.551+0000\",\"startDate\":\"2019-10-02T17:10:00.000+0000\",\"period\":300,\"recentDatapoints\":[45628.0],\"threshold\":10000.0}",
      "timestamp": "2019-10-02T17:20:48.554+0000",
      "value": "ALARM"
    }
  }
}

The below trick worked for me. I wanted to fetch all the alerts that are in alarm state with a CloudWatch rule.
{
  "source": [
    "aws.cloudwatch"
  ],
  "detail-type": [
    "CloudWatch Alarm State Change"
  ],
  "detail": {
    "state": {
      "value": [
        "ALARM"
      ]
    }
  }
}

Related

Getting error on cloudwatch event rules on glue job state change

I have created a CloudWatch event rule for Glue job state change. I am getting notifications correctly for all Glue job state changes. But I need to send notifications only for some particular Glue jobs. I tried adding multiple jobs, but it is not working properly.
Glue jobs:
glue_job1
glue_job2
glue_job3
Event rule: with this rule I can get notifications for all jobs.
{
  "source": [
    "aws.glue"
  ],
  "detail-type": [
    "Glue Job State Change"
  ],
  "detail": {
    "state": [
      "FAILED",
      "TIMEOUT",
      "SUCCEEDED"
    ]
  }
}
Event rule 2: with this I am not getting proper notifications.
{
  "source": [
    "aws.glue"
  ],
  "detail-type": [
    "Glue Job State Change"
  ],
  "detail": {
    "state": [
      "FAILED",
      "TIMEOUT",
      "SUCCEEDED"
    ],
    "jobName": [
      "glue_job1",
      "glue_job2",
      "glue_job3"
    ]
  }
}
How can we send notifications for only specific Glue jobs? How can we create an event rule for this scenario? Thank you

How to get the job progression percentage for a particular job being processed by Mediaconvert?

I have found out that a Status Update event is sent to CloudWatch Events every minute while the job is progressing; the interval can be changed to 10 seconds as well. How can I show the percentage on the client side from the CloudWatch events sent every 10 seconds?
You will want to capture the STATUS_UPDATE event from CloudWatch and feed that into a service like Lambda that could update a database, or whatever data source you are using to display job stats.
Example of the event pattern:
{
  "source": [
    "aws.mediaconvert"
  ],
  "detail-type": [
    "MediaConvert Job State Change"
  ],
  "detail": {
    "status": [
      "STATUS_UPDATE"
    ]
  }
}
Example of what the Status Update event payload looks like:
{
  "version": "0",
  "id": "ABC",
  "detail-type": "MediaConvert Job State Change",
  "source": "aws.mediaconvert",
  "account": "111122223333",
  "time": "2021-02-18T17:52:32Z",
  "region": "us-west-2",
  "resources": [
    "arn:aws:mediaconvert:us-west-2:111122223333:jobs/1613670689802-emcngz"
  ],
  "detail": {
    "timestamp": 1613670752653,
    "accountId": "111122223333",
    "queue": "arn:aws:mediaconvert:us-west-2:111122223333:queues/Default",
    "jobId": "1613670689802-emcngz",
    "status": "STATUS_UPDATE",
    "userMetadata": {},
    "framesDecoded": 2024,
    "jobProgress": {
      "phaseProgress": {
        "PROBING": {
          "status": "COMPLETE",
          "percentComplete": 100
        },
        "TRANSCODING": {
          "status": "PROGRESSING",
          "percentComplete": 2
        },
        "UPLOADING": {
          "status": "PENDING",
          "percentComplete": 0
        }
      },
      "jobPercentComplete": 7,
      "currentPhase": "TRANSCODING",
      "retryCount": 0
    }
  }
}
MediaConvert provides granular percentages per phases the job is in (probing input, transcoding, and uploading outputs) as well as an overall percentage. The one that is displayed on the MediaConvert Console UI is the jobPercentComplete, and would probably be the one you want to capture.
Documentation:
CloudWatch Events supported by MediaConvert:
https://docs.aws.amazon.com/mediaconvert/latest/ug/mediaconvert_cwe_events.html
How to setup CloudWatch Event:
https://docs.aws.amazon.com/mediaconvert/latest/ug/setting-up-cloudwatch-event-rules.html

CloudWatch Event Rule and SNS for updates on ECS service

I want to receive an email every time I update my ECS service (and once the update finishes or the desired state is reached).
I thought about CloudWatch Events Rules with an SNS topic as the target (with a confirmed email address). However, it doesn't work.
This is my custom event pattern:
{
  "detail-type": [
    "ECS Update"
  ],
  "resources": [
    "arn:aws:ecs:us-east-1:aws-account:service/myService"
  ],
  "source": [
    "aws.ecs"
  ],
  "detail": {
    "clusterArn": [
      "arn:aws:ecs:us-east-1:aws-account:cluster/myCluster"
    ],
    "eventName": [
      "SERVICE_STEADY_STATE"
    ],
    "eventType": [
      "INFO"
    ]
  }
}
I also tried:
TASKSET_STEADY_STATE
CAPACITY_PROVIDER_STEADY_STATE
SERVICE_DESIRED_COUNT_UPDATED
I'm updating the service through the CLI:
aws ecs update-service --cluster myCluster --service myService --task-definition myTaskDef --force-new-deployment --desired-count 2
The status of the event rule is enabled and the target is the SNS topic. The input is the matched event.
I don't have any clue. Am I using the wrong event name?
You can also set email notifications on a Task instead of the service; also, there is an issue regarding ECS notifications.
I was not able to make it based on ECS status change, so I controlled the notification at the Lambda level. You can set this rule, and it's working for me.
{
  "source": [
    "aws.ecs"
  ],
  "detail-type": [
    "ECS Service Action"
  ]
}
You can expect a bit of delay, as I already experienced this and also reported it in a GitHub issue.
Here is the JSON event that you will receive for the above rule.
{
  "version": "0",
  "id": "c3c27e7b-abcd-efgh-c84e-highgclkl",
  "detail-type": "ECS Service Action",
  "source": "aws.ecs",
  "account": "1234567890",
  "time": "2020-06-27T00:00:00.00Z",
  "region": "us-west-2",
  "resources": [
    "arn:aws:ecs:us-west-2:1234567890:service/test"
  ],
  "detail": {
    "eventType": "INFO",
    "eventName": "SERVICE_STEADY_STATE",
    "clusterArn": "arn:aws:ecs:us-west-2:123456789:cluster/mycluster",
    "createdAt": "2020-06-27T00:00:00.00Z"
  }
}
Or the other option is that you can try task-based changes.
{
  "source": [
    "aws.ecs"
  ],
  "detail-type": [
    "ECS Task State Change"
  ],
  "detail": {
    "lastStatus": [
      "STOPPED",
      "RUNNING"
    ],
    "clusterArn": [
      "arn:aws:ecs:us-west-2:123456789:cluster/my_cluster"
    ]
  }
}

is there any way to filter ECR image scan findings?

I have a CloudWatch event that scans an ECR repository for vulnerabilities, connected to an SNS topic that triggers the notification to a specified endpoint. My requirement here is to filter the scan findings, i.e. trigger the SNS topic only when the scan finds "Critical".
{
  "detail-type": [
    "ECR Image Scan"
  ],
  "source": [
    "aws.ecr"
  ],
  "detail": {
    "severity": [
      "CRITICAL"
    ]
  }
}
It works with this pattern:
{
  "source": [
    "aws.ecr"
  ],
  "detail-type": [
    "ECR Image Scan"
  ],
  "detail": {
    "finding-severity-counts": {
      "CRITICAL": [
        {
          "numeric": [
            ">",
            0
          ]
        }
      ]
    }
  }
}
Above is the CloudWatch event pattern for filtering scan findings only on the Critical count.
See https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html for more details.
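As an added example (not from this thread, and not AWS's own matcher), a small Python model of the subset of EventBridge pattern semantics that the alarm answer and the ECR answer above rely on: a list is a set of allowed values, a nested object in the event must be matched with a nested object in the pattern (which is why "state": ["ALARM"] never matches the alarm event while "state": {"value": ["ALARM"]} does), and the "numeric" content filter used on the CRITICAL count. The events are constructed from the payloads quoted above; prefix, exists and anything-but filters are not modelled.

```python
# Constructed sample events modelled on the alarm and ECR payloads quoted in this thread.
ALARM_EVENT = {"source": "aws.cloudwatch", "detail-type": "CloudWatch Alarm State Change",
               "resources": ["arn:aws:cloudwatch:us-east-1:123456789012:alarm:TotalNetworkTrafficTooHigh"],
               "detail": {"alarmName": "TotalNetworkTrafficTooHigh",
                          "previousState": {"value": "INSUFFICIENT_DATA"},
                          "state": {"value": "ALARM"}}}
ECR_EVENT = {"source": "aws.ecr", "detail-type": "ECR Image Scan",
             "detail": {"scan-status": "COMPLETE",
                        "finding-severity-counts": {"CRITICAL": 2, "HIGH": 5}}}

# Patterns from the thread: the asker's alarm rule, the fixed one, and the ECR rule.
BROKEN_ALARM_RULE = {"source": ["aws.cloudwatch"], "detail-type": ["CloudWatch Alarm State Change"],
                     "detail": {"state": ["ALARM"]}}
FIXED_ALARM_RULE = {"source": ["aws.cloudwatch"], "detail-type": ["CloudWatch Alarm State Change"],
                    "detail": {"state": {"value": ["ALARM"]}}}
ECR_CRITICAL_RULE = {"source": ["aws.ecr"], "detail-type": ["ECR Image Scan"],
                     "detail": {"finding-severity-counts": {"CRITICAL": [{"numeric": [">", 0]}]}}}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def _numeric_ok(value, clause):
    """Evaluate a ["<op>", n, "<op>", n] numeric filter; every clause must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(clause[0::2], clause[1::2]))

def _alt_ok(alt, value):
    """One alternative from a pattern list: a literal, or a {"numeric": [...]} filter."""
    if isinstance(alt, dict):
        return "numeric" in alt and _numeric_ok(value, alt["numeric"])
    return alt == value

def matches(pattern, event):
    """Subset of EventBridge matching: each pattern key must exist in the event; a dict
    recurses into a nested object, a list holds alternatives of which one must equal
    the field (any element counts when the field itself is a list, e.g. resources)."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        field = event[key]
        if isinstance(spec, dict):
            if not isinstance(field, dict) or not matches(spec, field):
                return False
            continue
        candidates = field if isinstance(field, list) else [field]
        if not any(_alt_ok(alt, v) for alt in spec for v in candidates):
            return False
    return True
```

Running matches(BROKEN_ALARM_RULE, ALARM_EVENT) returns False and matches(FIXED_ALARM_RULE, ALARM_EVENT) returns True, which is the behaviour the accepted alarm answer describes.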

AWS Scheduled Event Rule for Lambda doesn't work in CloudFormation

Having trouble configuring AWS Lambda to be triggered by a Rule->Trigger as a Scheduled Event Source using CloudFormation (in reality, using Python's Troposphere). This has cost me a couple of days already, and any help would be appreciated.
Here's the relevant CF JSON snippet:
"DataloaderRetrier": {
  "Properties": {
    "Code": {
      "S3Bucket": "mycompanylabs-config",
      "S3Key": "v3/mycompany-component-loader-lambda-0.5.jar"
    },
    "FunctionName": "DataloaderRetriervitest27",
    "Handler": "mycompany.ScheduledEventHandler::handleRequest",
    "MemorySize": 320,
    "Role": "arn:aws:iam::166662328783:role/kinesis-lambda-role",
    "Runtime": "java8",
    "VpcConfig": {
      "SecurityGroupIds": [
        "sg-2f1f6047"
      ],
      "SubnetIds": [
        "subnet-ec3c1435"
      ]
    }
  },
  "Type": "AWS::Lambda::Function"
},
"DataloaderRetrierEventTriggerPermission": {
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::GetAtt": [
        "DataloaderRetrier",
        "Arn"
      ]
    },
    "Principal": "events.amazonaws.com",
    "SourceAccount": {
      "Ref": "AWS::AccountId"
    },
    "SourceArn": {
      "Fn::GetAtt": [
        "DataloaderRetrierEventTriggerRule",
        "Arn"
      ]
    }
  },
  "Type": "AWS::Lambda::Permission"
},
"DataloaderRetrierEventTriggerRule": {
  "DependsOn": "DataloaderRetrier",
  "Properties": {
    "Description": "Reminding the lambda to read from the retry SQS",
    "Name": "DataloaderRetrierEventTriggerRulevitest27",
    "ScheduleExpression": "rate(1 minute)",
    "State": "ENABLED",
    "Targets": [
      {
        "Arn": {
          "Fn::GetAtt": [
            "DataloaderRetrier",
            "Arn"
          ]
        },
        "Id": "DataloaderRetrierEventTriggerTargetvitest27",
        "Input": "{\"Hey\":\"WAKE UP!\"}"
      }
    ]
  },
  "Type": "AWS::Events::Rule"
}
The AWS Lambda function shows zero invocations, and the Events->Rules metric shows the correct number of invocations; however, they all fail. The Lambda shows the trigger in the Triggers section, and the Rule shows the Lambda in its trigger section. They link up fine.
However, if I go in and manually create the same trigger under the rule in the web console, it will happily start sending events to the Lambda.
PS - here's the Troposphere code:
# Assumed scaffolding not in the original post: troposphere imported as `tr`,
# `suffix` appending the deployment suffix seen in the rendered JSON above, and
# `lambda_vpc_config` rebuilt from the VpcConfig in that JSON.
import troposphere as tr
from troposphere import awslambda, events

t = tr.Template()


def suffix(name):
    return name + "vitest27"


lambda_vpc_config = awslambda.VPCConfig(
    SecurityGroupIds=["sg-2f1f6047"],
    SubnetIds=["subnet-ec3c1435"]
)

# DATALOADER RETRIER LAMBDA
dataloader_retrier = t.add_resource(awslambda.Function(
    "DataloaderRetrier",
    Code=awslambda.Code(
        "DataloaderRetrierCode",
        S3Bucket='mycompanylabs-config',
        S3Key='v3/mycompany-snowplow-loader-lambda-0.5.jar'
    ),
    FunctionName=suffix("DataloaderRetrier"),
    Handler="mycompany.ScheduledEventHandler::handleRequest",
    MemorySize="320",
    Role="arn:aws:iam::166662328783:role/kinesis-lambda-role",
    Runtime="java8",
    VpcConfig=lambda_vpc_config
))

# Scheduled rule that invokes the function once a minute with a fixed input
dataloader_retrier_scheduled_rule = t.add_resource(events.Rule(
    "DataloaderRetrierEventTriggerRule",
    Name=suffix("DataloaderRetrierEventTriggerRule"),
    Description="Reminding the lambda to read from the retry SQS",
    Targets=[events.Target(
        Id=suffix("DataloaderRetrierEventTriggerTarget"),
        Arn=tr.GetAtt("DataloaderRetrier", "Arn"),
        Input='{"Hey":"WAKE UP!"}'
    )],
    State='ENABLED',
    ScheduleExpression="rate(1 minute)",
    DependsOn="DataloaderRetrier"
))

# Resource policy that allows CloudWatch Events to invoke the function
t.add_resource(awslambda.Permission(
    "DataloaderRetrierEventTriggerPermission",
    Action="lambda:InvokeFunction",
    FunctionName=tr.GetAtt("DataloaderRetrier", "Arn"),
    Principal="events.amazonaws.com",
    SourceAccount=tr.Ref("AWS::AccountId"),
    SourceArn=tr.GetAtt("DataloaderRetrierEventTriggerRule", "Arn")
))
You need to remove the SourceAccount parameter from your AWS::Lambda::Permission Resource.
As described in the AddPermission API documentation, the SourceAccount parameter restricts the 'source' of the permitted invocation to the specified AWS Account ID, for example when specifying an S3 Bucket or CloudWatch Logs notification.
However (and the docs should probably be made more clear on this point), in the case of a CloudWatch Events Schedule Expression, the source of the Event is aws.events, not your own AWS Account ID, which is why adding this parameter causes the event to fail to trigger the Lambda function.