I am trying to make a rule trigger on any API call for creation, but I haven't had any success.
I have another rule that triggers whenever an EC2 instance is running, which works, but this rule does not trigger for RunInstances, although I see the CloudTrail logs with RunInstances in the API log.
I have made a CloudWatch log from the CloudTrail and see the events that should be triggering it, but they don't. Is there a step I am missing? What are the necessary components to have CloudWatch properly trigger on API calls?
The rule mentioned:
{
  "source": [
    "aws.cloudtrail"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "cloudtrail.amazonaws.com"
    ],
    "eventName": [
      "CreateUserPool",
      "CreateImage",
      "CreateCacheCluster",
      "RunInstances",
      "CreateActivation",
      "RunJobFlow",
      "CreateVault",
      "CreateDeliveryStream",
      "CreateStream",
      "CreateCluster",
      "CreateDBInstance",
      "CreateHostedZone",
      "CreateBucket",
      "CreateLaunchConfiguration",
      "CreateStack",
      "CreateEnvironment",
      "CreateWorkspaces"
    ]
  }
}
To add more detail, here is the other rule I used to test CloudWatch:
{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "EC2 Instance State-change Notification"
  ],
  "detail": {
    "state": [
      "running"
    ]
  }
}
This is the log of the StartInstances call and the Lambda function running afterwards.
CloudTrail of the Lambda function specifically, which functions normally.
Here is the API call which should also initiate it according to the rule, but it does not.
Hopefully these images make it clearer as to what I am having trouble with.
P.S. I didn't know how much info I should consider confidential, so I over-censored.
I misunderstood the rule I created. I thought "AWS API calls from CloudTrail" when using the CloudTrail service meant all the information stored in CloudTrail. That does not seem to be the case.
As I mention in my comment, I am looking for other solutions to my problem, but I will make a separate question for that. Thanks!
I have an AWS Lambda function that provides configuration objects. Whenever this Lambda function is updated (i.e. deployed again), I need to trigger another Lambda function that detects changes in those config objects and takes some action. How do I monitor this Lambda deployment? Which CloudWatch event do I need to subscribe to?
I assume that your Lambda deployments are not managed by CodeDeploy. If so, I would recommend looking into creating a CloudTrail trail.
Once a CloudTrail trail is created with default settings, it will monitor all management API calls to your Lambda function. One of them is UpdateFunctionCode. Thus you can create a CloudWatch rule for "AWS API Call via CloudTrail". The rule would be triggered on the function update API call.
Example of such a rule:
{
  "source": [
    "aws.lambda"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "lambda.amazonaws.com"
    ],
    "eventName": [
      "UpdateFunctionCode"
    ]
  }
}
Then you can trigger a second Lambda based on the captured update event of the first function.
Based on @Marcin's suggestion, I used console.log to print the event. The rule below helped to filter a specific function:
{
  "source": [
    "aws.lambda"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "lambda.amazonaws.com"
    ],
    "eventName": [
      "UpdateFunctionCode20150331v2"
    ],
    "responseElements": {
      "functionName": [
        "myFunction"
      ]
    }
  }
}
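To show what the second function actually receives from such a rule, and how it can decide whether to act, here is an added example handler (not code from either answer above). It parses a constructed UpdateFunctionCode event in the shape EventBridge uses for "AWS API Call via CloudTrail" events, pulls out the function name, the new code hash and the principal that deployed it, and only then invokes the downstream function. The function names, ARNs, hash, IP address and the DOWNSTREAM_FUNCTION environment variable are assumptions; the point worth copying is that failed calls (which CloudTrail records with an errorCode and no responseElements) are ignored rather than treated as deployments.

```python
import json
import os
from typing import Any, Dict, Optional

# Constructed sample event (invented IDs, ARNs and hash) in the shape EventBridge
# delivers for CloudTrail API calls: the CloudTrail record sits under "detail".
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.lambda",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deployer"},
        "requestParameters": {"functionName": "myFunction", "publish": True},
        "responseElements": {
            "functionName": "myFunction",
            "functionArn": "arn:aws:lambda:us-east-1:123456789012:function:myFunction",
            "codeSha256": "c2hhMjU2LW9mLXRoZS1kZXBsb3llZC16aXA=",
            "version": "7",
        },
    },
}

# Assumptions: the config-provider function we watch, and the function to invoke on a deploy.
WATCHED_FUNCTIONS = {"myFunction"}
DOWNSTREAM = os.environ.get("DOWNSTREAM_FUNCTION")


def summarize_deploy(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Extract the fields worth acting on from an UpdateFunctionCode event.

    Returns None unless the event is a *successful* code update of a watched function.
    """
    detail = event.get("detail", {})
    if detail.get("eventSource") != "lambda.amazonaws.com":
        return None
    # CloudTrail names the versioned API (UpdateFunctionCode20150331v2); match either form.
    if not detail.get("eventName", "").startswith("UpdateFunctionCode"):
        return None
    # Denied or failed calls are recorded too, with errorCode set and no responseElements.
    if "errorCode" in detail:
        return None
    resp = detail.get("responseElements") or {}
    name = resp.get("functionName") or detail.get("requestParameters", {}).get("functionName")
    if name not in WATCHED_FUNCTIONS:
        return None
    return {
        "function": name,
        "arn": resp.get("functionArn", ""),
        "code_sha256": resp.get("codeSha256", ""),
        "version": resp.get("version", ""),
        "deployed_by": detail.get("userIdentity", {}).get("arn", "unknown"),
        "source_ip": detail.get("sourceIPAddress", ""),
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    """Entry point of the second function: forward only watched, successful deployments."""
    summary = summarize_deploy(event)
    if summary is None:
        return {"action": "ignored"}
    if DOWNSTREAM:
        import boto3  # imported here so the module loads (and tests run) without boto3

        boto3.client("lambda").invoke(
            FunctionName=DOWNSTREAM,
            InvocationType="Event",          # asynchronous: do not block on the detector
            Payload=json.dumps(summary).encode(),
        )
    return {"action": "triggered", **summary}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The summary carries the deployer's principal and source address as well as the code hash, so the downstream function (or an alert) can tell a CI role's deploy from a human's, and a re-deploy of unchanged code from a real change.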
I want to be able to set up an AWS CloudWatch event rule that will trigger an SNS topic whenever one of my Step Functions completes (either success or failure). I do not want this to run for all Step Functions, but there will be an indeterminate number of them based on a common name prefix. Ideally, I'd like to be able to do something like this, but it appears that wildcards are not allowed in event patterns. Are there any creative ways to work around this?
{
  "source": [
    "aws.states"
  ],
  "detail-type": [
    "Step Functions Execution Status Change"
  ],
  "detail": {
    "status": [
      "FAILED",
      "SUCCEEDED"
    ],
    "stateMachineArn": [
      "arn:aws:states:us-west-1:123456789012:stateMachine:Prefix-*"
    ]
  }
}
Wildcards are not supported in CloudWatch Events rules, according to the AWS official forum.
You will have to add all the ARNs to the stateMachineArn list. To do it easily, you may write a script that does the following:
1) Get all the state machine names with the specific prefix.
2) Update the CloudWatch Events rule to include all the state machine ARNs with that prefix.
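The two steps above as an added Python script using boto3 (example code, not from the answer). The rule name, prefix and region are assumptions. The helpers that select ARNs and build the pattern are pure, so they can be checked without AWS access; only sync_rule talks to Step Functions and EventBridge, and it refuses to write a rule with no ARNs in it rather than silently installing one that can never match.

```python
import json
from typing import Iterable, List

# Assumptions (not from the answer): rule name, name prefix and region.
RULE_NAME = "step-functions-prefix-terminal-states"
PREFIX = "Prefix-"
REGION = "us-west-1"


def select_by_prefix(arns: Iterable[str], prefix: str) -> List[str]:
    """Keep the state machine ARNs whose name part (after 'stateMachine:') starts with prefix."""
    return sorted(arn for arn in arns if arn.rsplit(":", 1)[-1].startswith(prefix))


def build_pattern(arns: List[str]) -> dict:
    """Event pattern listing every ARN explicitly; entries are exact matches, so no '*' here."""
    if not arns:
        raise ValueError("no state machines matched the prefix; refusing to write an empty rule")
    return {
        "source": ["aws.states"],
        "detail-type": ["Step Functions Execution Status Change"],
        "detail": {
            "status": ["SUCCEEDED", "FAILED"],
            "stateMachineArn": arns,
        },
    }


def sync_rule(region: str = REGION, prefix: str = PREFIX, rule_name: str = RULE_NAME) -> dict:
    """Enumerate state machines and rewrite the rule. Needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the pure helpers above run offline

    sfn = boto3.client("stepfunctions", region_name=region)
    arns: List[str] = []
    for page in sfn.get_paginator("list_state_machines").paginate():
        arns.extend(sm["stateMachineArn"] for sm in page["stateMachines"])
    pattern = build_pattern(select_by_prefix(arns, prefix))
    events = boto3.client("events", region_name=region)
    # put_rule is idempotent: re-running replaces the pattern with the current ARN set.
    events.put_rule(Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED")
    return pattern


if __name__ == "__main__":
    print(json.dumps(sync_rule(), indent=2))
```

Run it from a scheduled job (or after each state machine deployment) so new machines with the prefix are picked up; the targets attached to the rule are untouched by put_rule, only the pattern changes.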
My solution is below:
{
  "source": ["aws.states"],
  "detail-type": ["Step Functions Execution Status Change"],
  "detail": {
    "status": ["SUCCEEDED", "FAILED"],
    "stateMachineArn": [ { "prefix": "arn:aws:states:us-west-1:123456789012:stateMachine:prefix-" } ]
  }
}
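Both the first question on this page (the rule naming aws.cloudtrail and cloudtrail.amazonaws.com that never fires for RunInstances) and the prefix filter just above come down to how EventBridge evaluates a pattern: every key in the pattern must be present and satisfied (AND across keys), the event value must equal at least one entry of the array (OR within a key), plain entries are exact string matches with no wildcards and no whitespace trimming, and a {"prefix": ...} object is the way to match a leading substring. The following added Python matcher is my illustration, not AWS's implementation, and covers only the exact and prefix forms used on this page; it reports which key rejects an event so you can see why a pattern is silent before deploying it. The events, account ID, region and state machine names are constructed.

```python
from typing import Any, Dict, Optional

# Constructed event for a RunInstances call as EventBridge would deliver it (invented account/user).
# Note the service that was called, not CloudTrail, appears in "source" and "detail.eventSource".
SAMPLE_RUN_INSTANCES_EVENT: Dict[str, Any] = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-west-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
}

SAMPLE_STEP_FUNCTION_EVENT: Dict[str, Any] = {
    "source": "aws.states",
    "detail-type": "Step Functions Execution Status Change",
    "detail": {
        "status": "FAILED",
        "stateMachineArn": "arn:aws:states:us-west-1:123456789012:stateMachine:prefix-orders",
    },
}

# The shape of the first question's rule: it can only ever match CloudTrail's own API calls.
BROKEN_RULE = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com"], "eventName": ["RunInstances", "CreateImage"]},
}

# Corrected form: source and eventSource name the service whose API was called.
FIXED_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["RunInstances", "CreateImage"]},
}

# Prefix matching, as in the answer above.
PREFIX_RULE = {
    "source": ["aws.states"],
    "detail-type": ["Step Functions Execution Status Change"],
    "detail": {
        "status": ["SUCCEEDED", "FAILED"],
        "stateMachineArn": [{"prefix": "arn:aws:states:us-west-1:123456789012:stateMachine:prefix-"}],
    },
}


def _entry_matches(expected: Any, actual: Any) -> bool:
    """One entry of a pattern array against the event's value."""
    if isinstance(expected, dict):
        if "prefix" in expected:
            return isinstance(actual, str) and actual.startswith(expected["prefix"])
        if "exists" in expected:
            return bool(expected["exists"]) == (actual is not None)
        raise ValueError(f"content filter not implemented in this example: {expected}")
    return expected == actual  # exact match: "RunJobFlow " never equals "RunJobFlow"


def first_mismatch(pattern: Dict[str, Any], event: Dict[str, Any], path: str = "") -> Optional[str]:
    """Return the dotted path of the first pattern key the event fails, or None if it matches."""
    for key, spec in pattern.items():
        here = f"{path}.{key}" if path else key
        if key not in event:
            return here
        if isinstance(spec, dict):  # nested object: recurse (AND semantics carry through)
            if not isinstance(event[key], dict):
                return here
            nested = first_mismatch(spec, event[key], here)
            if nested is not None:
                return nested
        elif not any(_entry_matches(entry, event[key]) for entry in spec):
            return here
    return None


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    return first_mismatch(pattern, event) is None


if __name__ == "__main__":
    print("broken rule rejects at:", first_mismatch(BROKEN_RULE, SAMPLE_RUN_INSTANCES_EVENT))
    print("fixed rule matches:", matches(FIXED_RULE, SAMPLE_RUN_INSTANCES_EVENT))
    print("prefix rule matches:", matches(PREFIX_RULE, SAMPLE_STEP_FUNCTION_EVENT))
```

The matcher does not handle event-side arrays or the other content filters (anything-but, numeric, CIDR), which real EventBridge supports; for checking a pattern against a real event the authoritative tool is the events test-event-pattern API, but it only tells you match or no match, not which key failed.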
My end goal is to start an ECS (Fargate) task/Lambda based on an API call (manually).
When creating the CloudWatch rule I have to select a service to listen for events on. I'm not sure what service I should use for my purpose.
What is the best thing to do? Should I create a CloudWatch alarm that I manually trigger?
Thanks
So you want to trigger a Lambda function/ECS task based on an API call. The service for this CloudWatch event rule will depend on the type of API call you are running.
For example, if there is an S3 Put event, then you will select S3 as the service and then the specific S3 operation you are running:
{
  "source": [
    "aws.s3"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com"
    ],
    "eventName": [
      "PutObject"
    ]
  }
}
If this is a non-AWS API call, then you can use CloudWatch Logs to trigger the CloudWatch event rule.
I am trying to configure a CloudWatch event rule (to trigger an SNS notification) for whenever someone assumes a particular role:
{
  "detail": {
    "eventName": [
      "AssumeRole"
    ],
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "requestParameters": {
      "roleArn": [
        "arn:aws:iam::0000:role/the_role_name"
      ]
    }
  },
  "detail-type": [
    "AWS API Call via CloudTrail"
  ]
}
Where 0000 is the account ID and the_role_name is the role I want to alert on.
This is failing to trigger any notification; however, when I search in CloudTrail Insights for the events:
filter eventName = 'AssumeRole'
  | filter requestParameters.roleArn =~ 'the_role_name'
  | sort @timestamp desc
  | display @timestamp, requestParameters.roleSessionName, eventName, requestParameters.roleArn, userAgent, sourceIPAddress
I DO get results that SHOULD have triggered the rule:
requestParameters.roleSessionName   eventName    requestParameters.roleArn
my_username                         AssumeRole   arn:aws:iam::0000:role/the_role_name
...
For the sake of trying to dumb things down and catch a broader set of events, I also tried the following rule (which would catch all AssumeRole events for any role):
{
  "detail": {
    "eventName": [
      "AssumeRole"
    ]
  },
  "detail-type": [
    "AWS API Call via CloudTrail"
  ]
}
This rule is also failing to trigger.
Does anyone have ideas on how to configure Cloudwatch Event Rules to trigger on AssumeRole events?
I read through this related question (which is trying to achieve something similar), but it did not have a solution: AWS CloudWatch Events trigger SNS on STS role assuming for cross account
First of all, make sure whether the rule is invoked or not by checking the monitoring metrics for the rule. It is possible that it is triggered but fails to invoke the target. In that case, you should check your IAM policies.
If it is not triggered, there could be issues with trail delivery to CloudWatch Logs. Make sure that you created a trail in the same region which delivers events to CloudWatch Logs.
I have the following rule in the us-east-1 region, which works fine:
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "eventName": [
      "AssumeRole"
    ]
  },
  "source": [
    "aws.sts"
  ]
}
According to an AWS Support agent I was speaking with yesterday, and as also indicated by the linked documents, EventBridge rules (formerly CloudWatch Events rules) unfortunately do not support STS events.
What's perplexing about this, and might lead you down the wrong path as it did me, is that the sts test-event-pattern API will in fact validate your event against a valid pattern and give no indication that it's an unsupported service.
Hopefully AWS adds STS event support in the future.
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html
When I create the EC2 instance, the CloudWatch event should trigger, but it is not working. Below is the event JSON. Could you please help?
The same event is triggered successfully in another AWS account; I am not sure what is wrong with this account. The IAM policy for the Lambda has complete access, and when I test the Lambda code it works fine. But the problem is that the event should be triggered.
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com",
      "rds.amazonaws.com",
      "s3.amazonaws.com"
    ],
    "eventName": [
      "CreateVolume",
      "RunInstances",
      "RequestSpotInstances",
      "CreateSnapshot",
      "CreateVpnGateway",
      "CreateSecurityGroup",
      "CreateInternetGateway",
      "CreateNatGateway",
      "CreateVpc",
      "CreateSubnet",
      "CreateRouteTable",
      "CreateCustomerGateway",
      "CreateNetworkAcl",
      "CreateVpnConnection",
      "CreateImage",
      "CreateDBInstance",
      "CreateDBSnapshot",
      "CreateDBCluster",
      "CreateDBClusterParameterGroup",
      "CreateDBClusterSnapshot",
      "CreateDBInstanceReadReplica",
      "CreateDBParameterGroup",
      "CreateDBSecurityGroup",
      "CreateDBSubnetGroup",
      "CreateEventSubscription",
      "CreateOptionGroup",
      "CreateBucket"
    ]
  }
}
Are you configuring trails in AWS CloudTrail to track API calls?
1) Check in your trail configuration whether the logging status is enabled.
2) Check your policies again, as in most cases we misconfigure our IAM policies so that one of the services cannot work as expected.
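To make the first check repeatable, here is an added script (example code, not from the answer) that asks the CloudTrail API whether any trail would actually feed "AWS API Call via CloudTrail" events to rules in a given region: the trail must be homed in that region or be multi-region, its IsLogging status must be true, and its event selectors must record management write events (every Create*/Run* call in the rule above is a management write event). Only check_account talks to AWS and needs boto3 and credentials; the decision logic runs offline over constructed API responses with an invented account ID. It does not cover the second point above, the IAM side of the rule's target.

```python
from typing import Any, Dict, List

WRITE_TYPES = {"WriteOnly", "All"}  # ReadWriteType values under which Create*/Run* calls are recorded


def trail_covers_region(trail: Dict[str, Any], region: str) -> bool:
    """A trail records calls made in `region` if it is multi-region or homed there."""
    return bool(trail.get("IsMultiRegionTrail")) or trail.get("HomeRegion") == region


def selectors_log_management_writes(selectors: Dict[str, Any]) -> bool:
    """Interpret get_event_selectors output, classic or advanced selectors."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") in WRITE_TYPES:
            return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        read_only = fields.get("readOnly")
        # No readOnly filter means both read and write management events are recorded.
        if read_only is None or read_only.get("Equals") == ["false"]:
            return True
    return False


def diagnose(region: str, trails: List[Dict[str, Any]],
             statuses: Dict[str, Dict[str, Any]],
             selectors: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return why no trail would feed API-call events to rules in `region`.

    An empty list means at least one trail is logging management write events there.
    """
    problems: List[str] = []
    for trail in trails:
        if not trail_covers_region(trail, region):
            continue
        arn = trail["TrailARN"]
        if not statuses.get(arn, {}).get("IsLogging"):
            problems.append(f"{trail['Name']}: logging is stopped (StartLogging needed)")
        elif not selectors_log_management_writes(selectors.get(arn, {})):
            problems.append(f"{trail['Name']}: management write events are not recorded")
        else:
            return []  # one healthy trail is enough
    if not problems:
        problems.append(f"no trail covers {region}: create one there or use a multi-region trail")
    return problems


def check_account(region: str) -> List[str]:
    """Live check against the account; boto3 is imported here so the rest runs offline."""
    import boto3

    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    selectors = {t["TrailARN"]: ct.get_event_selectors(TrailName=t["TrailARN"]) for t in trails}
    return diagnose(region, trails, statuses, selectors)


# Constructed responses (invented account ID and trail name) in the shape the three calls return.
SAMPLE_TRAILS = [
    {"Name": "east-only", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/east-only"},
]
SAMPLE_STATUS = {SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True}}
SAMPLE_SELECTORS = {SAMPLE_TRAILS[0]["TrailARN"]: {
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}}

if __name__ == "__main__":
    print(diagnose("us-east-1", SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS))
    print(diagnose("us-west-2", SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS))
```

The second printed line is the situation that most often explains "it works in the other account": the rule lives in a region the only trail does not cover, so nothing ever reaches EventBridge there.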