Please tell me how to configure event patterns to detect CloudTrail events with EventBridge

2025.10.15

The issue

I am considering detecting specific events recorded in CloudTrail with EventBridge and executing Lambda function processing.

As a test, I configured the following EventBridge event pattern, but it was unable to detect event records in CloudTrail.

{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "userName": ["user-name"],
  "eventSource": ["ec2.amazonaws.com"],
  "eventName": ["RunInstances"]
}

Please tell me how to configure event patterns to detect CloudTrail events with EventBridge.

The solution

To configure an event pattern, you first need to know the JSON structure of the event as CloudTrail records it.

Because JSON is hierarchical, the event pattern must mirror that hierarchy: each key you want to match on has to be placed at the same nesting level where it appears in the event.

For example, consider the following EC2 RunInstances event recorded in CloudTrail.
Assume we want EventBridge to match only when the RunInstances call that launched the instance was made by a specific user.

RunInstances event sample
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxx",
    "arn": "xxx",
    "accountId": "012345678901",
    "accessKeyId": "xxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxx",
        "arn": "xxx",
        "accountId": "012345678901",
        "userName": "xxx"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-07-23T07:51:52Z",
        "mfaAuthenticated": "true"
      }
    }
  },
  "eventTime": "2022-07-23T08:17:05Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "instancesSet": {
      "items": [
        {
          "imageId": "ami-0b7546e839d7ace12",
          "minCount": 1,
          "maxCount": 1
        }
      ]
    },
    "instanceType": "t2.micro",
    "blockDeviceMapping": {},
    "monitoring": {
      "enabled": false
    },
    "disableApiTermination": false,
    "disableApiStop": false,
    "networkInterfaceSet": {
      "items": [
        {
          "deviceIndex": 0,
          "associatePublicIpAddress": true,
          "groupSet": {
            "items": [
              {
                "groupId": "xxx"
              }
            ]
          }
        }
      ]
    },
    "ebsOptimized": false,
    "tagSpecificationSet": {
      "items": [
        {
          "resourceType": "instance",
          "tags": [
            {
              "key": "Name",
              "value": "test"
            }
          ]
        }
      ]
    },
    "privateDnsNameOptions": {
      "hostnameType": "ip-name",
      "enableResourceNameDnsARecord": true,
      "enableResourceNameDnsAAAARecord": false
    }
  },
  "responseElements": {
    "requestId": "4cc3f128-5d9b-403d-b610-b3eed74ddf3a",
    "reservationId": "r-04a009282de1aa984",
    "ownerId": "012345678901",
    "groupSet": {},
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-0eff910f31cc85ee3",
          "imageId": "ami-0b7546e839d7ace12",
          "instanceState": {
            "code": 0,
            "name": "pending"
          },
          "privateDnsName": "ip-172-31-1-9.ap-northeast-1.compute.internal",
          "amiLaunchIndex": 0,
          "productCodes": {},
          "instanceType": "t2.micro",
          "launchTime": 1658564225000,
          "placement": {
            "availabilityZone": "ap-northeast-1c",
            "tenancy": "default"
          },
          "monitoring": {
            "state": "disabled"
          },
          "subnetId": "xxx",
          "vpcId": "xxx",
          "privateIpAddress": "172.31.1.9",
          "stateReason": {
            "code": "pending",
            "message": "pending"
          },
          "architecture": "x86_64",
          "rootDeviceType": "ebs",
          "rootDeviceName": "/dev/xvda",
          "blockDeviceMapping": {},
          "virtualizationType": "hvm",
          "hypervisor": "xen",
          "tagSet": {
            "items": [
              {
                "key": "Name",
                "value": "test"
              }
            ]
          },
          "groupSet": {
            "items": [
              {
                "groupId": "xxx",
                "groupName": "default"
              }
            ]
          },
          "sourceDestCheck": true,
          "networkInterfaceSet": {
            "items": [
              {
                "networkInterfaceId": "eni-05fae8e171b36e104",
                "subnetId": "xxx",
                "vpcId": "xxx",
                "ownerId": "012345678901",
                "status": "in-use",
                "macAddress": "0a:47:8e:d7:f0:d9",
                "privateIpAddress": "172.31.1.9",
                "privateDnsName": "ip-172-31-1-9.ap-northeast-1.compute.internal",
                "sourceDestCheck": true,
                "interfaceType": "interface",
                "groupSet": {
                  "items": [
                    {
                      "groupId": "xxx",
                      "groupName": "default"
                    }
                  ]
                },
                "attachment": {
                  "attachmentId": "eni-attach-0939111d62cc6f699",
                  "deviceIndex": 0,
                  "networkCardIndex": 0,
                  "status": "attaching",
                  "attachTime": 1658564225000,
                  "deleteOnTermination": true
                },
                "privateIpAddressesSet": {
                  "item": [
                    {
                      "privateIpAddress": "172.31.1.9",
                      "privateDnsName": "ip-172-31-1-9.ap-northeast-1.compute.internal",
                      "primary": true
                    }
                  ]
                },
                "ipv6AddressesSet": {},
                "tagSet": {}
              }
            ]
          },
          "ebsOptimized": false,
          "enaSupport": true,
          "cpuOptions": {
            "coreCount": 1,
            "threadsPerCore": 1
          },
          "capacityReservationSpecification": {
            "capacityReservationPreference": "open"
          },
          "enclaveOptions": {
            "enabled": false
          },
          "metadataOptions": {
            "state": "pending",
            "httpTokens": "optional",
            "httpPutResponseHopLimit": 1,
            "httpEndpoint": "enabled",
            "httpProtocolIpv4": "enabled",
            "httpProtocolIpv6": "disabled",
            "instanceMetadataTags": "disabled"
          },
          "maintenanceOptions": {
            "autoRecovery": "default"
          },
          "privateDnsNameOptions": {
            "hostnameType": "ip-name",
            "enableResourceNameDnsARecord": true,
            "enableResourceNameDnsAAAARecord": false
          }
        }
      ]
    }
  },
  "requestID": "4cc3f128-5d9b-403d-b610-b3eed74ddf3a",
  "eventID": "cde16a06-946a-48b8-b552-046ed8a22d99",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "012345678901",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}

When CloudTrail delivers the above event to EventBridge, it is wrapped in the following envelope.

{
  "id": "6aa6af88-8ba7-b409-2d24-93f157bcd326",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.ec2",
  "account": "012345678901",
  "time": "2022-07-23T08:17:05Z",
  "region": "ap-northeast-1",
  "resources": [],
  "detail": {
    "CloudTrail event record"
  }
}

As shown above, the entire CloudTrail event record is nested under the key called "detail".
Given this structure, an EventBridge event pattern that matches only RunInstances calls made by a specific user name looks like this:

{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "userIdentity": {
      "sessionContext": {
        "sessionIssuer": {
          "userName": ["user-name"]
        }
      }
    },
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["RunInstances"]
  }
}

As shown above, eventSource, eventName, userName and the other fields must be written at the position they occupy in the JSON hierarchy of the event, which means inside "detail". The pattern in the question failed because it placed these keys at the top level, where the EventBridge envelope has no such fields.
Replace the ["user-name"] part with the actual user name you want to detect.

With this event pattern, EventBridge matches only EC2 RunInstances calls made by the user named "user-name".
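To show why the flat pattern from the question never matches while the nested one does, here is an added example (not part of the original article) that implements EventBridge's basic matching rules in Python and runs both patterns against a trimmed, constructed copy of the envelope above. The event data is constructed from the sample record; the `matches` function is a simplified re-implementation and does not model content filters.

```python
# Constructed sample: the EventBridge envelope from above, with the CloudTrail
# record trimmed to the fields the patterns reference.
ASSUMED_ROLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "user-name"}},
        },
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
    },
}

# Flat pattern from the question: userName/eventSource/eventName at the top level.
FLAT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "userName": ["user-name"],
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["RunInstances"],
}

# Nested pattern from the answer: the same fields placed under "detail".
NESTED_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": ["user-name"]}}},
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["RunInstances"],
    },
}

def matches(pattern, event):
    """Basic EventBridge matching (simplified): every pattern key must exist in
    the event at the same nesting level, a leaf list matches when the event value
    (or any element of an event array) equals a listed value, objects recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # key absent at this level: this is where the flat pattern fails
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not any(v in expected for v in (actual if isinstance(actual, list) else [actual])):
            return False
    return True
```

Note that the sessionIssuer path is specific to AssumedRole identities like the sample record; a call made directly with IAM user credentials carries the name at detail.userIdentity.userName instead, so the pattern must follow whatever structure the actual record has.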
