Eventbridge Event Rule Pattern for Cloudtrail logs (nested)

1

I'm trying to write an Eventbridge event rule to detect a Security Group inbound rule change which allows ingress on SSH or RDP from 0.0.0.0/0. However, I'm getting the error "Event pattern is not valid" for ipRanges on the rule below:

AWSTemplateFormatVersion: '2010-09-09'
Description: SecurityAlerting

Resources:
  SGEventRuleNew:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-SG-insecure-inbound
      Description: An Event Rule that triggers on SG changes.
      State: ENABLED
      EventBusName: default
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - AuthorizeSecurityGroupIngress
          requestParameters:
            ipPermissions:
              items:
                - fromPort:
                    numeric:
                      - 22
                      - 3389
                  toPort:
                    numeric:
                      - 22
                      - 3389
                  ipRanges:
                    items:
                      - cidrIp:
                          match: 0.0.0.0/0

A sample event is below:

{
  "version": "0",
  "id": "xyzxyzxyz",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.ec2",
  "account": "123456789123",
  "time": "2023-03-31T13:44:17Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROA:XYZ",
      "arn": "arn:aws:sts::123456789123:assumed-role/XYZ",
      "accountId": "123456789123",
      "accessKeyId": "XYZ",
      "sessionContext": {
        "sessionIssuer": {
          "type": "Role",
          "principalId": "XYZ",
          "arn": "arn:aws:sts::123456789123:assumed-role/XYZ",
          "accountId": "123456789123",
          "userName": "XYZ"
        },
        "webIdFederationData": {},
        "attributes": {
          "creationDate": "2023-03-31T13:15:37Z",
          "mfaAuthenticated": "false"
        }
      }
    },
    "eventTime": "2023-03-31T13:44:17Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.1.1.1",
    "userAgent": "AWS Internal",
    "requestParameters": {
      "groupId": "sg-12346789456",
      "ipPermissions": {
        "items": [{
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "groups": {},
          "ipRanges": {
            "items": [{
              "cidrIp": "0.0.0.0/0"
            }]
          },
          "ipv6Ranges": {},
          "prefixListIds": {}
        }]
      }
    },
    "responseElements": {
      "requestId": "546416541321654654164",
      "_return": true,
      "securityGroupRuleSet": {
        "items": [{
          "groupOwnerId": "123456789123",
          "groupId": "sg-12346789456",
          "securityGroupRuleId": "sg-12346789456",
          "isEgress": false,
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "cidrIpv4": "0.0.0.0/0"
        }]
      }
    },
    "requestID": "546416541321654654164",
    "eventID": "546416541321654654164",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789123",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
  }
}

Please suggest how I can correct the syntax to validate the rule and match the event.

1 answer
0

I'm not experienced with this, but just in case it helps, I'm unsure about this line:

match: 0.0.0.0/0

Where did "match" come from?

EXPERT
answered a year ago
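As an added example (not part of the question or the answer above): a corrected version of the pattern written with EventBridge's leaf-array and "numeric" matcher syntax, plus a small Python matcher that implements the subset of EventBridge matching the pattern relies on, checked against a constructed event shaped like the one in the question. The pattern is my proposed rewrite and the helper names (`matches`, `sample_event`) are mine.

```python
import operator

# Corrected EventBridge pattern (my rewrite of the rule in the question, not the
# poster's template): every leaf is an array, numbers use the "numeric" matcher, and
# arrays of objects in the event are addressed by key, with no "- " YAML list items.
PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress"],
        "requestParameters": {"ipPermissions": {"items": {
            "fromPort": [{"numeric": ["=", 22]}, {"numeric": ["=", 3389]}],
            "toPort": [{"numeric": ["=", 22]}, {"numeric": ["=", 3389]}],
            "ipRanges": {"items": {"cidrIp": ["0.0.0.0/0"]}},
        }}},
    },
}

_OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
        ">": operator.gt, ">=": operator.ge}

def _leaf(matcher, value):
    # {"numeric": ["op", bound, ...]}: every comparison must hold; else exact match.
    if isinstance(matcher, dict):
        spec = matcher["numeric"]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        return all(_OPS[op](value, b) for op, b in zip(spec[::2], spec[1::2]))
    return matcher == value

def matches(pattern, event):
    """Subset of EventBridge semantics: every pattern key must exist in the event,
    a leaf list matches if any alternative matches, and an event array matches when
    one element satisfies the whole sub-pattern (no mixing fields across elements)."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, dict):
        return isinstance(event, dict) and all(
            key in event and matches(sub, event[key]) for key, sub in pattern.items())
    return any(_leaf(m, event) for m in pattern)

def sample_event(port, cidr):
    # Constructed CloudTrail-style event trimmed to the fields the pattern inspects.
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com",
                       "eventName": "AuthorizeSecurityGroupIngress",
                       "requestParameters": {"ipPermissions": {"items": [
                           {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
                            "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}}
```

In the CloudFormation template this corresponds to `EventPattern` with `items:` written as a mapping (no leading dash) and `fromPort:` / `toPort:` holding a list of `numeric` matchers instead of bare numbers.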
