En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Issue with EventBridge matching CloudTrail/EC2 Event

0

Hello,

I am having an issue where my EventBridge rule does not appear to be matching a CloudTrail log. The EB rule is looking for a cloudtrail log that the event name is "ReplaceRoute". An EC2 instance will make the call to update the route in the route table. Is anyone able to help or advise? I had this working at one point and triggering and alert via SNS but since I blew away the configuration to define in Terraform I cannot get it to work/match.

Event Pattern: { "source": ["aws.cloudtrail"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["ec2.amazonaws.com"], "eventName": ["ReplaceRoute"] } }

CloudTrail Event Log Excerpt

"eventTime": "2024-04-18T09:18:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute", "awsRegion": "eu-west-2", "sourceIPAddress": "10.192.0.36", "requestParameters": { "routeTableId": "rtb-007ec00472e198134", "destinationCidrBlock": "0.0.0.0/0", "networkInterfaceId": "eni-0aea5cf0fcd11d4e9" }, "responseElements": { "requestId": "577bde8b-fb6c-4a6f-926f-a2900d341fe9", "_return": true }, "requestID": "577bde8b-fb6c-4a6f-926f-a2900d341fe9", "eventID": "567de95c-9208-4bdf-b431-f944ec1a7ff5", "readOnly": false, "eventType": "AwsApiCall",

Sujets
Sans serveurIntégration d'applicationsGestion et gouvernance
Balises
Amazon EventBridgeAmazon CloudWatchAWS CloudTrail
Langue
English
cd4v
demandé il y a un mois134 vues
1 réponse
1
Réponse acceptée

Your almost there.. You need to monitor EC2 as the source and not cloudtrail and use this pattern as the match. I have tested and this works. It only picks up if the IP Route Target changes and not the destination. If you want to detect if the destination changes, you need to also filter CreateRoute and DeleteRoute also.

Event Pattern

{
    "source": [
        "aws.ec2"
    ],
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "ec2.amazonaws.com"
        ],
        "eventName": [
            "ReplaceRoute"
        ]
    }
}

Side Note for terraform, instead of blowing it away, you could have imported the resource also of which it would tell you any differences from code to infrastructure

profile picture
EXPERT
Gary Mclean
répondu il y a un mois
profile picture
EXPERT
Oleksii Bebych
vérifié il y a un mois
profile picture
EXPERT
Riku_Kobayashi
vérifié il y a un mois
  • cd4v
    il y a un mois

    Thank you for this, much appreciated.

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents