I want to use an Amazon EventBridge rule to create a custom automated response to AWS CloudTrail API calls.
Short description
To configure a custom action or notification for a CloudTrail API call, create an EventBridge rule with an event pattern that matches the event.
Resolution
Create a CloudTrail trail
Note: You must have a CloudTrail trail that is logging management events in the Region where you create the rule. CloudTrail records the API call and forwards it to EventBridge; without a logging trail the rule never fires, even when the event pattern is correct. Also keep in mind that EventBridge does not receive read-only API calls (most List, Get and Describe operations) from CloudTrail, so you can't build a rule on those.
To create a CloudTrail trail, complete the following steps:
- Open the CloudTrail console.
- Navigate to Trails.
- If a trail already exists in the Region that you want to create your rule in, then make sure that the status is set to Logging.
- If you don't have an existing trail, choose Create trail.
- For Trail name, enter a name.
- For Storage location, choose Create a new S3 bucket.
- For AWS KMS alias, enter an alias for the AWS Key Management Service (AWS KMS) key.
- Choose Next. Then, choose Next again.
- Choose Create trail.
For more information, see Creating a trail with the CloudTrail console.
Create an EventBridge rule and event pattern
Note: The example in this section uses the Amazon Simple Queue Service (Amazon SQS) API operation, CreateQueue, to generate an event. When you use an Amazon SQS API operation, CloudTrail records the generated event and then forwards the event to the default EventBridge bus.
To create an EventBridge rule and event pattern, complete the following steps:
- Open the EventBridge console.
- In the navigation pane, choose Rules.
- Choose Create rule.
- Enter a name and description for the rule, for example, TestRule.
- For Event bus, choose the event bus that you want to associate with your rule. If you want your rule to match events that come from your account, then select default.
Note: When an AWS service in your account creates an event, the event goes to your account's default event bus.
- For Rule type, choose Rule with an event pattern.
- Choose Next.
- For Event source, choose AWS services.
- Choose Event pattern.
- For Event source, choose SQS.
- For Event type, choose AWS API Call via CloudTrail.
- Choose Specific operation(s), and then enter CreateQueue. The following example shows the event pattern that results from the options that you selected:
{
  "source": ["aws.sqs"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["sqs.amazonaws.com"],
    "eventName": ["CreateQueue"]
  }
}
Note: The event pattern filters on several fields, such as eventName and eventSource. Every field in the pattern must be present in the event with a matching value (the fields are ANDed), while the values listed in an array for one field are alternatives (any one of them matches). Fields that the event carries but the pattern doesn't mention are ignored, so this pattern also matches CreateQueue calls that failed (for example, with an AccessDenied error). If you want to react only to successful calls, add a filter to the pattern that excludes events with an errorCode.
- Choose Next.
- For Target types, choose AWS service.
- For Select a target, choose Lambda function.
- In the list, choose an existing Lambda function. If you don't have one, create the function first and then return to this step.
- Choose Add another target.
- In the AWS service section, choose CloudWatch log group.
- For Select log group, choose an existing log group or create a new log group.
- Choose Next. Then, choose Next again.
- Choose Create rule.
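As an added example (not part of the original article), the following Python script implements the matching rules EventBridge applies to an event pattern and runs the pattern above against a constructed CloudTrail event in the shape the Lambda target receives. It also shows a tighter pattern that uses EventBridge's exists filter so that a denied CreateQueue attempt (which CloudTrail records with an errorCode) does not start the response, plus a minimal handler that pulls out the fields an automated response usually keys on. The account ID, ARNs, IP address and queue name are placeholders, and the matcher covers only exact, prefix and exists filters.

```python
"""Added example: EventBridge event-pattern matching against a CloudTrail event."""
import json
from typing import Any

# Constructed sample of what the rule's targets receive: the EventBridge envelope
# with the CloudTrail record in "detail". Account ID, ARN, IP and name are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.sqs",
    "account": "123456789012",
    "time": "2024-05-01T12:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "sqs.amazonaws.com",
        "eventName": "CreateQueue",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"queueName": "test-queue"},
        "responseElements": {
            "queueUrl": "https://sqs.us-east-1.amazonaws.com/123456789012/test-queue"
        },
    },
}

# The pattern produced by the console steps above.
PAGE_PATTERN = {
    "source": ["aws.sqs"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["sqs.amazonaws.com"], "eventName": ["CreateQueue"]},
}

# Tighter pattern: match only successful calls. A denied CreateQueue is still
# logged by CloudTrail, but with an errorCode field, which this filter rejects.
STRICT_PATTERN = {
    **PAGE_PATTERN,
    "detail": {**PAGE_PATTERN["detail"], "errorCode": [{"exists": False}]},
}


def _leaf_matches(candidates: list, value: Any) -> bool:
    """True if the event value satisfies any one candidate (the array is an OR)."""
    for cand in candidates:
        if isinstance(cand, dict):
            if "exists" in cand:
                if cand["exists"]:
                    return True  # the key is present, which is all exists:true requires
                continue  # exists:false can never match a key that is present
            if "prefix" in cand and isinstance(value, str) and value.startswith(cand["prefix"]):
                return True
        elif cand == value:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics: every pattern key must match (AND); unmentioned keys are ignored."""
    for key, spec in pattern.items():
        if key not in event:
            # An absent key is acceptable only when the pattern says {"exists": false}.
            if isinstance(spec, list) and any(
                isinstance(c, dict) and c.get("exists") is False for c in spec
            ):
                continue
            return False
        if isinstance(spec, dict):  # nested object: recurse into the event's object
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not _leaf_matches(spec, event[key]):
            return False
    return True


def with_error(event: dict, code: str) -> dict:
    """Copy of the event as CloudTrail records a failed call: errorCode set, no response."""
    failed = json.loads(json.dumps(event))
    failed["detail"]["errorCode"] = code
    failed["detail"].pop("responseElements", None)
    return failed


def lambda_handler(event: dict, context: Any = None) -> dict:
    """Rule target: extract who did what, from where, for the automated response."""
    d = event["detail"]
    return {
        "actor": d["userIdentity"].get("arn"),
        "action": f'{d["eventSource"]}:{d["eventName"]}',
        "queue": d.get("requestParameters", {}).get("queueName"),
        "sourceIp": d.get("sourceIPAddress"),
        "region": d.get("awsRegion"),
        "succeeded": "errorCode" not in d,
    }


if __name__ == "__main__":
    denied = with_error(SAMPLE_EVENT, "AccessDenied")
    print(matches(PAGE_PATTERN, SAMPLE_EVENT), matches(PAGE_PATTERN, denied))      # True True
    print(matches(STRICT_PATTERN, SAMPLE_EVENT), matches(STRICT_PATTERN, denied))  # True False
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The page's pattern fires for both the successful call and the denied one, which is what you want if the response is "alert on anyone trying to create queues" and not what you want if it is "configure every newly created queue". Pick the pattern to match the response you are automating, and test it against a failed call as well as a successful one before relying on it.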
Validate the EventBridge rule
Complete the following steps:
- Open the SQS console.
- Choose Create queue.
- For Type, choose Standard queue type.
- Enter a name for your queue.
- Keep all other options as the default, and then choose Create queue.
- Use the TriggeredRules, Invocations, and FailedInvocations metrics to confirm that your EventBridge rule triggered and invoked the targets.
- To view the metrics, navigate to the rule that you created, and then open the Monitoring tab. Or, view the metrics in the CloudWatch console in the AWS/Events namespace.
- Confirm that the Lambda function was successfully invoked and that the CloudWatch log group captured the event.
- Navigate to your target log group in the CloudWatch Logs console. Note that a new log stream is visible with the corresponding log event.
Related information
Tutorial: Create an EventBridge rule that reacts to AWS API calls via CloudTrail
How do I create a custom event pattern for an EventBridge rule?