AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Issue with EventBridge matching CloudTrail/EC2 Event

0

Hello,

I am having an issue where my EventBridge rule does not appear to be matching a CloudTrail log. The EB rule is looking for a cloudtrail log that the event name is "ReplaceRoute". An EC2 instance will make the call to update the route in the route table. Is anyone able to help or advise? I had this working at one point and triggering and alert via SNS but since I blew away the configuration to define in Terraform I cannot get it to work/match.

Event Pattern: { "source": ["aws.cloudtrail"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["ec2.amazonaws.com"], "eventName": ["ReplaceRoute"] } }

CloudTrail Event Log Excerpt

"eventTime": "2024-04-18T09:18:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute", "awsRegion": "eu-west-2", "sourceIPAddress": "10.192.0.36", "requestParameters": { "routeTableId": "rtb-007ec00472e198134", "destinationCidrBlock": "0.0.0.0/0", "networkInterfaceId": "eni-0aea5cf0fcd11d4e9" }, "responseElements": { "requestId": "577bde8b-fb6c-4a6f-926f-a2900d341fe9", "_return": true }, "requestID": "577bde8b-fb6c-4a6f-926f-a2900d341fe9", "eventID": "567de95c-9208-4bdf-b431-f944ec1a7ff5", "readOnly": false, "eventType": "AwsApiCall",

주제
서버리스애플리케이션 통합관리 및 거버넌스
태그
아마존 EventBridge아마존 CloudWatchAWS CloudTrail
언어
English
cd4v
질문됨 한 달 전128회 조회
1개 답변
1
수락된 답변

Your almost there.. You need to monitor EC2 as the source and not cloudtrail and use this pattern as the match. I have tested and this works. It only picks up if the IP Route Target changes and not the destination. If you want to detect if the destination changes, you need to also filter CreateRoute and DeleteRoute also.

Event Pattern

{
    "source": [
        "aws.ec2"
    ],
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "ec2.amazonaws.com"
        ],
        "eventName": [
            "ReplaceRoute"
        ]
    }
}

Side Note for terraform, instead of blowing it away, you could have imported the resource also of which it would tell you any differences from code to infrastructure

profile picture
전문가
Gary Mclean
답변함 한 달 전
profile picture
전문가
Oleksii Bebych
검토됨 한 달 전
profile picture
전문가
Riku_Kobayashi
검토됨 한 달 전
  • cd4v
    한 달 전

    Thank you for this, much appreciated.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠