CloudWatch Input Transformer returning no data

0

We have a CloudWatch event monitoring for changes in Route 53 that sends to an SNS topic for email notification. All of the Route 53 API calls are being logged to an S3 bucket.

When setting up the "Input Transformer" to clean up the mess of JSON it spits out, we are not getting any results.

The message section in the SNS email is empty. I was able to take the Full Event from CloudTrail and parse it with JQ and return the proper information.

Input Transformer:
{"zonename":"$.responseElements.hostedZone.name"}

Input Template:
"Hosted zone is <zonename>."

From the email notification:

{
"Type" : "Notification",
"MessageId" : "27346a5e-7e4a-5f4a-bda9-3e831a084b7c",
"TopicArn" : "arn:aws:sns:us-east-1:432254711293:blaketest",
"Message" : ""Hosted zone is ."",
"Timestamp" : "2019-02-13T00:17:06.434Z",
"SignatureVersion" : "1",
"Signature" : "YgCr24cPcMNoBzV6RpjDjQi74zDHcRKIFnKkKhsIPdeUienu2W5Lww7vhSJqTF7oz2D9aQ_M53voodt1VVdOO8T2Ot44qHlDKf1MibkT4/1exZGPYBLBGfgn/cg8QtjURq0Qb6/dSjRvUWLr9xk/lUSyYvBlm1hgq9bXVGvD6toP2qCuudTzgdvZ1FJ9lAEzDi8YI_xZEnATZoa6jABMBkgca56p/Ix9NZ3gkFa4CY2WoAyr2MEAqY1RrBS/DHlVT1yQDc6WpW1mWy2bDirtNwsdVR02UY788rLoTMiTsMf1z0R8osBpNMeMd7f/Pd3+4A9R9K6W6lW1qzkooPa1PQ==",
"SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-ac565b8b1a6c5d002d285f959****.pem",
"UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:********:erictest:89551bd8-76d3-458a-a93c-8377486dde19"
}

From CloudTrail Event:

{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "",
"arn": "arn:aws:iam:::user/blakes",
"accountId": "",
"accessKeyId": "*",
"userName": "blakes",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2019-02-12T18:23:55Z"
}
},
"invokedBy": "signin.amazonaws.com"
},
"eventTime": "2019-02-13T00:16:25Z",
"eventSource": "route53.amazonaws.com",
"eventName": "CreateHostedZone",
"awsRegion": "us-east-1",
"sourceIPAddress": "****",
"userAgent": "signin.amazonaws.com",
"requestParameters": {
"hostedZoneConfig": {
"privateZone": false,
"comment": "ERIC testing"
},
"callerReference": "AB354EGG09E-FC5E-046A-A6C1-8B1815375B0C",
"name": "testeric.com"
},
"responseElements": {
"changeInfo": {
"status": "PENDING",
"id": "/change/C3TJKPOO14VP6B",
"submittedAt": "Feb 13, 2019 12:16:25 AM"
},
"location": "https://route53.amazonaws.com/2013-04-01/hostedzone/Z3JK3REDKJVTQZ",
"hostedZone": {
"resourceRecordSetCount": 2,
"config": {
"privateZone": false,
"comment": "eric testing"
},
"name": "testeric.com.",
"id": "/hostedzone/Z3JKGRGERGDKJVTQZ",
"callerReference": "AB35409E-FC5EHERH-046A-A6C1-8B1815375B0C"
},
"delegationSet": {
"nameServers": [
"ns-942.awsdns-53.net",
"ns-121.awsdns-15.com",
"ns-1417.awsdns-49.org",
"ns-1927.awsdns-48.co.uk"
]
}
},
"requestID": "99c9fb95-2f24-11e9-a419-4fc3574ffweewqb5f52",
"eventID": "32bbf0ffw0e-1a95-416e-9dd5-ae2eec971b41",
"eventType": "AwsApiCall",
"apiVersion": "2013-04-01",
"recipientAccountId": "*****"
}

Thank you,

Let me know if any additional information is needed.

Blakes
asked 5 years ago
326 views
3 Answers
0

Can anyone provide any updates to this issue? Still having the same problem.

Even following the AWS docs and using the JSON code provided to write input transformer queries, it still returns no results.

Blakes
answered 5 years ago
0

/

Blakes
answered 4 years ago
0

Hello,

An event in EventBridge has the format as defined in [1]. When you monitor a CloudTrail API call, it has the following format.

{
  "id": "<required>",
  "account": "<required>",
  "source": "aws.<service>",   <--- the source service
  "time": "<required>",
  "region": "<required>",
  "resources": "<required>",
  "detail-type": "AWS API Call via CloudTrail",
  "detail": {
    // Contains the complete CloudTrail event
  }
}

Therefore for your use case, the actual event received by EventBridge would be:

{
  "version": "0",
  "id": "b03f6e6c-1a74-4f69-e219-84e2498d7f20",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.route53",
  "account": "123456789012",
  "time": "2022-04-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "",
      "arn": "arn:aws:iam:::user/blakes",
      "accountId": "",
      "accessKeyId": "",
      "userName": "blakes",
      "sessionContext": {
        "attributes": {
          "mfaAuthenticated": "true",
          "creationDate": "2019-02-12T18:23:55Z"
        }
      },
      "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "2019-02-13T00:16:25Z",
    "eventSource": "route53.amazonaws.com",
    "eventName": "CreateHostedZone",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "",
    "userAgent": "signin.amazonaws.com",
    "requestParameters": {
      "hostedZoneConfig": {
        "privateZone": false,
        "comment": "ERIC testing"
      },
      "callerReference": "AB354EGG09E-FC5E-046A-A6C1-8B1815375B0C",
      "name": "testeric.com"
    },
    "responseElements": {
      "changeInfo": {
        "status": "PENDING",
        "id": "/change/C3TJKPOO14VP6B",
        "submittedAt": "Feb 13, 2019 12:16:25 AM"
      },
      "location": "https://route53.amazonaws.com/2013-04-01/hostedzone/Z3JK3REDKJVTQZ",
      "hostedZone": {
        "resourceRecordSetCount": 2,
        "config": {
          "privateZone": false,
          "comment": "eric testing"
        },
        "name": "testeric.com.",
        "id": "/hostedzone/Z3JKGRGERGDKJVTQZ",
        "callerReference": "AB35409E-FC5EHERH-046A-A6C1-8B1815375B0C"
      },
      "delegationSet": {
        "nameServers": [
          "ns-942.awsdns-53.net",
          "ns-121.awsdns-15.com",
          "ns-1417.awsdns-49.org",
          "ns-1927.awsdns-48.co.uk"
        ]
      }
    },
    "requestID": "99c9fb95-2f24-11e9-a419-4fc3574ffweewqb5f52",
    "eventID": "32bbf0ffw0e-1a95-416e-9dd5-ae2eec971b41",
    "eventType": "AwsApiCall",
    "apiVersion": "2013-04-01",
    "recipientAccountId": "**"
  }
}

Based on the above, to extract the hosted zone name, you can use the following input transformer.

{"hzname":"$.detail.responseElements.hostedZone.name"}

"HZ name is <hzname>"

The output:

HZ name is testeric.com.

Similarly you can extract other fields as required.

[1] https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html

AWS
SUPPORT ENGINEER
answered a year ago
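
An offline pre-flight check for the point made in the answer above, added here as an example and not AWS's code or part of the original thread: it resolves input-path expressions against a constructed, trimmed copy of the EventBridge envelope and reports which variables come back empty, so a Route 53 change alert is not deployed with a blank message. The `resolve` and `render` helpers are hypothetical and handle only plain dotted paths, not full JSONPath.

```python
import json
import re

# Constructed sample: trimmed EventBridge envelope around the CloudTrail
# record from the question. The CloudTrail record sits under "detail".
EVENT = json.loads("""
{
  "version": "0",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.route53",
  "region": "us-east-1",
  "detail": {
    "eventSource": "route53.amazonaws.com",
    "eventName": "CreateHostedZone",
    "userIdentity": {"userName": "blakes"},
    "responseElements": {"hostedZone": {"name": "testeric.com."}}
  }
}
""")

def resolve(event, path):
    """Resolve a dotted path such as $.detail.eventName; None if absent."""
    if not path.startswith("$."):
        raise ValueError("path must start with '$.': " + path)
    node = event
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def render(event, input_paths, template):
    """Fill <name> placeholders. Unresolved paths render as empty text,
    the symptom shown in the question ("Hosted zone is .")."""
    values = {name: resolve(event, p) for name, p in input_paths.items()}
    missing = sorted(n for n, v in values.items() if v is None)
    def fill(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)  # not a declared variable: leave as-is
        return "" if values[name] is None else str(values[name])
    return re.sub(r"<([A-Za-z0-9_-]+)>", fill, template), missing

if __name__ == "__main__":
    for path in ("$.responseElements.hostedZone.name",         # question
                 "$.detail.responseElements.hostedZone.name"):  # answer
        text, missing = render(EVENT, {"zonename": path},
                               "Hosted zone is <zonename>.")
        print(f"{path} -> {text!r} unresolved={missing}")
```
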
