EventBridge is not capturing the AWS WorkSpaces login events


I want to capture the sign-in events of the Amazon WorkSpaces. To that end, I created an EventBridge rule using the default bus, with the CloudWatch log group set as its target. However, I can't see any activity in the EventBridge monitoring graphs or the CloudWatch log group. All the resources are in the same region, too. The EventBridge rule pattern is as below:

{
  "source": ["aws.workspaces"],
  "detail-type": ["WorkSpaces Access"],
  "detail": {
    "actionType": ["successfulLogin"],
    "clientPlatform": ["Windows"]
  }
}
  1. WorkSpaces are in active state.
  2. Rule is in the correct region. All the services are in Oregon.
  3. First, the EventBridge rule should receive the event before the CloudWatch Logs. So the point is - EventBridge itself is not capturing the events.
  4. Tried broadening the rule pattern without the "detail" and "detail-type" sections, but it didn't work. However, the events related to other activities, such as start/stop WorkSpaces, are received (without the detail-type and detail fields).

I am following this AWS documentation for that: https://docs.aws.amazon.com/workspaces/latest/adminguide/cloudwatch-events.html https://docs.aws.amazon.com/eventbridge/latest/ref/events-ref-workspaces.html
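To see what the rule pattern above would and would not route, here is an added example (not code from the question or either answer): a minimal re-implementation of EventBridge's exact-match pattern semantics run against constructed WorkSpaces events, including a CloudTrail-delivered StartWorkspaces call like the ones the question says do arrive. The event values (workspace ids, platforms) are made up; the authoritative check is the AWS CLI's `aws events test-event-pattern`.

```python
# Added example, not code from the question or either answer: a minimal
# re-implementation of EventBridge's exact-match pattern semantics, used to
# check the question's rule pattern against constructed WorkSpaces events.
import json

# The rule pattern from the question, verbatim.
LOGIN_PATTERN = json.loads("""{
  "source": ["aws.workspaces"],
  "detail-type": ["WorkSpaces Access"],
  "detail": {"actionType": ["successfulLogin"], "clientPlatform": ["Windows"]}
}""")
# The broadened pattern the asker also tried: source only.
SOURCE_ONLY_PATTERN = {"source": ["aws.workspaces"]}

def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge rules: every pattern key must be
    present in the event; a list means 'any of these literal values'; a
    nested dict recurses. Event keys absent from the pattern are ignored.
    Content filters such as {"prefix": ...} are deliberately not handled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

# Constructed sample events: field names follow the WorkSpaces Access event
# and the CloudTrail event envelope; the values are made up for illustration.
SAMPLE_EVENTS = {
    "login_windows": {"source": "aws.workspaces", "detail-type": "WorkSpaces Access",
        "region": "us-west-2", "detail": {"actionType": "successfulLogin",
        "clientPlatform": "Windows", "workspaceId": "ws-EXAMPLE1"}},
    "login_other_platform": {"source": "aws.workspaces", "detail-type": "WorkSpaces Access",
        "region": "us-west-2", "detail": {"actionType": "successfulLogin",
        "clientPlatform": "macOS", "workspaceId": "ws-EXAMPLE2"}},
    "start_via_cloudtrail": {"source": "aws.workspaces",
        "detail-type": "AWS API Call via CloudTrail", "region": "us-west-2",
        "detail": {"eventSource": "workspaces.amazonaws.com", "eventName": "StartWorkspaces"}},
}

def matching_events(pattern: dict) -> list:
    """Names of the sample events a pattern would route to the rule's target."""
    return [name for name, ev in SAMPLE_EVENTS.items() if matches(pattern, ev)]

if __name__ == "__main__":
    print("login pattern :", matching_events(LOGIN_PATTERN))
    print("source only   :", matching_events(SOURCE_ONLY_PATTERN))
```

If the source-only pattern delivers CloudTrail events but the login pattern never fires, the rule is fine and no "WorkSpaces Access" event is being emitted for that client, which is the situation the accepted answer describes.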

2 Answers
Accepted Answer

One thing I observed here with hands-on activity: when we use the Amazon WorkSpaces client to log in to the WorkSpaces, the EventBridge rule successfully captures the events and sends them to the target. But, when we use a third-party platform, in my case, it is Windows App (previously known as Remote Desktop) - the EventBridge rule fails to capture the login event, not as a failed invocation event, either.

As per this documentation, the workspacesClientProductName field supports only the following values:

  • Amazon WorkSpaces Mobile client — iOS client
  • WorkSpaces Mobile Client — Android clients
  • WorkSpaces Chrome Client — Chromebook client
  • WorkSpacesWebClient — Web Access client
  • AmazonWorkSpacesThinClient — Amazon WorkSpaces Thin Client device
  • Teradici PCoIP Zero Client, Teradici PCoIP Desktop Client, or Dell Wyse PCoIP Client — Zero Client

As a solution, we can configure the CloudWatch agent on AWS WorkSpaces and enable security events (Windows) to capture authentication-related events.

answered 12 days ago

Your assertion that EventBridge cannot capture AWS WorkSpaces login events is incorrect. Amazon WorkSpaces can indeed send events to Amazon EventBridge, including user login events. However, there are a few things to consider that might explain why you're not seeing the expected results:

  1. Event Source: WorkSpaces sends events to EventBridge both directly and through AWS CloudTrail. The event pattern you've provided is correct for events sent directly by WorkSpaces.

  2. Region Specificity: EventBridge rules and the events they monitor must be in the same AWS region. Ensure that your rule is created in the same region where your WorkSpaces are running.

  3. Permissions: Make sure that EventBridge has the necessary permissions to write to your CloudWatch log group. This is typically handled automatically when you set up the rule through the AWS Management Console, but if you're using the AWS CLI, you might need to set up a resource-based policy manually.

  4. Event Delivery: Events are delivered on a best-effort basis. There might be a slight delay in event delivery or processing.

  5. Activity Level: If there haven't been any successful logins from Windows clients to your WorkSpaces, you won't see any events.

To troubleshoot:

  1. Double-check that you have active WorkSpaces and that users are logging in from Windows clients.
  2. Verify that your rule is in the correct region.
  3. Check the CloudWatch Logs resource-based policy to ensure EventBridge has write permissions.
  4. Consider broadening your rule pattern temporarily (e.g., remove the "detail" section) to see if you're receiving any WorkSpaces events at all.

If you've verified all these points and are still not seeing events, you may want to contact AWS support for further assistance.
Sources
Amazon WorkSpaces events - Amazon EventBridge
Using resource-based policies for Amazon EventBridge - Amazon EventBridge
Monitor WorkSpaces Personal - Amazon WorkSpaces

answered 14 days ago
    1. WorkSpaces are in active state.
    2. Rule is in the correct region. All the services are in us-west-2.
    3. First, the EventBridge rule should receive the event before the CloudWatch Logs. So the point is - EventBridge itself is not capturing the events.
    4. Tried broadening the rule pattern without the "detail" section, but it didn't work.

    All these troubleshooting methods are not working.
