I'm trying to write an EventBridge event rule to detect a Security Group inbound rule change that allows ingress on SSH or RDP from 0.0.0.0/0. However, I'm getting the error "Event pattern is not valid" for ipRanges on the rule below:
AWSTemplateFormatVersion: '2010-09-09'
Description: SecurityAlerting
Resources:
  SGEventRuleNew:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-SG-insecure-inbound
      Description: An Event Rule that triggers on SG changes.
      State: ENABLED
      EventBusName: default
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - AuthorizeSecurityGroupIngress
          requestParameters:
            ipPermissions:
              items:
                - fromPort:
                    numeric:
                      - 22
                      - 3389
                  toPort:
                    numeric:
                      - 22
                      - 3389
                  ipRanges:
                    items:
                      - cidrIp:
                          match: 0.0.0.0/0
A sample event is below:
{
  "version": "0",
  "id": "xyzxyzxyz",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.ec2",
  "account": "123456789123",
  "time": "2023-03-31T13:44:17Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROA:XYZ",
      "arn": "arn:aws:sts::123456789123:assumed-role/XYZ",
      "accountId": "123456789123",
      "accessKeyId": "XYZ",
      "sessionContext": {
        "sessionIssuer": {
          "type": "Role",
          "principalId": "XYZ",
          "arn": "arn:aws:sts::123456789123:assumed-role/XYZ",
          "accountId": "123456789123",
          "userName": "XYZ"
        },
        "webIdFederationData": {},
        "attributes": {
          "creationDate": "2023-03-31T13:15:37Z",
          "mfaAuthenticated": "false"
        }
      }
    },
    "eventTime": "2023-03-31T13:44:17Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.1.1.1",
    "userAgent": "AWS Internal",
    "requestParameters": {
      "groupId": "sg-12346789456",
      "ipPermissions": {
        "items": [{
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "groups": {},
          "ipRanges": {
            "items": [{
              "cidrIp": "0.0.0.0/0"
            }]
          },
          "ipv6Ranges": {},
          "prefixListIds": {}
        }]
      }
    },
    "responseElements": {
      "requestId": "546416541321654654164",
      "_return": true,
      "securityGroupRuleSet": {
        "items": [{
          "groupOwnerId": "123456789123",
          "groupId": "sg-12346789456",
          "securityGroupRuleId": "sg-12346789456",
          "isEgress": false,
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "cidrIpv4": "0.0.0.0/0"
        }]
      }
    },
    "requestID": "546416541321654654164",
    "eventID": "546416541321654654164",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789123",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
  }
}
Please suggest how I can correct the syntax to validate the rule and match the event.
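The pattern syntax the question is asking about, worked through as an added example (this is not part of the original post and not AWS code): a small Python model of EventBridge content filtering covering plain value lists and the `numeric`, `cidr` and `prefix` filter objects, a corrected pattern for the rule, and a check of the quoted event against it. `CORRECTED_PATTERN`, `split_items_event` and the helper names are assumptions made here; the model enforces the rule that every pattern leaf is a list of values or filter objects, which is what `match: 0.0.0.0/0` in the template's `ipRanges` block violates.

```python
import copy
import ipaddress
import operator

# Constructed sample: the CloudTrail event quoted in the question, trimmed to the
# fields the rule inspects (the ids are the question's placeholder values).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
               "requestParameters": {"groupId": "sg-12346789456", "ipPermissions": {"items": [
                   {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}

# Corrected pattern (assumption): every leaf is a list of values; the template's
# "numeric: [22, 3389]" and "match: 0.0.0.0/0" are not valid leaf forms.
CORRECTED_PATTERN = {
    "source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["AuthorizeSecurityGroupIngress"],
               "requestParameters": {"ipPermissions": {"items": {
                   "fromPort": [22, 3389], "toPort": [22, 3389],
                   "ipRanges": {"items": {"cidrIp": ["0.0.0.0/0"]}}}}}}}

QUESTION_IPRANGES = {"ipRanges": {"items": {"cidrIp": {"match": "0.0.0.0/0"}}}}  # as in the template

_FILTERS = {"numeric", "cidr", "prefix"}            # the subset of filter objects modelled here
_NUM_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
            "<": operator.lt, "<=": operator.le}

def _check_matcher(m, path):
    """A matcher is a scalar or a one-key filter object such as {"numeric": ["=", 22]}."""
    if isinstance(m, dict) and (len(m) != 1 or next(iter(m)) not in _FILTERS):
        raise ValueError(f"{path}: unknown filter {m}")
    if isinstance(m, dict) and "numeric" in m and (not m["numeric"] or len(m["numeric"]) % 2
                                                   or set(m["numeric"][::2]) - set(_NUM_OPS)):
        raise ValueError(f"{path}: numeric needs [op, number, ...] pairs, got {m['numeric']}")

def _flatten_pattern(node, path=(), out=None):
    """Map each pattern leaf path to its matcher list; every leaf must be a non-empty list."""
    out = {} if out is None else out
    for key, value in node.items():
        here = path + (key,)
        if isinstance(value, dict) and not set(value) & _FILTERS:
            _flatten_pattern(value, here, out)      # a nested field: descend
        elif isinstance(value, list) and value:
            for m in value:
                _check_matcher(m, ".".join(here))
            out[here] = value
        else:                                       # scalar, {}, [] or a filter outside a list
            raise ValueError(f"{'.'.join(here)}: leaf must be a list, got {value!r}")
    return out

def validate_pattern(pattern):
    """None when the pattern is well formed, otherwise the first error found."""
    try:
        _flatten_pattern(pattern)
    except ValueError as err:
        return str(err)
    return None

def _flatten_event(node, path=(), out=None):
    """Map each event leaf path (array positions dropped) to every value seen there."""
    out = {} if out is None else out
    if isinstance(node, dict):
        for key, value in node.items():
            _flatten_event(value, path + (key,), out)
    elif isinstance(node, list):
        for value in node:
            _flatten_event(value, path, out)
    else:
        out.setdefault(path, []).append(node)
    return out

def _hits(m, value):
    if not isinstance(m, dict):
        return m == value                           # exact value match
    if "numeric" in m:
        ops = m["numeric"]
        return (isinstance(value, (int, float)) and not isinstance(value, bool)
                and all(_NUM_OPS[o](value, n) for o, n in zip(ops[::2], ops[1::2])))
    if "cidr" in m:                                 # an IP address that lies inside a block
        try:
            return ipaddress.ip_address(str(value)) in ipaddress.ip_network(m["cidr"], strict=False)
        except ValueError:                          # not an address, e.g. the string "0.0.0.0/0"
            return False
    return isinstance(value, str) and value.startswith(m["prefix"])

def event_matches(pattern, event):
    """Every pattern leaf must be satisfied by some value at the same path."""
    leaves = _flatten_event(event)
    return all(any(_hits(m, v) for m in matchers for v in leaves.get(path, []))
               for path, matchers in _flatten_pattern(pattern).items())

def split_items_event():
    """Constructed event: SSH only from a private range, plus HTTPS open to the world."""
    event = copy.deepcopy(SAMPLE_EVENT)
    event["detail"]["requestParameters"]["ipPermissions"]["items"] = [
        {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
        {"fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]
    return event
```

`validate_pattern(QUESTION_IPRANGES)` returns an error for the `match:` leaf, while the corrected pattern validates and matches the sample event with `fromPort: [22, 3389]` and `cidrIp: ["0.0.0.0/0"]` written as plain value lists (the numeric form would be `[{"numeric": ["=", 22]}]`, with the operator inside the list, and `cidr` filters an IP address value against a block, so it does not match a field that itself holds "0.0.0.0/0"). The `split_items_event` case shows the caveat worth knowing for this alert: array elements are flattened to leaf paths and matched independently, and EventBridge matches arrays the same way (a pattern value matches when any element at that path matches), so one call that opens SSH to 10.0.0.0/8 and HTTPS to 0.0.0.0/0 also fires the rule; a target that re-checks each `ipPermissions` element is needed for a precise alert. Against the real service, the same comparison can be made with `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, using the full sample event quoted above.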