
What EventBridge gets from CloudTrail?


Hi, how do we know what CloudTrail events are sent to EventBridge? It looks like (from here: https://repost.aws/knowledge-center/automate-eventbridge-rule-cloudtrail-api) CloudTrail sends to the default bus everything for which a trail is configured, right?

So if I stay on the default config (no trails), then API calls do not land in EventBridge, only if a given service sends them itself, as mentioned here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html

1 Answer
Accepted Answer

That's correct: CloudTrail events that are captured by any of your configured trails in the region are delivered to EventBridge, and events not recorded by any of the trails you've configured do not get delivered. It's summarised in this documentation segment: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-eventbridge

The point about some events being reported both by CloudTrail and the underlying service refers to the fact that information about certain types of events is available directly from the underlying service as well as by listening to CloudTrail events. For example, if an EC2 instance is stopped by the customer calling the StopInstances API, it can be observed either by listening to CloudTrail for that API call or by using the EC2 instance state change notification that EC2 delivers to EventBridge without involving CloudTrail: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html.

However, while both methods would detect an operator shutting down an instance, the event from EC2 wouldn't say which IAM role or user requested it, while the CloudTrail event would contain that information. On the other hand, the EC2 instance state notification would also respond to an AWS-initiated event or hardware failure, while CloudTrail would only log events requested explicitly by calling an API in your account.

EXPERT
answered 2 months ago
  • Thank you for this clear and thorough answer. Is there also a difference in delivery time of these two mechanisms?

  • In general, both CloudTrail and other services send messages to EventBridge nearly in real time, but semantics can vary. For example, EC2 might notify about an EBS volume creation completing, while CloudTrail would produce a log entry as soon as the API request is made to create the volume. In many cases, there's no major difference in timing, but with long-lasting operations where the service only notifies about the completion, there can be.
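The two delivery paths contrasted in the accepted answer, as an added example that is not part of the original question or answer. The two event bodies are constructed samples in the shape EventBridge delivers for an "AWS API Call via CloudTrail" event and an "EC2 Instance State-change Notification" (account ID, instance ID, role name, IP and event IDs are placeholders); the two rule patterns are what you would pass as the `EventPattern` of an EventBridge rule; `matches` is a simplified re-implementation of EventBridge's exact-value pattern matching written for this example, not the service's own code, and it does not support content filters such as prefix or anything-but. The CloudTrail pattern only fires if a trail in that region records EC2 management events, and EventBridge does not deliver read-only API calls (Describe*, List*, Get*) via CloudTrail, so it is only useful for mutating calls such as StopInstances. The `principal_arn` check is the practical difference the answer describes: the CloudTrail event names the IAM principal, the service event does not.

```python
import json

# Constructed sample events (placeholder account, instance, role and IDs).
CLOUDTRAIL_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2024-05-01T12:00:00Z",
    "region": "eu-west-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]},
                              "force": False},
    },
}

STATE_CHANGE_EVENT = {
    "version": "0",
    "id": "66666666-7777-8888-9999-000000000000",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2024-05-01T12:00:07Z",
    "region": "eu-west-1",
    "resources": ["arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"},
}

# Rule patterns: json.dumps(...) of these is the EventPattern for events.put_rule().
CLOUDTRAIL_STOP_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["StopInstances"]},
}
STATE_CHANGE_STOP_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["stopped"]},
}


def matches(pattern, event):
    """Simplified EventBridge matching (assumption: exact values only).
    Every pattern key must exist in the event; a list means "any of these
    values"; nested objects recurse. Prefix/anything-but/numeric filters
    are not implemented here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # An event field may itself be a list (e.g. "resources"); it matches
            # if any element equals one of the pattern values.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
    return True


def principal_arn(event):
    """IAM principal that made the call: present on CloudTrail events only."""
    return event.get("detail", {}).get("userIdentity", {}).get("arn")


def instance_ids(event):
    """Instance IDs named by either event shape."""
    detail = event.get("detail", {})
    if "instance-id" in detail:
        return [detail["instance-id"]]
    items = detail.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items]


def triage(event):
    """Classify an event as a rule target would, and record what it tells us."""
    if matches(CLOUDTRAIL_STOP_RULE, event):
        kind = "api-call"
    elif matches(STATE_CHANGE_STOP_RULE, event):
        kind = "state-change"
    else:
        return {"kind": "ignored", "principal": None, "instances": []}
    return {"kind": kind, "principal": principal_arn(event), "instances": instance_ids(event)}


if __name__ == "__main__":
    for ev in (CLOUDTRAIL_EVENT, STATE_CHANGE_EVENT):
        print(json.dumps(triage(ev)))
```

Running the block prints one triage line per sample: the API-call event yields the assumed-role ARN, the state-change event yields the same instance ID but no principal, which is why a detection that needs attribution must subscribe to the CloudTrail event, and one that must also catch AWS-initiated stops needs the state-change event as well.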
