How can I create a custom event pattern for a CloudWatch event rule?

Last updated: 2020-02-03

I want to capture certain events for AWS services with an Amazon CloudWatch event rule. However, I'm unable to create a custom event pattern that matches the event. How can I create a custom CloudWatch event pattern?

Resolution

Events are generated by AWS services in a predefined JSON format and sent to Amazon CloudWatch Events. You can create rules that use event patterns to filter incoming events and then trigger a target.

Determine the JSON format of the incoming event

Refer to the list of event examples in the CloudWatch Events documentation. Or, complete the following steps to capture and inspect your own incoming events:

1.    Create a CloudWatch Events rule with a simple event pattern that matches all events for a specific service. For Event Source, choose Event Pattern.
Note: Wildcards aren't permitted in the event pattern. Empty event patterns are also not allowed.

For example, to see all events generated by the Amazon Elastic Compute Cloud (Amazon EC2) service, use this filter:

{
 "source": [ "aws.ec2" ]
}

2.    Attach a target to your rule, either an SNS topic or a CloudWatch Logs log group, so that every matched event is delivered there. What you receive is the exact JSON event that the AWS service sent, and you can build your custom event pattern from it. Be sure that the rule uses the default input setting (Configure Input: Matched event) so that the incoming event is forwarded as-is rather than reshaped by the input transformer.
Note: Events with the detail-type "AWS API Call via CloudTrail" are delivered only if a CloudTrail trail with logging enabled exists in the account and Region. A captured event also carries the caller's identity (role ARN, principal ID, access key ID, source IP address), so restrict who can subscribe to the SNS topic or read the log group.

Create an event pattern in the same JSON format as the incoming event

The following rules apply to creating a valid matching event pattern:

  • Any field that you don't specify in your event pattern matches automatically. For example, if detail isn't specified in the event pattern, the pattern matches every event from that source regardless of its detail content.
  • To match fields that are nested one level down in the JSON structure, use curly brackets { } and repeat the nesting of the event. A JSON viewer is helpful when you're working with larger event structures.
  • The value to be matched must be written inside square brackets [ ], even when it is a single value. You can list multiple values in the square brackets so that the rule triggers when any one of them is present in the incoming event. For example, to trigger on every event sent by Amazon EC2 or Amazon DynamoDB, use this filter:
{
 "source": [ "aws.ec2", "aws.dynamodb" ]
}

Note: Square brackets in an event pattern always denote a list of candidate values, so an array that appears in the event itself (such as changes in the example below) must be written in the pattern as a plain object without the square brackets; a pattern that copies the event's brackets is rejected as invalid. The pattern then matches if any element of that array satisfies it. For example, to be notified when a Type A record is created in a specific Amazon Route 53 hosted zone, use the following.

Event sent by Route 53 to CloudWatch Events (Received from an SNS topic or CloudWatch Logs):

{
    "version": "0",
    "id": "d857ae5c-cc83-3742-ab88-d825311ee4e9",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.route53",
    "account": "756022511916",
    "time": "2019-12-05T16:50:53Z",
    "region": "us-east-1",
    "resources": [

    ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAIVOJE6CTAWGSJQUP2:patsusha-Isengard",
            "arn": "arn:aws:sts::756022511916:assumed-role/Admin/patsusha-Isengard",
            "accountId": "756022511916",
            "accessKeyId": "ASIA3ABTUBEWCHWLUGFI",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAIVOJE6CTAWGSJQUP2",
                    "arn": "arn:aws:iam::756022511916:role/Admin",
                    "accountId": "756022511916",
                    "userName": "Admin"
                },
                "webIdFederationData": {

                },
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2019-12-05T16:28:27Z"
                }
            }
        },
        "eventTime": "2019-12-05T16:50:53Z",
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "72.21.196.66",
        "userAgent": "console.amazonaws.com",
        "requestParameters": {
            "hostedZoneId": "Z1RP9G2VYLRY8V",
            "changeBatch": {
                "changes": [
                    {
                        "action": "CREATE",
                        "resourceRecordSet": {
                            "type": "A",
                            "tTL": 300,
                            "resourceRecords": [
                                {
                                    "value": "4.4.4.4"
                                }
                            ],
                            "name": "test4.sushantpatil.us."
                        }
                    }
                ]
            }
        },
        "responseElements": {
            "changeInfo": {
                "status": "PENDING",
                "id": "/change/C271P4WIKN511J",
                "submittedAt": "Dec 5, 2019 4:50:53 PM"
            }
        },
        "additionalEventData": {
            "Note": "Do not use to reconstruct hosted zone"
        },
        "requestID": "bbbf9847-96cb-45ef-b617-d535b9fe83d8",
        "eventID": "74e2d2c8-7497-4292-94d0-348272dbc4f7",
        "eventType": "AwsApiCall",
        "apiVersion": "2013-04-01"
    }
}

Event filter pattern to be notified when a Type A record is created in your hosted zone. The pattern matches only the CREATE action; Route 53 also creates a record that doesn't exist yet when the action is UPSERT, so add "UPSERT" to the action list if you want to be notified about those as well:

{
    "source": ["aws.route53"],
    "detail": {
        "eventSource": ["route53.amazonaws.com"],
        "eventName": ["ChangeResourceRecordSets"],
        "requestParameters": {
            "hostedZoneId": ["Z1RP9G2VYLRY8V"],
            "changeBatch": {
                "changes": {
                    "action": ["CREATE"],
                    "resourceRecordSet": {
                        "type": ["A"]
                    }
                }
            }
        }
    }
}
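The matching rules above (unspecified fields match anything, square brackets hold candidate values, an array of objects in the event is addressed by a bracket-less object in the pattern) can be exercised offline before a rule is deployed. The following is an added example and not code from the article or from AWS: a small model of the matcher plus a constructed, trimmed copy of the Route 53 event above, used to show that the article's pattern fires on a CREATE of an A record, stays silent on a CNAME, and also stays silent on an UPSERT unless that action is added. The service itself is the final authority on matching; confirm anything this accepts with aws events test-event-pattern.

```python
"""Offline model of CloudWatch Events pattern matching.

Added example; not code from the article or from AWS. It models the rules
listed in the article:
  * keys absent from the pattern match anything;
  * a list in the pattern holds literal candidate values, and the event's
    value (or, if that value is an array, any of its elements) must equal
    one of them;
  * an object in the pattern descends one level; where the event holds an
    array of objects, it matches if any element matches, which is why the
    pattern is written without the square brackets the event has.
"""


def validate_pattern(pattern) -> None:
    """Raise ValueError for shapes the service rejects: empty objects or
    lists, bare values, or brackets wrapped around an object."""
    if isinstance(pattern, dict):
        if not pattern:
            raise ValueError("empty object in pattern")
        for value in pattern.values():
            validate_pattern(value)
    elif isinstance(pattern, list):
        if not pattern:
            raise ValueError("empty candidate list")
        for value in pattern:
            if isinstance(value, (dict, list)):
                raise ValueError("square brackets hold literal values only; "
                                 "write an object, not [ {...} ], for array elements")
    else:
        raise ValueError(f"bare value {pattern!r}; candidate values go in a list")


def is_valid_pattern(pattern) -> bool:
    try:
        validate_pattern(pattern)
        return True
    except ValueError:
        return False


def matches(pattern, event) -> bool:
    """True when `event` (parsed JSON) satisfies `pattern` (parsed JSON)."""
    validate_pattern(pattern)
    return _match(pattern, event)


def _match(pattern, event) -> bool:
    if isinstance(pattern, list):                     # leaf: candidate values
        if isinstance(event, list):                   # array of scalars in event
            return any(item in pattern for item in event)
        return event in pattern
    if isinstance(event, list):                       # array of objects in event
        return any(_match(pattern, item) for item in event)
    if not isinstance(event, dict):
        return False
    return all(key in event and _match(sub, event[key])
               for key, sub in pattern.items())


def route53_event(action="CREATE", record_type="A") -> dict:
    """Constructed event, trimmed from the article's sample; not a real capture."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.route53",
        "region": "us-east-1",
        "detail": {
            "eventSource": "route53.amazonaws.com",
            "eventName": "ChangeResourceRecordSets",
            "requestParameters": {
                "hostedZoneId": "Z1RP9G2VYLRY8V",
                "changeBatch": {"changes": [
                    {"action": action,
                     "resourceRecordSet": {"type": record_type, "tTL": 300}},
                ]},
            },
        },
    }


def record_created_pattern(hosted_zone_id, actions=("CREATE",),
                           record_types=("A",)) -> dict:
    """The article's pattern, parameterised. `changes` is an object here even
    though it is an array in the event."""
    return {
        "source": ["aws.route53"],
        "detail": {
            "eventSource": ["route53.amazonaws.com"],
            "eventName": ["ChangeResourceRecordSets"],
            "requestParameters": {
                "hostedZoneId": [hosted_zone_id],
                "changeBatch": {"changes": {
                    "action": list(actions),
                    "resourceRecordSet": {"type": list(record_types)},
                }},
            },
        },
    }


if __name__ == "__main__":
    zone = "Z1RP9G2VYLRY8V"
    print(matches(record_created_pattern(zone), route53_event()))                      # True
    print(matches(record_created_pattern(zone), route53_event(record_type="CNAME")))   # False
    print(matches(record_created_pattern(zone), route53_event(action="UPSERT")))       # False
    print(matches(record_created_pattern(zone, actions=("CREATE", "UPSERT")),
                  route53_event(action="UPSERT")))                                     # True
```

The UPSERT case is the one to keep in mind when such a rule feeds a detection pipeline: an attacker (or an automation tool) that writes records with UPSERT never produces a CREATE, so the article's pattern as written would not fire.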

Test the event pattern using the AWS Command Line Interface (AWS CLI)

In the AWS CLI, run the test-event-pattern command (aws events test-event-pattern), passing your event pattern together with a sample event, such as one captured through the SNS topic or log group in the previous section. The pattern matches when the result is true. With the captured JSON events on one side and this check on the other, you can iterate on a custom event pattern until it captures exactly the events you want.
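To run that check from a script rather than by hand, here is an added helper that is not part of the article and not AWS code. It assumes the AWS CLI is on PATH with credentials permitted to call events:TestEventPattern, and that the event is the raw JSON captured from the SNS topic or log group; the API requires the top-level fields id, account, source, time, region, resources and detail-type, so the helper refuses a trimmed event before calling the service.

```python
"""Drive `aws events test-event-pattern` from a captured event.

Added example; not code from the article or from AWS. Assumes the AWS CLI is
installed with credentials permitted to call events:TestEventPattern, a
read-only API that needs no rule or target to exist.
"""
import json
import subprocess

# Top-level keys the TestEventPattern API requires in the --event document.
REQUIRED_TOP_LEVEL = ("id", "account", "source", "time", "region",
                      "resources", "detail-type")


def missing_required_fields(event: dict) -> list:
    """Required top-level keys that a captured event lacks (order preserved)."""
    return [key for key in REQUIRED_TOP_LEVEL if key not in event]


def cli_command(pattern: dict, event: dict) -> list:
    """argv for the CLI call; both documents are passed as JSON strings."""
    return ["aws", "events", "test-event-pattern",
            "--event-pattern", json.dumps(pattern),
            "--event", json.dumps(event)]


def parse_result(cli_output: str) -> bool:
    """The CLI prints a JSON document of the form {"Result": true|false}."""
    return bool(json.loads(cli_output)["Result"])


def check_pattern(pattern: dict, event: dict) -> bool:
    """Ask the service whether `pattern` matches `event`; True means it does."""
    missing = missing_required_fields(event)
    if missing:
        raise ValueError(f"event is missing required top-level fields: {missing}")
    completed = subprocess.run(cli_command(pattern, event), check=True,
                               capture_output=True, text=True)
    return parse_result(completed.stdout)


if __name__ == "__main__":
    import sys
    # Usage: python check_pattern.py pattern.json captured-event.json
    with open(sys.argv[1]) as f:
        pattern = json.load(f)
    with open(sys.argv[2]) as f:
        event = json.load(f)
    print("match" if check_pattern(pattern, event) else "no match")
```

Keep the captured event file in full: trimming it to the detail section, which is tempting when the identity fields are noisy, makes the API reject the call rather than report a mismatch.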
