How can I create a custom event pattern for an EventBridge rule?

Last updated: 2022-01-26

I want to capture certain events for AWS services with an Amazon EventBridge rule. However, I'm unable to create a custom event pattern that matches the event. How can I create a custom EventBridge event pattern?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Events are generated by AWS services in a predefined JSON format and sent to Amazon EventBridge. You can create rules that use event patterns to filter incoming events and then trigger a target.

Determine the JSON format of the incoming event

There are three methods for determining the JSON format for an incoming event:

1.    Refer to this list of event examples.

2.    Use a sample event that's integrated into the Amazon EventBridge console. To use a sample event, do the following:

  • For Event matching pattern, select Pre-defined pattern by service.
  • Select a Service provider from the dropdown list.
  • Select a Service name from the dropdown list.
  • Select an Event type from the dropdown list.
  • Select if the event is for Any resource or a Specific resource.
  • Select if the event is for Any status or a Specific status.

The Event pattern text box populates with the selected sample event pattern. You can copy or edit the pattern as needed.

3.    Create an EventBridge rule with a simple event pattern that matches all events for a specific service. For Define pattern, choose Event Pattern.

Note: Wildcards aren't permitted in the event pattern. Empty event patterns are also not allowed.

For example, to see all events generated by the Amazon Elastic Compute Cloud (Amazon EC2) service, use this filter:

{
 "source": [ "aws.ec2" ]
}

Attach a target to your rule, either with an SNS topic or CloudWatch Logs. As a result, all matched events are received through the SNS topic or CloudWatch Logs. You receive the exact JSON event that was sent by a particular AWS service. Based on those results, you can then create a custom event pattern. Be sure that you're using the default setting (Configure Input: Matched event) for the input transformer of the EventBridge rule so that the incoming event is forwarded as-is.

Create an event pattern in the same JSON format as the incoming event

The following rules apply to creating a valid matching event pattern:

  • Any fields that you don't specify in your event pattern are automatically matched. For example, if Detail isn't specified in the event pattern, then the event pattern matches every event with any detail.
  • To match fields that are one level down in the JSON structure, use curly brackets { }. A JSON viewer might be helpful if you're looking at larger event structures.
  • The string to be matched from the JSON event must be in square brackets [ ]. You can include multiple values in square brackets so that the rule is triggered when any one of the values is present in an incoming event. For example, to match every event sent by Amazon EC2 or Amazon DynamoDB, use this filter:
{
 "source": [ "aws.ec2", "aws.dynamodb" ]
}

Note: You must remove any square brackets in the JSON event sent by the service to be sure that the event pattern is marked as valid. For example, to be notified when a Type A record is created for a specific Amazon Route 53 hosted zone, use the following.

Event sent by Route 53 to EventBridge (received from an SNS topic or CloudWatch Logs):

{
    "version": "0",
    "id": "d857ae5c-cc83-3742-ab88-d825311ee4e9",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.route53",
    "account": "123456789012",
    "time": "2019-12-05T16:50:53Z",
    "region": "us-east-1",
    "resources": [

    ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAABCDEFGHIJKLMNOPQ:Admin",
            "arn": "arn:aws:sts::123456789012:assumed-role/Admin",
            "accountId": "123456789012",
            "accessKeyId": "ASIAABCDEFGH12345678",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAABCDEFGHIJKLMNOPQ",
                    "arn": "arn:aws:iam::123456789012:role/Admin",
                    "accountId": "123456789012",
                    "userName": "Admin"
                },
                "webIdFederationData": {

                },
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2019-12-05T16:28:27Z"
                }
            }
        },
        "eventTime": "2019-12-05T16:50:53Z",
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "12.34.56.78",
        "userAgent": "console.amazonaws.com",
        "requestParameters": {
            "hostedZoneId": "Z1RP12345WXRQD",
            "changeBatch": {
                "changes": [
                    {
                        "action": "CREATE",
                        "resourceRecordSet": {
                            "type": "A",
                            "tTL": 300,
                            "resourceRecords": [
                                {
                                    "value": "4.4.4.4"
                                }
                            ],
                            "name": "test.example.us."
                        }
                    }
                ]
            }
        },
        "responseElements": {
            "changeInfo": {
                "status": "PENDING",
                "id": "/change/C271P4WIKN511J",
                "submittedAt": "Dec 5, 2019 4:50:53 PM"
            }
        },
        "additionalEventData": {
            "Note": "Do not use to reconstruct hosted zone"
        },
        "requestID": "bbbf9847-96cb-45ef-b617-d535b9fe83d8",
        "eventID": "74e2d2c8-7497-4292-94d0-348272dbc4f7",
        "eventType": "AwsApiCall",
        "apiVersion": "2013-04-01"
    }
}

Event filter pattern to be notified when a Type A record is created for your hosted zone:

{
    "source": ["aws.route53"],
    "detail": {
        "eventSource": ["route53.amazonaws.com"],
        "eventName": ["ChangeResourceRecordSets"],
        "requestParameters": {
            "hostedZoneId": ["Z1RP12345WXRQD"],
            "changeBatch": {
                "changes":
                    {
                        "action": ["CREATE"],
                        "resourceRecordSet": {
                            "type": ["A"]
                        }
                    }
            }
        }
    }
}
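The matching rules above can be checked offline with a small matcher. This is an added example, not AWS code: matches() is a hypothetical, simplified model of exact-value matching only, EVENT is a constructed sample cut down from the Route 53 event above with a second change added, and the test-event-pattern command remains the authoritative check.

```python
def matches(pattern, event):
    """True if every field named in `pattern` matches `event`.

    Fields that the pattern does not mention are ignored, so they match anything.
    """
    return all(k in event and _value_ok(want, event[k]) for k, want in pattern.items())

def _value_ok(want, got):
    if isinstance(got, list):
        # The event's own [ ] are not written in the pattern: any element may match.
        return any(_value_ok(want, item) for item in got)
    if isinstance(want, dict):
        # { } in the pattern descends one level in the event.
        return isinstance(got, dict) and matches(want, got)
    if isinstance(want, list):
        # [ ] in the pattern lists the accepted values; any one of them matches.
        return got in want
    raise ValueError(f"pattern leaf {want!r} must be wrapped in [ ]")

# Constructed sample: the Route 53 event above, trimmed, with one extra change.
EVENT = {
    "source": "aws.route53",
    "detail": {
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "requestParameters": {
            "hostedZoneId": "Z1RP12345WXRQD",
            "changeBatch": {"changes": [
                {"action": "DELETE", "resourceRecordSet": {"type": "CNAME"}},
                {"action": "CREATE", "resourceRecordSet": {"type": "A"}},
            ]},
        },
    },
}

# The filter pattern from this page.
PATTERN = {
    "source": ["aws.route53"],
    "detail": {
        "eventSource": ["route53.amazonaws.com"],
        "eventName": ["ChangeResourceRecordSets"],
        "requestParameters": {
            "hostedZoneId": ["Z1RP12345WXRQD"],
            "changeBatch": {"changes": {
                "action": ["CREATE"], "resourceRecordSet": {"type": ["A"]}}},
        },
    },
}

if __name__ == "__main__":
    print(matches(PATTERN, EVENT))
```

Content filters such as prefix or numeric matching are not modelled here.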

Test the event pattern

Test using the EventBridge console

You can test the event pattern when creating your rule. Select Test event pattern to test your event.

Test using the AWS CLI

In the AWS CLI, run the test-event-pattern command. To confirm that the event pattern matches, be sure that the result is true. Testing this way lets you check your pattern against the JSON events sent by the AWS service and adjust your custom event pattern until it captures the specific events that you want.