2

I am trying to make a rule trigger on any API call for creation, but I haven't had any success.

I have another rule that triggers whenever an EC2 instance is running, which works, but this rule does not trigger for RunInstances, although I see the CloudTrail logs with RunInstances in the API log.

I have made a CloudWatch log from the cloudtrail and see the events that should be triggering it, but they don't. Is there a step I am missing? What are the necessary components to have CloudWatch properly trigger on API calls?

The rule mentioned:

    {
      "source": [
        "aws.cloudtrail"
      ],
      "detail-type": [
        "AWS API Call via CloudTrail"
      ],
      "detail": {
        "eventSource": [
          "cloudtrail.amazonaws.com"
        ],
        "eventName": [
          "CreateUserPool",
          "CreateImage",
          "CreateCacheCluster",
          "RunInstances",
          "CreateActivation",
          "RunJobFlow",
          "CreateVault",
          "CreateDeliveryStream",
          "CreateStream",
          "CreateCluster",
          "CreateDBInstance",
          "CreateHostedZone",
          "CreateBucket",
          "CreateLaunchConfiguration",
          "CreateStack",
          "CreateEnvironment",
          "CreateWorkspaces"
        ]
      }
    }

To add more detail, here is the other rule I used to test CloudWatch:

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "EC2 Instance State-change Notification"
  ],
  "detail": {
    "state": [
      "running"
    ]
  }
}

This is the log of the startInstances and the following Lambda function running.

CloudTrail of the Lambda function specifically, which functions normally.

Lambda function log

Here is the API call which should also initiate it according to the rule, but it does not.

Hopefully these images make it clearer as to what I am having trouble with.

P.S. I didn't know how much info I should consider confidential, so I over-censored.

RandyA
  • I had a misunderstanding of what AWS API calls from Cloudtrail meant when looking at cloudtrail. I now believe it is only commands associated with that service, in this case cloudtrail, which would not have RunInstances at all. I'm testing other options to get the results I want. – RandyA Jul 07 '17 at 14:33
  • If anyone is still interested in doing this, it is possible to have multiple events within a rule. They do have to be explicitly stated, e.g. ec2, s3, etc. There is no wildcard functionality. Also, the JSON formats will differ between events of different resources, so retrieving a specific parameter will require hard coding. – RandyA Jul 13 '17 at 18:21

1 Answer

0

I misunderstood the rule I created. I thought "AWS API calls from Cloudtrail" when using the cloudtrail Service meant all the information stored in Cloudtrail. That does not seem to be the case.

As I mention in my comment, I am looking for other solutions for my problem, but I will make a separate question for that. Thanks!

RandyA
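
Added example, not part of the original post: a simplified local model of event-pattern matching (exact string matches only, which is an assumption about scope) that reports which fields of the question's rule fail against a RunInstances event. The sample events are constructed and trimmed, and `mismatches` and the pattern names are hypothetical.

```python
# Simplified model: a pattern leaf lists allowed values, the event value must
# equal one of them, and nested objects are matched recursively.

def mismatches(pattern, event, path=""):
    """Return dotted paths of pattern fields that the event does not satisfy."""
    failed = []
    for key, expected in pattern.items():
        here = f"{path}.{key}" if path else key
        actual = event.get(key)
        if isinstance(expected, dict):
            nested = actual if isinstance(actual, dict) else {}
            failed += mismatches(expected, nested, here)
        elif actual not in expected:  # a missing field (None) also fails
            failed.append(here)
    return failed

def api_event(source, event_source, event_name):
    """Build a constructed, trimmed 'AWS API Call via CloudTrail' event."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": event_source, "eventName": event_name},
    }

def api_pattern(sources, event_sources, event_names):
    """Build a rule pattern for API calls recorded by CloudTrail."""
    return {
        "source": sources,
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": event_sources, "eventName": event_names},
    }

# Constructed events: an EC2 call is attributed to EC2, not to CloudTrail.
RUN_INSTANCES = api_event("aws.ec2", "ec2.amazonaws.com", "RunInstances")
CREATE_BUCKET = api_event("aws.s3", "s3.amazonaws.com", "CreateBucket")

# The rule from the question, shortened to two of its event names.
QUESTION_PATTERN = api_pattern(
    ["aws.cloudtrail"], ["cloudtrail.amazonaws.com"],
    ["RunInstances", "CreateBucket"])

# Each service stated explicitly, as the comment on the question describes.
EXPLICIT_PATTERN = api_pattern(
    ["aws.ec2", "aws.s3"], ["ec2.amazonaws.com", "s3.amazonaws.com"],
    ["RunInstances", "CreateBucket"])

if __name__ == "__main__":
    for name, pat in [("question", QUESTION_PATTERN), ("explicit", EXPLICIT_PATTERN)]:
        for ev in (RUN_INSTANCES, CREATE_BUCKET):
            print(name, ev["detail"]["eventName"], mismatches(pat, ev) or "MATCH")
```

The `eventName` list in the question's rule is satisfied; only `source` and `detail.eventSource` are reported as failing.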