
I have a CloudWatch event that scans an ECR repository for vulnerabilities, connected to an SNS topic that triggers a notification to a specified endpoint. My requirement here is to filter the scan findings, i.e. trigger the SNS topic only when the scan finds "Critical".

{
  "detail-type": [
    "ECR Image Scan"
  ],
  "source": [
    "aws.ecr"
  ],
  "detail": {
    "severity": [
      "CRITICAL"
    ]
  }
}

  • I don't think you can do it directly just by SNS. You will need something that does the filtering between the CW event and SNS, or between SNS and the endpoint. Possible candidates could be a Lambda function, Kinesis Firehose, or CloudWatch log filters. – Marcin May 07 '20 at 08:58
  • We can do it using content-based filtering. Here, look at https://docs.aws.amazon.com/eventbridge/latest/userguide/content-filtering-with-event-patterns.html#filtering-numeric-matching – P Nisanth Reddy May 07 '20 at 09:56

1 Answer


It works with this pattern:

{
  "source": [
    "aws.ecr"
  ],
  "detail-type": [
    "ECR Image Scan"
  ],
  "detail": {
    "finding-severity-counts": {
      "CRITICAL": [
        {
          "numeric": [
            ">",
            0
          ]
        }
      ]
    }
  }
}

Above is the CloudWatch event pattern for filtering scan findings only on the CRITICAL count.

See https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html for more details.

poolsideDev
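As an added illustration (not part of the original question or answer), the Python below implements the small subset of EventBridge event-pattern semantics the two patterns on this page rely on (lists of literal values, and the `numeric` content filter) and runs both patterns against constructed ECR Image Scan events. The event shape follows the `detail.finding-severity-counts` field the accepted pattern matches on; the account ID, repository name, digest and counts are constructed sample data, not captured events. The page does not say whether a scan with no critical findings reports `"CRITICAL": 0` or omits the key entirely, so both cases are included; neither satisfies the `numeric [">", 0]` filter, and the question's original `detail.severity` pattern matches nothing because that field is not present in the event.

```python
import operator

# Operators EventBridge accepts inside a {"numeric": [...]} content filter.
_NUMERIC_OPS = {
    "<": operator.lt, "<=": operator.le, "=": operator.eq,
    ">": operator.gt, ">=": operator.ge,
}


def _numeric_match(spec, value):
    """spec is the list after "numeric": [">", 0] or a range like [">", 0, "<=", 10]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound)
               for op, bound in zip(spec[0::2], spec[1::2]))


def _leaf_match(alternatives, value):
    """A leaf in a pattern is a list; the event value must satisfy at least one entry."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "numeric" in alt and _numeric_match(alt["numeric"], value):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """Return True if the event satisfies the pattern.

    Every key in the pattern must be present in the event and match; keys the
    pattern does not mention are ignored, as in EventBridge. A key the event
    lacks entirely (e.g. no "CRITICAL" entry in the counts) fails the match.
    Only literal lists and "numeric" filters are supported here (a subset).
    """
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif not _leaf_match(sub, event[key]):
            return False
    return True


# The two patterns from this page: the question's attempt and the working answer.
QUESTION_PATTERN = {"detail-type": ["ECR Image Scan"], "source": ["aws.ecr"],
                    "detail": {"severity": ["CRITICAL"]}}
ANSWER_PATTERN = {"source": ["aws.ecr"], "detail-type": ["ECR Image Scan"],
                  "detail": {"finding-severity-counts": {"CRITICAL": [{"numeric": [">", 0]}]}}}


def ecr_scan_event(severity_counts):
    """Constructed ECR Image Scan event; account, repo, ARN and digest are placeholders."""
    return {
        "version": "0",
        "detail-type": "ECR Image Scan",
        "source": "aws.ecr",
        "account": "123456789012",
        "region": "us-east-1",
        "resources": ["arn:aws:ecr:us-east-1:123456789012:repository/my-repo"],
        "detail": {
            "scan-status": "COMPLETE",
            "repository-name": "my-repo",
            "image-digest": "sha256:" + "0" * 64,
            "image-tags": ["latest"],
            "finding-severity-counts": severity_counts,
        },
    }


def evaluate():
    """Run both patterns against three constructed scan outcomes."""
    events = {
        "critical_findings": ecr_scan_event({"CRITICAL": 2, "HIGH": 5, "MEDIUM": 9}),
        "zero_critical": ecr_scan_event({"CRITICAL": 0, "MEDIUM": 9}),
        "no_critical_key": ecr_scan_event({"MEDIUM": 9, "LOW": 1}),
    }
    return {name: {"question_pattern": matches(QUESTION_PATTERN, ev),
                   "answer_pattern": matches(ANSWER_PATTERN, ev)}
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18} question_pattern={result['question_pattern']!s:5} "
              f"answer_pattern={result['answer_pattern']}")
```

Only the `critical_findings` event matches the answer's pattern; the question's pattern matches none of them. For the authoritative check against the real service rather than this local approximation, `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json` evaluates a pattern against a sample event without creating a rule.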