4

I am trying to trigger a Lambda function when a RequestCertificate event is being raised in AWS Certificate Manager.

In order to do that, I have created a CloudWatch Rule with the following syntax:

{
  "source": [
    "aws.acm"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "acm.amazonaws.com"
    ],
    "eventName": [
      "RequestCertificate"
    ]
  }
}

This rule has a Lambda function as the target. I've made sure that the Lambda function has all the permissions it needs to execute correctly.

However, when I request a certificate on ACM, the Lambda is not triggered at all, even though the RequestCertificate event appeared in CloudTrail Event history.

To resolve this, I had to create a Trail that will store CloudTrail logs in an S3 bucket. Once this is done, the Lambda now gets triggered correctly.

The thing is, this is not specified on the documentation here: Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail

So, I would like to know if this is the expected behavior, or if there was something wrong in the first place with my CloudWatch Rule.

Thanks.

Abdullah Khawer
Antoine Delia

1 Answer

7

After contacting the AWS Support team, they confirmed that if the detail type is AWS API Call via CloudTrail, you will not receive any events if you do not enable a CloudTrail trail. So creating an S3 Bucket was the way to go.

Below is the full response from them in case it can help others:

Yes, if the detail type is 'AWS API Call via CloudTrail', then CloudTrail should be enabled in order to get the events.

For event pattern where you specify 'AWS API Call via CloudTrail', if you do not enable CloudTrail trail, you will not receive the events for the same.

CloudTrail is only required with the services/APIs which do not emit CloudWatch events directly. In such cases only, we would need to monitor the CloudTrail API calls to trigger the CloudWatch event rules. The API operations are logged in CloudTrail and will be available to CloudWatch Events for matching. Whenever any API call is logged into CloudTrail and the service name and API call specified in the CloudWatch event rule match those of the APIs logged in CloudTrail, the CloudWatch event rule will be triggered. E.g. S3 object-level Put API operations do not emit any specific event to CloudWatch, hence in this case we would need to capture the respective API call from the CloudTrail events. However, certain services emit CloudWatch events directly for any specific action they perform. In such cases we would not need to use CloudTrail for triggering CloudWatch Events. E.g. the EC2 Stop Instance operation emits a direct event to CloudWatch. In this case we need not use CloudTrail for capturing these events for a CloudWatch Event rule.

For ACM, you will need to enable the CloudTrail events as ACM does not directly emit a specific event to CloudWatch.

Abdullah Khawer
Antoine Delia
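As an added illustration (not code from the question, the answer, or the AWS response), the Python below checks the rule pattern from the question against a constructed CloudTrail-style event and flags the trail dependency the answer describes. The matching function is a simplified assumption of EventBridge semantics (literal arrays and nested objects only; no prefix, numeric or anything-but filters), and the sample event values are made up.

```python
"""Check a CloudWatch Events / EventBridge rule pattern against a CloudTrail-style
event and flag whether the rule can only be fed by an enabled CloudTrail trail."""

# Event pattern from the question: match ACM RequestCertificate calls via CloudTrail.
RULE_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["acm.amazonaws.com"],
        "eventName": ["RequestCertificate"],
    },
}

# Constructed sample event in the shape EventBridge delivers for CloudTrail API calls
# (illustrative values only, not a real account, region choice or request).
SAMPLE_EVENT = {
    "source": "aws.acm",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "acm.amazonaws.com",
        "eventName": "RequestCertificate",
        "awsRegion": "eu-west-1",
    },
}


def pattern_matches(pattern, event):
    """Simplified matching (assumption): every key in the pattern must exist in the
    event; a list of literals matches if the event value is one of them; a nested
    dict recurses. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def needs_cloudtrail_trail(pattern):
    """True when the rule depends on a CloudTrail trail: 'AWS API Call via CloudTrail'
    events are only delivered once a trail is enabled (the behaviour confirmed in the
    answer), so such a rule is silently inert in an account without one."""
    return "AWS API Call via CloudTrail" in pattern.get("detail-type", [])
```

Running needs_cloudtrail_trail over every rule in an account is a cheap way to list the rules that will never fire until a trail exists.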