how to trigger aws lambda function upon a new event being detected by cloudtrail

Question

I currently have a lambda function in AWS that I am trying to trigger whenever a new event is detected by Cloudtrail. In Amazon EventBridge, I have set a rule with the following event pattern:

{
   "source": ["aws.cloudtrail"]
}

I have also configured the target to be the lambda function. However, when I go to AWS WAF -> IP SETS, and edit one of the IP Sets, even though I can see the event in the Event History tab of cloudtrail, the lambda function does not get triggered. I have checked the event JSON in cloudtrail and the eventSource property is given as wafv2.amazonaws.com. Should I take this to mean that my rule in eventbridge is not working as the source is never going to be cloudtrail itself, but the service that the change actually occurs in? If so, is there any other way I could possibly configure an eventbridge rule such that any event detected by cloudtrail will trigger the lambda? (I need the lambda function to be triggered on a variety of events, not just updating IP sets, so I can't set the source as WAF)

Answer 1

I hope I can help. I have a couple of EventBridge events configured to trigger lambda.

Using Cloudformation as an example:

This event triggers the renaming of a RAM-Share from production -> dev.

The rule is as follows

    Type: AWS::Events::Rule
    Properties:
      Description: "This rule triggers a lambda that renames a ram resource share for integration lakeformation"
      Name: !FindInMap [StageMap, !Ref Stage, RenameRamShareRule]
      EventPattern:
        source:
          - "aws.ram"
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "ram.amazonaws.com"
          eventName:
            - "CreateResourceShare"
            - "DeleteResourceShare"
          userIdentity:
            sessionContext:
              sessionIssuer:
                arn:
                  - !GetAtt CreateTableNotificationLambdaRole.Arn

      State: "ENABLED"
      Targets: 
        - Arn: !ImportValue LakeFormationPermissionsQueueArn
          Id: "LakeFormationPermissionsQueue"
          SqsParameters: 
            MessageGroupId: "LakeFormationMessageGroup"

The event source is from "aws.ram" You then have to specify "detail" followed by "eventSource" and "ram.amazonaws.com" If you're triggering the lambda from another resource via cloud trail, you would replace ram with the new resource.

It's pretty funky and I feel like some of the API calls get dropped silently. I'm currently testing a different one and nothing is working on the event call. It can be difficult to debug.