Invoking AWS CloudWatch Event Rule by some event


I have an EventBridge rule that looks like this:

{
  "source": ["redshift.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {
      "clusterIdentifier": ["some-redshift-cluster"]
    }
  }
}

As you can see, I want to invoke that rule on the cluster creation event. The problem is that the rule above doesn't get invoked, so it won't trigger the specific Lambda that is set as a target of the rule.

As an experiment I've created a mock event on default event bus and sent it. EventBridge rule matches with this event, which looks like this:

{
  "version": "0",
  "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "redshift.amazonaws.com",
  "account": "xxxxxxxxxxxx",
  "time": "2023-07-04T10:13:01Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "xxxxxxxxxxxxxxxxxxxxx",
      "arn": "arn:aws:iam::xxxxxxxxxxxx:user/[email protected]",
      "accountId": "xxxxxxxxxxxx",
      "accessKeyId": "xxxxxxxxxxxxxxxxxxxx",
      "userName": "[email protected]"
    },
    "eventTime": "2023-07-04T07:03:13Z",
    "eventSource": "redshift.amazonaws.com",
    "eventName": "CreateCluster",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "xx.xx.xx.xxx",
    "userAgent": "xxx",
    "requestParameters": {
      "dBName": "xxx",
      "clusterIdentifier": "some-redshift-cluster",
      "clusterType": "single-node",
      "nodeType": "dc2.large",
      "masterUsername": "xxxxxxxxx",
      "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "vpcSecurityGroupIds": [
        "xx-xxxxxxxxxxxxxxxxx"
      ]
    }
  }
}

I've changed each piece of sensitive data to x signs. There is much more info in the detail key but I've skipped it.

The value of this detail key is the Event Record content from the CreateCluster event located in the Event History in CloudTrail after the Redshift Cluster is created. There are no keys like version, id, source etc. on the higher level and I think that's the reason why that rule can't match the event of Cluster Creation. How can I edit this rule to make it work on the real CreateCluster event that happens while the Cluster is created?

Edit: I tried with this pattern for redshift

{
  "source": ["aws.redshift"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {
      "clusterIdentifier": ["some-redshift-cluster"]
    }
  }
}

and it doesn't work either. I even created a rule triggered on S3 bucket creation:

{
  "source": ["aws.s3"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["CreateBucket"],
    "requestParameters": {
      "bucketName": ["some-bucket"]
    }
  }
}

Even for S3, the rule has no triggers.


1
Dawid_K On BEST ANSWER

The problem was a lack of a Trail in CloudTrail. I've read some texts where it was said EventBridge rules don't need a Trail enabled to work properly. I had no better ideas, so I made one and now the rule matches the event and successfully invokes targets.

It's a weird solution that I don't really understand, because in this project I have a lambda being invoked on a different EventBridge rule and this one worked well (the source of this rule is aws.redshift-data). Perhaps there are events that can be matched with patterns only with an enabled trail?

7
codeninja.sj On

The record visible in CloudTrail corresponds to a CreateCluster event, not an EventBridge event. This is why you were unable to view the id, source, and version fields. However, when the same CreateCluster event is sent through the EventBridge, it will contain all the mentioned fields (id, source, version), as they are mandatory for EventBridge events. In addition to that, the detail field in the EventBridge event is a placeholder for the CreateCluster event that you saw in CloudTrail.

The CreateCluster event on EventBridge resembles the sample response that you mentioned in the question. However, it's important to note that the actual CreateCluster event on EventBridge contains the value aws.redshift in the source field, not redshift.amazonaws.com.

Therefore, to invoke a lambda function for a CreateCluster event, use the following EventBridge rule:

{
  "source": ["aws.redshift"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {
      "clusterIdentifier": ["some-redshift-cluster"]
    }
  }
}

Edit:

Try the following link to troubleshoot why your EventBridge rule is not triggering your lambda target: https://repost.aws/knowledge-center/eventbridge-rules-troubleshoot
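The source-field point in this answer, as an added Python example that is not part of the answer or of any AWS library: a local matcher applying EventBridge's core rules (every pattern key must exist, leaf lists match by equality, nested objects recurse) to a constructed event in the shape EventBridge delivers for a CloudTrail-sourced CreateCluster call. The event values are placeholders, and content filters such as prefix or anything-but are deliberately not modelled.

```python
# Constructed sample of what EventBridge delivers for a CloudTrail-sourced
# Redshift CreateCluster call: envelope fields present, "source" is
# "aws.redshift", CloudTrail record under "detail". Values are placeholders.
REAL_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.redshift",
    "account": "123456789012",
    "detail": {
        "eventSource": "redshift.amazonaws.com",
        "eventName": "CreateCluster",
        "requestParameters": {"clusterIdentifier": "some-redshift-cluster"},
    },
}
DETAIL_PATTERN = {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {"clusterIdentifier": ["some-redshift-cluster"]},
}
# The question's first pattern: "source" holds the CloudTrail eventSource value.
BROKEN_PATTERN = {"source": ["redshift.amazonaws.com"],
                  "detail-type": ["AWS API Call via CloudTrail"],
                  "detail": DETAIL_PATTERN}
# The answer's pattern: "source" is the EventBridge service name.
FIXED_PATTERN = {"source": ["aws.redshift"],
                 "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": DETAIL_PATTERN}

def first_mismatch(pattern, event, path=""):
    """Dotted path of the first pattern key the event fails, or None on a match.
    Core EventBridge rules only: every pattern key must exist in the event, a
    list of literals matches when the event value (or any element of an event
    list) equals one of them, nested objects recurse; no content filters."""
    for key, expected in pattern.items():
        here = f"{path}.{key}" if path else key
        if key not in event:
            return here
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict):
                return here
            sub = first_mismatch(expected, actual, here)
            if sub is not None:
                return sub
        elif not any(c in expected for c in
                     (actual if isinstance(actual, list) else [actual])):
            return here
    return None
```

Against a live account, the EventBridge TestEventPattern API (aws events test-event-pattern) performs the same check with the service's full semantics, without deploying a rule.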

3
sahith palika On

To invoke your EventBridge rule on resource creation, I suggest you take the source as aws.config (keeping in mind that in the future you will move to other resources as well).

You can add AWS::Redshift::Cluster as resource type in the event pattern.

For more info, please take a look at these pages:

https://medium.com/@TechStoryLines/receive-sns-alerts-when-new-resources-are-created-in-your-aws-account-db749b16445f

https://techstorylines.hashnode.dev/receive-sns-alerts-when-new-resources-are-created-in-your-aws-account