Capturing CloudTrail events

m0ltar · June 8, 2023, 12:44pm

I am trying to catch the CloudTrail events into EventBridge. I am following this article:

Which also uses this code base:

aws-samples/amazon-quicksight-sdk-proserve/blob/master/Administrative_Dashboard/administrative_dashboard/administrative_dashboard_stack.py

import aws_cdk
from aws_cdk import (
    core,
    aws_iam as iam,
    aws_s3 as s3,
    aws_lambda as _lambda,
    aws_events as events,
    aws_events_targets as targets
)
from aws_cdk.core import Aws
import boto3
import json
import os


current_dir = os.path.dirname(__file__)

class QuickSightStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

This file has been truncated. show original

I am pretty much doing everything the same, except in TypeScript:

    Trail.onEvent(this, 'OnEvent', {
      description: 'Catch QuickSight CloudTrail events.',
      target: new aws_events_targets.CloudWatchLogGroup(new LogGroup(this, 'EventLog')),
      eventPattern: {
        source: ['aws.quicksight'],
        detail: {
          eventSource: ['quicksight.amazonaws.com'],
          eventName: ['CreateGroup'],
        },
      },
    })

Yet, I am not getting any events in my log.

I do see them in the CloudTrail UI though.

The final EventBridge rule is:

{
  "detail-type": ["AWS API Call via CloudTrail"],
  "source": ["aws.quicksight"],
  "detail": {
    "eventSource": ["quicksight.amazonaws.com"],
    "eventName": ["CreateGroup"]
  }
}

QuickSight and everything is in the same region
I am using AWS CDK, so I can almost rule out any permission issue, as all of that is handled
I am using the same rules as the linked codebase above, just in TS

Is there anything else that needs to be done on the account to be able to pipe these events to EventBridge?

Thanks.

m0ltar · June 9, 2023, 10:36am

Hey @ying_wang since you were there author of that blog post, I thought maybe you have some ideas? Thanks!

apjvinod · August 2, 2023, 2:37pm

Hi @m0ltar

Please update the event pattern rule like below (source first and then detail-type ) and try . And ensure you are using Custom Pattern with prefix event matching for event method.

{
“source”: [“aws.quicksight”],
“detail-type”: [“AWS API Call via CloudTrail”],
“detail”: {
“eventSource”: [“quicksight.amazonaws.com”],
“eventName”: [“CreateGroup”]
}
}

m0ltar · August 2, 2023, 2:51pm

@apjvinod Thank you for your suggestion. However, ordering in JSON does not matter. Also, this JSON is produced by CDK, and I have no control over it. If AWS cards about prop ordering, then I think we have a much bigger issue, and this certainly needs to be documented by CloudTrail.

apjvinod · August 2, 2023, 3:22pm

@m0ltar You are right its works without ordering as well, think you might need to check the destination/target in eventbridge rule. Can you try changing target to SNS email topic and check by creating new QuickSight group. Just to isolate the problem is on the triggering event or at the target side .