AWS API Call via CloudTrail EventBridge events not firing in AWS

This article discusses why AWS API Call via CloudTrail EventBridge events are not firing in AWS and what to do about it. Do you have any further questions after reading this article? If so, please contact me. You can reach out to me here.

There are several ways to respond to changes within your AWS environment; most of them come down to monitoring the AWS CloudTrail logs through Amazon EventBridge. Recently I ran into the problem that my CloudTrail events were not firing in AWS EventBridge.

Example pattern

You can set up the following EventBridge event pattern to capture events in your AWS account:

{
  "detail": {
    "eventName": ["RunTask"],
    "eventSource": ["ecs.amazonaws.com"]
  },
  "detail-type": ["AWS API Call via CloudTrail"],
  "source": ["aws.ecs"]
}

In this case we would capture all RunTask events that take place in the account. We can then store the data or start a Step Functions state machine. In my case I needed the RunTask request body to store the task parameters so I could replay the request. You can see this in action in my Terraform Fargate vertical scaling module.

Type of events

You can also use this approach to respond to other events in your AWS account, for example:

  1. An EC2 instance starts up
  2. The creation of a new access key
  3. A user logs in to the AWS console

CloudTrail logs all calls made to the AWS APIs, so this approach is quite flexible. You must be aware that there are two types of events:

  • Management events: calls that pertain to the management of AWS in the broadest sense of the word. The three examples I gave above count as management events.
  • Data events: these are often high-volume events, for instance an S3 object being created. Data events must be enabled on a trail-by-trail basis.

Reasons why EventBridge events might not fire

A requirement for CloudTrail events to fire is that you have a CloudTrail trail in place that delivers this data to Amazon S3. I suspect internally these events work through S3. Without an S3 bucket the events will simply not fire. The documentation about this is hard to find on the AWS site.

In addition, read-only API calls, i.e. eventNames that start with List, Get, or Describe, are not processed by AWS EventBridge. So a call like ListTasks will not trigger any AWS EventBridge rules.

Furthermore, these events will only fire on the default event bus.
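As an added example (not code from the original post), the following Python script checks a rule for the pitfalls listed above and matches the page's RunTask pattern against constructed CloudTrail events. The rule dict mimics the shape of a boto3 `events.describe_rule()` response, and the events are constructed, trimmed versions of what EventBridge delivers; both are assumptions for the example.

```python
import json

# eventName prefixes that EventBridge does not deliver from CloudTrail
READ_ONLY_PREFIXES = ("List", "Get", "Describe")


def lint_rule(rule):
    """Return warnings for the pitfalls this page describes: a custom event bus,
    a wrong detail-type, or read-only eventNames (List*/Get*/Describe*)."""
    warnings = []
    if rule.get("EventBusName", "default") != "default":
        warnings.append("rule is not on the default event bus; CloudTrail events only arrive there")
    pattern = json.loads(rule["EventPattern"])  # describe_rule returns the pattern as a JSON string
    if pattern.get("detail-type") != ["AWS API Call via CloudTrail"]:
        warnings.append('detail-type must be ["AWS API Call via CloudTrail"]')
    for name in pattern.get("detail", {}).get("eventName", []):
        if name.startswith(READ_ONLY_PREFIXES):
            warnings.append(f"{name} is read-only; EventBridge does not deliver it")
    return warnings


def matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must exist in the event,
    a list of values matches when the event value equals any of them, dicts recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


# Constructed rule (assumption), shaped like a boto3 events.describe_rule() response.
RUN_TASK_RULE = {
    "Name": "capture-run-task",
    "EventBusName": "default",
    "EventPattern": json.dumps({
        "detail": {"eventName": ["RunTask"], "eventSource": ["ecs.amazonaws.com"]},
        "detail-type": ["AWS API Call via CloudTrail"],
        "source": ["aws.ecs"],
    }),
}


def cloudtrail_event(event_name):
    """Constructed, trimmed CloudTrail event as EventBridge would deliver it."""
    return {"source": "aws.ecs", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ecs.amazonaws.com", "eventName": event_name}}
```

Running `lint_rule(RUN_TASK_RULE)` on the page's pattern returns no warnings, while a copy of the rule placed on a custom bus with `ListTasks` as the eventName returns one warning for each problem.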

Now you know why your CloudWatch event is not firing in AWS!