AWS EventBridge events and CloudWatch metric filter do not trigger an alarm

Question    Votes: 0    Answers: 1

I'm looking for specific patterns of user behaviour to alert on. One of them is when someone creates or deletes a subnet in AWS.

EventBridge pattern:

{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": [
      "CreateRouteTable",
      "DeleteRouteTable",
      "ReplaceRouteTableAssociation"
    ]
  }
}

My EventBridge pattern shows up in my CloudWatch log group. Here is my metric filter:

{ $.eventName = "CreateRouteTable" || $.eventName = "DeleteRouteTable" || $.eventName = "ReplaceRouteTableAssociation" }

A sample payload delivered from EventBridge to the target CloudWatch log stream when a route table is created looks like this:

{
    "version": "0",
    "id": "8b6c8639-2569-09da-8f6a-3b6fbaf72ef1",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "ACCOUNT_ID",
    "time": "2024-01-28T01:30:33Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.09",
        "userIdentity": {
            "type": "Root",
            "principalId": "ACCOUNT_ID",
            "arn": "arn:aws:iam::ACCOUNT_ID:root",
            "accountId": "ACCOUNT_ID",
            "accessKeyId": "ASIA****************",
            "sessionContext": {
                "attributes": {
                    "creationDate": "2024-01-27T23:09:14Z",
                    "mfaAuthenticated": "true"
                }
            }
        },
        "eventTime": "2024-01-28T01:30:33Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateRouteTable",    # <--- What I'm looking for
        "awsRegion": "us-east-1",
        "sourceIPAddress": "8.8.8.8",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
        "requestParameters": {

But nothing shows up in my custom metric, so the alarm is never triggered. I'm fairly sure it's my metric filter or my setup, but I need some guidance. For completeness, I'm using the AWS CLI; below are the commands I'm issuing in Bash:

#################################
### Create/delete route table ###
#################################
SNS_TOPIC_ARN="arn:aws:sns:us-east-1:123456789012:CloudWatch-Alerts"
CLOUDWATCH_LOG_GROUP_NAME=/aws/events/aws-cis-security-alerts
CLOUDWATCH_METRIC_NAMESPACE="CISSecurityAlerts"
PROFILE=root
EVENT_BRIDGE_RULE_NAME="route-table-create-or-delete" 
CLOUDWATCH_METRIC_FILTER_NAME=CreateOrDeleteRouteTable
CLOUDWATCH_METRIC_NAME=CreateOrDeleteRouteTable
CLOUDWATCH_ALARM_NAME="Create or delete route tables"
CLOUDWATCH_ALARM_DESCRIPTION="Route table additions/deletions"

# Create EventBridge rule to detect events
aws events put-rule --name $EVENT_BRIDGE_RULE_NAME \
    --profile $PROFILE \
    --event-pattern '{
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateRouteTable", 
                          "DeleteRouteTable", 
                          "ReplaceRouteTableAssociation"]
        }
    }'

# Create EventBridge target pointing at the newly created CloudWatch log group
# (LOG_GROUP_ARN is assumed to have been set when the log group was created; that step is not shown here)
aws events put-targets --rule $EVENT_BRIDGE_RULE_NAME \
    --profile $PROFILE \
    --targets '[
{
    "Id": "1",
    "Arn": "'"$LOG_GROUP_ARN"'"
}]'

# Create CloudWatch metric namespace/name
aws cloudwatch put-metric-data \
    --metric-name "$CLOUDWATCH_METRIC_NAME" \
    --namespace "$CLOUDWATCH_METRIC_NAMESPACE" \
    --value 1 \
    --profile "$PROFILE"

# Add a metric filter onto the cloudwatch log group for tracking events
aws logs put-metric-filter \
    --profile $PROFILE \
    --log-group-name $CLOUDWATCH_LOG_GROUP_NAME \
    --filter-name $CLOUDWATCH_METRIC_FILTER_NAME \
    --filter-pattern '{ 
        ($.eventName = "CreateRouteTable" ||
        $.eventName = "DeleteRouteTable" ||
        $.eventName = "ReplaceRouteTableAssociation")
    }' \
    --metric-transformations '{
        "metricName": "'"$CLOUDWATCH_METRIC_NAME"'",
        "metricNamespace": "'"$CLOUDWATCH_METRIC_NAMESPACE"'",
        "metricValue": "$.detail.eventName"
    }'

# Create Cloudwatch Alarm
aws cloudwatch put-metric-alarm \
    --alarm-name "$CLOUDWATCH_ALARM_NAME" \
    --actions-enabled \
    --alarm-actions "$SNS_TOPIC_ARN" \
    --metric-name "$CLOUDWATCH_METRIC_NAME" \
    --namespace "$CLOUDWATCH_METRIC_NAMESPACE" \
    --statistic Sum \
    --period 300 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --treat-missing-data notBreaching \
    --evaluation-periods 1 \
    --alarm-description "$CLOUDWATCH_ALARM_DESCRIPTION" \
    --profile "$PROFILE"

Edit: saw this post and tried to reconcile the unit differences. Still doesn't work.

amazon-web-services amazon-cloudwatch aws-event-bridge
1 Answer

0 votes

Through some trial and error with the metric filter settings, I found that I needed to set a default value of 0 in the metric transformations section:

# The "defaultValue": 0 entry in the metric transformations is what needed to be added
aws logs put-metric-filter \
    --profile $PROFILE \
    --log-group-name $CLOUDWATCH_LOG_GROUP_NAME \
    --filter-name $CLOUDWATCH_METRIC_FILTER_NAME \
    --filter-pattern '{ 
        $.eventName = "CreateRouteTable" ||
        $.eventName = "DeleteRouteTable" ||
        $.eventName = "ReplaceRouteTableAssociation"
    }' \
    --metric-transformations '{
        "metricName": "'"$CLOUDWATCH_METRIC_NAME"'",
        "metricNamespace": "'"$CLOUDWATCH_METRIC_NAMESPACE"'",
        "metricValue": "$.detail.eventName",
        "defaultValue": 0
    }'

The alarm now goes off when subnets are created or deleted. What I'm missing in this answer is the "why" behind this being needed for the alarm to work.
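Added example, not part of the question or the answer above: a small offline Python model of how a CloudWatch Logs metric filter resolves `$.` selectors against a JSON log event and what value it publishes, run against constructed events shaped like the payload in the question (the `ACCOUNT_ID` placeholder is kept). It compares the question's root-level `$.eventName` selector with a `$.detail.eventName` selector, and the `metricValue`/`defaultValue` combinations from both posts, then feeds the period sum into the alarm logic the question configures (Sum, threshold 1, missing data not breaching). The model makes three simplifying assumptions that are labelled in the code: selectors are resolved from the JSON root of the log event, a `metricValue` that points at a non-numeric field publishes no data point, and `defaultValue` is published for every event the pattern does not match.

```python
"""
Offline model of a CloudWatch Logs metric filter: how '$.' selectors are
resolved against a JSON log event and what value the filter publishes.
Added illustration, not AWS code. It models only the pattern subset used on
this page ({ $.a.b = "x" || $.a.b = "y" }) under simplified semantics.
"""
import json
import re
from typing import Any, Dict, List, Optional


# Constructed sample events, trimmed to the shape of the payload in the
# question. ACCOUNT_ID is a placeholder, not a real account.
def _event(event_name: str) -> str:
    return json.dumps({
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.ec2",
        "account": "ACCOUNT_ID",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": event_name,   # nested under "detail", not at the root
            "awsRegion": "us-east-1",
        },
    })


SAMPLE_EVENTS: List[str] = [
    _event("CreateRouteTable"),
    _event("DescribeRouteTables"),   # read-only call, must not count
    _event("DeleteRouteTable"),
]

# The filter from the question (root-level selector) and the same filter
# pointing at the field where EventBridge actually delivers the name.
ROOT_PATTERN = ('{ $.eventName = "CreateRouteTable" || $.eventName = "DeleteRouteTable"'
                ' || $.eventName = "ReplaceRouteTableAssociation" }')
NESTED_PATTERN = ROOT_PATTERN.replace("$.eventName", "$.detail.eventName")

_TERM = re.compile(r'\$\.([A-Za-z0-9_.\-]+)\s*=\s*"([^"]*)"')


def json_path(doc: Any, path: str) -> Optional[Any]:
    """Resolve a dotted selector such as 'detail.eventName' from the root."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None   # a missing field never matches
        cur = cur[part]
    return cur


def pattern_matches(pattern: str, message: str) -> bool:
    """Evaluate an OR-only JSON filter pattern against one log event."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON-style patterns are modelled")
    terms = _TERM.findall(body)
    if not terms:
        raise ValueError("no '$.field = \"literal\"' terms found")
    doc = json.loads(message)
    # parentheses are ignored: every term on this page is joined with ||
    return any(json_path(doc, path) == literal for path, literal in terms)


def metric_datapoint(pattern: str, transformation: Dict[str, Any],
                     message: str) -> Optional[float]:
    """Value the filter publishes for one event, or None for no data point."""
    if pattern_matches(pattern, message):
        mv = transformation["metricValue"]
        if mv.startswith("$."):
            extracted = json_path(json.loads(message), mv[2:])
            # assumption: a non-numeric extracted value publishes nothing
            if isinstance(extracted, bool) or not isinstance(extracted, (int, float)):
                return None
            return float(extracted)
        return float(mv)
    # assumption: defaultValue is published for every non-matching event
    default = transformation.get("defaultValue")
    return None if default is None else float(default)


def period_sum(pattern: str, transformation: Dict[str, Any],
               messages: List[str]) -> Optional[float]:
    """Sum statistic over one period; None means the metric had no data."""
    points = [p for p in (metric_datapoint(pattern, transformation, m)
                          for m in messages) if p is not None]
    return sum(points) if points else None


def alarm_breaches(total: Optional[float], threshold: float = 1.0) -> bool:
    """Sum >= threshold, with missing data treated as not breaching."""
    return total is not None and total >= threshold


if __name__ == "__main__":
    for label, pat in (("root $.eventName", ROOT_PATTERN),
                       ("nested $.detail.eventName", NESTED_PATTERN)):
        for tr in ({"metricValue": "$.detail.eventName"},
                   {"metricValue": "$.detail.eventName", "defaultValue": 0},
                   {"metricValue": "1"}):
            total = period_sum(pat, tr, SAMPLE_EVENTS)
            print(f"{label:28} {tr!s:58} sum={total} alarm={alarm_breaches(total)}")
```

Running the block prints one line per combination; the row for `$.detail.eventName` with `"metricValue": "1"` is the only one whose sum reaches the alarm threshold on the three constructed events. Against a real account, the same check can be done without deploying anything by passing the pattern and a sample log line to `aws logs test-metric-filter --filter-pattern '<pattern>' --log-event-messages '<json line>'`, which reports which lines match and what values would be extracted.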

© www.soinside.com 2019 - 2024. All rights reserved.