How to automatically create CloudWatch alerts with CloudTrail, Lambda, and Serverless

athena.sql

SELECT DISTINCT eventname
FROM cloudtrail_logs_chargedup_cloudtrail

aws_cloudtrail.tf

resource "aws_cloudtrail" "example" {
  # ... other configuration ...

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }
  }
}

cloud-trail.js

module.exports.handler = async (event, _context, cb) => {
  const {
    detail: {
      responseElements: { functionArn = 'missing' },
      eventName = 'missing',
    },
  } = event;

  const [, functionName = ''] = functionArn.match(/^.*function:(.*)$/) || [];

  console.log({ eventName, functionName });

  if (functionName.includes(stage)) {
    await publishToSns(functionName, eventName, stage);
    await createAlarmsForEndpoints(functionName);
  }

  cb(null, 'ok');
};

serverless.yml

  cloud-trail-listener:
    handler: cloud-trail.handler
    events:
      - cloudwatchEvent:
          event:
            source:
              - aws.lambda
            detail-type:
              - AWS API Call via CloudTrail
            detail:
              eventSource:
                - lambda.amazonaws.com
              eventName:
                - UpdateFunctionCode20150331v2
                - CreateFunction20150331