Last active
February 9, 2026 14:52
-
-
Save atheiman/11d0f05c1d4294ab56b36ef6803eb9c9 to your computer and use it in GitHub Desktop.
CloudFormation template creating an EventBridge rule to send events to a CloudWatch Logs log group for review.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # aws cloudformation deploy \ | |
| # --stack-name LogEvents \ | |
| # --template-file ./cloudformation-eventbridge-cloudwatch-logs.yml \ | |
| # --parameter-overrides EventSources=aws.ec2,aws.ecs | |
| # | |
| # Use this EventBridge rule to send events to a CloudWatch Logs log group for review. An example | |
| # use case is to review CloudTrail logs w/ CloudWatch Logs Insights. Recently used this to identify | |
| # service and CloudTrail events from DRS to trigger custom automation (Lambda). | |
| # | |
| # Example CloudWatch Logs Insights query for the log group: | |
| # | |
| # fields @timestamp, @message, `detail-type`, `detail.eventName` | |
| # | filter detail.eventName in ["CreateSourceServerForDrs", "CreateRecoveryInstanceForDrs", "ReverseReplication"] | |
| # | sort @timestamp desc | |
| # | limit 1000 | |
| Parameters: | |
| EventSources: | |
| Type: CommaDelimitedList | |
| Description: > | |
| Required. Comma-delimited list of event sources to capture. Example: | |
| "aws.ec2,aws.ecs,aws.s3". See https://docs.aws.amazon.com/eventbridge/latest/ref/events.html | |
| for a list of AWS event sources. Edit the template directly to add more | |
| EventPattern filtering fields (detail, detail-type). | |
| Resources: | |
| Rule: | |
| Type: 'AWS::Events::Rule' | |
| Properties: | |
| Description: !Sub 'Log events - created by CloudFormation stack ${AWS::StackId}' | |
| State: ENABLED | |
| EventPattern: | |
| # https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-pattern.html | |
| source: !Ref EventSources | |
| # detail-type: | |
| # - AWS API Call via CloudTrail | |
| # - Some other service-specific event | |
| # detail: | |
| # someAttribute: | |
| # - some value | |
| Targets: | |
| - Id: LogGroup | |
| Arn: !Sub '${LogGroup.Arn}' | |
| LogGroup: | |
| Type: AWS::Logs::LogGroup | |
| Properties: | |
| LogGroupName: !Sub '/${AWS::StackName}/events' | |
| RetentionInDays: 14 | |
| Tags: | |
| - Key: CfnStackId | |
| Value: !Ref AWS::StackId | |
| # Allow EventBridge rule to write to the log group. | |
| # https://repost.aws/knowledge-center/cloudwatch-log-group-eventbridge | |
| LogsResourcePolicy: | |
| Type: AWS::Logs::ResourcePolicy | |
| Properties: | |
| PolicyName: !Sub '${AWS::StackName}-Events' | |
| PolicyDocument: !Sub >- | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "TrustEventsToStoreLogs", | |
| "Effect":"Allow", | |
| "Principal": { | |
| "Service": [ | |
| "events.amazonaws.com", | |
| "delivery.logs.amazonaws.com" | |
| ] | |
| }, | |
| "Action": [ | |
| "logs:CreateLogStream", | |
| "logs:PutLogEvents" | |
| ], | |
| "Resource": "${LogGroup.Arn}" | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment