Tags: amazon-web-services, aws-lambda, aws-secrets-manager, aws-event-bridge, amazon-cloudtrail

Create an EventBridge rule from a CloudTrail event in order to trigger a Lambda


I am trying to have a Lambda trigger when a secret in AWS Secrets Manager is rotated.

So I am trying to use CloudTrail for this. I am trying to follow this AWS documentation.

The documentation doesn't seem to do anything with the trail they create, but anyway this is what I have done:

In CloudTrail I can see the event history of when a secret is rotated, and it looks like this:

"eventName": "RotationSucceeded",
"awsRegion": "eu-west-1",
"sourceIPAddress": "secretsmanager.amazonaws.com",
"userAgent": "secretsmanager.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"additionalEventData": {
    "SecretId": "arn:aws:secretsmanager:eu-west-1:acc_id:secret:rds!xxxxxxxx"
}

I have created a trail where I have added a data event for CloudTrail and added these 3 custom log selectors:

Field          Operator    Value
eventName      equals      RotationSucceeded
resources.ARN  startsWith  [ARN]
readOnly       equals      false

This is done with the intention that this trail should only log events that are for "RotationSucceeded".

I then have an EventBridge rule set up where my event pattern is like this:

{
  "source": ["aws.secretsmanager"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["secretsmanager.amazonaws.com"],
    "eventName": ["RotationSucceeded"]
  }
}

I have attached this rule to a simple Lambda that just prints Hello World for testing purposes.

The issue is that I can see the Lambda is not getting triggered when I rotate the specific secret. I can see the RotationSucceeded event if I go to CloudTrail.

Does anyone know why this is, or what was the point of setting up a CloudTrail trail like the AWS documentation states if it doesn't seem to do anything with it?

Or if anyone knows a better way of getting a Lambda to trigger when secret rotation takes place, that would be appreciated.


Solution

  • The RotationSucceeded event has the detail-type value "AWS Service Event via CloudTrail". However, you've configured the wrong detail-type value in your event rule.

    The following event rule will help to filter the RotationSucceeded events of Secrets Manager.

    {
      "source": ["aws.secretsmanager"],
      "detail-type": ["AWS Service Event via CloudTrail"],
      "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["RotationSucceeded"]
      }
    }
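An added example, not code from the question or the answer, that checks both event patterns against a constructed copy of the rotation event with a small local approximation of EventBridge's matching rules (exact-value lists and nested objects). The account id and secret name are placeholders, and the event shape follows the CloudTrail record quoted in the question.

```python
# Constructed event, shaped like the CloudTrail record quoted in the question;
# account id and secret name are placeholders.
ROTATION_EVENT = {
    "source": "aws.secretsmanager",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "RotationSucceeded",
        "awsRegion": "eu-west-1",
        "additionalEventData": {
            "SecretId": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:rds!PLACEHOLDER"},
    },
}

# The rule from the question (wrong detail-type) and the corrected one from the answer.
DETAIL = {"eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["RotationSucceeded"]}
ASKER_PATTERN = {"source": ["aws.secretsmanager"],
                 "detail-type": ["AWS API Call via CloudTrail"], "detail": DETAIL}
FIXED_PATTERN = {"source": ["aws.secretsmanager"],
                 "detail-type": ["AWS Service Event via CloudTrail"], "detail": DETAIL}


def first_mismatch(pattern, event, path=""):
    """Dotted path of the first pattern field the event fails, or None on a
    match. EventBridge semantics used here: every pattern key must exist in the
    event, a list means "value equals one of these", a nested dict recurses,
    and event keys the pattern does not mention are ignored."""
    for key, expected in pattern.items():
        here = f"{path}.{key}" if path else key
        if key not in event:
            return here
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict):
                return here
            inner = first_mismatch(expected, actual, here)
            if inner is not None:
                return inner
        elif actual not in expected:  # list of literal alternatives
            return here
    return None


def matches(pattern, event):
    return first_mismatch(pattern, event) is None


if __name__ == "__main__":
    for name, pattern in (("asker", ASKER_PATTERN), ("fixed", FIXED_PATTERN)):
        print(name, "->", first_mismatch(pattern, ROTATION_EVENT) or "match")
```

Running it reports `detail-type` as the failing field for the question's pattern and a match for the corrected one, which is the same outcome EventBridge produces when deciding whether to invoke the Lambda.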