I am trying to have a Lambda trigger when a secret in AWS Secrets Manager is rotated.
So I am trying to use CloudTrail for this. I am trying to follow this AWS documentation.
The documentation doesn't seem to do anything with the trail they create, but anyway this is what I have done:
In CloudTrail I can see the event history of when a secret is rotated, and it looks like this:
```json
{
  "eventName": "RotationSucceeded",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "secretsmanager.amazonaws.com",
  "userAgent": "secretsmanager.amazonaws.com",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "SecretId": "arn:aws:secretsmanager:eu-west-1:acc_id:secret:rds!xxxxxxxx"
  }
}
```
I have created a trail where I have added a data event for CloudTrail and added these 3 custom log selectors:

| Field | Operator | Value |
|---|---|---|
| eventName | equals | RotationSucceeded |
| resources.ARN | startsWith | [ARN] |
| readOnly | equals | false |
This is done with the intention that this trail should only log events that are for "RotationSucceeded".
I then have an EventBridge rule set up where my event pattern is like this:
```json
{
  "source": ["aws.secretsmanager"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["secretsmanager.amazonaws.com"],
    "eventName": ["RotationSucceeded"]
  }
}
```
I have attached this rule to a simple Lambda that just prints Hello World for testing purposes.
The issue is that I can see the Lambda is not getting triggered when I rotate the specific secret. I can see the RotationSucceeded event if I go to CloudTrail.
Does anyone know why this is, or what was the point of setting up a CloudTrail trail like the AWS documentation states if it doesn't seem to do anything with it?
Or if anyone knows a better way of getting a Lambda to trigger when secret rotation takes place, that would be appreciated.
The RotationSucceeded event has the detail-type value "AWS Service Event via CloudTrail". However, you've configured the wrong detail-type value in your event rule.
The following event rule will help to filter the RotationSucceeded events of Secrets Manager:
```json
{
  "source": ["aws.secretsmanager"],
  "detail-type": ["AWS Service Event via CloudTrail"],
  "detail": {
    "eventSource": ["secretsmanager.amazonaws.com"],
    "eventName": ["RotationSucceeded"]
  }
}
```
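To see why the question's rule never fires while the answer's does, here is an added example (not part of the original thread) that runs both patterns against a constructed sample of the event EventBridge delivers for a CloudTrail-recorded Secrets Manager service event; the account id and secret name in the ARN are placeholders, and the matcher only models EventBridge's exact-value matching.

```python
# Constructed sample of what EventBridge delivers for a Secrets Manager
# service event recorded by CloudTrail, trimmed to the fields that matter.
SAMPLE_EVENT = {
    "source": "aws.secretsmanager",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "RotationSucceeded",
        "readOnly": False,
        "additionalEventData": {
            # placeholder account id and secret name, not a real ARN
            "SecretId": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:example-secret"
        },
    },
}

def make_pattern(detail_type):
    """Build the rule pattern from the thread with the given detail-type."""
    return {
        "source": ["aws.secretsmanager"],
        "detail-type": [detail_type],
        "detail": {
            "eventSource": ["secretsmanager.amazonaws.com"],
            "eventName": ["RotationSucceeded"],
        },
    }

def matches(pattern, event):
    """Minimal model of EventBridge exact matching: every key in the pattern
    must exist in the event; a list means 'any of these values'; a nested
    dict recurses. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # expected is a list of allowed values
            return False
    return True

WRONG_PATTERN = make_pattern("AWS API Call via CloudTrail")       # question's rule
RIGHT_PATTERN = make_pattern("AWS Service Event via CloudTrail")  # answer's rule

if __name__ == "__main__":
    for name, pat in (("question", WRONG_PATTERN), ("answer", RIGHT_PATTERN)):
        print(name, "->", "MATCH" if matches(pat, SAMPLE_EVENT) else "no match")
```

Against the live service, boto3's `events.test_event_pattern(EventPattern=..., Event=...)` performs the same check with EventBridge's full matching rules; this local matcher covers only exact values, not prefix or other content filters.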