I have a simple requirement to send notification on update of WAF rules. For this I created a cloud trail event for management events. In ClouWatch eventbridge I added a new rule with Event Pattern as :
{
"source": ["aws.waf", "aws.wafv2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["waf.amazonaws.com", "wafv2.amazonaws.com"],
"eventName": ["UpdateWebACL", "CreateWebACL", "DeleteWebACL", "UpdateRule", "CreateRule", "DeleteRule", "UpdateRuleGroup", "CreateRuleGroup", "DeleteRuleGroup"]
}
}
In Target I gave my SNS topic and as Input Transformation I gave :
{
"eventName": "$.details.eventName",
"timestamp": "$.time",
"user": "$.details.userIdentity.userName",
"webACLName": "$.details.requestParameters.name"
}
And a simple template :
"EventName: <eventName>"
"WebACL: <webACLName>"
"Time: \"<timestamp>\""
"User: <user>"
When a webACL is updated it is sending me the notification but other than time the other information are empty.
I could not find API Trail under event "AWS events" as shown [![Input Configuration][1]][1]
If instead of "Input Transformation" I choose "Part of matched event" and then give $.details in "Specify the part of the matched event", I can see the below details
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "xxxxxx",
"arn": "arn:aws:iam::xxx:user/test",
"accountId": "xxxx",
"accessKeyId": "xxxx",
"userName": "test",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2024-09-03T17:45:01Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-09-04T05:44:42Z",
"eventSource": "wafv2.amazonaws.com",
"eventName": "CreateWebACL",
"awsRegion": "us-east-1",
"sourceIPAddress": "xx.xx.xx.xx",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
"requestParameters": {
"name": "testwaf",
"scope": "REGIONAL",
"defaultAction": {
"allow": {}
},
"rules": [
{
"name": "AWS-AWSManagedRulesCommonRuleSet",
"priority": 0,
"statement": {
"managedRuleGroupStatement": {
"vendorName": "AWS",
"name": "AWSManagedRulesCommonRuleSet",
"excludedRules": [],
"ruleActionOverrides": [
{
"name": "CrossSiteScripting_BODY",
"actionToUse": {
"count": {}
}
},
:
{
"name": "UserAgent_BadBots_HEADER",
"actionToUse": {
"count": {}
}
}
]
}
},
"overrideAction": {
"none": {}
},
"visibilityConfig": {
"sampledRequestsEnabled": true,
"cloudWatchMetricsEnabled": true,
"metricName": "AWS-AWSManagedRulesCommonRuleSet"
}
}
],
"visibilityConfig": {
"sampledRequestsEnabled": true,
"cloudWatchMetricsEnabled": true,
"metricName": "testwaf"
},
"associationConfig": {}
},
"responseElements": {
"summary": {
"name": "testwaf",
"id": "xxxe",
"description": "",
"lockToken": "xxxx",
"aRN": "arn:aws:wafv2:us-east-1:xxxx:regional/webacl/testwaf/xxx"
}
},
"requestID": "xxx",
"eventID": "xxx",
"readOnly": false,
"eventType": "AwsApiCall",
"apiVersion": "2019-04-23",
"managementEvent": true,
"recipientAccountId": "xxx",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "wafv2.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
Is there any straightforward transformation to get the values from the event or should I use lambda and custom logic to extract the details.
Thanks [1]: https://i.sstatic.net/AoICKp8J.png
can you change your input transformation from $.details to $.detail and try:
old:
{
"eventName": "$.details.eventName",
"timestamp": "$.time",
"user": "$.details.userIdentity.userName",
"webACLName": "$.details.requestParameters.name"
}
corrected:
{
"eventName": "$.detail.eventName",
"timestamp": "$.time",
"user": "$.detail.userIdentity.userName",
"webACLName": "$.detail.requestParameters.name"
}
documentation for refernace: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html