

# Tutorial: Create an EventBridge rule that reacts to Amazon API calls via CloudTrail

You can use Amazon EventBridge [rules](eb-rules.md) to react to API calls made by an Amazon service that are recorded by Amazon CloudTrail.

In this tutorial, you create an [Amazon CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) trail, a Lambda function, and a rule in the EventBridge console. The rule invokes the Lambda function when an Amazon EC2 instance is stopped.

**Topics**
+ [Step 1: Create an Amazon CloudTrail trail](#eb-log-api-create-ct-trail)
+ [Step 2: Create an Amazon Lambda function](#eb-api-create-lambda-function)
+ [Step 3: Create a rule](#eb-api-create-rule)
+ [Step 4: Test the rule](#eb-api-test-rule)
+ [Step 5: Confirm success](#success)
+ [Step 6: Clean up your resources](#cleanup)

## Step 1: Create an Amazon CloudTrail trail


If you already have a trail set up, skip to step 2.

**To create a trail**

1. Open the CloudTrail console at [https://console.amazonaws.cn/cloudtrail/](https://console.amazonaws.cn/cloudtrail/).

1. Choose **Trails**, **Create trail**.

1. For **Trail name**, type a name for the trail.

1. For **Storage location**, choose **Create a new S3 bucket**.

1. For **Amazon KMS alias**, type an alias for the KMS key.

1. Choose **Next**.

1. Choose **Next**.

1. Choose **Create trail**.

## Step 2: Create an Amazon Lambda function


Create a Lambda function to log the API call events. 

**To create a Lambda function**

1. Open the Amazon Lambda console at [https://console.amazonaws.cn/lambda/](https://console.amazonaws.cn/lambda/).

1. Choose **Create function**.

1. Choose **Author from scratch**.

1. Enter a name and description for the Lambda function. For example, name the function `LogEC2StopInstance`.

1. Leave the rest of the options as the defaults and choose **Create function**.

1. On the **Code** tab of the function page, double-click **index.js**.

1. Replace the existing code with the following code.

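   ```
   'use strict';
   
   // Invoked by the EventBridge rule; writes the full event to CloudWatch Logs.
   exports.handler = (event, context, callback) => {
       // Marker line that makes the invocation easy to find in the log stream.
       console.log('LogEC2StopInstance');
       // Pretty-print the whole event, including the CloudTrail record in event.detail.
       console.log('Received event:', JSON.stringify(event, null, 2));
       // Signal successful completion to the Lambda runtime.
       callback(null, 'Finished');
   };
   ```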

1. Choose **Deploy**.
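The handler above logs the entire event. As an added example (not part of the original tutorial), the variant below logs only who stopped which instances, from where, and whether the call was accepted. The helper name `summarizeStop` and all sample values are assumptions; the field names follow the CloudTrail record that EventBridge delivers in `detail`.

```javascript
'use strict';
// Constructed sample of the event delivered for StopInstances (all values are made up).
const sampleEvent = {
  source: 'aws.ec2',
  'detail-type': 'AWS API Call via CloudTrail',
  detail: {
    eventSource: 'ec2.amazonaws.com',
    eventName: 'StopInstances',
    eventTime: '2024-01-01T12:00:00Z',
    awsRegion: 'cn-north-1',
    sourceIPAddress: '198.51.100.7',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws-cn:iam::111122223333:user/example' },
    requestParameters: { instancesSet: { items: [{ instanceId: 'i-0123456789abcdef0' }] } }
  }
};

// Hypothetical helper: reduce the event to the fields an audit log needs.
// Returns null for anything that is not an EC2 StopInstances record.
function summarizeStop(event) {
  const d = event && event.detail;
  if (!d || event['detail-type'] !== 'AWS API Call via CloudTrail' ||
      d.eventSource !== 'ec2.amazonaws.com' || d.eventName !== 'StopInstances') {
    return null;
  }
  const items = d.requestParameters?.instancesSet?.items || [];
  return {
    time: d.eventTime,
    region: d.awsRegion,
    actor: d.userIdentity?.arn ?? d.userIdentity?.principalId ?? 'unknown',
    sourceIp: d.sourceIPAddress ?? 'unknown',
    instanceIds: items.map((i) => i.instanceId),
    // CloudTrail sets errorCode when the API call failed.
    outcome: d.errorCode ? `failed:${d.errorCode}` : 'accepted'
  };
}

const handler = async (event) => {
  const summary = summarizeStop(event);
  if (summary === null) {
    console.warn('Ignoring unexpected event type');
    return 'Ignored';
  }
  console.log(JSON.stringify(summary)); // one JSON line per call, easy to query
  return 'Finished';
};

// Lambda (CommonJS) looks up exports.handler; the guard lets the file run elsewhere too.
if (typeof exports !== 'undefined') exports.handler = handler;
```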

## Step 3: Create a rule


Create a rule to run the Lambda function you created in step 2 whenever you stop an Amazon EC2 instance.

**To create a rule**

1. Open the Amazon EventBridge console at [https://console.amazonaws.cn/events/](https://console.amazonaws.cn/events/).

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter a name and description for the rule. For example, name the rule `TestRule`.

1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select **default**. When an Amazon service in your account emits an event, it always goes to your account’s default event bus.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event source**, choose **Amazon services**.

1. For **Event pattern**, do the following:

   1. For **Event source**, select **EC2** from the drop-down list.

   1. For **Event type**, select **Amazon API Call via CloudTrail** from the drop-down list.

   1. Choose **Specific operation(s)** and enter `StopInstances`.

1. Choose **Next**.

1. For **Target types**, choose **Amazon service**.

1. For **Select a target**, choose **Lambda function** from the drop-down list.

1. For **Function**, select the Lambda function that you created in the **Step 2: Create an Amazon Lambda function** section. In this example, select `LogEC2StopInstance`.

1. Choose **Next**.

1. Choose **Next**.

1. Review the details of the rule and choose **Create rule**.
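The console selections in this step correspond to a JSON event pattern. As an added example (not part of the original tutorial), the code below writes that pattern out and checks constructed events against it with a simplified local matcher; `matchesPattern`, `mkEvent` and `demo` are hypothetical names, and the matcher models only exact-value matching, not the full EventBridge pattern language. The event type shown in the console as **Amazon API Call via CloudTrail** appears in the event as the `detail-type` value `AWS API Call via CloudTrail`.

```javascript
'use strict';

// Event pattern equivalent to the console choices in this step.
const pattern = {
  source: ['aws.ec2'],
  'detail-type': ['AWS API Call via CloudTrail'],
  detail: {
    eventSource: ['ec2.amazonaws.com'],
    eventName: ['StopInstances']
  }
};

// Simplified local model of exact-value matching: a pattern array lists the
// allowed values for a field; a pattern object descends into the event.
// Event fields absent from the pattern are ignored. Operators such as
// prefix or anything-but are deliberately not modelled.
function matchesPattern(pat, event) {
  if (event === null || typeof event !== 'object') return false;
  return Object.entries(pat).every(([key, want]) => {
    const got = event[key];
    if (Array.isArray(want)) {
      // An array-valued event field matches if any element is allowed.
      const values = Array.isArray(got) ? got : [got];
      return values.some((v) => want.includes(v));
    }
    return matchesPattern(want, got);
  });
}

// Constructed test events (values are made up).
const mkEvent = (eventName, source = 'aws.ec2') => ({
  source,
  'detail-type': 'AWS API Call via CloudTrail',
  detail: { eventSource: 'ec2.amazonaws.com', eventName, awsRegion: 'cn-north-1' }
});

function demo() {
  return {
    stop: matchesPattern(pattern, mkEvent('StopInstances')),
    start: matchesPattern(pattern, mkEvent('StartInstances')),
    // Same detail fields, but not emitted by the EC2 service: must not match.
    customSource: matchesPattern(pattern, mkEvent('StopInstances', 'custom.app'))
  };
}

console.log(demo());
```

Keeping `source` and `detail.eventSource` in the pattern, rather than matching on `eventName` alone, restricts the rule to records that come from the EC2 service.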

## Step 4: Test the rule


You can test your rule by stopping an Amazon EC2 instance using the Amazon EC2 console. Wait a few minutes for the instance to stop, and then check your Amazon Lambda metrics on the CloudWatch console to verify that your function ran.

**To test your rule by stopping an instance**

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Launch an instance. For more information, see [Launch Your Instance](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/LaunchingAndUsingInstances.html) in the *Amazon EC2 User Guide*.

1. Stop the instance. For more information, see [Stop and Start Your Instance](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Stop_Start.html) in the *Amazon EC2 User Guide*.

1. To view the output from your Lambda function, do the following:

   1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

   1. In the navigation pane, choose **Logs**.

   1. Select the name of the log group for your Lambda function (`/aws/lambda/function-name`).

   1. Select the name of the log stream to view the data provided by the function for the instance that you stopped.

1. (Optional) When you're finished, terminate the stopped instance. For more information, see [Terminate Your Instance](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/terminating-instances.html) in the *Amazon EC2 User Guide*.

## Step 5: Confirm success


If you see the Lambda event in the CloudWatch logs, you've successfully completed this tutorial. If the event isn't in your CloudWatch logs, start troubleshooting by verifying that the rule was created successfully and, if the rule looks correct, verifying that the code of your Lambda function is correct.

## Step 6: Clean up your resources


You can now delete the resources that you created for this tutorial, unless you want to retain them. By deleting Amazon resources that you are no longer using, you prevent unnecessary charges to your Amazon account.

**To delete the EventBridge rule(s)**

1. Open the [Rules page](https://console.amazonaws.cn/events/home#/rules) of the EventBridge console.

1. Select the rule(s) that you created.

1. Choose **Delete**.

1. Choose **Delete**.

**To delete the Lambda function(s)**

1. Open the [Functions page](https://console.amazonaws.cn/lambda/home#/functions) of the Lambda console.

1. Select the function(s) that you created.

1. Choose **Actions**, **Delete**.

1. Choose **Delete**.

**To delete the CloudTrail trail(s)**

1. Open the [Trails page](https://console.amazonaws.cn/cloudtrail/home#/trails) of the CloudTrail console.

1. Select the trail(s) that you created.

1. Choose **Delete**.

1. Choose **Delete**.