Events from Amazon services - Amazon EventBridge
Service event deliveryEvents via CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Events from Amazon services

Many Amazon services generate events that EventBridge receives. When an Amazon service in your account emits an event, it goes to your account’s default event bus.

Event delivery from Amazon services

Each Amazon service that generates events sends them to EventBridge as either best effort or guaranteed delivery.

  • Best effort delivery means that the service attempts to send all events to EventBridge, but in some rare cases an event might not be delivered.

  • Guaranteed delivery means the service will successfully attempt to deliver events to EventBridge at least once.

    EventBridge will accept all valid events under normal conditions. In cases where events cannot be delivered because of an EventBridge service disruption, they will be retried again later by the Amazon service for up to 24 hours.

Once an event is delivered to EventBridge, EventBridge matches it against rules and then follows the retry policy and any dead-letter queue specified for the event target(s).

For a list of Amazon services that generate events, see Amazon services that generate events.

Accessing Amazon service events via Amazon CloudTrail

Amazon CloudTrail is a service that automatically records events such as Amazon API calls. You can create EventBridge rules that use the information from CloudTrail. For more information about CloudTrail, see What is Amazon CloudTrail?.

All events that are delivered by CloudTrail have Amazon API Call via CloudTrail as the value for detail-type.

Note

Currently, events from API actions that start with the keywords List, Get, or Describe aren't processed by EventBridge, with a few exceptions. For example, the events from the following Amazon STS actions:

  • GetFederationToken

  • GetSessionToken

Starting April 3. 2023, EventBridge will process all read-only management events. For more information, see Filtering management events from Amazon services.

To record events with a detail-type value of Amazon API Call via CloudTrail, a CloudTrail trail with logging enabled is required.

When using CloudTrail with Amazon S3, you need to configure CloudTrail to log data events. For more information, see Enabling CloudTrail event logging for S3 buckets and objects .

Some occurrences in Amazon services can be reported to EventBridge both by the service itself and by CloudTrail. For example, an Amazon EC2 API call that starts or stops an instance generates EventBridge events as well as events through CloudTrail.

CloudTrail supports both API callers and resource owners to receive events in their Amazon S3 buckets by creating trails, and delivers events to API callers through EventBridge. Resource owners in addition to API callers can monitor cross-account API calls through EventBridge. CloudTrail’s integration with EventBridge provides a convenient way to set automated rules-based workflows in response to events.

You can't use Amazon Put*Events API call events that are larger than 256 KB in size as event patterns because the maximum size of any Put*Events requests is 256 KB. For more information about the API calls that you can use, see CloudTrail supported services and integrations.

Filtering management events from Amazon services

In general, events from Amazon service APIs calls fall into two categories:

  • Mutating events: Mutating events are those that result in a change to a given resource. These events would include those from APIs that create, update, or delete resources.

  • Management (or non-mutating) events: Management events are those that report on the current state of a resource. These events include APIs that get, describe, or list a resource or resources.

Note

Currently, events from API actions that start with the keywords List, Get, or Describe aren't processed by EventBridge (with a few exceptions). Starting April 3. 2023, EventBridge will process all read-only management events delivered by CloudTrail. Some things to consider as you update your event rules for this change:

  • Certain read-only management events, such as Amazon Key Management Service GetKeyPolicy and DescribeKey, or IAM GetPolicy and GetRole events, occur at a much higher volume than typical mutating events.

    To put rules in place to exclude read-only management events, see Example 2 below.

  • You may already be receiving read-only management events, if those events don't start with Describe, Get, or List. For a list of read-only management events that do not adhere to the Describe, Get, or List naming convention, by Amazon services, see Management events generated by Amazon services.

    To continue to receive those events, see Example 3 and Example 4 below.

You can match or exclude read-only management events using the managementEvent and readOnly fields.

Example 1: Matching read-only events

For example, the following event pattern matches for read-only events:

{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "readOnly": [true]
  }
}

Example 2: Excluding read-only management events

While this example excludes read-only management events:

{
  "detail-type": ["AWS API Call via CloudTrail"],
    "$or": [{
        "detail": {
        "managementEvent": [false]
        }
    },
    {
        "detail": {
        "readOnly": [false]
        }
    }]
}

Example 3: Matching specific read-only management events

You can also define an event pattern that excludes management and read-only events, except for specific management events you want to receive. The following example excludes all management and read-only events except AssumeRole from Amazon Security Token Service.

Note

Best practice is to define a dedicated rule for matching specific events, for clarity and ease of editing. See Example 4 below for details.

{
  "detail-type": ["AWS API Call via CloudTrail"],
  "$or": [{
      "$or": [{
          "detail": {
            "managementEvent": [false]
          }
        },
        {
          "detail": {
            "readOnly": [false]
          }
        }
      ]
    },
    {
      "source": ["aws.sts"],
      "detail": {
        "eventName": ["AssumeRole"]
      }
    }
  ]
}

Example 4: Matching specific events using a dedicated rule

This example is a dedicated rule that matches the AssumeRole management event from Amazon Security Token Service. Best practice is to define a dedicated rule for matching specific events, for clarity and ease of editing. 

{
    "source" : [ "aws.sts" ],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail" : {
        "eventName" : ["AssumeRole"]
    }
}