CloudWatch Rule set to trigger from CloudTrail doesn't trigger Lambda function unless I create a Trail to store CloudTrail logs in an S3 bucket

I am trying to trigger a Lambda function when a RequestCertificate event is raised in AWS Certificate Manager.

To do this, I created a CloudWatch Rule with the following syntax:

{
  "source": [
    "aws.acm"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "acm.amazonaws.com"
    ],
    "eventName": [
      "RequestCertificate"
    ]
  }
}

This rule has the Lambda function as its target. I have made sure the Lambda function has all the permissions it needs to execute correctly.

However, when I request a certificate in ACM, the Lambda is not triggered at all, even though the RequestCertificate event appears in the CloudTrail event history.

To work around this, I had to create a Trail that stores the CloudTrail logs in an S3 bucket. Once that was done, the Lambda now triggers correctly.

The problem is that this isn't specified in the documentation here: Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail

So, I'd like to know whether this is the expected behaviour, or whether there is a problem with my CloudWatch Rule.

Thanks.

After contacting the AWS Support team, they confirmed that if the detail type is AWS API Call via CloudTrail, you will not receive any events unless you enable a CloudTrail trail. So creating an S3 bucket was the right thing to do.

Here is their full response, in case it helps anyone else:

Yes, if detail type is 'AWS API Call via CloudTrail', then cloudtrail should be enabled in order to get the events.

For event pattern where you specify 'AWS API Call via CloudTrail', if you do not enable CloudTrail trail, you will not receive the events for the same.

CloudTrail is only required with the Services/APIs which do not emit the CloudWatch events directly. In such cases only, we would need to monitor the CloudTrail API calls to trigger the CloudWatch event rules. The API operations are logged in CloudTrail and will be available to CloudWatch events for matching. Whenever any API call is logged into CloudTrail and the Service name and API call specified in the CloudWatch event rule match those of the APIs logged in CloudTrail, the CloudWatch event rule will be triggered. Eg. S3 Object Level put API operations do not emit any specific event to CloudWatch, hence in this case we would need to capture the respective API call from the CloudTrail events. However certain services emit CloudWatch events directly for any specific action they perform. In such cases we would not need to use CloudTrail for triggering CloudWatch Events. Eg. EC2 Stop Instance operation emits a direct event to CloudWatch. In this case we need not use CloudTrail for capturing these events for a CloudWatch Event rule.

For ACM, you will need to enable the CloudTrail events as ACM does not directly emit specific events to CloudWatch.
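To make the matching behaviour described above concrete, here is an added example (not code from the original post or from AWS) that implements the basic CloudWatch Events pattern semantics and runs the rule from the question against constructed sample events: a CloudTrail-delivered ACM RequestCertificate event, a CloudTrail-delivered ACM DescribeCertificate event, and a directly emitted EC2 state-change event of the kind the support reply mentions. The matcher is simplified (exact-value lists only; content filters such as prefix or numeric matching are not implemented), and the account id, event id and domain name in the sample events are made up.

```python
"""Simplified CloudWatch Events / EventBridge pattern matcher (added example).

Semantics implemented: every key in the pattern must be present in the event
(keys are AND-ed); a list in the pattern is the set of allowed values (OR-ed);
a nested dict is matched recursively. Content filters are not supported.
"""

# Rule pattern exactly as given in the question.
RULE_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["acm.amazonaws.com"],
        "eventName": ["RequestCertificate"],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Return True if `event` satisfies `pattern` under the simplified rules."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            # Nested object in the pattern: recurse into the event's sub-object.
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            # Leaf in the pattern: the event value (or any element of an
            # array-valued event field) must be one of the allowed values.
            candidates = value if isinstance(value, list) else [value]
            if not any(candidate in allowed for candidate in candidates):
                return False
    return True


def cloudtrail_event(event_name: str) -> dict:
    """Build a constructed EventBridge envelope of the shape CloudTrail
    delivers for an ACM management API call. A trail with management
    events logging must exist for such an event to be delivered at all."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # constructed
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.acm",
        "account": "111122223333",  # constructed
        "time": "2019-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.05",
            "eventSource": "acm.amazonaws.com",
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "requestParameters": {
                "domainName": "example.com",  # constructed
                "validationMethod": "DNS",
            },
        },
    }


# Constructed example of an event a service emits directly (no trail needed).
EC2_STATE_CHANGE_EVENT = {
    "version": "0",
    "id": "11111111-1111-1111-1111-111111111111",  # constructed
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "111122223333",  # constructed
    "time": "2019-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"],
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"},
}


def evaluate_samples() -> dict:
    """Run the question's rule against each sample; only the CloudTrail-
    delivered RequestCertificate call should match."""
    return {
        "acm_request_certificate": matches(RULE_PATTERN, cloudtrail_event("RequestCertificate")),
        "acm_describe_certificate": matches(RULE_PATTERN, cloudtrail_event("DescribeCertificate")),
        "ec2_state_change": matches(RULE_PATTERN, EC2_STATE_CHANGE_EVENT),
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

The matcher shows why the rule pattern itself was fine: the only event it can match is one whose envelope carries detail-type "AWS API Call via CloudTrail", and that envelope is produced from trail-logged management events, which is exactly why no trail meant no invocation.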