Amazon CloudWatch Events
User Guide

Tutorial: Log AWS API Calls Using CloudWatch Events

You can use a simple AWS Lambda function that logs each AWS API call. For example, you can create a rule to log any operation within Amazon EC2, or you can limit this rule to log only a specific API call. In this tutorial, you log every time an Amazon EC2 instance is stopped.

Prerequisite

Before you can match these events, you must use AWS CloudTrail to set up a trail. If you do not have a trail, complete the following procedure.

To create a trail

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose Add new trail.

  3. For Trail name, type a name for the trail.

  4. For S3 bucket, type the name for the new bucket where CloudTrail will deliver logs.

  5. Choose Create.

Step 1: Create a Lambda Function

Create a Lambda function to log the API call events. You'll specify this function when you create your rule.

To create a Lambda function

  1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.

  2. If you are new to Lambda, you see a welcome page; choose Get Started Now. Otherwise, choose Create a Lambda function.

  3. On the Select blueprint page, type hello for the filter, and then choose the hello-world blueprint.

  4. On the Configure triggers page, choose Next.

  5. On the Configure function page, do the following:

    1. Type a name and description for the Lambda function. (For example, name the function "LogEC2StopInstance".)

    2. Edit the sample code for the Lambda function. For example:

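      'use strict';

      // Log every event that the CloudWatch Events rule delivers to this function.
      exports.handler = (event, context, callback) => {
          console.log('LogEC2StopInstance');
          // Pretty-print the full event, including the CloudTrail record in event.detail.
          console.log('Received event:', JSON.stringify(event, null, 2));
          callback(null, 'Finished');
      };
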
    3. For Role, choose Choose an existing role and then choose your basic execution role from Existing role. Otherwise, create a new basic execution role.

    4. Choose Next.

  6. On the Review page, choose Create function.
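
A variant of the logging function that writes one audit line per StopInstances call (caller, source IP, instance IDs, outcome) instead of the whole event. This is an added example, not part of the original tutorial. The helper name summarizeStopInstances and all sample values are constructed, and the field names assume the CloudTrail record layout carried in the event's detail.

```javascript
// Added example: condense the CloudTrail record in event.detail into one audit line.
// Field names assume the CloudTrail record format; the sample event is constructed.
function summarizeStopInstances(event) {
    const detail = (event && event.detail) || {};
    // Guard against a rule that matches more than EC2 StopInstances.
    if (detail.eventSource !== 'ec2.amazonaws.com' || detail.eventName !== 'StopInstances') {
        return null;
    }
    const params = detail.requestParameters || {};
    const items = (params.instancesSet && params.instancesSet.items) || [];
    const identity = detail.userIdentity || {};
    return {
        time: detail.eventTime || null,
        region: detail.awsRegion || null,
        actor: identity.arn || identity.principalId || 'unknown',
        sourceIp: detail.sourceIPAddress || 'unknown',
        instanceIds: items.map((i) => i.instanceId).filter(Boolean),
        // A denied or failed call carries errorCode; record it rather than drop it.
        outcome: detail.errorCode || 'Success',
    };
}

function handler(event, context, callback) {
    const summary = summarizeStopInstances(event);
    if (summary === null) return callback(null, 'Ignored');
    console.log('LogEC2StopInstance', JSON.stringify(summary));
    callback(null, 'Finished');
}

// Constructed sample event (placeholder account ID, ARN, IP address, instance ID).
const sampleEvent = {
    'detail-type': 'AWS API Call via CloudTrail',
    source: 'aws.ec2',
    detail: {
        eventSource: 'ec2.amazonaws.com',
        eventName: 'StopInstances',
        eventTime: '2017-01-01T12:00:00Z',
        awsRegion: 'us-east-1',
        sourceIPAddress: '203.0.113.10',
        userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/example-user' },
        requestParameters: { instancesSet: { items: [{ instanceId: 'i-0123456789abcdef0' }] } },
    },
};

if (typeof module !== 'undefined') { module.exports = { handler }; }
```

Logging a single JSON object per call makes the log stream searchable by actor or instance ID, and keeping the errorCode means denied stop attempts show up alongside successful ones.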

Step 2: Create a Rule

Create a rule to run your Lambda function whenever you stop an Amazon EC2 instance.

To create a rule

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Events.

  3. Choose Create rule.

  4. For Event selector, do the following:

    1. Choose AWS API call.

    2. For Service name, choose EC2.

    3. Choose Specific operation(s) and then choose StopInstances.

  5. For Targets, choose Add target and then choose Lambda function.

  6. For Function, select the Lambda function that you created.

  7. Choose Configure details.

  8. For Rule definition, type a name and description for the rule.

  9. Choose Create rule.

Step 3: Test the Rule

You can test your rule by stopping an Amazon EC2 instance using the Amazon EC2 console. After waiting a few minutes for the instance to stop, check your AWS Lambda metrics in the CloudWatch console to verify that your function was invoked.

To test your rule by stopping an instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Launch an instance. For more information, see Launch Your Instance in the Amazon EC2 User Guide for Linux Instances.

  3. Stop the instance. For more information, see Stop and Start Your Instance in the Amazon EC2 User Guide for Linux Instances.

  4. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  5. To view metrics for the event, do the following:

    1. In the navigation pane, choose Events.

    2. Choose the name of the rule you created.

    3. Choose Show metrics for the rule.

  6. To view the output from your Lambda function, do the following:

    1. In the navigation pane, choose Logs.

    2. Choose the name of the log group for your Lambda function (/aws/lambda/function-name).

    3. Choose the name of the log stream to view the data provided by the function for the instance you stopped.

  7. (Optional) When you are finished, you can terminate the stopped instance. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.