Menu
Amazon Elastic Compute Cloud
User Guide for Linux Instances

Amazon CloudWatch Events for Amazon EBS

Amazon EBS emits notifications based on Amazon CloudWatch Events for a variety of snapshot and encryption status changes. With CloudWatch Events, you can establish rules that trigger programmatic actions in response to a change in snapshot or encryption key state. For example, when a snapshot is created, you can trigger an AWS Lambda function to share the completed snapshot with another account or copy it to another region for disaster-recovery purposes.

For more information, see Using Events in the Amazon CloudWatch User Guide.

Event Definitions and Examples

This section defines the supported Amazon EBS events and provides examples of event output for specific scenarios. Events in CloudWatch are represented as JSON objects. For more information about the format and content of event objects, see Events and Event Patterns in the Amazon CloudWatch Events User Guide.

The fields that are unique to EBS events are contained in the "detail" section of the JSON objects shown below. The "event" field contains the event name. The "result" field contains the completed status of the action that triggered the event.

Create Snapshot (createSnapshot)

The createSnapshot event is sent to your AWS account when an action to create a snapshot completes. This event can have a result of either succeeded or failed.

Event Data

The listing below is an example of a JSON object emitted by EBS for a successful createSnapshot event. The source field contains the ARN of the source volume. The StartTime and EndTime fields indicate when creation of the snapshot started and completed.

Copy
{ "version": "0", "id": "01234567-0123-0123-0123-012345678901", "detail-type": "EBS Snapshot Notification", "source": "aws.ec2", "account": "012345678901", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "us-east-1", "resources": [ "arn:aws:ec2::us-west-2:snapshot/snap-01234567" ], "detail": { "event": "createSnapshot", "result": "succeeded", "cause": "", "request-id": "", "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567", "source": "arn:aws:ec2::us-west-2:volume/vol-01234567", "StartTime": "yyyy-mm-ddThh:mm:ssZ", "EndTime": "yyyy-mm-ddThh:mm:ssZ" } }

Copy Snapshot (copySnapshot)

The copySnapshot event is sent to your AWS account when an action to copy a snapshot completes. This event can have a result of either succeeded or failed.

Event Data

The listing below is an example of a JSON object emitted by EBS after a failed copySnapshot event. The cause for the failure was an invalid source snapshot ID. The value of snapshot_id is the ARN of the failed snapshot. The value of source is the ARN of the source snapshot. StartTime and EndTime represent when the copy-snapshot action started and ended.

Copy
{ "version": "0", "id": "01234567-0123-0123-0123-012345678901", "detail-type": "EBS Snapshot Notification", "source": "aws.ec2", "account": "123456789012", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "us-east-1", "resources": [ "arn:aws:ec2::us-west-2:snapshot/snap-01234567" ], "detail": { "event": "copySnapshot", "result": "failed", "cause": "Source snapshot ID is not valid", "request-id": "", "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567", "source": "arn:aws:ec2::eu-west-1:snapshot/snap-76543210", "StartTime": "yyyy-mm-ddThh:mm:ssZ", "EndTime": "yyyy-mm-ddThh:mm:ssZ" } }

Share Snapshot (shareSnapshot)

The shareSnapshot event is sent to your AWS account when another account shares a snapshot with it. The result is always succeeded.

Event Data

The listing below is an example of a JSON object emitted by EBS after a completed shareSnapshot event. The value of source is the AWS account number of the user that shared the snapshot with you. StartTime and EndTime represent when the share-snapshot action started and ended. The shareSnapshot event is emitted only when a private snapshot is shared with another user. Sharing a public snapshot does not trigger the event.

Copy
{ "version": "0", "id": "01234567-01234-0123-0123-012345678901", "detail-type": "EBS Snapshot Notification", "source": "aws.ec2", "account": "012345678901", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "us-east-1", "resources": [ "arn:aws:ec2::us-west-2:snapshot/snap-01234567" ], "detail": { "event": "shareSnapshot", "result": "succeeded", "cause": "", "request-id": "", "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-01234567", "source": 012345678901, "StartTime": "yyyy-mm-ddThh:mm:ssZ", "EndTime": ""yyyy-mm-ddThh:mm:ssZ"" } }

Invalid Encryption Key on Volume Attach or Reattach (attachVolume, reattachVolume)

The attachVolume event is sent to your AWS account when it fails to attach or reattach a volume to an instance due to an invalid KMS key.

Note

You can use a KMS key to encrypt an EBS volume. If the key used to encrypt the volume becomes invalid, EBS will emit an event if that key is later used to create, attach, or reattach to a volume.

Event Data

The listing below is an example of a JSON object emitted by EBS after a failed attachVolume event. The cause for the failure was a KMS key pending deletion.

Note

AWS may attempt to reattach to a volume following routine server maintenance.

Copy
{ "version": "0", "id": "01234567-0123-0123-0123-0123456789ab", "detail-type": "EBS Volume Notification", "source": "aws.ec2", "account": "012345678901", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "us-east-1", "resources": [ "arn:aws:ec2:us-east-1:0123456789ab:volume/vol-01234567", "arn:aws:kms:us-east-1:0123456789ab:key/01234567-0123-0123-0123-0123456789ab" ], "detail": { "event": "attachVolume", "result": "failed", "cause": "arn:aws:kms:us-east-1:0123456789ab:key/01234567-0123-0123-0123-0123456789ab is pending deletion.", "request-id": "" } }

The listing below is an example of a JSON object emitted by EBS after a failed reattachVolume event. The cause for the failure was a KMS key pending deletion.

Copy
{ "version": "0", "id": "01234567-0123-0123-0123-0123456789ab", "detail-type": "EBS Volume Notification", "source": "aws.ec2", "account": "012345678901", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "us-east-1", "resources": [ "arn:aws:ec2:us-east-1:0123456789ab:volume/vol-01234567", "arn:aws:kms:us-east-1:0123456789ab:key/01234567-0123-0123-0123-0123456789ab" ], "detail": { "event": "reattachVolume", "result": "failed", "cause": "arn:aws:kms:us-east-1:0123456789ab:key/01234567-0123-0123-0123-0123456789ab is pending deletion.", "request-id": "" } }

Invalid Encryption Key on Create Volume (createVolume)

The createVolume event is sent to your AWS account when it fails to create a volume due to an invalid KMS key.

You can use a KMS key to encrypt an EBS volume. If the key used to encrypt the volume becomes invalid, EBS will emit an event if that key is later used to create, attach, or reattach to a volume.

Event Data

The listing below is an example of a JSON object emitted by EBS after a failed createVolume event. The cause for the failure was a disabled KMS key.

Copy
{ "version": "0", "id": "01234567-0123-0123-0123-0123456789ab", "detail-type": "EBS Volume Notification", "source": "aws.ec2", "account": "012345678901", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "sa-east-1", "resources": [ "arn:aws:ec2:sa-east-1:0123456789ab:volume/vol-01234567", ], "detail": { "event": "createVolume", "result": "failed", "cause": "arn:aws:kms:sa-east-1:0123456789ab:key/01234567-0123-0123-0123-0123456789ab is disabled.", "request-id": "01234567-0123-0123-0123-0123456789ab", } }

The following is an example of a JSON object that is emitted by EBS after a failed createVolume event. The cause for the failure was a KMS key pending import.

Copy
{ "version": "0", "id": "01234567-0123-0123-0123-0123456789ab", "detail-type": "EBS Volume Notification", "source": "aws.ec2", "account": "012345678901", "time": "yyyy-mm-ddThh:mm:ssZ", "region": "sa-east-1", "resources": [ "arn:aws:ec2:sa-east-1:0123456789ab:volume/vol-01234567", ], "detail": { "event": "createVolume", "result": "failed", "cause": "arn:aws:kms:sa-east-1:0123456789ab:key/01234567-0123-0123-0123-0123456789ab is pending import.", "request-id": "01234567-0123-0123-0123-0123456789ab", } }

Using Amazon Lambda To Handle CloudWatch Events

You can use Amazon EBS and CloudWatch Events to automate your data-backup workflow. This requires you to create an IAM policy, a AWS Lambda function to handle the event, and an Amazon CloudWatch Events rule that matches incoming events and routes them to the Lambda function.

The following procedure uses the createSnapshot event to automatically copy a completed snapshot to another region for disaster recovery.

To copy a completed snapshot to another region

  1. Create an IAM policy, such as the one shown in the following example, to provide permissions to execute a CopySnapshot action and write to the CloudWatch Events log. Assign the policy to the IAM user that will handle the CloudWatch event.

    Copy
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "ec2:CopySnapshot" ], "Resource": "*" } ] }
  2. Define a function in Lambda that will be available from the CloudWatch console. The sample Lambda function below, written in Node.js, is invoked by CloudWatch when a matching createSnapshot event is emitted by Amazon EBS (signifying that a snapshot was completed). When invoked, the function copies the snapshot from us-east-2 to us-east-1.

    Copy
    // Sample Lambda function to copy an EBS snapshot to a different region var AWS = require('aws-sdk'); var ec2 = new AWS.EC2(); // define variables var destinationRegion = 'us-east-1'; var sourceRegion = 'us-east-2'; console.log ('Loading function'); //main function exports.handler = (event, context, callback) => { // Get the EBS snapshot ID from the CloudWatch event details var snapshotArn = event.detail.snapshot_id.split('/'); const snapshotId = snapshotArn[1]; const description = `Snapshot copy from ${snapshotId} in ${sourceRegion}.`; console.log ("snapshotId:", snapshotId); // Load EC2 class and update the configuration to use destination region to initiate the snapshot. AWS.config.update({region: destinationRegion}); var ec2 = new AWS.EC2(); // Prepare variables for ec2.modifySnapshotAttribute call const copySnapshotParams = { Description: description, DestinationRegion: destinationRegion, SourceRegion: sourceRegion, SourceSnapshotId: snapshotId }; // Execute the copy snapshot and log any errors ec2.copySnapshot(copySnapshotParams, (err, data) => { if (err) { const errorMessage = `Error copying snapshot ${snapshotId} to region ${destinationRegion}.`; console.log(errorMessage); console.log(err); callback(errorMessage); } else { const successMessage = `Successfully started copy of snapshot ${snapshotId} to region ${destinationRegion}.`; console.log(successMessage); console.log(data); callback(null, successMessage); } }); };

    To ensure that your Lambda function is available from the CloudWatch console, create it in the region where the CloudWatch event will occur. For more information, see the AWS Lambda Developer Guide.

  3. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  4. Choose Events, Create rule, Select event source, and Amazon EBS Snapshots.

  5. For Specific Event(s), choose createSnapshot and for Specific Result(s), choose succeeded.

  6. For Rule target, find and choose the sample function that you previously created.

  7. Choose Target, Add Target.

  8. For Lambda function, select the Lambda function that you previously created and choose Configure details.

  9. On the Configure rule details page, type values for Name and Description. Select the State check box to activate the function (setting it to Enabled).

  10. Choose Create rule.

Your rule should now appear on the Rules tab. In the example shown, the event that you configured should be emitted by EBS the next time you copy a snapshot.