Amazon CloudWatch Events
User Guide

Event Patterns in CloudWatch Events

Events in Amazon CloudWatch Events are represented as JSON objects. For more information about JSON objects, see RFC 7159. The following is an example event:

{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2", "account": "111122223333", "time": "2015-12-22T18:43:48Z", "region": "us-east-1", "resources": [ "arn:aws:ec2:us-east-1:123456789012:instance/i-12345678" ], "detail": { "instance-id": "i-12345678", "state": "terminated" } }

It is important to remember the following details about an event:

  • They all have the same top-level fields – the ones appearing in the example above – which are never absent.

  • The contents of the detail top-level field are different depending on which service generated the event and what the event is. The combination of the source and detail-type fields serves to identify the fields and values found in the detail field. For examples of events generated by AWS services, see Event Types for CloudWatch Events.

Each event field is described below.


By default, this is set to 0 (zero) in all events.


A unique value is generated for every event. This can be helpful in tracing events as they move through rules to targets, and are processed.


Identifies, in combination with the source field, the fields and values that appear in the detail field.


Identifies the service that sourced the event. All events sourced from within AWS begin with "aws." Customer-generated events can have any value here, as long as it doesn't begin with "aws." We recommend the use of Java package-name style reverse domain-name strings.

To find the correct value for source for an AWS service, see the table in AWS Service Namespaces. For example, the source value for Amazon CloudFront is aws.cloudfront.


The 12-digit number identifying an AWS account.


The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received.


Identifies the AWS region where the event originated.


This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service. For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs.


A JSON object, whose content is at the discretion of the service originating the event. The detail content in the example above is very simple, just two fields. AWS API call events have detail objects with around 50 fields nested several levels deep.

Event Patterns

Rules use event patterns to select events and route them to targets. A pattern either matches an event or it doesn't. Event patterns are represented as JSON objects with a structure that is similar to that of events, for example:

{ "source": [ "aws.ec2" ], "detail-type": [ "EC2 Instance State-change Notification" ], "detail": { "state": [ "running" ] } }

It is important to remember the following about event pattern matching:

  • For a pattern to match an event, the event must contain all the field names listed in the pattern. The field names must appear in the event with the same nesting structure.

  • Other fields of the event not mentioned in the pattern are ignored; effectively, there is a "*": "*" wildcard for fields not mentioned.

  • The matching is exact (character-by-character), without case-folding or any other string normalization.

  • The values being matched follow JSON rules: Strings enclosed in quotes, numbers, and the unquoted keywords true, false, and null.

  • Number matching is at the string representation level. For example, 300, 300.0, and 3.0e2 are not considered equal.

The following event patterns would match the event at the top of this page. The first pattern matches because one of the instance values specified in the pattern matches the event (and the pattern does not specify any additional fields not contained in the event). The second one matches because the "terminated" state is contained in the event.

{ "resources": [ "arn:aws:ec2:us-east-1:123456789012:instance/i-12345678", "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdefgh" ] }
{ "detail": { "state": [ "terminated" ] } }

These event patterns do not match the event at the top of this page. The first pattern does not match because the pattern specifies a "pending" value for state, and this value does not appear in the event. The second pattern does not match because the resource value specified in the pattern does not appear in the event.

{ "source": [ "aws.ec2" ], "detail-type": [ "EC2 Instance State-change Notification" ], "detail": { "state": [ "pending" ] } }
{ "source": [ "aws.ec2" ], "detail-type": [ "EC2 Instance State-change Notification" ], "resources": [ "arn:aws:ec2:us-east-1::image/ami-12345678" ] }

Arrays In CloudWatch Events Patterns

The value of each field in a pattern is an array containing one or more values, and the pattern matches if any of the values in the array match the value in the event. If the value in the event is an array, then the pattern matches if the intersection of the pattern array and the event array is non-empty.

For example, an example event pattern includes the following text:

"resources": [ "arn:aws:ec2:us-east-1:123456789012:instance/i-b188560f", "arn:aws:ec2:us-east-1:111122223333:instance/i-b188560f", "arn:aws:ec2:us-east-1:444455556666:instance/i-b188560f", ]

The example pattern would match an event that includes the following text, because the first item in the pattern array matches the second item in the event array.

"resources": [ "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:eb56d16b-bbf0-401d-b893-d5978ed4a025:autoScalingGroupName/ASGTerminate", "arn:aws:ec2:us-east-1:123456789012:instance/i-b188560f" ]