Tutorial: Log AWS API Calls Using CloudWatch Events - Amazon CloudWatch Events
PrerequisiteStep 1: Create an AWS Lambda FunctionStep 2: Create a RuleStep 3: Test the Rule

Tutorial: Log AWS API Calls Using CloudWatch Events

Note

Amazon EventBridge is the preferred way to manage your events. CloudWatch Events and EventBridge are the same underlying service and API, but EventBridge provides more features. Changes you make in either CloudWatch or EventBridge will appear in each console. For more information, see Amazon EventBridge.

You can use an AWS Lambda function that logs each AWS API call. For example, you can create a rule to log any operation within Amazon EC2, or you can limit this rule to log only a specific API call. In this tutorial, you log every time an Amazon EC2 instance is stopped.

Prerequisite

Before you can match these events, you must use AWS CloudTrail to set up a trail. If you do not have a trail, complete the following procedure.

To create a trail

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose Trails, Create trail.

  3. For Trail name, type a name for the trail.

  4. For Storage location, in Create a new S3 bucket type the name for the new bucket that CloudTrail should deliver logs to.

  5. Choose Create.

Step 1: Create an AWS Lambda Function

Create a Lambda function to log the API call events. Specify this function when you create your rule.

To create a Lambda function

  1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.

  2. If you are new to Lambda, you see a welcome page. Choose Get Started Now. Otherwise, choose Create a Lambda function.

  3. On the Select blueprint page, type hello for the filter and choose the hello-world blueprint.

  4. On the Configure triggers page, choose Next.

  5. On the Configure function page, do the following:

    1. Type a name and description for the Lambda function. For example, name the function "LogEC2StopInstance".

    2. Edit the sample code for the Lambda function. For example:

      'use strict';

exports.handler = (event, context, callback) => {
    console.log('LogEC2StopInstance');
    console.log('Received event:', JSON.stringify(event, null, 2));
    callback(null, 'Finished');
};

    3. For Role, choose Choose an existing role. For Existing role, select your basic execution role. Otherwise, create a new basic execution role.

    4. Choose Next.

  6. On the Review page, choose Create function.

Step 2: Create a Rule

Create a rule to run your Lambda function whenever you stop an Amazon EC2 instance.

To create a rule

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Events, Create rule.

  3. For Event source, do the following:

    1. Choose Event Pattern.

    2. Choose Build event pattern to match events by service.

    3. Choose EC2, AWS API Call via CloudTrail.

    4. Choose Specific operation(s) and then type StopInstances in the box below.

  4. For Targets, choose Add target, Lambda function.

  5. For Function, select the Lambda function that you created.

  6. Choose Configure details.

  7. For Rule definition, type a name and description for the rule.

  8. Choose Create rule.

Step 3: Test the Rule

You can test your rule by stopping an Amazon EC2 instance using the Amazon EC2 console. After waiting a few minutes for the instance to stop, check your AWS Lambda metrics in the CloudWatch console to verify that your function was invoked.

To test your rule by stopping an instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Launch an instance. For more information, see Launch Your Instance in the Amazon EC2 User Guide for Linux Instances.

  3. Stop the instance. For more information, see Stop and Start Your Instance in the Amazon EC2 User Guide for Linux Instances.

  4. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  5. In the navigation pane, choose Events, select the name of the rule that you created, and choose Show metrics for the rule.

  6. To view the output from your Lambda function, do the following:

    1. In the navigation pane, choose Logs.

    2. Select the name of the log group for your Lambda function (/aws/lambda/function-name).

    3. Select the name of log stream to view the data provided by the function for the instance that you stopped.

  7. (Optional) When you are finished, you can terminate the stopped instance. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.