Amazon EventBridge
User Guide

Tutorial: Log AWS API Calls Using EventBridge

You can use an EventBridge rule to invoke an AWS Lambda function that logs AWS API calls recorded by CloudTrail. For example, you can create a rule that matches any operation in Amazon EC2, or you can limit the rule to a single API call. In this tutorial, you log every call that stops an Amazon EC2 instance.

Prerequisite

Before you can match these events, you must use AWS CloudTrail to set up a trail that logs management events in the Region where you create the rule; EventBridge receives AWS API Call via CloudTrail events only for API calls that a trail records. Read-only calls such as Describe, List and Get operations are not delivered to EventBridge, so a rule of this kind can match only calls that change state. If you don't have a trail, complete the following procedure.

To create a trail

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose Trails, Create trail.

  3. For Trail name, type a name for the trail.

  4. For Storage location, in Create a new S3 bucket type the name for the new bucket that CloudTrail should deliver logs to.

  5. Choose Create.

Step 1: Create an AWS Lambda Function

Create a Lambda function to log the API call events. Specify this function when you create your rule.

To create a Lambda function

  1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.

  2. If you're new to Lambda, you see a welcome page. Choose Get Started Now. Otherwise, choose Create a Lambda function.

  3. On the Select blueprint page, enter hello for the filter and choose the hello-world blueprint.

  4. On the Configure triggers page, choose Next.

  5. On the Configure function page, do the following:

    1. Enter a name and description for the Lambda function. For example, name the function LogEC2StopInstance.

    2. Edit the sample code for the Lambda function. For example:

      'use strict';

      // Log the function name and the full EventBridge event, then signal success.
      exports.handler = (event, context, callback) => {
        console.log('LogEC2StopInstance');
        console.log('Received event:', JSON.stringify(event, null, 2));
        callback(null, 'Finished');
      };

    3. For Role, choose Choose an existing role. For Existing role, select your basic execution role. Otherwise, create a basic execution role. The function only writes to CloudWatch Logs, so the role needs no permissions beyond those of the AWSLambdaBasicExecutionRole managed policy (creating log groups and streams and putting log events).

    4. Choose Next.

  6. On the Review page, choose Create function.

Step 2: Create a Rule

Create a rule to run your Lambda function whenever you stop an Amazon EC2 instance.

To create a rule

  1. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.

  2. In the navigation pane, choose Rules.

  3. Choose Create rule.

  4. Enter a name and description for the rule.

  5. For Define pattern, do the following:

    1. Choose Event pattern.

    2. Choose Pre-defined pattern by service.

    3. For Service provider, choose AWS.

    4. For Service Name, choose EC2.

    5. For Event type, choose AWS API Call via CloudTrail.

    6. Choose Specific operation(s) and enter StopInstances in the box.

    7. The resulting event pattern matches every StopInstances call that CloudTrail records in the Region, whichever instances the call targets and whether or not the call succeeds (a denied call is still recorded, with an error code in the event detail). To restrict the match further, for example to a particular caller identity or instance ID, switch to a custom event pattern that also constrains fields in the detail section.

  6. For Select event bus, choose AWS default event bus. When an AWS service in your account emits an event, it always goes to your account’s default event bus.

  7. For Targets, choose Add target, Lambda function.

  8. For Function, select the Lambda function that you created.

  9. Choose Create.
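The following is an added example and not code from the AWS User Guide. It serves both Step 1 and Step 2: it writes out the event pattern that the console selections in Step 2 produce (EC2, AWS API Call via CloudTrail, operation StopInstances), applies a small matcher with EventBridge's exact-match semantics to a constructed sample event, and replaces the blueprint logger from Step 1 with a handler that records the fields an investigator needs (caller ARN, source IP, user agent, instance IDs, error code) as one JSON line. The sample event, account number, ARNs, IP address and instance ID are constructed for illustration; the function and variable names are this example's own.

```javascript
'use strict';

// Added example, not code from the AWS User Guide. The pattern below is the
// one the Step 2 console selections produce; the sample event, ARNs, IDs and
// addresses are constructed for illustration.

// Event pattern equivalent to the console choices in Step 2. Every key must
// be present in the event and each leaf array lists the accepted values.
const STOP_INSTANCES_PATTERN = {
  source: ['aws.ec2'],
  'detail-type': ['AWS API Call via CloudTrail'],
  detail: {
    eventSource: ['ec2.amazonaws.com'],
    eventName: ['StopInstances'],
  },
};

// Minimal matcher for exact-match patterns: a leaf array matches when the
// event's scalar value equals one of its entries; a nested object recurses.
// EventBridge's prefix, numeric and anything-but filters are not modelled.
function matchesPattern(event, pattern) {
  for (const [key, expected] of Object.entries(pattern)) {
    const actual = event[key];
    if (actual === undefined) return false;
    if (Array.isArray(expected)) {
      if (!expected.includes(actual)) return false;
    } else if (expected !== null && typeof expected === 'object') {
      if (actual === null || typeof actual !== 'object') return false;
      if (!matchesPattern(actual, expected)) return false;
    } else {
      return false; // pattern leaves must be arrays
    }
  }
  return true;
}

// Reduce a CloudTrail event to what an investigator asks first: who made the
// call, from where, with which tool, against which instances, and whether it
// failed (a denied call still produces an event, with errorCode set).
function summarizeStopInstances(event) {
  const d = event.detail || {};
  const identity = d.userIdentity || {};
  const params = d.requestParameters || {};
  const items = (params.instancesSet && params.instancesSet.items) || [];
  return {
    eventTime: d.eventTime,
    eventName: d.eventName,
    principalArn: identity.arn,
    principalType: identity.type,
    sourceIp: d.sourceIPAddress,
    userAgent: d.userAgent,
    region: d.awsRegion,
    instanceIds: items.map((i) => i.instanceId),
    forced: params.force === true,
    errorCode: d.errorCode || null,
  };
}

// Lambda handler in the async form used by current Node.js runtimes. The rule
// already filters events, but the handler re-checks the pattern so it stays
// correct if it is later attached to a broader rule. It logs one JSON line
// per call so CloudWatch Logs Insights can query the fields.
async function handler(event) {
  if (!matchesPattern(event, STOP_INSTANCES_PATTERN)) {
    console.log(JSON.stringify({ ignored: true, source: event.source, detailType: event['detail-type'] }));
    return 'Ignored';
  }
  const summary = summarizeStopInstances(event);
  console.log(JSON.stringify(summary));
  return summary;
}

// Constructed sample event in the shape EventBridge delivers for a CloudTrail
// management event. All identifiers are made up.
const SAMPLE_EVENT = {
  version: '0',
  id: '7bf73129-1428-4cd3-a780-95db273d1602',
  'detail-type': 'AWS API Call via CloudTrail',
  source: 'aws.ec2',
  account: '123456789012',
  time: '2023-05-04T12:34:56Z',
  region: 'us-east-1',
  resources: [],
  detail: {
    eventVersion: '1.08',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::123456789012:user/alice', userName: 'alice' },
    eventTime: '2023-05-04T12:34:56Z',
    eventSource: 'ec2.amazonaws.com',
    eventName: 'StopInstances',
    awsRegion: 'us-east-1',
    sourceIPAddress: '203.0.113.10',
    userAgent: 'aws-cli/2.11.0',
    requestParameters: { instancesSet: { items: [{ instanceId: 'i-0123456789abcdef0' }] }, force: false },
    responseElements: { instancesSet: { items: [{ instanceId: 'i-0123456789abcdef0', currentState: { code: 64, name: 'stopping' }, previousState: { code: 16, name: 'running' } }] } },
  },
};

// Export the handler for Lambda (guarded so the file also runs as a plain script).
if (typeof exports !== 'undefined') {
  exports.handler = handler;
}
```

To deploy it, paste the block into the function body from Step 1 in place of the blueprint code and keep the handler name as handler. The in-function pattern check is deliberate: the rule is the primary filter, but a function that silently accepts whatever it is sent will mis-log if someone later widens the rule to all EC2 operations, and the errorCode field is worth keeping because a burst of denied StopInstances calls from one principal is more interesting than a successful one.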

Step 3: Test the Rule

You can test your rule by stopping an Amazon EC2 instance using the Amazon EC2 console. CloudTrail typically delivers an API call event to EventBridge within a few minutes of the call, so after waiting for the instance to stop, check your AWS Lambda metrics in the CloudWatch console to verify that your function was invoked.

To test your rule by stopping an instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Launch an instance. For more information, see Launch Your Instance in the Amazon EC2 User Guide for Linux Instances.

  3. Stop the instance. For more information, see Stop and Start Your Instance in the Amazon EC2 User Guide for Linux Instances.

  4. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.

  5. In the navigation pane, choose Rules, choose the name of the rule that you created, and choose Metrics for the rule.

  6. To view the output from your Lambda function, do the following:

    1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

    2. In the navigation pane, choose Logs.

    3. Select the name of the log group for your Lambda function (/aws/lambda/function-name).

    4. Select the name of the log stream to view the data provided by the function for the instance that you stopped.

  7. (Optional) When you're finished, terminate the stopped instance. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.