Managing AWS Network Firewall events using Amazon EventBridge

AWS Network Firewall sends events directly to the EventBridge default event bus when firewall state changes occur. You can use these events to automate responses, send notifications, or integrate with other AWS services when your firewall configuration or attachment status changes.

Event types

The following table describes the event types that AWS Network Firewall publishes to EventBridge default event bus for firewall state changes.

Event type	Description
Firewall Configuration Changed	Published when the firewall configuration changes, such as when a firewall policy or rule group is updated.
Firewall Attachment Status Changed	Published when the status of a firewall endpoint attachment changes.
Firewall Transit Gateway Attachment Status Changed	Published when the status of a transit gateway attachment to the firewall changes.

Event examples

The following examples show the structure of events that AWS Network Firewall publishes to EventBridge.

Firewall Configuration Changed

Events published when a firewall configuration changes, such as when a firewall policy or rule group is updated.

Firewall Attachment Status Changed

Events published when the status of a firewall endpoint attachment changes during the firewall lifecycle.

Creating Events

This event is published when a firewall endpoint attachment is being created in an availability zone. The Current Attachment Status field shows CREATING.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Current Attachment Status": "CREATING"
      }
    ],
    "metadata": {
      "State Change ID": "ec543b4702a2f9b277ddc1edfced32f5920431fca62d83d3052be5c637360b9f"
    },
    "version": "1.0.0"
  }
}

Ready Events

This event is published when a firewall endpoint attachment completes creation and becomes ready for traffic. The status transitions from CREATING to READY.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Current Attachment Status": "READY",
        "Endpoint ID": "vpce-1234567890abcdefg",
        "Previous Attachment Status": "CREATING"
      }
    ],
    "metadata": {
      "State Change ID": "59d86fd2f87cf005a2d41cffa8c86980f3648e9e2359b6c21068b6fbd31f6bd4"
    },
    "version": "1.0.0"
  }
}

Deleting Events

This event is published when a firewall endpoint attachment is being deleted. The status transitions from READY to DELETING.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Current Attachment Status": "DELETING",
        "Endpoint ID": "vpce-1234567890abcdefg",
        "Previous Attachment Status": "READY"
      }
    ],
    "metadata": {
      "State Change ID": "b6602d36c880bd5c6e6bdd62206cc6554c162019569f2170502f85c1b9332a33"
    },
    "version": "1.0.0"
  }
}

Firewall Transit Gateway Attachment Status Changed

Events published when the status of a transit gateway attachment to the firewall changes during the attachment lifecycle.

Creating Events

This event is published when a transit gateway attachment to the firewall is being created. The Current Transit Gateway Attachment Status field shows CREATING.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "CREATING"
    },
    "metadata": {
      "State Change ID": "4331b74ee5b5860fe659341efd09798857de175a8a4da7128ad0439e6ef710e7"
    },
    "version": "1.0.0"
  }
}

Pending Events

This event is published when a transit gateway attachment is waiting for acceptance. The status transitions from CREATING to PENDING_ACCEPTANCE.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "PENDING_ACCEPTANCE",
      "Previous Transit Gateway Attachment Status": "CREATING"
    },
    "metadata": {
      "State Change ID": "ce5a91c102a91bb94527baa4290b39dd3be79a9f3452f644c11145cf4755e13c"
    },
    "version": "1.0.0"
  }
}

Ready Events

This event is published when a transit gateway attachment completes and becomes ready for traffic. The status transitions from CREATING to READY.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "READY",
      "Previous Transit Gateway Attachment Status": "CREATING"
    },
    "metadata": {
      "State Change ID": "466efda83ad59a8d543eac712f5ad96465ac4ad87f5dab196cbf1be92f4d9918"
    },
    "version": "1.0.0"
  }
}

Deleting Events

This event is published when a transit gateway attachment is being deleted. The status transitions from READY to DELETING.


{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "DELETING",
      "Previous Transit Gateway Attachment Status": "READY"
    },
    "metadata": {
      "State Change ID": "5e68266934a286c64a5cc0593505f1ad2a0a959bef915e74aa6612bfb5accc6b"
    },
    "version": "1.0.0"
  }
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Logging and monitoring

Logging network traffic