Match AWS Secrets Manager events with Amazon EventBridge - AWS Secrets Manager

Match AWS Secrets Manager events with Amazon EventBridge

In Amazon EventBridge, you can match Secrets Manager events from CloudTrail log entries. You can configure EventBridge rules that look for these events and then send new generated events to a target to take action. For a list of CloudTrail entries that Secrets Manager logs, see CloudTrail entries. For instructions to set up EventBridge, see Getting started with EventBridge in the EventBridge User Guide.

Match all changes to a specified secret

Note

Because some Secrets Manager events return the ARN of the secret with different capitalization, in event patterns that match more than one action, to specify a secret by ARN, you may need to include both the keys arn and aRN. For more information, see AWS re:Post.

The following example shows an EventBridge event pattern that matches log entries for changes to a secret.

{ "source": ["aws.secretsmanager"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["DeleteResourcePolicy", "PutResourcePolicy", "RotateSecret", "TagResource", "UntagResource", "UpdateSecret"], "responseElements": { "arn": ["arn:aws:secretsmanager:us-west-2:012345678901:secret:mySecret-a1b2c3"] } } }

Match events when a secret value rotates

The following example shows an EventBridge event pattern that matches CloudTrail log entries for secret value changes that occur from manual updates or automatic rotation. Because some of these events are from Secrets Manager operations and some are generated by the Secrets Manager service, you must include the detail-type for both.

{ "source": ["aws.secretsmanager"], "$or": [ { "detail-type": ["AWS API Call via CloudTrail"] }, { "detail-type": ["AWS Service Event via CloudTrail"] } ], "detail": { "eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["PutSecretValue", "UpdateSecret", "RotationSucceeded"] } }