twtech Deep Dive into Amazon EventBridge – Intercepting API Calls.
Focus:
- How EventBridge captures, routes, transforms and acts on AWS API activity in real time.
Breakdown:
- How EventBridge Intercepts API Calls,
- Event Source: “AWS API Call via CloudTrail”,
- Types of API Calls EventBridge Can Detect,
- Common Use Cases for API Interception with EventBridge,
- EventBridge Rule Examples for API Interception,
- Architecture Pattern,
- Advanced Techniques,
- Lambda Remediation Sample,
- Security Considerations,
- Final thoughts.
Intro:
- EventBridge can intercept AWS API calls by consuming AWS CloudTrail events.
- CloudTrail records nearly all management-plane API calls made in AWS.
- EventBridge consumes those events in (near) real time when CloudTrail is configured for EventBridge integration.
- This architecture allows twtech to detect, filter, and react to API activity across its AWS environment.
1. How EventBridge Intercepts API Calls
EventBridge does not observe API calls directly. Instead:
1. AWS CloudTrail logs management API events (create, modify, delete, list, etc.).
2. CloudTrail publishes these events onto the EventBridge default event bus with the detail-type “AWS API Call via CloudTrail”.
3. twtech creates EventBridge rules to match specific API calls.
4. EventBridge sends those events to targets:
   - Lambda
   - SQS
   - SNS
   - Step Functions
   - Security Hub
   - EventBridge Pipes
   - Kinesis, Firehose, etc.
NB:
- Essentially, EventBridge = real-time event router for API calls.
2. Event Source: “AWS API Call via CloudTrail”
- This is the key source for API interception:
  source = "aws.cloudtrail"
  detail-type = "AWS API Call via CloudTrail"
The event format includes:
- userIdentity
- eventSource
- eventName
- requestParameters
- responseElements
- AWS Region
- Resource ARNs
- Time of action
- IP address / invokedBy
Sample EventBridge event for an S3 bucket deletion:
```json
{
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.cloudtrail",
  "detail": {
    "eventName": "DeleteBucket",
    "eventSource": "s3.amazonaws.com",
    "userIdentity": { xxxxxxxxxxx },
    "requestParameters": { "bucketName": "twtech-s3bucket" },
    "awsRegion": "us-east-2"
  }
}
```
3. Types of API Calls EventBridge Can Detect
✔ Management (Control Plane) API calls
- CloudTrail captures these, so EventBridge can detect them.
Samples:
- IAM changes (CreateUser, DeleteRole, AttachPolicy)
- EC2 lifecycle events (StartInstances, CreateImage)
- S3 API actions (PutBucketPolicy, DeleteBucket)
- KMS API calls (DisableKey, Encrypt, Decrypt)
- RDS, Lambda, ECS, CloudFormation, Route53 changes
- Console logins, MFA failures, credential usage
❌ Data Plane (e.g., GetObject, PutObject)
CloudTrail only captures some data-plane events:
- S3 (optional; data events must be explicitly enabled on the trail)
- DynamoDB streams (separate)
- API Gateway logs (separate)
For full data-plane visibility, you need:
- S3 Data Events
- DynamoDB Streams
- VPC Flow Logs
- API Gateway Access Logs
- Lambda Function URLs logs
4. Common Use Cases for API Interception with EventBridge
Security & Governance
- Detect IAM role or policy changes
- Alert on root login events
- Detect disabling of CloudTrail
- Detect an S3 bucket becoming public
- Detect deletion of security controls
- Detect creation of access keys
Operational Automation
- Automatically tag resources on creation
- Enforce naming standards
- Create CMDB records
- Synchronize cloud changes into ServiceNow or Jira
Compliance & Auditing
- Real-time evidence of API activity
- Automated remediation workflows
- Enforce organization-wide guardrails
Cost Optimization
- Detect expensive resource creation
- Auto-stop idle EC2 instances
5. EventBridge Rule Examples for API Interception
Detect creation of new IAM user
```json
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["CreateUser"]
  }
}
```
Detect S3 bucket policy changes
```json
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"]
  }
}
```
Detect CloudTrail being disabled
```json
{
  "source": ["aws.cloudtrail"],
  "detail": {
    "eventSource": ["cloudtrail.amazonaws.com"],
    "eventName": ["StopLogging"]
  }
}
```
6. Architecture Pattern
API Call → CloudTrail → EventBridge → Targets
- User/AWS service makes an API call.
- CloudTrail logs the event.
- CloudTrail streams the event to EventBridge.
- EventBridge filters and routes the event.
- Targets execute automation or alerts.
Targets may include:
- Lambda for remediation
- SQS for queueing
- SNS for notifications
- EventBridge Pipes → Step Functions workflows
- Firehose → S3 data lake
- Kinesis → SIEM ingestion
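The match-and-route step that sections 5 and 6 describe can be modelled in a few lines. The following is an added example, not code from the original post: it evaluates the three rule patterns from section 5 against constructed CloudTrail-style events and returns the target each matching rule would route to. Only the subset of EventBridge pattern semantics those rules use is implemented (a list means "value must be one of these", nested objects recurse, keys absent from the pattern are unconstrained); EventBridge's prefix, numeric, exists and anything-but matchers are not modelled. The target names and the user ARN are placeholders.

```python
"""Added example: an in-process model of EventBridge rule matching and routing
for CloudTrail API-call events.  Events are constructed samples; target names
are placeholders, not real resources."""
from __future__ import annotations

# The three rule patterns from section 5, each paired with a placeholder target.
RULES: dict[str, dict] = {
    "detect-iam-user-creation": {
        "pattern": {
            "source": ["aws.cloudtrail"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]},
        },
        "target": "lambda:placeholder-iam-alert",
    },
    "detect-s3-bucket-policy-change": {
        "pattern": {
            "source": ["aws.cloudtrail"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {
                "eventSource": ["s3.amazonaws.com"],
                "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"],
            },
        },
        "target": "sqs:placeholder-s3-review-queue",
    },
    "detect-cloudtrail-stop-logging": {
        # No detail-type constraint, exactly as in the post's third rule.
        "pattern": {
            "source": ["aws.cloudtrail"],
            "detail": {"eventSource": ["cloudtrail.amazonaws.com"], "eventName": ["StopLogging"]},
        },
        "target": "sns:placeholder-security-pager",
    },
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge pattern evaluation."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # a constrained key missing from the event never matches
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects, got {expected!r} at {key!r}")
    return True


def route(event: dict) -> list[tuple[str, str]]:
    """Return (rule name, target) for every rule whose pattern matches the event."""
    return [(name, rule["target"]) for name, rule in RULES.items()
            if pattern_matches(rule["pattern"], event)]


def cloudtrail_event(event_source: str, event_name: str, **request_parameters) -> dict:
    """Build a constructed CloudTrail-via-EventBridge event using the fields from section 2."""
    return {
        "source": "aws.cloudtrail",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-2",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/placeholder"},
            "requestParameters": request_parameters,
        },
    }


# Constructed sample traffic: two events that should match a rule and one that matches none.
SAMPLE_EVENTS = [
    cloudtrail_event("iam.amazonaws.com", "CreateUser", userName="svc-new"),
    cloudtrail_event("cloudtrail.amazonaws.com", "StopLogging", name="org-trail"),
    cloudtrail_event("s3.amazonaws.com", "DeleteBucket", bucketName="twtech-s3bucket"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        detail = event["detail"]
        print(f"{detail['eventSource']} {detail['eventName']}: {route(event) or 'no rule matched'}")
```

Note that the DeleteBucket sample routes nowhere even though section 2 used it as the sample event: the rules in section 5 only name PutBucketPolicy and DeleteBucketPolicy for S3, which is the kind of gap a rule review should catch.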
7. Advanced Techniques
Event Transformation (Input Transformer)
- Extract only the fields you need before passing to the target.
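An input transformer is configured with an InputPathsMap (names mapped to JSONPath expressions into the event) and an InputTemplate whose `<name>` placeholders are filled from those paths. The following is an added example, not code from the original post, modelling that behaviour in Python for a bucket-policy change event; it supports only dotted paths of the form `$.a.b.c` and plain `<name>` placeholders, so EventBridge's reserved variables and array indexing are not covered. The event, the path map and the template are constructed samples.

```python
"""Added example: a minimal model of the EventBridge Input Transformer.
The event and transformer configuration below are constructed samples."""
from __future__ import annotations

import re
from typing import Any

PLACEHOLDER = re.compile(r"<([A-Za-z0-9_.-]+)>")


def json_path_get(event: dict, path: str) -> Any:
    """Resolve a restricted JSONPath ($.key.subkey...) against a nested dict.

    Returns None when any segment is missing, so a template can still render
    when the event lacks an optional field.
    """
    if not path.startswith("$."):
        raise ValueError(f"only paths of the form $.a.b are supported, got {path!r}")
    node: Any = event
    for segment in path[2:].split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def transform(event: dict, input_paths_map: dict[str, str], input_template: str) -> str:
    """Apply an InputPathsMap + InputTemplate pair to an event and return the target input."""
    values = {name: json_path_get(event, path) for name, path in input_paths_map.items()}

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template references <{name}> but InputPathsMap does not define it")
        value = values[name]
        return "" if value is None else str(value)

    return PLACEHOLDER.sub(substitute, input_template)


# Constructed sample: the S3 bucket-policy change event from section 5 as CloudTrail would deliver it.
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "awsRegion": "us-east-2",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/placeholder"},
        "requestParameters": {"bucketName": "twtech-s3bucket"},
    },
}

# Constructed transformer configuration: keep only what an on-call notification needs.
INPUT_PATHS_MAP = {
    "api": "$.detail.eventName",
    "bucket": "$.detail.requestParameters.bucketName",
    "actor": "$.detail.userIdentity.arn",
    "region": "$.detail.awsRegion",
}
INPUT_TEMPLATE = "<api> on bucket <bucket> in <region> by <actor>"


def notification_text(event: dict = SAMPLE_EVENT) -> str:
    """The transformed message for the sample configuration."""
    return transform(event, INPUT_PATHS_MAP, INPUT_TEMPLATE)


if __name__ == "__main__":
    print(notification_text())
```

In the real service the InputTemplate is usually a JSON string (for example a quoted string or an object literal containing the placeholders), because the target receives the rendered result as its input; the plain-text template here keeps the model readable.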
Replay API Call Events
Using EventBridge Archive + Replay:
- Monitor historical security or API activity
- Re-test new automation on past events
Cross-Account Event Bus
Send API-call events from all accounts to a central security account.
Schema Registry
CloudTrail event schemas can be discovered automatically.
EventBridge Pipes + Enrichment
Enrich intercepted events with:
- DynamoDB metadata
- API Gateway endpoints
- Lambda functions
8. Lambda Remediation Sample
Auto-remediate if an S3 bucket becomes public:
Flow:
1. EventBridge detects PutBucketAcl → public
2. Lambda:
   - Removes public ACL
   - Applies standard policy
   - Sends Slack/SNS alert
9. Security Considerations
- Ensure CloudTrail is enabled org-wide
- Use EventBridge resource policies for cross-account delivery
- Use KMS for encryption
- Avoid overly broad rules to reduce cost/noise
- Apply least-privilege IAM roles for EventBridge and Lambda
Final thoughts
Amazon EventBridge, combined with CloudTrail, provides a real-time interception system for AWS API calls, enabling:
- Security monitoring
- Compliance enforcement
- Automated remediation
- Operational governance
- Centralized observability
NB:
This is foundational in modern CloudOps, SecOps, and DevSecOps environments.