Amazon EventBridge Intercepting API Calls - Deep Dive.
Scope:
- Intro,
- How EventBridge Intercepts API Calls,
- Event Source: “AWS API Call via CloudTrail”,
- Types of API Calls EventBridge Can Detect,
- Common Use Cases for API Interception with EventBridge,
- EventBridge Rule Examples for API Interception,
- Architecture Pattern,
- Advanced Techniques,
- Lambda Remediation Sample,
- Security Considerations,
- Final thoughts.
Intro:
- EventBridge can intercept AWS API calls by consuming the events that AWS CloudTrail records.
- CloudTrail records nearly all management-plane (control-plane) API calls made in an AWS account.
- CloudTrail hands those management events to EventBridge in near real time, on the default event bus of the account and Region in which the call was made. Keep CloudTrail logging enabled and confirm in a test account that the events you expect actually arrive before relying on a rule.
- This architecture allows twtech to:
- Detect,
- Filter,
- React to API activity across its AWS environment.
1. How EventBridge Intercepts API Calls
- EventBridge does not observe API calls directly. Instead:
1. AWS CloudTrail records management API events (create, modify, delete, attach, etc.). Read-only calls such as List*, Get* and Describe* are logged by CloudTrail but, with few exceptions, are not delivered to EventBridge, so rules cannot match them.
2. CloudTrail publishes each event to the account's default event bus with source "aws.cloudtrail" and detail-type "AWS API Call via CloudTrail".
3. twtech creates EventBridge rules whose event patterns match specific API calls.
4. EventBridge sends matching events to targets:
- Lambda
- SQS
- SNS
- Step Functions
- Another event bus (for example, one in a central security account)
- API destinations (HTTP endpoints)
- Kinesis Data Streams, Firehose, etc.
NB:
- Essentially, EventBridge = a near-real-time event router for API calls.
2. Event Source: “AWS API Call via CloudTrail”
- This is the key source for API interception. Both envelope fields identify it:
source = "aws.cloudtrail"
detail-type = "AWS API Call via CloudTrail"
- The CloudTrail record itself is carried under "detail" and includes:
- userIdentity (type, arn, accountId, sessionContext, invokedBy)
- eventSource (the service endpoint, e.g. s3.amazonaws.com)
- eventName (the API operation)
- requestParameters
- responseElements (plus errorCode/errorMessage when the call failed)
- awsRegion
- resources (ARNs touched by the call, when CloudTrail records them)
- eventTime
- sourceIPAddress and userAgent
Sample EventBridge event for an S3 bucket deletion (userIdentity abbreviated):
# json
{
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.cloudtrail",
  "detail": {
    "eventName": "DeleteBucket",
    "eventSource": "s3.amazonaws.com",
    "userIdentity": { ... },
    "requestParameters": { "bucketName": "twtech-s3bucket" },
    "awsRegion": "us-east-2"
  }
}
3. Types of API Calls EventBridge Can Detect
✔ Management (Control Plane) API calls
- CloudTrail captures these and delivers the write (mutating) ones to EventBridge, so rules can match them.
Samples:
- IAM changes (CreateUser, DeleteRole, AttachRolePolicy, CreateAccessKey)
- EC2 lifecycle events (StartInstances, CreateImage)
- S3 bucket-level actions (PutBucketPolicy, PutBucketAcl, DeleteBucket)
- KMS key-state changes (DisableKey, ScheduleKeyDeletion)
- RDS, Lambda, ECS, CloudFormation, Route53 changes
- Console sign-ins, including failed attempts and whether MFA was used; these arrive under the separate detail-type "AWS Console Sign In via CloudTrail"
❌ Data Plane (e.g., GetObject, PutObject)
- CloudTrail can optionally log data events (S3 object operations, Lambda Invoke, DynamoDB item access), but data events are not delivered to EventBridge as "AWS API Call via CloudTrail", and neither are read-only management calls.
For data-plane visibility, use the service's own event source or logs instead:
- S3 EventBridge notifications (source "aws.s3", e.g. "Object Created"), with S3 data events in CloudTrail for the audit record
- DynamoDB Streams
- VPC Flow Logs
- API Gateway access logs
- Lambda function URL logs in CloudWatch Logs
4. Common Use Cases for API Interception with EventBridge
Security & Governance
- Detect IAM role or policy changes
- Alert on root account activity, including root console logins
- Detect CloudTrail being stopped, deleted or reconfigured
- Detect an S3 bucket being made public (PutBucketAcl, PutBucketPolicy, DeletePublicAccessBlock)
- Detect deletion of security controls (GuardDuty detectors, Config recorders, security group rules)
- Detect creation of access keys
Operational Automation
- Automatically tag resources on creation
- Enforce naming standards
- Create CMDB records
- Synchronize cloud changes into ServiceNow or Jira
Compliance & Auditing
- Real-time evidence of API activity
- Automated remediation workflows
- Enforce organization-wide guardrails
Cost Optimization
- Detect expensive resource creation (large instance types, provisioned capacity)
- Auto-stop idle EC2 instances (idleness has to come from CloudWatch metrics; API events only show the lifecycle calls)
5. EventBridge Rule Examples for API Interception
# Detect creation of new IAM user
# json
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["CreateUser"]
  }
}
# Detect S3 bucket policy changes
# json
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"]
  }
}
# Detect CloudTrail being disabled or tampered with (matching StopLogging alone misses trail deletion and selector changes; detail-type is included so the rule does not match unrelated aws.cloudtrail events)
# json
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["cloudtrail.amazonaws.com"],
    "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"]
  }
}
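The rules above are only useful if they match what CloudTrail actually delivers. The following is an added example, not code from the original post or from AWS: a small re-implementation of the subset of EventBridge pattern-matching semantics these rules rely on (exact values, "prefix", "suffix", "anything-but" and "exists"), run over constructed, abbreviated sample events so a rule set can be unit-tested before it is deployed. The rule names, the two extra content-filtering rules and the sample events are assumptions made for the example.

```python
"""Evaluate EventBridge-style event patterns against CloudTrail API-call events.

Added example (not from the original post). Implements only the matchers used
here: exact values, "prefix", "suffix", "anything-but", "exists". The sample
events are constructed and abbreviated, not real CloudTrail records.
"""
from typing import Any


def _match_value(event_value: Any, matcher: Any) -> bool:
    """Test one event value against one entry of a pattern list."""
    if isinstance(matcher, dict):  # content-filtering operator
        if "prefix" in matcher:
            return isinstance(event_value, str) and event_value.startswith(matcher["prefix"])
        if "suffix" in matcher:
            return isinstance(event_value, str) and event_value.endswith(matcher["suffix"])
        if "anything-but" in matcher:
            excluded = matcher["anything-but"]
            return event_value not in (excluded if isinstance(excluded, list) else [excluded])
        raise ValueError(f"unsupported matcher: {matcher}")
    return event_value == matcher  # exact match


def _match_field(event: dict, key: str, matchers: list) -> bool:
    """A field matches if any event value matches any matcher (OR within a list)."""
    exists = [m["exists"] for m in matchers if isinstance(m, dict) and "exists" in m]
    if exists:  # "exists" tests the field's presence, not its value
        return (key in event) == exists[0]
    if key not in event:
        return False
    values = event[key] if isinstance(event[key], list) else [event[key]]
    return any(_match_value(v, m) for v in values for m in matchers)


def matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must match (AND across keys); nested objects recurse."""
    for key, spec in pattern.items():
        if isinstance(spec, dict):
            child = event.get(key)
            if not isinstance(child, dict) or not matches(spec, child):
                return False
        elif isinstance(spec, list):
            if not _match_field(event, key, spec):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or an object")
    return True


def evaluate(rules: dict, events: list) -> dict:
    """Map each event id to the names of the rules that would have fired, in rule order."""
    return {e["id"]: [name for name, pat in rules.items() if matches(pat, e)] for e in events}


# Envelope shared by every rule on this page.
API_CALL = {"source": ["aws.cloudtrail"], "detail-type": ["AWS API Call via CloudTrail"]}

# The three rules from the page plus two content-filtering variants (assumed names).
RULES = {
    "iam-user-created": {**API_CALL, "detail": {
        "eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}},
    "s3-bucket-policy-change": {**API_CALL, "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"]}},
    "cloudtrail-tampering": {**API_CALL, "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"]}},
    "root-api-activity": {**API_CALL, "detail": {"userIdentity": {"type": ["Root"]}}},
    "s3-outside-home-region": {**API_CALL, "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "awsRegion": [{"anything-but": ["us-east-2"]}]}},
}


def _api_call(event_id, svc, name, region="us-east-2", identity="IAMUser", params=None):
    """Build an abbreviated 'AWS API Call via CloudTrail' event (constructed sample data)."""
    return {"id": event_id, "source": "aws.cloudtrail",
            "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": svc, "eventName": name, "awsRegion": region,
                       "userIdentity": {"type": identity},
                       "requestParameters": params or {}}}


SAMPLE_EVENTS = [
    _api_call("evt-1", "iam.amazonaws.com", "CreateUser", params={"userName": "svc-deploy"}),
    _api_call("evt-2", "s3.amazonaws.com", "PutBucketPolicy", params={"bucketName": "twtech-s3bucket"}),
    _api_call("evt-3", "cloudtrail.amazonaws.com", "StopLogging", identity="Root", params={"name": "org-trail"}),
    # Read-only call: EventBridge would not even deliver it; included to show no rule fires.
    _api_call("evt-4", "ec2.amazonaws.com", "DescribeInstances"),
    _api_call("evt-5", "s3.amazonaws.com", "PutBucketAcl", region="eu-west-1", params={"bucketName": "twtech-s3bucket"}),
]

if __name__ == "__main__":
    for event_id, fired in evaluate(RULES, SAMPLE_EVENTS).items():
        print(event_id, "->", fired or "no rule")
```

Running the block prints which rule names fire for each sample event; evt-3 (root stopping a trail) fires two rules, and evt-4 fires none. Because the matcher implements the same AND-across-keys / OR-within-list semantics as EventBridge, a rule that is too broad (for example, one that omits detail-type) shows up here as unexpected matches before it generates noise in production.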
6. Architecture Pattern
API Call → CloudTrail → EventBridge → Targets
- A user or AWS service makes an API call.
- CloudTrail records the event.
- CloudTrail delivers the event to the EventBridge default bus.
- EventBridge filters the event against its rules and routes the matches.
- Targets execute automation or alerts.
Targets may include:
- Lambda for remediation
- SQS for queueing (and as the source of an EventBridge Pipe)
- SNS for notifications
- Step Functions workflows, either directly as a rule target or behind SQS → EventBridge Pipes
- Firehose → S3 data lake
- Kinesis → SIEM ingestion
7. Advanced Techniques
Event Transformation (Input Transformer)
- Extracts only the fields the target needs (for example eventName, userIdentity.arn and requestParameters.bucketName) and reshapes them before delivery.
Replay API Call Events
- Using EventBridge Archive + Replay:
- Re-examine historical security or API activity
- Re-test new automation on past events
- An archive only captures events from the moment it is created, so archive the default bus early.
Cross-Account Event Bus
- Send API-call events from all accounts to a central security account: a rule in each member account targets the central bus, whose resource policy allows events:PutEvents from the organization.
Schema Registry
- CloudTrail event schemas can be discovered automatically when schema discovery is enabled on the bus, giving typed bindings for target code.
EventBridge Pipes + Enrichment
- A Pipe reads from a source such as SQS, Kinesis or a DynamoDB stream, optionally enriches each event with a Lambda function, Step Functions state machine, API Gateway endpoint or API destination (for example, a Lambda that looks up asset-owner metadata in DynamoDB), and then delivers it to the target.
8. Lambda Remediation Sample
- Auto-remediate if an S3 bucket becomes public:
Flow:
1. EventBridge matches PutBucketAcl (and DeletePublicAccessBlock) from s3.amazonaws.com and invokes the Lambda. The rule cannot tell whether the requested ACL is public, so the function has to inspect requestParameters.
2. Lambda:
- Reverts the ACL to private if it granted AllUsers or AuthenticatedUsers
- Re-applies the standard Public Access Block configuration
- Sends a Slack/SNS alert naming the bucket and the principal that made the change
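The flow above, as an added example that is not the post's own code or an AWS sample. Assumptions: the function is the target of a rule matching eventName PutBucketAcl or DeletePublicAccessBlock on eventSource s3.amazonaws.com; its role holds s3:PutBucketAcl, s3:PutPublicAccessBlock and sns:Publish; the alert topic comes from a hypothetical ALERT_TOPIC_ARN environment variable; and the requestParameters layouts (x-amz-acl header logged as a list, AccessControlPolicy.AccessControlList.Grant) follow CloudTrail's representation, which you should verify against a real record from your own account. The sample event is constructed. The decision logic is kept separate from the boto3 calls and the clients are injectable, so it can be tested offline.

```python
"""Auto-remediate S3 buckets that an API call just made public.

Added example (not the post's own code). See the lead-in for the assumed rule,
IAM permissions, ALERT_TOPIC_ARN variable and CloudTrail field layouts.
"""
import json
import os
from typing import Optional

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def public_grants(detail: dict) -> list:
    """Public grants a PutBucketAcl request asked for: canned ACL header or explicit grants."""
    params = detail.get("requestParameters") or {}
    found = []
    canned = params.get("x-amz-acl") or []  # assumed: header values logged as a list
    for acl in (canned if isinstance(canned, list) else [canned]):
        if acl in PUBLIC_CANNED_ACLS:
            found.append(f"canned:{acl}")
    acl_policy = params.get("AccessControlPolicy") or {}  # assumed layout, see lead-in
    grants = (acl_policy.get("AccessControlList") or {}).get("Grant") or []
    for grant in (grants if isinstance(grants, list) else [grants]):
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            found.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return found


def findings(detail: dict) -> list:
    """Reasons this event needs remediation; empty means benign (e.g. a private ACL)."""
    if detail.get("errorCode"):
        return []  # the call was rejected, nothing changed on the bucket
    name = detail.get("eventName")
    if name == "PutBucketAcl":
        return public_grants(detail)
    if name == "DeletePublicAccessBlock":
        return ["public-access-block-removed"]
    return []


def remediate(detail: dict, s3=None, sns=None, topic_arn: Optional[str] = None) -> dict:
    """Revert public exposure and alert. Clients are injectable so the logic runs offline."""
    bucket = detail["requestParameters"]["bucketName"]
    reasons = findings(detail)
    result = {"bucket": bucket, "reasons": reasons, "actions": []}
    if not reasons:
        return result
    if s3 is None:
        import boto3  # imported lazily so the decision logic above needs no SDK
        s3 = boto3.client("s3")
    if detail.get("eventName") == "PutBucketAcl":
        s3.put_bucket_acl(Bucket=bucket, ACL="private")
        result["actions"].append("put_bucket_acl:private")
    # Re-apply the block in both cases so the bucket cannot be re-exposed via ACL or policy.
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    result["actions"].append("put_public_access_block")
    if topic_arn:
        if sns is None:
            import boto3
            sns = boto3.client("sns")
        alert = {**result,
                 "actor": (detail.get("userIdentity") or {}).get("arn"),
                 "sourceIPAddress": detail.get("sourceIPAddress")}
        sns.publish(TopicArn=topic_arn,
                    Subject=f"S3 public exposure reverted: {bucket}",
                    Message=json.dumps(alert))
        result["actions"].append("sns:publish")
    return result


def handler(event, context):
    """Lambda entry point: EventBridge delivers the CloudTrail record under event["detail"]."""
    return remediate(event["detail"], topic_arn=os.environ.get("ALERT_TOPIC_ARN"))


# Constructed sample: a public-read canned ACL applied to twtech-s3bucket.
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl",
        "awsRegion": "us-east-2",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "twtech-s3bucket", "x-amz-acl": ["public-read"]},
    },
}

if __name__ == "__main__":
    print(findings(SAMPLE_EVENT["detail"]))
```

Two behaviours matter in production: a rejected call (errorCode present) is ignored because the bucket never changed, and a DeletePublicAccessBlock is always reverted even though it carries no ACL. Watch for loops as well: the function's own PutBucketAcl and PutPublicAccessBlock calls are themselves logged by CloudTrail, so the rule should not match on PutPublicAccessBlock, and the role the function runs under should be excluded from any broader S3-change alerting.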
9. Security Considerations
- Ensure CloudTrail is enabled org-wide (an organization trail) so no member account's API activity is missed
- Use EventBridge resource policies for cross-account delivery, scoped to the organization ID rather than to "*"
- Use KMS encryption for the trail, the event archive and any SQS/Kinesis buffers in the path
- Avoid overly broad rules to reduce cost/noise; match on eventSource plus a short eventName list
- Apply least-privilege IAM roles for EventBridge targets and remediation Lambdas, and treat the detection pipeline itself as a protected asset: alert on DisableRule, DeleteRule, PutRule and RemoveTargets just as on StopLogging
Final thoughts
- Amazon EventBridge, combined with CloudTrail, provides a near-real-time interception system for AWS management API calls,
- Thus enabling:
- Security monitoring
- Compliance enforcement
- Automated remediation
- Operational governance
- Centralized observability
NB:
- This is foundational in modern:
- CloudOps,
- SecOps,
- DevSecOps environments.