Amazon EventBridge Alert Channel

Configure an Amazon EventBridge event bus (formerly CloudWatch Events bus) as a Lacework alert channel; in the Lacework Console this channel type is called Amazon CloudWatch. For more information about sending and receiving events between AWS accounts, see Amazon CloudWatch EventBridge.

After an event is received in the EventBridge instance, you can create an event rule with a custom pattern rule, and forward the Lacework events to an Amazon SQS queue, as described in the example below. If you do not already have an Amazon SQS queue configured, create one before you proceed.

Create Resources within Your AWS Account

To connect an Amazon CloudWatch alert channel to an SQS queue, you must create the following resources within your account:

  • An SQS queue
  • An event bus
  • An event bus rule

Create an SQS Queue

Follow these steps to create a minimal SQS queue:

  1. Open the Amazon SQS service and select Create Queue.
  2. Enter a Name (for example, Lacework_CloudWatch_Alerts).
  3. Leave all other configuration settings at their default values, which creates a 'Standard' type SQS queue.

Create an Event Bus

Follow these steps:

  1. Open the Amazon EventBridge Service and select Amazon EventBridge > Event Buses.
  2. Click Create event bus.
  3. Enter a Name (for example, Lacework_CloudWatch_Alerts_Bus).
  4. Add a resource-based policy that allows the Lacework AWS account number 434813966438 to push events to your event bus. Replace <REGION>, <YOUR-ACCOUNT-ID>, and <YOUR-EVENT-BUS-NAME> with your values:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "allow_account_to_put_events",
          "Effect": "Allow",
          "Principal": {
            "AWS": "434813966438"
          },
          "Action": "events:PutEvents",
          "Resource": "arn:aws:events:<REGION>:<YOUR-ACCOUNT-ID>:event-bus/<YOUR-EVENT-BUS-NAME>"
        }
      ]
    }

Create an Event Rule

Follow these steps:

  1. Select Amazon EventBridge > Rules.

  2. In the Select event bus pane, select the newly created event bus by name (for example, Lacework_CloudWatch_Alerts_Bus).

  3. Click Create rule.

  4. Enter a Name (for example, Lacework_CloudWatch_Alerts_Events_Rule).

  5. For Define Pattern, select Event pattern and Custom pattern.

  6. In the Event pattern pane, paste the following JSON pattern, which matches every event that the Lacework AWS account publishes to the bus:

    {
      "account": ["434813966438"]
    }
  7. Click Save.

  8. In the Select event bus pane, choose Custom or partner event bus and select your newly created event bus (for example, Lacework_CloudWatch_Alerts_Bus).

  9. Toggle Enable the rule on the selected event bus to on.

  10. In the Select targets pane, choose Target and select SQS queue.

  11. For Queue, select your created queue (for example, Lacework_CloudWatch_Alerts).

  12. Click Create rule.

    The Amazon EventBridge > Rules page is displayed, showing your newly created rule.

Create an Amazon CloudWatch Alert Channel

Do the following:

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Amazon CloudWatch.
  5. Click Next.
  6. Verify that you have completed the preparatory steps described in Create Resources within Your AWS Account.
  7. Enter the Name of the integration.
  8. In Group Issues by, select one of the options:
    • Events - Select this option if you want to create a single Amazon CloudWatch event when compliance events of the same type but from different resources are detected by Lacework. For example, if three different Amazon S3 resources are generating a similar compliance event, only one AWS event is created on the Amazon CloudWatch event bus.
    • Resources - Select this option if you want multiple Amazon CloudWatch events to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, three AWS events are created on the Amazon CloudWatch event bus.
  9. Enter the ARN of your Amazon CloudWatch event bus, which uses the following format. Replace <REGION>, <YOUR-ACCOUNT-ID>, and <YOUR-EVENT-BUS-NAME> with your values.

        arn:aws:events:<REGION>:<YOUR-ACCOUNT-ID>:event-bus/<YOUR-EVENT-BUS-NAME>
  10. Click Save.
  11. Click Alert rules and configure your required alert routing details/options by leveraging the alert channel you created.

Lacework events will now appear in your SQS queue.

Create an Amazon CloudWatch Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

    resource "lacework_alert_channel_aws_cloudwatch" "all_events" {
      name            = "All events to default event-bus"
      event_bus_arn   = "arn:aws:events:<REGION>:<YOUR-ACCOUNT-ID>:event-bus/<YOUR-EVENT-BUS-NAME>"
      group_issues_by = "Events"
    }

Additional information on the lacework_alert_channel_aws_cloudwatch resource can be found on the Terraform Registry.