How can I create a CloudWatch log group to use as a target for an EventBridge rule?


I want to add an Amazon CloudWatch log group as a target to an Amazon EventBridge rule. How can I do this?

Short description

When you create an EventBridge rule, you must specify the target where events that are matched to the rule are sent. For a list of available targets for EventBridge, see Targets available in the EventBridge console. One of the targets that you can add to the EventBridge rule is a CloudWatch log group.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Use these steps to configure a CloudWatch log group to be used as a target for an EventBridge rule:

1.    Open the EventBridge console, and choose the Region that you want to create a rule in.

2.    Choose Create rule, and then enter any information about that rule, such as the event pattern or schedule details.

3.    On the Select target page, choose CloudWatch as your target.

Note: To add a CloudWatch log group as a target, you can either create a new log group or choose an existing one. In both cases, the log group name must start with /aws/events. If you create a new log group in the console while creating the rule, EventBridge creates the log group for you. If you want to add an existing log group, be aware that only log groups whose names start with /aws/events appear in the dropdown list.

4.    To deliver the event data to the target log group, EventBridge needs permission to access that log group. It uses this permission to create log streams and push events to those log streams. For CloudWatch log groups, EventBridge relies on a resource-based policy attached to the log group.

If you use the console to add log groups to an EventBridge rule, the resource-based policy for your log group is updated automatically. If you use the AWS SDK, API, CDK, or CLI instead, you must update the log group's resource-based policy yourself. This example policy document shows the permissions you must define in the resource-based policy of your log group:

{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "events.amazonaws.com",
          "delivery.logs.amazonaws.com"
        ]
      },
      "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
      "Sid": "TrustEventsToStoreLogEvent"
    }
  ],
  "Version": "2012-10-17"
}

You can't configure a log group's resource-based policy using the console. To add these permissions to a resource-based policy, use the PutResourcePolicy API call (put-resource-policy in the AWS CLI). Then, use the describe-resource-policies command to check that your policy was applied correctly.

Note: The current limit is 10 policies per Region, per account. If you hit this limit, then delete any unused policies or combine multiple policies.
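The policy document from step 4 and the check that follows it, as an added example in Python (not code from the AWS article; it uses only the standard library, a placeholder account id, and a constructed describe-resource-policies response, so it runs offline):

```python
"""Build the CloudWatch Logs resource policy that lets EventBridge write to
/aws/events/* log groups, and verify describe-resource-policies output."""
import json

REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
SERVICE_PRINCIPALS = ["events.amazonaws.com", "delivery.logs.amazonaws.com"]

def log_group_arn(region: str, account: str) -> str:
    return f"arn:aws:logs:{region}:{account}:log-group:/aws/events/*:*"

def build_log_group_policy(region: str, account: str) -> str:
    """Document string for `aws logs put-resource-policy --policy-document`."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustEventsToStoreLogEvent",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPALS},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": log_group_arn(region, account),
        }],
    })

def _as_set(value) -> set:
    """IAM fields may be a string or a list; normalise to a set."""
    return {value} if isinstance(value, str) else set(value or [])

def policy_grants_eventbridge(describe_output: str, region: str, account: str) -> bool:
    """True if a policy in `aws logs describe-resource-policies` output allows both
    required actions (listed explicitly) to events.amazonaws.com on this account's
    /aws/events/* groups. A wildcard Principal is rejected: it would let any AWS
    principal write into the log group, not just EventBridge."""
    for policy in json.loads(describe_output).get("resourcePolicies", []):
        for st in json.loads(policy["policyDocument"]).get("Statement", []):
            principal = st.get("Principal")
            if st.get("Effect") != "Allow" or not isinstance(principal, dict):
                continue
            if ("events.amazonaws.com" in _as_set(principal.get("Service"))
                    and REQUIRED_ACTIONS <= _as_set(st.get("Action"))
                    and log_group_arn(region, account) in _as_set(st.get("Resource"))):
                return True
    return False

# Constructed sample (placeholder account id): what describe-resource-policies
# returns once the policy above has been applied in us-east-1.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"resourcePolicies": [{
    "policyName": "TrustEventsToStoreLogEvent",
    "policyDocument": build_log_group_policy("us-east-1", "111122223333"),
}]})
```

Run the check against the real output of `aws logs describe-resource-policies` after applying the policy; a False result means the policy is missing, scoped to another Region or account, or uses a wildcard principal.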

5.    EventBridge rules are created with the PutRule API (put-rule in the AWS CLI). Targets are then added to a rule with the PutTargets API or the put-targets CLI command. When using the AWS SDK, CDK, or CLI, you must use the PutTargets API or put-targets CLI command to add the log group as a target of your EventBridge rule.


Related information

CloudWatch Logs permissions

AWS OFFICIAL. Updated a year ago.