How can I be notified when changes are made to Route 53 hosted zone records?

4 minute read
0

How can I receive an email response with a custom notification when resource record sets are created or deleted from Amazon Route 53?

Short description

You can use a custom event pattern with an Amazon EventBridge or Amazon CloudWatch Events rule that triggers when ChangeResourceRecordSets API activity is logged in AWS CloudTrail. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

If you haven't already created an Amazon SNS topic with an email subscription, then follow the instructions for Getting started with Amazon SNS. This topic and subscription will be used later. This article breaks up the task into three parts:

  • Create an EventBridge rule to match Route 53 API calls captured by CloudTrail
  • Associate the EventBridge rule with an SNS target for email notification
  • Configure Input Transformer on the target so that the notification can be customized into a human-readable message

To be notified when changes are made to Route 53 hosted zone records, follow all the steps for each task.

Create an EventBridge Rule

Route 53 is an AWS global service that is available only in US East (N. Virginia). The EventBridge rule must be created in US East (N. Virginia).

1.    Open the EventBridge console.

2.    In the navigation pane, choose Rules, and then choose Create rule.

3.    In Name and Description fields, enter a name and description for the rule. To receive events from AWS services, select Enable the rule on the selected eventbus.

4.    Choose Rule with an event pattern. Then, choose Next.

5.    Choose AWS Events or EventBridge partner events.

6.    Under Event Pattern, choose the following:

For Event Source, choose AWS servicesFor AWS service, choose Route 53For Event Type, choose AWS API Call via CloudTrail

7.    Choose Specific Operation(s) and enter ChangeResourceRecordSets into the field. This will limit events to only match for create, delete, or updates to resource record sets.

The following event pattern appears:

{
  "source": ["aws.route53"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["route53.amazonaws.com"],
    "eventName": ["ChangeResourceRecordSets"]
  }
}

8.    Choose Next to proceed to the next step.

Associate SNS Target with EventBridge Rule

1.     In the Target types section, choose AWS Service.

2.    In the Select a target dropdown list, choose SNS topic.

3.    In the Topic dropdown list, choose the SNS topic you created previously.

Configure Input Transformer to Customize SNS Notification

By default, EventBridge forwards the entire CloudTrail event to the target. The SNS topic then delivers a notification as unformatted JSON. This might be difficult to read and quickly understand the contents.

By using the Input Transformer, specific fields in the inbound event can be selected and then integrated into a more human-readable message. The Input Path identifies the desired fields.

For this example, the eventTime, hostedZone, username, and eventID are included in the notification. The fields can be changed to align with your use case. The Input Template contains the message body of the notification and placeholders that will be dynamically updated with the desired fields.

1.    Expand the Additional settings dropdown list. In the Configure target input dropdown list, choose Input transformer.

2.    Choose Configure input transformer.

3.    In the Input path field, paste the following text:

{
    "eventTime": "$.detail.eventTime",
    "hostedZone": "$.detail.requestParameters.hostedZoneId",
    "userName": "$.detail.userIdentity.sessionContext.sessionIssuer.userName",
    "eventID": "$.detail.eventID"
}

4.    In the Template field, paste the following text:

"At <eventTime>, one or more Route 53 records within Hosted Zone <hostedZone> were modified by user <userName>. To view the event directly in your Event History and review these changes, use the following link. Note that the event may take up to 15 minutes to be available in your Event History: https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events?EventId=<eventID>"

6.    Choose Confirm.

7.    (Optional) Add tags to the EventBridge rule. Then, choose Next.

8.    Review the rule configuration. Then, choose Create rule.

After the rule is created, any changes to Route 53 resource sets will result in a notification similar to the following:

"At 2022-08-16T21:02:46Z, one or more Route 53 records within Hosted Zone ZB3A123456789 were modified by user Admin. To view the event directly in your Event History and review these changes, use the following link. Note that the event may take up to 15 minutes to be available in your Event History: https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events?EventId=04d08662-537e-4424-97c2-8bc796943b75"

Related information

How can I create a custom event pattern for an EventBridge rule?

How do I set up human-readable EventBridge notifications for API calls using input transformer?

Tutorial: Use input transformer to customize what EventBridge passes to the event target

Tutorial: Log AWS API calls using EventBridge

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago