Adrien Merlier

Reputation: 351

Cloudwatch event for out of region creation

I am trying to create an auto-remediation process that will stop/delete any VPC, CloudFormation Stack, Lambda, Internet Gateway or EC2 instance created outside of the eu-central-1 region. My first step is to configure a CloudWatch Events rule to detect any of the previously mentioned events.

{
  "source": [
    "aws.cloudtrail"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com",
      "cloudformation.amazonaws.com",
      "lambda.amazonaws.com"
    ],
    "eventName": [
      "CreateStack",
      "CreateVpc",
      "CreateFunction20150331",
      "CreateInternetGateway",
      "RunInstances"
    ],
    "awsRegion": [
      "us-east-1",
      "us-east-2",
      "us-west-1",
      "us-west-2",
      "ap-northeast-1",
      "ap-northeast-2",
      "ap-south-1",
      "ap-southeast-1",
      "ap-southeast-2",
      "ca-central-1",
      "eu-west-1",
      "eu-west-2",
      "eu-west-3",
      "sa-east-1"
    ]
  }
}

For now, the event should only trigger an SNS topic that will send me an email, but in the future there will be a Lambda function to do the remediation.

Unfortunately, when I go and create an Internet Gateway in another region (let's say eu-west-1), no notification occurs. The event does not appear when I try to set an alarm on it either, even though it does appear in CloudWatch Events.

Any idea what could be wrong with my event config?

Upvotes: 0

Views: 631

Answers (1)

Adrien Merlier

Reputation: 351

OK, I figured it out. The source of the event changes even though the notification comes from CloudTrail. The "source" parameter should therefore be:

"source": [
    "aws.cloudtrail",
    "aws.ec2",
    "aws.cloudformation",
    "aws.lambda"
  ]

Upvotes: 1
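The thread leaves the remediation Lambda unwritten and never shows why the first pattern fails to match. The following is an added example in Python, not the poster's code, that does both: it implements the basic CloudWatch Events matching rule (every key in the pattern must be present in the event, and the event value must be one of the listed values) so the original and corrected "source" lists can be checked against a sample event, and it sketches the handler that would decide what to tear down. The region check is done in code rather than with a hard-coded list of regions, so a region launched after the rule was written cannot slip past it. The sample event, the account ID and the user ARN are constructed, and the `responseElements` paths used to pull the new resource's ID are assumptions to verify against your own CloudTrail records.

```python
import json

ALLOWED_REGION = "eu-central-1"

# Event pattern as posted in the question, "source" limited to aws.cloudtrail.
# The awsRegion list is deliberately left out: region filtering is done in code below.
ORIGINAL_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com", "cloudformation.amazonaws.com", "lambda.amazonaws.com"],
        "eventName": ["CreateStack", "CreateVpc", "CreateFunction20150331",
                      "CreateInternetGateway", "RunInstances"],
    },
}

# Same pattern with the per-service sources from the answer added.
FIXED_PATTERN = dict(ORIGINAL_PATTERN,
                     source=["aws.cloudtrail", "aws.ec2", "aws.cloudformation", "aws.lambda"])

# Constructed event, shaped like the CloudWatch Events envelope around a CloudTrail record.
# Account ID, user ARN and gateway ID are made up for this example.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "123456789012",
    "region": "eu-west-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateInternetGateway",
        "awsRegion": "eu-west-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"internetGateway": {"internetGatewayId": "igw-0123456789abcdef0"}},
    },
}

# Where each create call reports the new resource's ID inside responseElements.
# These paths are assumptions for illustration; confirm them against real records.
RESOURCE_ID_PATHS = {
    "CreateInternetGateway": ("internetGateway", "internetGatewayId"),
    "CreateVpc": ("vpc", "vpcId"),
    "RunInstances": ("instancesSet", "items", 0, "instanceId"),
    "CreateStack": ("stackId",),
    "CreateFunction20150331": ("functionArn",),
}


def pattern_matches(pattern, event):
    """Subset of CloudWatch Events pattern semantics: every key in the pattern must
    exist in the event; a list means the event value must equal one of its entries;
    a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def _dig(obj, path):
    """Follow a tuple of keys/indexes into nested data; None if any step is missing."""
    for step in path:
        try:
            obj = obj[step]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def plan_remediation(event, allowed_region=ALLOWED_REGION):
    """Return None when nothing should happen, else a dict describing what to tear down."""
    if not pattern_matches(FIXED_PATTERN, event):
        return None
    detail = event["detail"]
    region = detail.get("awsRegion")
    if region == allowed_region:
        return None
    if detail.get("errorCode"):  # a failed API call created nothing, so there is nothing to delete
        return None
    path = RESOURCE_ID_PATHS.get(detail["eventName"])
    resource_id = _dig(detail.get("responseElements") or {}, path) if path else None
    return {
        "region": region,
        "event_name": detail["eventName"],
        "resource_id": resource_id,
        "actor": _dig(detail, ("userIdentity", "arn")),
    }


def lambda_handler(event, context):
    """Lambda entry point: log the decision; a real handler would call the service API
    (for example delete_internet_gateway via boto3) in the offending region here."""
    plan = plan_remediation(event)
    if plan is None:
        return {"action": "ignore"}
    print(json.dumps(plan))
    return {"action": "remediate", **plan}


if __name__ == "__main__":
    print("original pattern matches:", pattern_matches(ORIGINAL_PATTERN, SAMPLE_EVENT))
    print("fixed pattern matches:   ", pattern_matches(FIXED_PATTERN, SAMPLE_EVENT))
    print(lambda_handler(SAMPLE_EVENT, None))
```

Running the script shows the posted pattern rejecting the sample event because its "source" is `aws.ec2`, and the corrected pattern accepting it. Two practical caveats when wiring this up: CloudWatch Events rules are regional, and CloudTrail delivers an API call to CloudWatch Events in the region where the call was made, so the rule (and the SNS or Lambda target) has to be deployed in every region you want to police, not only in eu-central-1; and the handler should skip records carrying an `errorCode`, since a denied or failed create call leaves nothing to remediate.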
