Man Vinayaka

Reputation: 21

Resource handler returned message: "invalid request provided: AWS::Logs::MetricFilter"

I am trying to set up a system in my log archive account that will send me an email notification when the RootTest IAM role is used to access my QA account.

To do this, in my log archive account, I am using CloudFormation to create a log group called CloudTrailLogs, and a CloudTrail trail that delivers CloudTrail log events to this log group. I also want to create a metric filter that searches the log events in the CloudTrailLogs log group for log events with the eventName field set to AssumeRole and the requestParameters.roleArn field set to arn:aws:iam::[QAAccountID]:role/RootTest. When the metric filter finds one or more matching log events, it will trigger a CloudWatch alarm. Finally, I am creating an SNS topic and subscription that will send an email notification to a specified email address when the CloudWatch alarm is triggered.

Unfortunately, when I deploy the CloudFormation template I have, it gives me the following error:

Resource handler returned message: "invalid request provided: AWS::Logs::MetricFilter"

The deployment errors out when trying to create the metric filter. Not sure where I am going wrong. Things in "[]" are redactions, just in case. This is my template so far:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: CloudTrailLogs
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName: [Bucket Name]
      CloudWatchLogsLogGroupArn: !GetAtt LogGroup.Arn  # !Ref on a log group returns its name, not its ARN
      CloudWatchLogsRoleArn: !GetAtt CloudWatchLogsRole.Arn
  CloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
  MetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroup
      FilterPattern: "{ $.eventName = 'AssumeRole' && $.requestParameters.roleArn = 'arn:aws:iam::[QAAccountID]:role/RootTest' }"
      MetricTransformations:
        - MetricValue: 1
          MetricNamespace: RootTestAccess
          MetricName: RootTestAccess
  Alarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: RootTestAccessAlarm
      ComparisonOperator: GreaterThanOrEqualToThreshold  # with Threshold 1, fires on one or more matches per period
      EvaluationPeriods: 1
      MetricName: RootTestAccess
      Namespace: RootTestAccess
      Period: 60
      Statistic: Sum
      Threshold: 1
      ActionsEnabled: true
      AlarmActions:
        - !Ref SNS
  SNS:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: RootTestAccessNotification
      TopicName: RootTestAccessNotification
  Subscription:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: email
      Endpoint: [email protected]
      TopicArn: !Ref SNS

Upvotes: 2

Views: 1549

Answers (1)

Baza86

Reputation: 2176

Your filter pattern is the problem. First, you need to wrap the two terms separately in brackets (). You also need to use double quotes (") around the values, not single quotes. So the FilterPattern key in the template should look like this:

FilterPattern: '{($.eventName = "AssumeRole") && ($.requestParameters.roleArn = "arn:aws:iam::012345678909:role/RootTest")}'

Upvotes: 1
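To check the corrected pattern's logic offline, here is an added example (not part of the question or the answer above): it builds the double-quoted filter pattern from a role ARN, applies the same two-term match to constructed CloudTrail records, and evaluates the alarm comparison so you can see that GreaterThanThreshold with Threshold 1 needs two matches in a period while GreaterThanOrEqualToThreshold fires on one. The account id and events are placeholders constructed for the example.

```python
import json

# Placeholder role ARN standing in for arn:aws:iam::[QAAccountID]:role/RootTest.
WATCHED_ROLE_ARN = "arn:aws:iam::123456789012:role/RootTest"

# Constructed CloudTrail records, one JSON object per log event, as the
# metric filter sees them. Sample data for this example, not real logs.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole",
     "requestParameters": {"roleArn": WATCHED_ROLE_ARN}},
    {"eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ReadOnly"}},
    {"eventName": "GetCallerIdentity"},          # no requestParameters at all
    {"eventName": "AssumeRole",
     "requestParameters": {"roleArn": WATCHED_ROLE_ARN}},
]


def build_filter_pattern(role_arn: str) -> str:
    """Emit the CloudWatch Logs JSON filter pattern in the form the answer
    describes: each term in its own parentheses, values in double quotes.
    json.dumps guarantees double quotes and escapes any quote in the ARN."""
    return ('{($.eventName = "AssumeRole") && '
            f'($.requestParameters.roleArn = {json.dumps(role_arn)})}}')


def matches_filter(event: dict, role_arn: str = WATCHED_ROLE_ARN) -> bool:
    """Mirror the pattern's two-term AND. $.requestParameters.roleArn is
    absent on most events, so use .get(): a missing selector is a non-match,
    which is also how the metric filter treats it."""
    params = event.get("requestParameters") or {}
    return event.get("eventName") == "AssumeRole" and params.get("roleArn") == role_arn


def metric_sum(events, role_arn: str = WATCHED_ROLE_ARN) -> int:
    """MetricValue 1 per matching event, summed over one period (Statistic: Sum)."""
    return sum(1 for e in events if matches_filter(e, role_arn))


def alarm_fires(total: int, threshold: int, operator: str) -> bool:
    """Evaluate one alarm period with the CloudWatch ComparisonOperator names."""
    comparisons = {
        "GreaterThanThreshold": total > threshold,
        "GreaterThanOrEqualToThreshold": total >= threshold,
    }
    return comparisons[operator]


if __name__ == "__main__":
    print(build_filter_pattern(WATCHED_ROLE_ARN))
    total = metric_sum(SAMPLE_EVENTS)
    print(f"matches in period: {total}")
    for op in ("GreaterThanThreshold", "GreaterThanOrEqualToThreshold"):
        print(f"{op} with Threshold 1 on a single match fires: {alarm_fires(1, 1, op)}")
```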
