Notify on tag updates in AWS using EventBridge
Posted: | Updated: | Tags: til aws cloud

You can track changes to a tag through AWS CloudTrail, AWS Config, or Amazon CloudWatch Events. These methods have already been documented, but they are too slow to respond to changes, too expensive to run, not as extensible out of the box, or outdated. I haven't seen much coverage of doing this with Amazon EventBridge, which has many integration options, is low-latency, and is fairly low cost (and in this case free). There is a page in the documentation titled Monitor tag changes with serverless workflows and Amazon EventBridge that covers just that; I'd recommend starting there.
Below I will cover my setup for logging changes to any tags on EC2 instances within my account to CloudWatch Logs using EventBridge. All in all, the simplest possible example.
- Navigate to the Amazon EventBridge console and create a new rule.
- Select "Rule with an event pattern" and on the next page click "Custom pattern (JSON editor)". An event pattern lets you match events that are sent to an EventBridge bus and comes with a lot of nifty filters; the EventBridge User Guide has the details. The JSON snippet below matches events sent by the `aws.tag` service. The `detail-type` value matches the "Tag Change on Resource" event type, and we target all EC2 resources by matching the `resources` value against any ARN that starts with `arn:aws:ec2` using the `prefix` filter.
```json
{
  "source": ["aws.tag"],
  "detail-type": ["Tag Change on Resource"],
  "resources": [{
    "prefix": "arn:aws:ec2"
  }]
}
```
- Lastly, set up your target. This could be an SNS topic to push out emails, a Lambda function so you can do downstream processing of the event, or many other options. In my case, I will simply push the events to a log group in CloudWatch Logs.
With those three steps complete, you will have an event pattern rule on the default bus listening for all tag changes on EC2 instances. In my opinion, where EventBridge shines over the other methods is in its simplicity, extensibility, and low cost. In this example EventBridge itself costs nothing; the only charges you'll incur are from the CloudWatch log group if you choose to deliver your events there.
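To check what the pattern above does and does not match before relying on it, here is an added example (my own code, not from the post and not an AWS library): a small local matcher implementing the two pattern features the rule uses, literal value lists and the `prefix` content filter, plus nested `detail` matching, run against constructed "Tag Change on Resource" events. The event shape follows the documented EventBridge tag-change event, but the account id, instance id, bucket name and tag values are placeholders. It goes slightly beyond the post with a narrower variant pattern (my assumption, not from the post) that fires only when a specific tag key such as `Owner` is among the keys that changed, and a summary function that turns one event into a single log line. All function and constant names here are mine.

```python
import json
from typing import Any

# Constructed sample event in the shape of the documented EventBridge
# "Tag Change on Resource" event. Account id, instance id and tag values
# are placeholders, not real resources.
SAMPLE_EC2_TAG_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Tag Change on Resource",
    "source": "aws.tag",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {
        # Keys listed here but missing from "tags" were deleted in this change.
        "changed-tag-keys": ["Owner", "CostCenter", "Temporary"],
        "service": "ec2",
        "resource-type": "instance",
        "version": 3,
        "tags": {"Owner": "alice", "CostCenter": "4242"},
    },
}

# Same shape, but the tag change happened on an S3 bucket (placeholder name):
# the post's EC2-only pattern must reject it.
SAMPLE_S3_TAG_EVENT = {
    **SAMPLE_EC2_TAG_EVENT,
    "resources": ["arn:aws:s3:::placeholder-bucket"],
    "detail": {**SAMPLE_EC2_TAG_EVENT["detail"], "service": "s3", "resource-type": "bucket"},
}

# The event pattern from the post, unchanged.
EC2_TAG_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "resources": [{"prefix": "arn:aws:ec2"}],
}

# Narrower variant (my addition, assumed): same rule, but only when the
# "Owner" tag is among the keys that changed.
OWNER_TAG_PATTERN = {**EC2_TAG_PATTERN, "detail": {"changed-tag-keys": ["Owner"]}}


def _value_matches(rule: Any, value: Any) -> bool:
    """Match one pattern entry against one scalar event value.
    Supports literal values and the {"prefix": "..."} content filter."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        raise ValueError(f"unsupported content filter: {rule}")
    return rule == value


def _field_matches(rules: list, event_value: Any) -> bool:
    """Entries in a pattern list are OR'd. If the event field is itself a
    list (as "resources" is), it matches when any element satisfies any rule."""
    candidates = event_value if isinstance(event_value, list) else [event_value]
    return any(_value_matches(rule, v) for rule in rules for v in candidates)


def matches(pattern: dict, event: dict) -> bool:
    """True when the event satisfies every field named in the pattern.
    Top-level fields are AND'd; a nested dict (e.g. "detail") recurses."""
    for key, rules in pattern.items():
        if key not in event:
            return False
        if isinstance(rules, dict):
            if not isinstance(event[key], dict) or not matches(rules, event[key]):
                return False
        elif not _field_matches(rules, event[key]):
            return False
    return True


def changed_tag_summary(event: dict) -> str:
    """One log-friendly line: which resource changed, and the new value of
    each changed key (or <deleted> if the key is gone from "tags")."""
    detail = event["detail"]
    parts = [
        f"{key}={detail['tags'][key]}" if key in detail["tags"] else f"{key}=<deleted>"
        for key in detail["changed-tag-keys"]
    ]
    return f"{event['time']} {event['resources'][0]} changed tags: {', '.join(parts)}"


if __name__ == "__main__":
    for name, event in (("EC2 instance", SAMPLE_EC2_TAG_EVENT), ("S3 bucket", SAMPLE_S3_TAG_EVENT)):
        print(f"{name}: EC2 rule={matches(EC2_TAG_PATTERN, event)}, "
              f"Owner rule={matches(OWNER_TAG_PATTERN, event)}")
    print(changed_tag_summary(SAMPLE_EC2_TAG_EVENT))
    print(json.dumps(OWNER_TAG_PATTERN, indent=2))
```

Run it directly to print the match decisions for both sample events and the one-line summary; the summary is the kind of record worth writing to the log group, since `changed-tag-keys` combined with `tags` tells you not just that a tag moved but whether it was added, updated or deleted. One caveat for the last step: when the target is a CloudWatch Logs log group and you create the rule with the CLI or an SDK rather than the console, the log group also needs a resource policy that allows `events.amazonaws.com` to write to it; the console adds that policy for you.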