This message was deleted Pulumi Community #aws

Join Slack

This message was deleted.

# aws

sparse-intern-71089

04/26/2022, 7:11 PM

This message was deleted.

victorious-church-57397

04/26/2022, 7:18 PM

I’ve recently implemented eventbridge events shipping to lambda recently and these are the things I needed to create in Pulumi for it to work

Copy code

const sechubEventRule = new cloudwatch.EventRule('forward-sechub-events-to-jira', {
  name: 'forward-sechub-events-to-jira',
  description: 'Forwards securityhub events to Jira',
  isEnabled: true,
  roleArn: securityHubEventBridgeRole.arn,
  eventPattern: `{
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Compliance": {
              "Status": ["FAILED", "WARNING"]
          }
        }
      }
    }
  `,
});

new cloudwatch.EventTarget('forward-sechub-events-target', {
  arn: securityHubJiraFunction.arn,
  rule: sechubEventRule.name,
});

new lambda.Permission(`securityhub-jira-permission`, {
  action: 'lambda:InvokeFunction',
  function: securityHubJiraFunction.arn,
  principal: '<http://events.amazonaws.com|events.amazonaws.com>',
  sourceArn: sechubEventRule.arn,
});

in the role which is referenced in the target, has the following permissions:

Copy code

const eventbridgeRolePolicy: iam.PolicyDocument = {
  Version: '2012-10-17',

  Statement: [
    {
      Sid: 'EventTrustPolicy',
      Effect: 'Allow',

      Principal: {
        Service: '<http://events.amazonaws.com|events.amazonaws.com>',
      },

      Action: ['sts:AssumeRole'],
    },
  ],
};

export const securityHubEventBridgeRole = new iam.Role('sechub-eventbridge-role', {
  name: 'sechub-eventbridge-role',
  assumeRolePolicy: eventbridgeRolePolicy,
});

const eventBridgeDefaultBusPutEventsPolicyDocument: iam.PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'PutEventsPolicy',
      Effect: 'Allow',
      Action: ['events:PutEvents'],
      Resource: [interpolate`${defaultEventBus.arn}`],
    },
  ],
};

const securityHubEventBridgeRolePolicy = new iam.Policy('sechub-eventbridge-role-policy', {
  name: 'sechub-eventbridge-role-policy',
  policy: eventBridgeDefaultBusPutEventsPolicyDocument,
  description: 'Allows put events on the default bus',
});

new iam.RolePolicyAttachment('sechub-eventbridge-role-policy-attachment', {
  role: securityHubEventBridgeRole.name,
  policyArn: securityHubEventBridgeRolePolicy.arn,
});

average-school-38756

04/26/2022, 7:18 PM

Thank you. i discovered that for whatever reason, prefixing the log group name with "/aws/events/" did the trick.

victorious-church-57397

04/26/2022, 7:19 PM

ah ok nice find

6 Views

Open in Slack

Previous Next