Why isn’t my EventBridge capturing AWS WorkSpaces login events?

Asked By CuriousCoder42 On

I'm trying to capture the sign-in events from Amazon WorkSpaces, but I've run into some issues. I set up an EventBridge rule on the default bus, aiming to use a CloudWatch log group as the target, but I don't see any activity registered in EventBridge or the CloudWatch log group. Everything is in the same region (us-west-2). Here's the rule pattern I created:

{
  "source": ["aws.workspaces"],
  "detail-type": ["WorkSpaces Access"],
  "detail": {
    "actionType": ["successfulLogin"],
    "clientPlatform": ["Windows"]
  }
}

I've also followed the AWS documentation linked here:
- https://docs.aws.amazon.com/workspaces/latest/adminguide/cloudwatch-events.html
- https://docs.aws.amazon.com/eventbridge/latest/ref/events-ref-workspaces.html

For troubleshooting, I've checked:
1. CloudTrail management events are active for both read and write activities.
2. All WorkSpaces are in active state.
3. The EventBridge rule is set in the correct region, and everything is in us-west-2.
4. Since EventBridge should capture the events before they reach CloudWatch Logs, it seems like EventBridge itself isn't capturing anything.
5. I tried expanding the rule to just include "source": "aws.workspaces", but that didn't yield any results either.

Any ideas on what might be going wrong?

3 Answers

Answered By CloudExpert123 On

Definitely check the CloudWatch metrics under the monitoring tab for your EventBridge rule. If you see data points for triggered rules, but also some failed invocations, that can indicate permission issues with your target. If there are zero data points for triggered rules, the rule itself might need revisiting. It’s worth spending some more time on that.

Answered By NetworkNinja99 On

It does sound like you have covered a lot of the bases already. Since you're not getting any metrics for TriggeredRules, it appears the event isn't reaching or matching your rule. I'd suggest simplifying your rule down to only "source": "aws.workspaces" and see if that gets you any events. Also, verify that all regions for WorkSpaces and EventBridge are aligned, and that the default bus is being used.

Answered By TechSavvyDude On

First, make sure that your CloudWatch Logs resource policy permits EventBridge to write to your log group. That’s a common oversight, especially when setting things up manually instead of through the console, which typically does this for you. Check if EventBridge has permissions configured correctly!
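One way to run the resource-policy check suggested in the answer above, as an added example that is not part of the original thread: it takes the `policyDocument` strings returned by `aws logs describe-resource-policies` and reports which write actions EventBridge still lacks on the target log group. The account ID, log group name and sample policies are constructed, and the check is a simplified match, not a full IAM evaluation.

```python
import json
from fnmatch import fnmatchcase

# Actions EventBridge needs on a CloudWatch Logs target, and its service principal.
NEEDED = {"logs:CreateLogStream", "logs:PutLogEvents"}
SERVICE = "events.amazonaws.com"

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_actions(policy_documents, log_group_arn):
    """Return the NEEDED actions no Allow statement grants to EventBridge.

    Simplified on purpose: Deny statements, Condition blocks and wildcard
    principals are not evaluated, so this is not a full IAM evaluation.
    """
    # Events are written to log streams, whose ARNs extend the group ARN.
    stream_arn = log_group_arn + ":log-stream:example"
    granted = set()
    for doc in policy_documents:
        policy = json.loads(doc) if isinstance(doc, str) else doc
        for stmt in as_list(policy.get("Statement")):
            principal = stmt.get("Principal")
            services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
            if stmt.get("Effect") != "Allow" or SERVICE not in services:
                continue
            if not any(fnmatchcase(stream_arn, r) for r in as_list(stmt.get("Resource"))):
                continue
            for needed in NEEDED:
                if any(fnmatchcase(needed.lower(), a.lower()) for a in as_list(stmt.get("Action"))):
                    granted.add(needed)
    return NEEDED - granted

# Constructed sample data: the account ID, log group name and policies are made up.
LOG_GROUP = "arn:aws:logs:us-west-2:111122223333:log-group:/aws/events/workspaces-logins"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]},
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:us-west-2:111122223333:log-group:/aws/events/*:*"}]})
WRONG_GROUP = GOOD.replace("/aws/events/*", "/aws/lambda/*")  # scoped to other log groups
PUT_ONLY = GOOD.replace('"logs:CreateLogStream", ', "")       # one action missing

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("WRONG_GROUP", WRONG_GROUP), ("PUT_ONLY", PUT_ONLY)]:
        print(name, sorted(missing_actions([doc], LOG_GROUP)) or "ok")
```

An empty result means the policy grants both actions to `events.amazonaws.com` for that log group; if the rule's TriggeredRules metric is also zero, the problem lies before the target, as the other answers describe.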
