I am trying to have a Lambda trigger when a secret in AWS Secrets Manager is rotated.
So I am trying to use CloudTrail for this. I am trying to follow this AWS documentation.
The documentation doesn't seem to do anything with the trail they create, but anyway this is what I have done:
In CloudTrail I can see the event history of when a secret is rotated, and it looks like this:
```json
"eventName": "RotationSucceeded",
"awsRegion": "eu-west-1",
"sourceIPAddress": "secretsmanager.amazonaws.com",
"userAgent": "secretsmanager.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"additionalEventData": {
    "SecretId": "arn:aws:secretsmanager:eu-west-1:acc_id:secret:rds!xxxxxxxx"
}
```
I have created a trail where I have added a Data event for CloudTrail and added these 3 custom log selectors:

Field | Operator | Value
---|---|---
eventName | equals | RotationSucceeded
resources.ARN | startsWith | [ARN]
readOnly | equals | false

This is done with the intention that this trail should only log events that are for "RotationSucceeded".
I then have an EventBridge rule set up where my event pattern is like this:
```json
{
  "source": ["aws.secretsmanager"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["secretsmanager.amazonaws.com"],
    "eventName": ["RotationSucceeded"]
  }
}
```
I have attached this rule to a simple Lambda that just prints Hello World for testing purposes.
The issue is that I can see the Lambda is not getting triggered when I rotate the specific secret. I can see the RotationSucceeded event if I go to CloudTrail.
Does anyone know why this is, or what was the point of setting up a CloudTrail trail like the AWS documentation states if it doesn't seem to do anything with it?
Or if anyone knows a better way of getting a Lambda to trigger when secret rotation takes place that would be appreciated.
2 Answers
So I tried a different eventName that takes place during a secret rotation. I tried with "PutSecretValue" and this worked for triggering my Lambda.
I'm not sure why "RotationSucceeded" doesn't work. The only thing I can see as a clear difference is that there is no user name associated with "RotationSucceeded" in CloudTrail, whereas for "PutSecretValue" the user name that did this action is "SLRSession".
"RotationSucceeded" would have been ideal so I have that confirmation the Lambda only runs if it was successful, but "PutSecretValue" will be sufficient.
The RotationSucceeded event has the detail-type value "AWS Service Event via CloudTrail". However, you've configured the wrong detail-type value in your event rule. The following event rule will help to filter the RotationSucceeded events of Secrets Manager.