Match AWS Secrets Manager events with Amazon EventBridge
In Amazon EventBridge, you can match Secrets Manager events from CloudTrail log entries. You can configure EventBridge rules that look for these events and then send new generated events to a target to take action. For a list of CloudTrail entries that Secrets Manager logs, see CloudTrail entries. For instructions to set up EventBridge, see Getting started with EventBridge in the EventBridge User Guide.
Match all changes to a specified secret
Note
Because some Secrets Manager events return the ARN of the
secret with different capitalization, in event patterns that match more than one
action, to specify a secret by ARN, you may need to include both the keys
arn and aRN.
For
more information, see AWS
re:Post
The following example shows an EventBridge event pattern that matches log entries for changes to a secret.
{ "source": ["aws.secretsmanager"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["DeleteResourcePolicy", "PutResourcePolicy", "RotateSecret", "TagResource", "UntagResource", "UpdateSecret"], "responseElements": { "arn": ["arn:aws:secretsmanager:us-west-2:012345678901:secret:mySecret-a1b2c3"] } } }
Match events when a secret value rotates
The following example shows an EventBridge event pattern that matches CloudTrail log entries for secret value changes that occur from manual updates or automatic rotation. Because some of these events are from Secrets Manager operations and some are generated by the Secrets Manager service, you must include the detail-type for both.
{ "source": ["aws.secretsmanager"], "$or": [ { "detail-type": ["AWS API Call via CloudTrail"] }, { "detail-type": ["AWS Service Event via CloudTrail"] } ], "detail": { "eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["PutSecretValue", "UpdateSecret", "RotationSucceeded"] } }
