CloudWatch EventRule for Anomaly Detection Alerting

Question

Pulumi · Accepted Answer

To create a CloudWatch Event Rule for Anomaly Detection Alerting in AWS, we can use the `aws.cloudwatch.EventRule` resource from the Pulumi AWS package. This resource allows you to define a CloudWatch Event Rule that responds to AWS service events or custom events.

First, we will create an Event Rule that triggers on a specific schedule or when certain AWS service events occur. Then, we will configure it to take action when an anomaly is detected, such as notifying an SNS topic, invoking a Lambda function, or auto-remediation with Systems Manager.

Below is a detailed Pulumi program in Python that sets up:

1. An Event Rule to detect anomalies using a specified event pattern or schedule.
2. An Event Target to describe what action to take when the Event Rule is triggered. In this example, I'm using an SNS topic as the target, which can then notify subscribers such as email addresses or Lambda functions.
3. An SNS topic serves as the communication channel to notify users or systems about the anomaly detection.

Make sure you have AWS credentials configured for Pulumi to use. Otherwise, you can set them up via the AWS CLI with `aws configure` or pass them as environment variables. The Pulumi CLI should be installed and logged in.

Here's the Pulumi code:

```python
import pulumi
import pulumi_aws as aws

# Create an SNS topic that will receive notifications
anomaly_notification_topic = aws.sns.Topic("anomalyNotificationTopic")

# Define the event pattern for Anomaly Detection.
# This is where you would specify the source and detail-type or any other event pattern to match your use-case
event_pattern = {
    "source": ["aws.lookoutmetrics"],
    "detail-type": ["LookoutMetrics Anomaly Detection"],
}

# Create the CloudWatch Event Rule for the anomaly detection alerting
anomaly_detection_event_rule = aws.cloudwatch.EventRule("anomalyDetectionEventRule",
    event_pattern=pulumi.Output.all(event_pattern).apply(lambda pattern: json.dumps(pattern)),
    description="Triggers an alert when an anomaly is detected",
    # Use a scheduled expression like 'cron(0 20 * * ? *)' or define event pattern
    # schedule_expression="rate(5 minutes)",
    state="ENABLED"
)

# Link the rule to the SNS topic to send the anomaly alert notification
anomaly_event_target = aws.cloudwatch.EventTarget("anomalyEventTarget",
    rule=anomaly_detection_event_rule.name,
    arn=anomaly_notification_topic.arn,
)

# To allow CloudWatch Events Rule to publish to the SNS topic, 
# we need to create an SNS Topic Policy that allows this interaction
sns_topic_policy = aws.sns.TopicPolicy("snsTopicPolicy",
    arn=anomaly_notification_topic.arn,
    policy=anomaly_notification_topic.arn.apply(lambda arn: json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": arn,
        }],
    })),
)

# Export the name of the event rule and the SNS topic
pulumi.export("event_rule_name", anomaly_detection_event_rule.name)
pulumi.export("sns_topic_arn", anomaly_notification_topic.arn)
```

In this program:

- We create an SNS Topic (`anomaly_notification_topic`) that will be used to send notifications of detected anomalies.
- We set up an Event Rule (`anomaly_detection_event_rule`) with an event pattern that looks for specific LookoutMetrics Anomaly Detection event types (you would customize this pattern to fit your specific triggering events).
- We create an Event Target (`anomaly_event_target`) that links the Event Rule to the SNS Topic, so that when an event matching the rule pattern occurs, the Event Target sends a message to the SNS Topic.
- We apply a Topic Policy (`sns_topic_policy`) to the SNS Topic to allow the CloudWatch Events service to publish events to the SNS Topic.
- We export the event rule name and the SNS topic ARN for easy access if we need them outside of Pulumi, for instance, to set up additional monitoring or logging through the AWS Management Console.

This is a simplification, typical use-cases might involve more complex event patterns or multiple actions. You can also handle the notifications within AWS Lambda, to trigger custom remediation actions or forward the alert to other monitoring systems.