You can edit the JSON configuration that is used when you have enabled event forwarding to Amazon SNS topics. It defines which conditions an event must meet to be published to a topic. The configuration
language is modeled after Amazon's Policy language for SNS.
Each field is specified below. Basic SNS configuration is as follows:
{
  "Version": "2014-09-24",
  "Statement": [statement1, statement2, ...]
}
For examples, see Example SNS configuration.
Version
The Version element specifies the version of the configuration language.
The only currently valid value of "Version" is the string "2014-09-24":
  "Version": "2014-09-24",
Statement
The Statement element is an array of individual statements. Each individual statement
is a distinct JSON object giving the SNS topic to send to if an event meets given
conditions.
"Statement": [{...}, {...}, ...]
An individual statement has the following form:
{
  "Topic": "destination topic",
  "Condition": { conditions the event must meet to be published to the destination topic }
}
Topic
The Topic element must be the Amazon Resource Name of the SNS Topic to publish to.
"Topic": "arn:aws:sns:us-east-1:012345678901:myTopic"
Condition
The Condition element is the most complex part of the configuration. It contains one
or more conditions an event must match to be published to the topic.
Each condition can have one or more key-value pairs that the event must match (or
not match, depending on the type of condition) to be included in the topic. Keys are
any valid event property. For event properties, see Events in JSON format. Valid values vary by key. Some keys support multiple values.
"Condition": {
  "ConditionName": {
    "key1": [value1, value2],
    "key2": value3
  },
  "ConditionName2": {
    "key3": [value4]
  },
  ...
}
The following are valid condition names and their syntax:
Bool
The Bool condition performs Boolean matching. To match, an event must have a property
with the desired Boolean value. If the property in the event exists but is not itself
a Boolean value, the property is tested as follows:
- Numbers equal to 0 evaluate to false. Numbers not equal to 0 evaluate to true.
- Empty strings and the special strings "false" and "0" evaluate to false. Other strings evaluate to true.
- Any other property value in an event cannot be converted to a Boolean and cannot match.
Allows for multiple values? No
The following example shows a configuration that publishes events that have a "DetectOnly" property with the value false:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "Bool": { "DetectOnly": false }
      }
    }
  ]
}
Exists
The Exists condition tests for the existence or non-existence of a property in an
event. The value of the property is not considered.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Severity" but does not have the property "Title":
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "Exists": { "Severity": true, "Title": false }
      }
    }
  ]
}
IpAddress
The IpAddress condition tests that the value of an event's property is an IP address in a range given in CIDR format, or exactly equals a single IP address.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address in the range 10.0.1.0/24, or equal to 10.0.0.5:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "IpAddress": { "DestinationIP": ["10.0.1.0/24", "10.0.0.5"] }
      }
    }
  ]
}
NotIpAddress
The NotIpAddress condition tests that the value of an event's property is not an IP address in any of the specified IP address ranges.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address not in the range 10.0.0.0/8:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NotIpAddress": { "DestinationIP": "10.0.0.0/8" }
      }
    }
  ]
}
NumericEquals
The NumericEquals condition tests that the numeric value of an event's property equals one of one or more desired values. If the property in the event exists but is not itself a numeric value, the property is tested as follows:
- Strings are converted to numbers. Strings that cannot be converted to numbers will not match.
- Any other property value in an event cannot be converted to a number and will not match.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "Protocol" with the value 6 or 17:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericEquals": { "Protocol": [6, 17] }
      }
    }
  ]
}
NumericNotEquals
The NumericNotEquals condition tests that the numeric value of an event's property is not equal to any of an undesired set of values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "Protocol" not equal to 6, and the property "Risk" not equal to 2 or 3:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericNotEquals": { "Protocol": 6, "Risk": [2, 3] }
      }
    }
  ]
}
NumericGreaterThan
The NumericGreaterThan condition tests that the numeric value of an event's property is strictly greater than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Protocol" with a value greater than 6:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericGreaterThan": { "Protocol": 6 }
      }
    }
  ]
}
NumericGreaterThanEquals
The NumericGreaterThanEquals condition tests that the numeric value of an event's property is greater than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Number" with a value greater than or equal to 600:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericGreaterThanEquals": { "Number": 600 }
      }
    }
  ]
}
NumericLessThan
The NumericLessThan condition tests that the numeric value of an event's property is strictly less than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Number" with a value less than 1000:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericLessThan": { "Number": 1000 }
      }
    }
  ]
}
NumericLessThanEquals
The NumericLessThanEquals condition tests that the numeric value of an event's property is less than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Number" with a value less than or equal to 500:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericLessThanEquals": { "Number": 500 }
      }
    }
  ]
}
StringEquals
The StringEquals condition tests that the string value of an event's property is exactly equal to one of one or more desired values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "EventType" equal to "SystemEvent" and the property "TargetType" equal to "User" or "Role":
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringEquals": { "EventType": ["SystemEvent"], "TargetType": ["User", "Role"] }
      }
    }
  ]
}
StringNotEquals
The StringNotEquals condition tests that the string value of an event's property does not equal any of an undesired set of values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "EventType" not equal to "PacketLog" or "IntegrityEvent":
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotEquals": { "EventType": ["PacketLog", "IntegrityEvent"] }
      }
    }
  ]
}
StringEqualsIgnoreCase
The StringEqualsIgnoreCase condition is the same as the StringEquals condition, except
string matching is performed in a case-insensitive manner.
StringNotEqualsIgnoreCase
The StringNotEqualsIgnoreCase condition is the same as the StringNotEquals condition,
except string matching is performed in a case-insensitive manner.
StringLike
The StringLike condition tests that the string value of an event's property is equal to one of one or more desired values, where the desired values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "Title" which contains the string "User" or "Role":
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringLike": { "Title": ["*User*", "*Role*"] }
      }
    }
  ]
}
StringNotLike
The StringNotLike condition tests that the string value of an event's property is not equal to any of an undesired set of values, where the values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.
Allows for multiple values? Yes
The following example shows a configuration that publishes all events except the "System Settings Saved" event:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike": { "Title": "System Settings Saved" }
      }
    }
  ]
}
The next example shows a configuration that publishes events when the event has the property "Title" that does not start with "User" and does not end with "Created":
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike": { "Title": ["User*", "*Created"] }
      }
    }
  ]
}
Multiple statements vs. multiple conditions
If you create multiple statements for the same SNS topic, those statements are evaluated
as if they are joined by "or". If a statement contains multiple conditions, those
conditions are evaluated as if they are joined by "and".
Multiple statements
This is an example of what not to do. The first statement says to forward all events other than "System Settings Saved". The second statement says to forward all "System Settings Saved" events. The result is that all events will be forwarded, because any event will match either the condition in the first statement or the one in the second statement:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike": { "Title": "System Settings Saved" }
      }
    },
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringLike": { "Title": "System Settings Saved" }
      }
    }
  ]
}
Multiple conditions
This is another example of what not to do. The first condition says to forward all events other than "System Settings Saved". The second condition says to forward all "System Settings Saved" events. The result is that no events will be forwarded, because no event can match both the first condition and the second condition of the same statement:
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike": { "Title": "System Settings Saved" },
        "StringLike": { "Title": "System Settings Saved" }
      }
    }
  ]
}
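The matching rules from the Bool, NumericEquals, IpAddress and StringLike sections, together with the rule just described that statements are joined by "or" and conditions by "and", carried through as an added example. This evaluator is not Deep Security's code; the sample events are constructed, and where the page leaves a case open (a JSON boolean under a numeric condition, a non-numeric property under NumericNotEquals) the choice made here is an assumption:

```python
import ipaddress
import re

_MISSING = object()  # sentinel for "property absent from the event"
# Constructed sample events, modelled on the property names in the page's examples.
SAMPLE_EVENTS = [
    {"Title": "System Settings Saved", "EventType": "SystemEvent", "Severity": 1, "DetectOnly": "0"},
    {"Title": "User Created", "EventType": "SystemEvent", "TargetType": "User", "Severity": 2},
    {"Title": "Payload detected", "EventType": "PayloadLog", "Severity": 4, "Protocol": "6", "DestinationIP": "10.0.1.77"},
    {"Title": "Packet blocked", "EventType": "PacketLog", "Severity": 3, "Protocol": 17, "DestinationIP": "192.168.4.2"},
]

def as_bool(value):
    """Bool coercion exactly as the page states it; None means the value cannot match."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value not in ("", "false", "0")
    return None

def as_number(value):
    """Numeric coercion as described for NumericEquals; None means the value cannot match."""
    if isinstance(value, bool):  # assumption: a JSON boolean is not a number
        return None
    if isinstance(value, (int, float)):
        return value
    try:
        return float(value) if isinstance(value, str) else None
    except ValueError:
        return None

def glob_match(pattern, text):
    """StringLike wildcards: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None

def in_range(value, spec):
    """True if value is an IP address inside spec (a CIDR range or a single address)."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def key_matches(cond_name, prop, spec):
    """Test one key/value pair of a condition against one event property (or _MISSING)."""
    wanted = spec if isinstance(spec, list) else [spec]
    if cond_name == "Exists":
        return (prop is not _MISSING) == bool(spec)
    if prop is _MISSING:
        return False
    if cond_name == "Bool":
        return as_bool(prop) is not None and as_bool(prop) == bool(spec)
    if cond_name in ("IpAddress", "NotIpAddress"):
        hit = isinstance(prop, str) and any(in_range(prop, w) for w in wanted)
        return hit if cond_name == "IpAddress" else not hit
    if cond_name.startswith("Numeric"):
        n = as_number(prop)
        if n is None:  # assumption: a non-numeric property never matches, NotEquals included
            return False
        if cond_name == "NumericEquals":
            return any(n == w for w in wanted)
        if cond_name == "NumericNotEquals":
            return all(n != w for w in wanted)
        w = wanted[0]  # the remaining numeric conditions take a single value
        return {"NumericGreaterThan": n > w, "NumericGreaterThanEquals": n >= w,
                "NumericLessThan": n < w, "NumericLessThanEquals": n <= w}[cond_name]
    if cond_name.startswith("String"):
        if not isinstance(prop, str):
            return False
        text, pats = prop, [str(w) for w in wanted]
        if cond_name.endswith("IgnoreCase"):
            text, pats = text.lower(), [p.lower() for p in pats]
        hit = any(glob_match(p, text) for p in pats) if "Like" in cond_name else text in pats
        return not hit if "Not" in cond_name else hit
    raise ValueError(f"unknown condition {cond_name!r}")

def statement_matches(statement, event):
    """Conditions inside one statement are joined by AND: every key of every condition must match."""
    return all(key_matches(name, event.get(key, _MISSING), spec)
               for name, pairs in statement["Condition"].items()
               for key, spec in pairs.items())

def topics_for(config, event):
    """Statements are joined by OR: every topic whose statement matches, without duplicates."""
    topics = []
    for st in config["Statement"]:
        if statement_matches(st, event) and st["Topic"] not in topics:
            topics.append(st["Topic"])
    return topics

def forwarded_titles(config, events=SAMPLE_EVENTS):
    """Titles of the sample events that at least one statement would publish."""
    return [e["Title"] for e in events if topics_for(config, e)]

TOPIC = "arn:aws:sns:us-east-1:012345678901:myTopic"
# The page's "multiple statements" anti-pattern: StringNotLike OR StringLike forwards everything.
TWO_STATEMENTS = {"Version": "2014-09-24", "Statement": [
    {"Topic": TOPIC, "Condition": {"StringNotLike": {"Title": "System Settings Saved"}}},
    {"Topic": TOPIC, "Condition": {"StringLike": {"Title": "System Settings Saved"}}}]}
# The page's "multiple conditions" anti-pattern: StringNotLike AND StringLike forwards nothing.
TWO_CONDITIONS = {"Version": "2014-09-24", "Statement": [
    {"Topic": TOPIC, "Condition": {"StringNotLike": {"Title": "System Settings Saved"},
                                   "StringLike": {"Title": "System Settings Saved"}}}]}
```

Running forwarded_titles over the two "what not to do" configurations reproduces the point of this section: TWO_STATEMENTS returns every sample title, TWO_CONDITIONS returns an empty list. The same key_matches function can be used to check an individual condition against a property value before committing a configuration, for instance that "DetectOnly": "0" in an event really does satisfy "Bool": { "DetectOnly": false }.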
Example SNS configurations
These configurations send matching events for some specific scenarios. For more event
property names and values that you can use to filter SNS topics, see Events in JSON format.
Send all critical intrusion prevention events to an SNS topic
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericEquals": { "Severity": 4 },
        "StringEquals": { "EventType": "PayloadLog" }
      }
    }
  ]
}
Send different events to different SNS topics
This example shows sending all system events to one topic and all integrity monitoring
events to a different topic.
{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic",
      "Condition": {
        "StringEquals": { "EventType": "SystemEvent" }
      }
    },
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic",
      "Condition": {
        "StringEquals": { "EventType": "IntegrityEvent" }
      }
    }
  ]
}
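A structural check for configurations like the ones above, added here as an example and not part of Deep Security. It applies the rules from the Version, Statement, Topic and Condition sections and the "Allows for multiple values?" answers given for each condition. The SNS ARN pattern and the assumption that the two IgnoreCase conditions accept multiple values like the conditions they mirror are this example's own; the BAD configuration is constructed to trigger each kind of finding:

```python
import ipaddress
import json
import re

# Condition names the page defines, and whether "Allows for multiple values?" is Yes.
# Assumption: the two IgnoreCase variants inherit the answer of the condition they mirror.
MULTI_VALUE = {
    "Bool": False, "Exists": False,
    "IpAddress": True, "NotIpAddress": True,
    "NumericEquals": True, "NumericNotEquals": True,
    "NumericGreaterThan": False, "NumericGreaterThanEquals": False,
    "NumericLessThan": False, "NumericLessThanEquals": False,
    "StringEquals": True, "StringNotEquals": True,
    "StringEqualsIgnoreCase": True, "StringNotEqualsIgnoreCase": True,
    "StringLike": True, "StringNotLike": True,
}

# Shape of an SNS topic ARN (assumption: aws, aws-cn or aws-us-gov partition, 12-digit account id).
TOPIC_ARN = re.compile(r"^arn:aws(-[a-z-]+)?:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}$")

def _value_problem(cond_name, value):
    """Why a single condition value has the wrong JSON type, or None if it is acceptable."""
    if cond_name in ("Bool", "Exists"):
        return None if isinstance(value, bool) else "expects true or false"
    if cond_name.startswith("Numeric"):
        ok = isinstance(value, (int, float)) and not isinstance(value, bool)
        return None if ok else "expects a JSON number"
    if not isinstance(value, str):
        return "expects a string"
    if cond_name.endswith("IpAddress"):
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            return f"{value!r} is not an IP address or CIDR range"
    return None

def lint(config):
    """Structural checks for an SNS event-forwarding configuration; returns a list of problems."""
    if isinstance(config, str):
        config = json.loads(config)
    if not isinstance(config, dict):
        return ["top level must be a JSON object"]
    problems = []
    if config.get("Version") != "2014-09-24":
        problems.append('"Version" must be the string "2014-09-24"')
    statements = config.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ['"Statement" must be a non-empty array']
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(st, dict):
            problems.append(f"{where}: must be an object")
            continue
        topic = st.get("Topic")
        if not isinstance(topic, str) or not TOPIC_ARN.match(topic):
            problems.append(f'{where}: "Topic" must be an SNS topic ARN')
        cond = st.get("Condition")
        if not isinstance(cond, dict) or not cond:
            problems.append(f'{where}: "Condition" must be a non-empty object')
            continue
        for name, pairs in cond.items():
            if name not in MULTI_VALUE:
                problems.append(f"{where}: unknown condition {name!r}")
                continue
            if not isinstance(pairs, dict) or not pairs:
                problems.append(f"{where}: {name} needs at least one key/value pair")
                continue
            for key, value in pairs.items():
                values = value if isinstance(value, list) else [value]
                if isinstance(value, list) and not MULTI_VALUE[name]:
                    problems.append(f"{where}: {name}[{key!r}] does not allow multiple values")
                if not values:
                    problems.append(f"{where}: {name}[{key!r}] has an empty value list")
                for v in values:
                    why = _value_problem(name, v)
                    if why:
                        problems.append(f"{where}: {name}[{key!r}] {why}")
    return problems

# The page's "different topics" example, reproduced as a known-good input.
GOOD = {"Version": "2014-09-24", "Statement": [
    {"Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic",
     "Condition": {"StringEquals": {"EventType": "SystemEvent"}}},
    {"Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic",
     "Condition": {"StringEquals": {"EventType": "IntegrityEvent"}}}]}

# A constructed configuration with one mistake of each kind the linter reports.
BAD = {"Version": "2014-09-25", "Statement": [
    {"Topic": "myTopic",
     "Condition": {"NumericGreaterThan": {"Severity": [3, 4]},
                   "Bool": {"DetectOnly": "false"},
                   "IpAddress": {"DestinationIP": "10.0.1.0/33"},
                   "StringContains": {"Title": "User"}}}]}
```

lint(GOOD) returns an empty list and lint(BAD) returns six findings (wrong Version, Topic that is not an ARN, a list given to a single-value condition, a string given to Bool, an invalid CIDR, an unknown condition name). It checks structure only: the two "what not to do" configurations in the previous section pass it unchanged, because nothing about their syntax is wrong; their problem is the or/and semantics, which needs the evaluation rules, not a type check.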