You can edit the JSON configuration that is used when you have enabled event forwarding to Amazon SNS topics. It defines which conditions an event must meet in order to be published to a topic.
The configuration language is modeled after Amazon's Policy language for SNS.
Each field is specified below. Basic SNS configuration looks like:
{ "Version": "2014-09-24", "Statement": [statement1, statement2, ...] }
For examples, see Example SNS configurations.
Version
The Version element specifies the version of the configuration language.
Note: The only currently valid value of "Version" is the string "2014-09-24".
"Version": "2014-09-24",
Statement
The Statement element is an array of individual statements. Each individual statement is a distinct
JSON object giving the SNS topic to send to if an event meets given conditions.
"Statement": [{...}, {...}, ...]
An individual statement has the form:
{ "Topic": "destination topic", "Condition": {conditions event must meet to be published to the destination topic} }
Topic
The Topic element must be the Amazon Resource Name of the SNS Topic to publish to.
"Topic": "arn:aws:sns:us-east-1:012345678901:myTopic"
Condition
The Condition element is the most complex part of the configuration. It contains one or more conditions
an event must match in order to be published to the topic.
Each condition can have one or more key-value pairs that the event must match (or
not match, depending on the type of condition) to be included in the topic. Keys are
any valid event property. (For event properties, see Events in JSON format). Valid values vary by key. Some keys support multiple values.
"Condition": { "ConditionName": { "key1": [value1, value2], "key2": value3 }, "ConditionName2": { "key3": [value4] }, ... }
Valid condition names and their syntax are described below.
Bool
The Bool condition performs Boolean matching. To match, an event must have a property with
the desired Boolean value. If the property in the event exists but is not itself a
Boolean value, the property is tested as follows:
- Numbers equal to 0 evaluate to false. Numbers not equal to 0 evaluate to true.
- Empty strings and the special strings "false" and "0" evaluate to false. Other strings evaluate to true.
- Any other property value in an event cannot be converted to a Boolean and will not match.
Allows for multiple values? No
The following example shows a configuration that publishes events that have a "DetectOnly"
property with a value false:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "Bool": { "DetectOnly": false } } } ] }
Exists
The Exists condition tests for the existence or non-existence of a property in an event. The
value of the property is not considered.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has
the property "Severity" but does not have the property "Title":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "Exists": { "Severity": true, "Title": false } } } ] }
IpAddress
The IpAddress condition tests that the value of an event's property is an IP address within a range given
in CIDR notation, or exactly equals a single IP address.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "DestinationIP" with an IP address in the range 10.0.1.0/24, or to 10.0.0.5:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "IpAddress": { "DestinationIP": ["10.0.1.0/24", "10.0.0.5"] } } } ] }
NotIpAddress
The NotIpAddress condition tests that the value of an event's property is not an IP address in any of the
specified IP address ranges.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "DestinationIP" with an IP address not in the range 10.0.0.0/8:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NotIpAddress": { "DestinationIP": "10.0.0.0/8" } } } ] }
NumericEquals
The NumericEquals condition tests the numeric value of an event's property equals one or more desired
values. If the property in the event exists but is not itself a numeric value, the
property is tested as follows:
- Strings are converted to numbers. Strings that cannot be converted to numbers will not match.
- Any other property value in an event cannot be converted to a number and will not match.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "Protocol" with the value 6 or 17:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericEquals": { "Protocol": [6, 17] } } } ] }
NumericNotEquals
The NumericNotEquals condition tests the numeric value of an event's property is not equal to any one
of an undesired set of values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "Protocol" not equal to 6, and the property "Risk" not equal to 2 or
3:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericNotEquals": { "Protocol": 6, "Risk" : [2, 3] } } } ] }
NumericGreaterThan
The NumericGreaterThan condition tests the numeric value of an event's property is strictly greater than
a desired value. If the property in the event exists but is not itself a numeric value
it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has
the property "Protocol" with the value greater than 6:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericGreaterThan": { "Protocol": 6 } } } ] }
NumericGreaterThanEquals
The NumericGreaterThanEquals condition tests the numeric value of an event's property is greater than or equal
to a desired value. If the property in the event exists but is not itself a numeric
value it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has
the property "Number" with a value greater than or equal to 600:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericGreaterThanEquals": { "Number": 600 } } } ] }
NumericLessThan
The NumericLessThan condition tests the numeric value of an event's property is strictly less than a
desired value. If the property in the event exists but is not itself a numeric value
it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has
the property "Number" with a value less than 1000:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericLessThan": { "Number": 1000 } } } ] }
NumericLessThanEquals
The NumericLessThanEquals condition tests the numeric value of an event's property is less than or equal to
a desired value. If the property in the event exists but is not itself a numeric value
it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has
the property "Number" with a value less than or equal to 500:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericLessThanEquals": { "Number": 500 } } } ] }
StringEquals
The StringEquals condition tests that the string value of an event's property is exactly equal to one or more
desired values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "EventType" equal to "SystemEvent" and property "TargetType" equal to
"User" or "Role":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringEquals": { "EventType": ["SystemEvent"], "TargetType" : ["User", "Role"] } } } ] }
StringNotEquals
The StringNotEquals condition tests the string value of an event's property does not equal any of an
undesired set of values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "EventType" not equal to "PacketLog" or "IntegrityEvent":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotEquals": { "EventType": ["PacketLog", "IntegrityEvent"] } } } ] }
StringEqualsIgnoreCase
The StringEqualsIgnoreCase condition is the same as the StringEquals condition, except string matching is performed
in a case-insensitive manner.
StringNotEqualsIgnoreCase
The StringNotEqualsIgnoreCase condition is the same as the StringNotEquals condition, except string matching is
performed in a case-insensitive manner.
StringLike
The StringLike condition tests that the string value of an event's property is equal to one or more desired
values, where the desired values may include the wildcard '*' to match any number
of characters or '?' to match a single character. String comparisons are case-sensitive.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has
the property "Title" which contains the string "User" or "Role":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringLike": { "Title": ["*User*", "*Role*"] } } } ] }
StringNotLike
The StringNotLike condition tests that the string value of an event's property is not equal to any
of an undesired set of values, where the values may include the wildcard '*' to match
any number of characters or '?' to match a single character. String comparisons are
case-sensitive.
Allows for multiple values? Yes
The following example shows a configuration that publishes all events except the "System
Settings Saved" event:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike": { "Title":"System Settings Saved" } } } ] }
The next example shows a configuration that publishes events when the event has the
property "Title" that does not start with "User" and does not end with "Created":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike": { "Title": ["User*", "*Created"] } } } ] }
Multiple statements vs. multiple conditions
If you create multiple statements for the same SNS topic, those statements are evaluated
as if they are joined by "or". If a statement contains multiple conditions, those
conditions are evaluated as if they are joined by "and".
Multiple statements
This is an example of what not to do. The first statement says to forward all events
other than "System Settings Saved". The second statement says to forward all "System
Settings Saved" events. The result is that all events will be forwarded because any
event will match either the condition in the first statement or the one in the second statement:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike" : { "Title" : "System Settings Saved" } } }, { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringLike" : { "Title" : "System Settings Saved" } } } ] }
Multiple conditions
This is another example of what not to do. The first condition says to forward all
events other than "System Settings Saved". The second condition says to forward all
"System Settings Saved" events. The result is that no events will be forwarded because
no event can match both the first condition and the second condition in the same statement:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike" : { "Title" : "System Settings Saved" }, "StringLike" : { "Title" : "System Settings Saved" } } } ] }
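As an added example (not code from the page's product or from AWS), here is a small Python evaluator of this configuration language that implements the statement/condition combination rule above and a subset of the condition types (Exists, IpAddress/NotIpAddress, NumericEquals/NumericNotEquals, StringEquals/StringNotEquals, StringLike/StringNotLike), run against the two "what not to do" configurations. It assumes that an absent property never matches a condition and that, for the Not variants, a value which cannot be converted counts as matching none of the listed values.

```python
import ipaddress
import re

def _num(v):  # rule from "NumericEquals": strings convert; anything else never matches
    try:
        return float(v) if isinstance(v, (int, float, str)) and not isinstance(v, bool) else None
    except ValueError:
        return None

def _like(a, pattern):  # only '*' and '?' are wildcards; everything else is literal
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return isinstance(a, str) and re.fullmatch(rx, a) is not None
_OPS = {  # positive test for one (event value, wanted value) pair
    "IpAddress": lambda a, w: ipaddress.ip_address(a) in ipaddress.ip_network(w, strict=False),
    "NumericEquals": lambda a, w: _num(a) is not None and _num(a) == w,
    "StringEquals": lambda a, w: isinstance(a, str) and a == w,
    "StringLike": _like,
}
_NEGATED = {  # "Not" variants match only when the value matches none of the listed values
    "NotIpAddress": "IpAddress", "NumericNotEquals": "NumericEquals",
    "StringNotEquals": "StringEquals", "StringNotLike": "StringLike"}

def condition_matches(name, spec, event):
    """True when every key of one condition object (e.g. one "StringLike" block) matches."""
    for key, wanted in spec.items():
        if name == "Exists":  # presence only; the property's value is ignored
            if (key in event) != wanted:
                return False
            continue
        if key not in event:  # assumption: an absent property never matches
            return False
        values = wanted if isinstance(wanted, list) else [wanted]
        hit = any(_OPS[_NEGATED.get(name, name)](event[key], w) for w in values)
        if hit == (name in _NEGATED):
            return False
    return True

def topics_for(config, event):
    """Statements are OR'ed (each tried on its own); conditions inside a statement are AND'ed."""
    return [s["Topic"] for s in config["Statement"]
            if all(condition_matches(n, c, event) for n, c in s["Condition"].items())]

# Constructed inputs: the page's two "what not to do" configurations and two sample events.
TOPIC = "arn:aws:sns:us-east-1:012345678901:myTopic"
SAVED, OTHER = {"Title": "System Settings Saved"}, {"Title": "User Created", "Severity": "4"}
TWO_STATEMENTS = {"Version": "2014-09-24", "Statement": [
    {"Topic": TOPIC, "Condition": {"StringNotLike": {"Title": "System Settings Saved"}}},
    {"Topic": TOPIC, "Condition": {"StringLike": {"Title": "System Settings Saved"}}}]}
TWO_CONDITIONS = {"Version": "2014-09-24", "Statement": [{"Topic": TOPIC, "Condition": {
    "StringNotLike": {"Title": "System Settings Saved"}, "StringLike": {"Title": "System Settings Saved"}}}]}
```

With these inputs, topics_for(TWO_STATEMENTS, event) returns the topic for every event, while topics_for(TWO_CONDITIONS, event) returns an empty list for every event.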
Example SNS configurations
These configurations send matching events for some specific scenarios. For more event
property names and values that you can use to filter SNS topics, see Events in JSON format.
Send all critical intrusion prevention events to an SNS topic
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericEquals": { "Severity": 4 }, "StringEquals" : { "EventType" : "PayloadLog" } } } ] }
Send different events to different SNS topics
This example shows sending all system events to one topic and all integrity monitoring
events to a different topic.
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic", "Condition": { "StringEquals" : { "EventType" : "SystemEvent" } } }, { "Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic", "Condition": { "StringEquals" : { "EventType" : "IntegrityEvent" } } } ] }