You can edit the JSON configuration that is used when you have enabled event forwarding to Amazon SNS topics. It defines which conditions an event must meet to be published to a topic. The configuration language is modeled after Amazon's policy language for SNS.

Each field is specified below. The basic SNS configuration is as follows:

    {
      "Version": "2014-09-24",
      "Statement": [statement1, statement2, ...]
    }

For examples, see Example SNS configurations.
Version

The Version element specifies the version of the configuration language. The only currently valid value of "Version" is the string "2014-09-24".

    "Version": "2014-09-24",
Statement

The Statement element is an array of individual statements. Each individual statement is a distinct JSON object giving the SNS topic to send to if an event meets given conditions.

    "Statement": [{...}, {...}, ...]

An individual statement has the following form:

    {
      "Topic": "destination topic",
      "Condition": {conditions event must meet to be published to the destination topic}
    }
Topic

The Topic element must be the Amazon Resource Name (ARN) of the SNS topic to which to publish.

    "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic"
Condition

The Condition element is the most complex part of the configuration. It contains one or more conditions an event must match to be published to the topic.

Each condition can have one or more key-value pairs that the event must match (or not match, depending on the type of condition) to be included in the topic. Keys are any valid event property (see Events in JSON format). Valid values vary by key. Some keys support multiple values.

    "Condition": {
      "ConditionName": {
        "key1": [value1, value2],
        "key2": value3
      },
      "ConditionName2": {
        "key3": [value4]
      },
      ...
    }

The following are the valid condition names and their syntax:
Bool

The Bool condition performs Boolean matching. To match, an event must have a property with the desired Boolean value. If the property in the event exists but is not itself a Boolean value, the property is tested as follows:
- Numbers equal to 0 evaluate to false. Numbers not equal to 0 evaluate to true.
- Empty strings and the special strings "false" and "0" evaluate to false. Other strings evaluate to true.
- Any other property value in an event cannot be converted to a Boolean and cannot match.

Allows for multiple values? No

The following example shows a configuration that publishes events that have a "DetectOnly" property with a value of false:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "Bool": { "DetectOnly": false }
          }
        }
      ]
    }
Exists

The Exists condition tests for the existence or non-existence of a property in an event. The value of the property is not considered.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Severity" but does not have the property "Title":

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "Exists": { "Severity": true, "Title": false }
          }
        }
      ]
    }
IpAddress

The IpAddress condition tests that the value of an event's property is an IP address in a range given in CIDR format, or exactly equals a single IP address.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address in the range 10.0.1.0/24, or equal to 10.0.0.5:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "IpAddress": { "DestinationIP": ["10.0.1.0/24", "10.0.0.5"] }
          }
        }
      ]
    }
NotIpAddress

The NotIpAddress condition tests that the value of an event's property is not an IP address in any of the specified IP address ranges.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address not in the range 10.0.0.0/8:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NotIpAddress": { "DestinationIP": "10.0.0.0/8" }
          }
        }
      ]
    }
NumericEquals

The NumericEquals condition tests that the numeric value of an event's property equals one of one or more desired values. If the property in the event exists but is not itself a numeric value, the property is tested as follows:
- Strings are converted to numbers. Strings that cannot be converted to numbers do not match.
- Any other property value in an event cannot be converted to a number and does not match.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Protocol" with the value 6 or 17:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericEquals": { "Protocol": [6, 17] }
          }
        }
      ]
    }
NumericNotEquals

The NumericNotEquals condition tests that the numeric value of an event's property is not equal to any one of an undesired set of values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Protocol" not equal to 6, and the property "Risk" not equal to 2 or 3:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericNotEquals": { "Protocol": 6, "Risk": [2, 3] }
          }
        }
      ]
    }
NumericGreaterThan

The NumericGreaterThan condition tests that the numeric value of an event's property is strictly greater than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Protocol" with a value greater than 6:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericGreaterThan": { "Protocol": 6 }
          }
        }
      ]
    }
NumericGreaterThanEquals

The NumericGreaterThanEquals condition tests that the numeric value of an event's property is greater than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value greater than or equal to 600:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericGreaterThanEquals": { "Number": 600 }
          }
        }
      ]
    }
NumericLessThan

The NumericLessThan condition tests that the numeric value of an event's property is strictly less than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value less than 1000:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericLessThan": { "Number": 1000 }
          }
        }
      ]
    }
NumericLessThanEquals

The NumericLessThanEquals condition tests that the numeric value of an event's property is less than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value less than or equal to 500:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericLessThanEquals": { "Number": 500 }
          }
        }
      ]
    }
StringEquals

The StringEquals condition tests that the string value of an event's property is strictly equal to one of one or more desired values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "EventType" equal to "SystemEvent" and the property "TargetType" equal to "User" or "Role":

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringEquals": { "EventType": ["SystemEvent"], "TargetType": ["User", "Role"] }
          }
        }
      ]
    }
StringNotEquals

The StringNotEquals condition tests that the string value of an event's property does not equal any of an undesired set of values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "EventType" not equal to "PacketLog" or "IntegrityEvent":

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringNotEquals": { "EventType": ["PacketLog", "IntegrityEvent"] }
          }
        }
      ]
    }
StringEqualsIgnoreCase

The StringEqualsIgnoreCase condition is the same as the StringEquals condition, except that string matching is performed in a case-insensitive manner.

StringNotEqualsIgnoreCase

The StringNotEqualsIgnoreCase condition is the same as the StringNotEquals condition, except that string matching is performed in a case-insensitive manner.

StringLike

The StringLike condition tests that the string value of an event's property is equal to one of one or more desired values, where the desired values may include the wildcard * to match any number of characters, or ? to match a single character. String comparisons are case-sensitive.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Title" containing the string "User" or "Role":

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringLike": { "Title": ["*User*", "*Role*"] }
          }
        }
      ]
    }
StringNotLike

The StringNotLike condition tests that the string value of an event's property is not equal to any of an undesired set of values, where the values may include the wildcard * to match any number of characters, or ? to match a single character. String comparisons are case-sensitive.

Allows for multiple values? Yes

The following example shows a configuration that publishes all events except the "System Settings Saved" event:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringNotLike": { "Title": "System Settings Saved" }
          }
        }
      ]
    }

The next example shows a configuration that publishes events when the event has a property "Title" that does not start with "User" and does not end with "Created":

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringNotLike": { "Title": ["User*", "*Created"] }
          }
        }
      ]
    }
Multiple statements vs. multiple conditions

If you create multiple statements for the same SNS topic, those statements are evaluated as if they are joined by OR. If a statement contains multiple conditions, those conditions are evaluated as if they are joined by AND.

Multiple statements

This is an example of what not to do. The first statement says to forward all events other than "System Settings Saved". The second statement says to forward all "System Settings Saved" events. The result is that all events are forwarded, because any event matches either the condition in the first statement or the one in the second statement:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringNotLike": { "Title": "System Settings Saved" }
          }
        },
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringLike": { "Title": "System Settings Saved" }
          }
        }
      ]
    }
Multiple conditions

This is another example of what not to do. The first condition says to forward all events other than "System Settings Saved". The second condition says to forward all "System Settings Saved" events. The result is that no events are forwarded, because no event can match both the first condition and the second condition of the same statement:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "StringNotLike": { "Title": "System Settings Saved" },
            "StringLike": { "Title": "System Settings Saved" }
          }
        }
      ]
    }
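To make the matching rules above concrete, here is a small evaluator, added as an illustration (hypothetical example code, not Deep Security's own matcher), that applies a configuration to an event: it performs the Bool and Numeric coercions, the IpAddress CIDR test and the * and ? wildcards of StringLike, ORs the statements and ANDs the conditions within a statement. It assumes that a property that is missing from the event, or that cannot be converted to the required type, never matches, for the Not* conditions as well.

```python
import ipaddress
import re
def to_bool(v):  # Bool coercion from the page; None means the value cannot be converted
    if isinstance(v, (bool, int, float)):
        return bool(v)
    return v not in ("", "false", "0") if isinstance(v, str) else None
def to_num(v):  # Numeric* coercion: strings are converted, other non-numbers cannot match
    try:
        return float(v) if isinstance(v, (int, float, str)) and not isinstance(v, bool) else None
    except ValueError:
        return None
def in_cidr(v, spec):  # spec is a CIDR range or a single address; non-IP values never match
    try:
        return ipaddress.ip_address(v) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
def like(a, pat):  # StringLike wildcards: * is any run of characters, ? exactly one character
    return re.fullmatch(re.escape(pat).replace(r"\*", ".*").replace(r"\?", "."), a, re.DOTALL) is not None

eq, ieq = (lambda a, b: a == b), (lambda a, b: a.lower() == b.lower())
# condition name -> (coercion of the event value, test against one desired value, negated?)
OPS = {
    "Bool": (to_bool, eq, False),
    "IpAddress": (str, in_cidr, False), "NotIpAddress": (str, in_cidr, True),
    "NumericEquals": (to_num, eq, False), "NumericNotEquals": (to_num, eq, True),
    "NumericGreaterThan": (to_num, lambda a, b: a > b, False),
    "NumericGreaterThanEquals": (to_num, lambda a, b: a >= b, False),
    "NumericLessThan": (to_num, lambda a, b: a < b, False),
    "NumericLessThanEquals": (to_num, lambda a, b: a <= b, False),
    "StringEquals": (str, eq, False), "StringNotEquals": (str, eq, True),
    "StringEqualsIgnoreCase": (str, ieq, False), "StringNotEqualsIgnoreCase": (str, ieq, True),
    "StringLike": (str, like, False), "StringNotLike": (str, like, True),
}

def condition_matches(name, spec, event):
    if name == "Exists":  # only presence is tested; the property's value is ignored
        return all((key in event) == want for key, want in spec.items())
    coerce, test, negated = OPS[name]
    for key, wanted in spec.items():
        actual = coerce(event[key]) if key in event else None
        if actual is None:  # assumption: a missing or unconvertible property never matches
            return False
        hit = any(test(actual, v) for v in (wanted if isinstance(wanted, list) else [wanted]))
        if hit == negated:  # positive conditions need a hit, Not* conditions need none
            return False
    return True

def topics_for(config, event):  # statements are OR'd; conditions within one statement are AND'd
    return [s["Topic"] for s in config["Statement"]
            if all(condition_matches(n, c, event) for n, c in s["Condition"].items())]
```

Running the two "what not to do" configurations above through topics_for shows the difference directly: the two-statement version returns the topic for every event, the two-condition version for none.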
Example SNS configurations

These configurations send matching events for some specific scenarios. For more event property names and values that you can use to filter SNS topics, see Events in JSON format.

Send all critical intrusion prevention events to an SNS topic

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
          "Condition": {
            "NumericEquals": { "Severity": 4 },
            "StringEquals": { "EventType": "PayloadLog" }
          }
        }
      ]
    }

Send different events to different SNS topics

This example shows sending all system events to one topic and all integrity monitoring events to a different topic:

    {
      "Version": "2014-09-24",
      "Statement": [
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic",
          "Condition": {
            "StringEquals": { "EventType": "SystemEvent" }
          }
        },
        {
          "Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic",
          "Condition": {
            "StringEquals": { "EventType": "IntegrityEvent" }
          }
        }
      ]
    }