AWS CloudTrail Monitoring Using Event-Driven Ansible

AWS CloudTrail is a service that tracks everything happening in your AWS environment. It makes it easier to track activities like unauthorized access, configuration changes, or unusual behavior. It also supports compliance and auditing by maintaining a clear history of activity. 

When we integrate CloudTrail with Event-Driven Ansible, we can automatically respond to these events in real time without manual intervention. This integration turns monitoring into action, helping teams keep their cloud systems secure, reliable, and easier to manage as they scale.

In this article, I will walk you through a practical example of integrating Event-Driven Ansible with AWS CloudTrail. You will learn how to use the ansible.eda.aws_cloudtrail module within Ansible Event-Driven Automation to monitor RunInstances (when an EC2 instance is launched) and TerminateInstances (when an instance is shut down and permanently deleted) events, and automatically trigger a workflow in response. 

This automation can be extended to handle a wide range of security and operational events captured by AWS CloudTrail. It can run customized actions or workflows based on the specific needs and policies of the organization.

About the Module

The ansible.eda.aws_cloudtrail module allows Ansible Event-Driven Automation to directly poll and consume events from AWS CloudTrail without needing additional services. It enables real-time monitoring and automation by triggering Ansible playbooks in response to specific events, such as instance launches or IAM changes.

Demo Scripts

In this demo, I am running an Event-Driven Ansible script that monitors AWS CloudTrail events. To trigger the automation, I am launching and terminating EC2 instances through the AWS Console. 

Once a matching event like RunInstances or TerminateInstances is detected, the script triggers a playbook that prints the event name and timestamp. This setup can be extended to perform more advanced automation based on the event details.

cloud-trail-demo.yaml

In the script below, we're monitoring CloudTrail events from the us-east-2 region and checking for new events every 5 seconds. It includes two rules — when event.CloudTrailEvent.eventName matches either RunInstances or TerminateInstances, the corresponding playbook is triggered automatically.  

It will display the event name using the Ansible EDA variable, ansible_eda.event.CloudTrailEvent.eventName, along with the exact time it occurred using ansible_eda.event.CloudTrailEvent.eventTime, making it easy for users to identify which event was triggered and when.

- name: AWS CloudTrail Monitoring Demo
  hosts: localhost
  sources:
    - ansible.eda.aws_cloudtrail:
        region: 'us-east-2'
        delay_seconds: 5
  rules:
    - name: Monitor RunInstances Events
      condition: event.CloudTrailEvent.eventName == 'RunInstances'
      action:
        run_playbook:
          name: run-instances.yml
    - name: Monitor TerminateInstances Events
      condition: event.CloudTrailEvent.eventName == 'TerminateInstances'
      action:
        run_playbook:
          name: terminate-instances.yml

run-instances.yml

---
- name: Print RunInstances debug message
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Print the RunInstance event details
      debug:
        msg: "Event Driven Ansible detected {{ ansible_eda.event.CloudTrailEvent.eventName }}  at {{ ansible_eda.event.CloudTrailEvent.eventTime }}"

terminate-instances.yml

---
- name: Print TerminateInstances debug message
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Print the TerminateInstances event details
      debug:
        msg: "Event Driven Ansible detected {{ ansible_eda.event.CloudTrailEvent.eventName }} at {{ ansible_eda.event.CloudTrailEvent.eventTime }}"

Demo Screenshots

Below are the screenshots showing AWS CloudTrail event details for both the RunInstancesand TerminateInstances actions, which include important information like the event name, timestamp, and user identity. 

The final screenshot shows the Ansible Event-Driven Automation script running in a terminal, continuously monitoring these events. When a matching event is detected, the script will trigger the corresponding playbook to print the event name and the time it occurred in the terminal.

RunInstances

TerminateInstances

Monitoring Script

Conclusion

In this demo,  we explored how we can connect Event Driven Ansible with AWS CloudTrail using the ansible.eda.aws_cloudtrail module to automate actions based on real-time AWS events. We tracked events like launching or terminating EC2 instances and automatically ran playbooks in response. 

This integration not only reduces manual effort but also enhances security, compliance, and operational efficiency. With further customization, it can be extended to support a wide range of cloud automation use cases tailored to organizational needs. 

Note: The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.