6. Testing the solution

In this last step we test the solution. Because CloudWatch Events acts as a bridge between the AWS Health notification and our Lambda function, the easiest way to test the automation is to invoke the Lambda function directly with a simulated event, which can be done from the Lambda console. Testing the CloudWatch Events rule itself requires the AWS CLI, so that we can send a mock event to CloudWatch Events and confirm that the rule delivers it to the function.

Option 1: Test using Lambda Test feature


  1. Navigate to the Lambda console by clicking on the Find Services search bar, typing Lambda in the search bar, and pressing Enter.

  2. Click on the Lambda function created in Step 4.

  3. Click on Select a test event drop-down next to the Test button.

  4. Click on Configure test events.

    Configure Test Event

  5. Enter an Event name, for example testdos.

  6. In the edit field, paste the input below:

Be sure to replace <<aws_account_id>> with your AWS account ID and <<Instance_ID_1>> and <<Instance_ID_2>> with the IDs of the instances you created as part of Step 2.

{
    "detail-type": "AWS Health Abuse Event",
    "source": "awsmock.health",
    "time": "2019-12-02T10:00:00Z",
    "resources": [
        "arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_1>>",
        "arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_2>>"
    ],
    "detail": {
        "eventArn": "arn:aws:health:global::event/AWS_ABUSE_DOS_REPORT_3223324344_3243_234_34_34",
        "service": "ABUSE",
        "eventTypeCode": "AWS_ABUSE_DOS_REPORT",
        "eventTypeCategory": "issue",
        "startTime": "Mon, 2 Dec 2019 10:00:00 GMT",
        "eventDescription": [
            {
                "language": "en_US",
                "latestDescription": "Denial of Service (DOS) attack has been reported to have been caused by AWS resources in your account."
            }
        ],
        "affectedEntities": [
            {
                "entityValue": "arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_1>>"
            },
            {
                "entityValue": "arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_2>>"
            }
        ]
    }
}
  7. Click on Create.

  8. Ensure that the testdos test event is selected in the drop-down, then click on Test.

  9. You should receive a notification, and the instance with the dev tag should now be stopped. You can also check the full execution logs by clicking on the Monitoring tab and then View logs in CloudWatch.

Option 2: Test by triggering mock CloudWatch event through AWS CLI


You need to have the AWS CLI installed. Installation instructions and how to retrieve temporary credentials for your Event Engine account can be found here.

Event sources in the aws. namespace are reserved for AWS services, so we cannot publish an event with the source aws.health ourselves. Instead, we simulate the event with a custom source (awsmock.health) and create a second rule that matches that source and forwards the event to the same Lambda function.

  1. Create another CloudWatch Events rule that captures the mock Health event, with the Lambda function created in Step 4 as its target. Name it mock_aws_health_dos_report_cwe_rule_reinvent and use the event pattern below.

    {
      "source": [
        "awsmock.health"
      ],
      "detail-type": [
        "AWS Health Abuse Event"
      ],
      "detail": {
        "service": [
          "ABUSE"
        ],
        "eventTypeCategory": [
          "issue"
        ],
        "eventTypeCode": [
          "AWS_ABUSE_DOS_REPORT"
        ]
      }
    }
    
  2. Create a file named mockpayload.json with the contents below.

Be sure to replace <<aws_account_id>> with your AWS account ID and <<Instance_ID_1>> and <<Instance_ID_2>> with the IDs of the instances you created as part of Step 2. Note that in the PutEvents format the Detail field is a JSON string (the escaped quotes are required), not a nested object as in the Option 1 payload.

[
    {
        "DetailType": "AWS Health Abuse Event",
        "Source": "awsmock.health",
        "Time": "2019-12-02T10:00:00Z",
        "Resources": [
            "arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_1>>",
            "arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_2>>"
        ],
        "Detail": "{\"eventArn\": \"arn:aws:health:global::event/AWS_ABUSE_DOS_REPORT_3223324344_3243_234_34_34\",\"service\": \"ABUSE\",\"eventTypeCode\": \"AWS_ABUSE_DOS_REPORT\",\"eventTypeCategory\": \"issue\",\"startTime\": \"Mon, 02 Dec 2019 10:00:00 GMT\",\"eventDescription\": [{\"language\": \"en_US\",\"latestDescription\": \"Denial of Service (DOS) attack has been reported to have been caused by AWS resources in your account.\"}],\"affectedEntities\": [{\"entityValue\": \"arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_1>>\"},{\"entityValue\": \"arn:aws:ec2:us-east-1:<<aws_account_id>>:instance/<<Instance_ID_2>>\"}]}"
    }
]
  3. Run the following command in your terminal. The response should report "FailedEntryCount": 0; if an entry is listed as failed, correct the payload before continuing. The mock rule then delivers the event to the Lambda function, and you can verify the result as in Option 1 (the dev-tagged instance is stopped and the invocation appears in the function's CloudWatch logs).

    aws events put-events --entries file://mockpayload.json --region us-east-1
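As an added example (not part of the workshop material), the script below ties the two options together in Python: it builds the same mock event used for the Lambda test in Option 1, converts it into the PutEvents entry shape used for mockpayload.json in Option 2, and checks it against the event pattern of the mock rule before anything is sent, so a payload that the rule would silently drop is caught locally. The account ID and instance IDs are constructed placeholders, the pattern matcher implements only exact-match semantics, and the `source_allowed()` and `send()` helpers are this example's own additions (the latter needs boto3 and credentials and is not called by default).

```python
"""Build, validate and optionally send the mock AWS Health abuse event.

Added example for the workshop's testing step; not the workshop's own code.
Account and instance IDs below are constructed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"                     # constructed placeholder
INSTANCE_IDS = ["i-0123456789abcdef0", "i-0fedcba9876543210"]  # placeholders
REGION = "us-east-1"

# Event pattern of mock_aws_health_dos_report_cwe_rule_reinvent, as created above.
MOCK_RULE_PATTERN = {
    "source": ["awsmock.health"],
    "detail-type": ["AWS Health Abuse Event"],
    "detail": {
        "service": ["ABUSE"],
        "eventTypeCategory": ["issue"],
        "eventTypeCode": ["AWS_ABUSE_DOS_REPORT"],
    },
}


def instance_arn(instance_id: str) -> str:
    return f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/{instance_id}"


def build_test_event(instance_ids, source: str = "awsmock.health") -> dict:
    """The event as the Lambda function receives it (Option 1 payload shape)."""
    arns = [instance_arn(i) for i in instance_ids]
    return {
        "detail-type": "AWS Health Abuse Event",
        "source": source,
        "time": "2019-12-02T10:00:00Z",
        "resources": arns,
        "detail": {
            "eventArn": "arn:aws:health:global::event/AWS_ABUSE_DOS_REPORT_3223324344_3243_234_34_34",
            "service": "ABUSE",
            "eventTypeCode": "AWS_ABUSE_DOS_REPORT",
            "eventTypeCategory": "issue",
            "startTime": "Mon, 2 Dec 2019 10:00:00 GMT",
            "eventDescription": [{
                "language": "en_US",
                "latestDescription": "Denial of Service (DOS) attack has been reported "
                                     "to have been caused by AWS resources in your account.",
            }],
            "affectedEntities": [{"entityValue": a} for a in arns],
        },
    }


def to_put_events_entry(event: dict) -> dict:
    """Convert to the PutEvents entry shape (Option 2): capitalised keys and
    Detail serialised as a JSON string rather than a nested object."""
    return {
        "DetailType": event["detail-type"],
        "Source": event["source"],
        "Time": event["time"],
        "Resources": list(event["resources"]),
        "Detail": json.dumps(event["detail"]),
    }


def parse_entry_detail(entry: dict) -> dict:
    """Decode the Detail string of a PutEvents entry back into an object."""
    return json.loads(entry["Detail"])


def source_allowed(source: str) -> bool:
    """Custom events cannot use the aws. namespace (reserved for AWS services),
    which is why the workshop uses awsmock.health instead of aws.health."""
    return not source.startswith("aws.")


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Exact-match subset of CloudWatch Events pattern semantics: every key in
    the pattern must be present in the event; a list lists the allowed values;
    a nested dict recurses. Content filters (prefix, anything-but, ...) are
    not implemented."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True


def write_payload(path: str = "mockpayload.json", instance_ids=INSTANCE_IDS) -> list:
    """Write the mockpayload.json file used by `aws events put-events`."""
    entries = [to_put_events_entry(build_test_event(instance_ids))]
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=4)
    return entries


def send(entries: list) -> int:
    """Equivalent of the CLI call; returns FailedEntryCount (0 means accepted).
    Requires boto3 and AWS credentials; not invoked by default."""
    import boto3  # imported here so the rest of the file works without it
    resp = boto3.client("events", region_name=REGION).put_events(Entries=entries)
    return resp["FailedEntryCount"]


if __name__ == "__main__":
    ev = build_test_event(INSTANCE_IDS)
    assert source_allowed(ev["source"]) and matches_pattern(ev, MOCK_RULE_PATTERN)
    print(json.dumps(write_payload(), indent=2))
```

Running the script writes mockpayload.json for the CLI step; calling `send()` does the same as the put-events command, and a non-zero return value is the same failure you would see as FailedEntryCount in the CLI output.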