EventBridge’s powerful pattern matching goes way beyond simple string equality, letting you filter events based on complex criteria, including IP address ranges defined by CIDR notation.

Let’s say you’re ingesting security logs from various sources, and you want to trigger an alert only when an event originates from a specific internal subnet or a known malicious IP range.

Here’s a sample event you might receive, representing an attempted login:

{
  "version": "0",
  "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
  "detail-type": "Security Event",
  "source": "aws.security",
  "account": "123456789012",
  "time": "2023-10-27T10:30:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventType": "FailedLogin",
    "userId": "admin",
    "sourceIp": "192.168.1.105",
    "timestamp": "2023-10-27T10:29:55Z"
  }
}

You want to match events where detail.sourceIp falls within the 192.168.1.0/24 subnet.

To achieve this, you define an EventBridge rule with a pattern that uses the cidr operator on the sourceIp field:

{
  "detail-type": ["Security Event"],
  "source": ["aws.security"],
  "detail": {
    "eventType": ["FailedLogin"],
    "sourceIp": [{
      "cidr": "192.168.1.0/24"
    }]
  }
}

When an event arrives, EventBridge evaluates this pattern. If the sourceIp in the event is 192.168.1.105, it matches the 192.168.1.0/24 CIDR block, and the rule will trigger. If the sourceIp were 10.0.0.5, it would not match.

This pattern matching is not limited to a single CIDR. You can specify multiple CIDR blocks, and the event will match if its IP address falls into any of them.

{
  "detail-type": ["Security Event"],
  "source": ["aws.security"],
  "detail": {
    "eventType": ["FailedLogin"],
    "sourceIp": [
      {"cidr": "192.168.1.0/24"},
      {"cidr": "10.0.0.0/16"}
    ]
  }
}

This rule would trigger if the sourceIp is within 192.168.1.0/24 OR 10.0.0.0/16.

The cidr operator is a powerful tool for network-aware event filtering, abstracting away the need to manually check IP address ranges in your event processing logic. It allows you to define network boundaries directly within your EventBridge rules, simplifying your architecture and reducing the complexity of your Lambda functions or other targets.

When you use the cidr operator, EventBridge applies the subnet mask and compares network addresses. For an IP address to match a CIDR block, the IP address must belong to the network defined by the CIDR’s network address and subnet mask. For example, 192.168.1.105 falls within 192.168.1.0/24 because when you apply the /24 mask (which is 255.255.255.0) to each of them, both the IP and the CIDR block resolve to the same network address, 192.168.1.0.
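To make the mask-and-compare step concrete, here is a small local evaluator in Python. It is an added example, not code from this post or from AWS, and it only approximates the subset of EventBridge pattern semantics used here: exact string alternatives, nested objects, and the cidr operator. The sample event, the pattern, and the names ip_in_cidr, pattern_matches and evaluate are all constructed for the example. It also shows the cases a practitioner wants handled: an event that lacks the field, a malformed address, or an address of the wrong IP version all fall through as a non-match instead of raising.

```python
import ipaddress
from typing import Any

# Constructed sample event, the same shape as the FailedLogin event in the post.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "Security Event",
    "source": "aws.security",
    "detail": {
        "eventType": "FailedLogin",
        "userId": "admin",
        "sourceIp": "192.168.1.105",
    },
}

# The post's second rule: two CIDR alternatives on detail.sourceIp (OR semantics).
PATTERN = {
    "detail-type": ["Security Event"],
    "source": ["aws.security"],
    "detail": {
        "eventType": ["FailedLogin"],
        "sourceIp": [{"cidr": "192.168.1.0/24"}, {"cidr": "10.0.0.0/16"}],
    },
}


def ip_in_cidr(ip: str, cidr: str) -> bool:
    """Mask-and-compare check, as the post describes it.

    Both the candidate address and the CIDR's network address are ANDed with
    the subnet mask; they match when the results are equal. Malformed input is
    treated as a non-match rather than an error, so one bad field in an event
    cannot break rule evaluation.
    """
    try:
        network = ipaddress.ip_network(cidr, strict=False)
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != network.version:
        return False  # an IPv6 address never matches an IPv4 block, and vice versa
    mask = int(network.netmask)
    return (int(addr) & mask) == (int(network.network_address) & mask)


def _value_matches(value: Any, alternatives: list) -> bool:
    """One pattern field: a list of alternatives, any of which may match (OR)."""
    for alt in alternatives:
        if isinstance(alt, dict):
            # Only the cidr operator is modelled here (hypothetical simplification).
            if "cidr" in alt and isinstance(value, str) and ip_in_cidr(value, alt["cidr"]):
                return True
        elif alt == value:
            return True
    return False


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Every field in the pattern must match (AND); nested objects recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # missing field: the rule does not fire
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif not _value_matches(actual, expected):
            return False
    return True


def evaluate(source_ip: str) -> bool:
    """Run the constructed sample event through PATTERN with the given sourceIp."""
    event = {**SAMPLE_EVENT, "detail": {**SAMPLE_EVENT["detail"], "sourceIp": source_ip}}
    return pattern_matches(PATTERN, event)


if __name__ == "__main__":
    for ip in ["192.168.1.105", "10.0.42.7", "10.1.0.1", "172.16.0.1", "not-an-ip"]:
        print(f"{ip:>15} -> {'match' if evaluate(ip) else 'no match'}")
```

The interesting line is the return in ip_in_cidr: it is exactly the /24 arithmetic from the paragraph above, generalized to any prefix length, and the same expression works for an IPv6 block because ipaddress gives you the mask as an integer. Keeping the evaluator pure (no network calls, no side effects) means you can run a batch of captured events through a rule locally before deploying it.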

What often trips people up is using a simple string match for IP addresses when they actually need to match a range. The cidr operator is the correct and only way to do this within EventBridge patterns. Trying to enumerate every address in a subnet as a list of string alternatives would be unmanageable and error-prone.

The next step after mastering IP CIDR matching is to explore how to combine it with other data points in your events using logical AND and OR operators within more complex event patterns.
