How to configure notifications via AWS S3 in custom rules #
As a first step, you need to create an integration between the Cloud8 Platform and an AWS S3 Bucket , as described in the linked document, if you haven’t done so already. After that, follow these steps:
Configure new notification with S3 #
After registering an integration of the “S3 Bucket” type, in “Integrations” on the platform, a synchronization will be made with Best Practices. With this, it will be possible to view a new “S3” type notification in Best Practices, as shown below:
1. Within Best Practices , access “ Global Notifications ”
2. Select the “ Config Notifications ” tab. The integrated S3 notification will be listed with the name.
NOTE: Since it is synchronized, it will not be possible to edit or delete the registration. To do this, use the “ Integrations ” screen within the Cloud8 platform.
Configure S3 integration in custom rule notifications #
1. Locate the icon in the image below to open the watering notifications customization screen.
2. Select the AWS S3 notification previously registered in the previous step
3. When selecting an AWS S3 notification, the scheduler must be selected as “ Immediately ”.
From this point on, Best Practices will upload the notification JSON files related to the alerts generated by the rule executions to the previously configured S3 Bucket.
Below is an example of the S3 Bucket notification JSON file:
Configuring Notification with S3 in Filter Group Notification Customizations #
1. Open the group notification customization screen (as shown in the image)
2. Select the previously registered AWS S3 notification
When selecting an AWS S3 notification, the scheduler must be selected as “ Immediately ”.
From this point on, Best Practices will upload the notification JSON files related to the alerts generated by the rule filter executions to the S3 Bucket, previously configured in step 1.
The file will have the suffix group-filter–.json’. Below is an example of the S3 Bucket notification JSON file:
Global Notifications #
Configuration for all providers #
To configure all rules once, simply use the “Global Notifications” menu, as shown in the example below:
Configuration by provider
It is also possible to configure global notifications by provider. To do this, simply click – in the same “ Global Notifications ” menu – the “ All Providers ” option and select the desired provider.
This will produce a file in the Bucket (with each execution of a rule supported by the provider) with the result lines only from the selected provider. The file will have the suffix ‘provider–.json’. See the example:
[image]
AWS S3 Notification – JSON Format File #
File directory structure in AWS S3 bucket #
Best Practices will upload the notification JSON files into the following directory structure in the bucket:
bestpractices/yyyy/MM/dd/rules/- bestpractices/ – root directory;
- yyyy/MM/dd/ – generation subdirectories by year, month and day – date (UTC format);
- rules/ – subdirectory indicating rules notification files;
Example of file generated in directory structure:
bestpractices/2024/11/12/rules/ecs-container-account-settings-arn-format-disabled-17-36-27_702.jsonFile structure in JSON format #
providers #
List of providers with rule results. Each item in the list has two fields:
- id : AWS, Azure, GCP, or OCI provider identifier
- name : name of the AWS, Azure, GCP or OCI provider
Example:
"providers": [
{
"id": "xxxxxxxxxxxx",
"name": "Provedor 1 (aws)"
},
{
"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"name": "Provedor 2 (azure)"
}
]reports #
List of rules, results, settings, and unmonitored items that make up the notification. Each item in the list has the following fields:
- category : rule category
- product : name of the cloud provider product/service (AWS, Azure, GCP or OCI)
- id : rule identifier
- rule : rule name
- description : rule description
- instant : date and time of execution in milliseconds
- executionDateTimeUtc : date and time of rule execution in ISO and UTC
- headers : name of the columns in the results table
Example :
{
"category": "Compliance & Availability",
"product": "ECS - Container",
"id":
"ECS_CONTAINER_ACCOUNT_SETTINGS_ARN_FORMAT_DISABLED",
"rule": "ECS settings with ARN new format disabled",
"description": "Checks if your ECS effective settings for container, service or task resources with ARN new format is disabled. Notice this settings are obtained using the provided credentials with effective settings on for the API call. For more information, see \t<a href=\"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids\" target=\"_blank\"> \tAmazon Resource Names (ARNs) and IDs \t",
"instant": 1731417439624,
"executionDateTimeUtc": "2024-11-12T13:17:19.624",
"headers":
[
"Region",
"Enabled for services?",
"Enabled for container instances?",
"Enabled for tasks?"
],
….- changes : details of the changes that occurred in the execution of the rule
- new : new items that are now being alerted
- unchanged : items unchanged
- removed : items removed by filter, manually or because the problem was actually resolved.
- results : list of items that make up the results table, with the following fields:
- provider : provider identifier (same id as the providers field detailed above)
- results : results table, which contains the fields:
- columns : result items (follow the order of the columns defined in headers)
- kind : severity identifier of the provider line, with the worst result for it, which can be:
- DANGER : critical
- WARN : alert
- INFO : suggestion
- CREDENTIAL_ISSUE : Issues with provider credentials
- identifier : Unique identifier of the result row within the rule in question. Note that this identifier is unique only per rule, and may collide in different rules.
Example :
"changes":
{
"new": [
{
"provider": "212283722463",
"results": [
{
"columns": [
"ap-northeast-2",
"false",
"false",
"false"
],
"kind": "DANGER",
"identifier": "3ff034de2c21a29c45028ca174022320da3dc52806cbc30dbd61a5ed8e13ee8fd61c
611a453acd79da2c7baa9a4554cc7f4d4e59509d1ec3753007bba6dcbe3a"
},
{
"columns": [
"ap-northeast-1",
"false",
"false",
"false"
],
"kind": "DANGER",
"identifier": "2d2d410aec1e6687af5932ce60ddb431a982e69f27a4e5b97fa86bdc7d48694e96e32
8e0c1cae49e4761c12bc1ad4a5a28d1ebd5a991b9122cc13fefe77c963e"
}
]
}
],
"unchanged": [
{
"provider": "445156452954",
"results": [
{
"columns": [
"us-east-1",
"false",
"false",
"false"
],
"kind": "DANGER",
"identifier": "0158bf11f1f79560ee367934350d5b33965ca8711e77352ae7a51c6469b7f7b33e386e627b
6ab300352b96d3f50815174f8150c89a8a7fc785c559037ae78b82"
},
{
"columns": [
"us-west-1",
"false",
"false",
"false"
],
"kind": "DANGER",
"identifier": "ed4025a67ea72b201eeec3d7f02d84603261f99e0d5df9778e309e59c75b7f6f05ed
76bfd98f84af2f3c9db341b084a3bced70e5687b8c70b2b23790301257a5"
}
]
}
],
"removed": [
{
"provider": "212283722463",
"results": [
{
"columns": [
"us-west-2",
"false",
"false",
"false"
],
"kind": "DANGER",
"identifier": "2dca98b5b52ff9bf692822143ee6e26c7c0a347014e6ce5b86dee23c5db117e2c1e01
49eaf7c093cdb7c65e73e926fb3def592868cb8a56aef97365e0846cbc3"
},
{
"columns": [
"us-east-1",
"false",
"false",
"false"
],
"kind": "DANGER",
"identifier": "a289365994a8004a7db465d383fdf4721c1befbed238c5a8c5657546c300d8b3e1
7adceba75c5b937af24e6550f887136ad34f8b33e00fa34e796647731948af"
}
]
}
]
},
"kind": "DANGER"conditions #
List of filter settings in the rule, containing the following fields:
- name : filter name
- option : name of the field to filter the result
- operation : operator that will be used when filtering the result
- value : value to be filtered out of the result
Example :
"conditions": [
{
"name": "Filter 1",
"option": "ContainerAccountSettings.region",
"operation": "=",
"value": "ap-northeast-1"
}
],
…- kind : rule severity identifier, with the worst result for it, which can be:
- DANGER : critical
- WARN : alert
- INFO : suggestion
- CREDENTIAL_ISSUE : Issues with provider credentials
Name of the generated file #
The notification files will be generated in a bucket folder as previously standardized.
The generated files are generated according to the following standardization:
Notification by rule: #
[ID da regra]-[HH-mm-ss_SSS].json - horário (UTC);Exemplo: ecs-container-account-settings-arn-format-disabled-17-36-27_702.json
Notification by rule group: #
[ID da regra]-grou-filter-[ID do group filter]-[HH-mm-ss_SSS].json - horário (UTC);Exemplo: ecs-container-account-settings-arn-format-disabled-group-filter-1-17-36-27_702.json
Notification (global) by provider: #
[ID da regra]-provider-[ID do provider]-[HH-mm-ss_SSS].json - horário (UTC);Exemplo: ecs-container-account-settings-arn-format-disabled-provider-123-17-36-27_702.json
NOTE : Each generated file is unique and is not overwritten.
