SNS configuration in JSON format
You can edit the JSON configuration that is used when you have enabled event forwarding to Amazon SNS topics. It defines which conditions an event must meet in order to be published to a topic. The configuration language is modeled after Amazon's Policy language for SNS.
Each field is specified below. Basic SNS configuration looks like:
{ "Version": "2014-09-24", "Statement": [statement1, statement2, ...] }
For examples, see Example SNS configurations.
Version
The Version element specifies the version of the configuration language.
The only currently valid value of "Version" is the string "2014-09-24".
"Version": "2014-09-24",
Statement
The Statement element is an array of individual statements. Each individual statement is a distinct JSON object giving the SNS topic to send to if an event meets given conditions.
"Statement": [{...}, {...}, ...]
An individual statement has the form:
{ "Topic": "destination topic", "Condition": {conditions event must meet to be published to the destination topic} }
Topic
The Topic element must be the Amazon Resource Name of the SNS Topic to publish to.
"Topic": "arn:aws:sns:us-east-1:012345678901:myTopic"
Condition
The Condition element is the most complex part of the configuration. It contains one or more conditions an event must match in order to be published to the topic.
Each condition can have one or more key-value pairs that the event must match (or not match, depending on the type of condition) to be included in the topic. Keys are any valid event property. (For event properties, see Events in JSON format). Valid values vary by key. Some keys support multiple values.
"Condition": { "ConditionName": { "key1": [value1, value2], "key2": value3 }, "ConditionName2": { "key3": [value4] }, ... }
Valid condition names and their syntax are described below.
Bool
The Bool condition performs Boolean matching. To match, an event must have a property with the desired Boolean value. If the property in the event exists but is not itself a Boolean value, the property is tested as follows:
- Numbers equal to 0 evaluate to false. Numbers not equal to 0 evaluate to true.
- Empty strings and the special strings "false" and "0" evaluate to false. Other strings evaluate to true.
- Any other property value in an event cannot be converted to a Boolean and will not match.
Allows for multiple values? No
The following example shows a configuration that publishes events that have a "DetectOnly" property with a value false:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "Bool": { "DetectOnly": false } } } ] }
Exists
The Exists condition tests for the existence or non-existence of a property in an event. The value of the property is not considered.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Severity" but does not have the property "Title":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "Exists": { "Severity": true, "Title": false } } } ] }
IpAddress
The IpAddress condition tests that the value of an event's property is an IP address within a range given in CIDR format, or exactly equals a single IP address.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address in the range 10.0.1.0/24, or equal to 10.0.0.5:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "IpAddress": { "DestinationIP": ["10.0.1.0/24", "10.0.0.5"] } } } ] }
NotIpAddress
The NotIpAddress condition tests that the value of an event's property is not an IP address in any of the specified IP address ranges.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address not in the range 10.0.0.0/8:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NotIpAddress": { "DestinationIP": "10.0.0.0/8" } } } ] }
NumericEquals
The NumericEquals condition tests that the numeric value of an event's property equals any of one or more desired values. If the property in the event exists but is not itself a numeric value, the property is tested as follows:
- Strings are converted to numbers. Strings that cannot be converted to numbers will not match.
- Any other property value in an event cannot be converted to a number and will not match.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "Protocol" with the value 6 or 17:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericEquals": { "Protocol": [6, 17] } } } ] }
NumericNotEquals
The NumericNotEquals condition tests that the numeric value of an event's property is not equal to any of an undesired set of values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "Protocol" not equal to 6, and the property "Risk" not equal to 2 or 3:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericNotEquals": { "Protocol": 6, "Risk" : [2, 3] } } } ] }
NumericGreaterThan
The NumericGreaterThan condition tests that the numeric value of an event's property is strictly greater than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Protocol" with the value greater than 6:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericGreaterThan": { "Protocol": 6 } } } ] }
NumericGreaterThanEquals
The NumericGreaterThanEquals condition tests that the numeric value of an event's property is greater than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Number" with a value greater than or equal to 600:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericGreaterThanEquals": { "Number": 600 } } } ] }
NumericLessThan
The NumericLessThan condition tests that the numeric value of an event's property is strictly less than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Number" with a value less than 1000:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericLessThan": { "Number": 1000 } } } ] }
NumericLessThanEquals
The NumericLessThanEquals condition tests that the numeric value of an event's property is less than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.
Allows for multiple values? No
The following example shows a configuration that publishes events when the event has the property "Number" with a value less than or equal to 500:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericLessThanEquals": { "Number": 500 } } } ] }
StringEquals
The StringEquals condition tests that the string value of an event's property is exactly equal to any of one or more desired values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "EventType" equal to "SystemEvent" and property "TargetType" equal to "User" or "Role":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringEquals": { "EventType": ["SystemEvent"], "TargetType" : ["User", "Role"] } } } ] }
StringNotEquals
The StringNotEquals condition tests that the string value of an event's property does not equal any of an undesired set of values.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "EventType" not equal to "PacketLog" or "IntegrityEvent":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotEquals": { "EventType": ["PacketLog", "IntegrityEvent"] } } } ] }
StringEqualsIgnoreCase
The StringEqualsIgnoreCase condition is the same as the StringEquals condition, except string matching is performed in a case-insensitive manner.
StringNotEqualsIgnoreCase
The StringNotEqualsIgnoreCase condition is the same as the StringNotEquals condition, except string matching is performed in a case-insensitive manner.
StringLike
The StringLike condition tests that the string value of an event's property matches any of one or more desired values, where the desired values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.
Allows for multiple values? Yes
The following example shows a configuration that publishes events when the event has the property "Title" whose value contains the string "User" or "Role":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringLike": { "Title": ["*User*", "*Role*"] } } } ] }
StringNotLike
The StringNotLike condition tests that the string value of an event's property is not equal to any of an undesired set of values, where the values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.
Allows for multiple values? Yes
The following example shows a configuration that publishes all events except the "System Settings Saved" event:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike": { "Title":"System Settings Saved" } } } ] }
The next example shows a configuration that publishes events when the event has the property "Title" that does not start with "User" and does not end with "Created":
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike": { "Title": ["User*", "*Created"] } } } ] }
Multiple statements vs. multiple conditions
If you create multiple statements for the same SNS topic, those statements are evaluated as if they are joined by "or". If a statement contains multiple conditions, those conditions are evaluated as if they are joined by "and".
Multiple statements
This is an example of what not to do. The first statement says to forward all events other than "System Settings Saved". The second statement says to forward all "System Settings Saved" events. The result is that all events will be forwarded because any event will match either the condition in the first statement or the one in the second statement:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike" : { "Title" : "System Settings Saved" } } }, { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringLike" : { "Title" : "System Settings Saved" } } } ] }
Multiple conditions
This is another example of what not to do. The first condition says to forward all events other than "System Settings Saved". The second condition says to forward all "System Settings Saved" events. The result is that no events will be forwarded because no event can match both the first condition and the second condition of the same statement:
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike" : { "Title" : "System Settings Saved" }, "StringLike" : { "Title" : "System Settings Saved" } } } ] }
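As an added illustration (not part of this documentation or of the product), the following Python evaluator implements the condition semantics described in the sections above and the composition rule of this section: statements are tried independently ("or"), while every key of every condition inside one statement must hold ("and"). Property names and configurations used with it are the page's own; treating an absent or unconvertible property as matching nothing, including the Not* conditions, is an assumption.

```python
import fnmatch
import ipaddress

MISSING = object()  # sentinel: the property is absent from the event

def _compare(cond, actual, wanted):
    """Positive comparator; None if the event value cannot be coerced (no match)."""
    if cond == "Bool":
        if isinstance(actual, str):  # "", "false" and "0" are false, other strings true
            return (actual not in ("", "false", "0")) is wanted
        return bool(actual) is wanted if isinstance(actual, (bool, int, float)) else None
    if cond == "IpAddress":  # a single address or a CIDR range
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
        except ValueError:
            return None
    if cond.startswith("Numeric"):
        try:
            a = float(actual)  # numbers and numeric strings only
        except (TypeError, ValueError):
            return None
        w = float(wanted)
        return {"Equals": a == w, "GreaterThan": a > w, "GreaterThanEquals": a >= w,
                "LessThan": a < w, "LessThanEquals": a <= w}[cond[len("Numeric"):]]
    if not isinstance(actual, str):
        return None
    if cond == "StringLike":  # '*' and '?' wildcards, case-sensitive
        return fnmatch.fnmatchcase(actual, wanted)
    if cond == "StringEqualsIgnoreCase":
        return actual.lower() == wanted.lower()
    return actual == wanted  # StringEquals

def _key_matches(cond, actual, wanted):
    values = wanted if isinstance(wanted, list) else [wanted]  # keys may list several values
    if cond == "Exists":
        return (actual is not MISSING) == values[0]
    hits = [_compare(cond.replace("Not", "", 1), actual, v) for v in values] if actual is not MISSING else [None]
    if None in hits:  # assumption: an absent or unconvertible property satisfies nothing
        return False
    return not any(hits) if "Not" in cond else any(hits)  # Not*: no listed value may match

def match_condition(condition, event):
    """Every condition block, and every key inside it, must hold ("and")."""
    return all(_key_matches(cond, event.get(key, MISSING), wanted)
               for cond, pairs in condition.items() for key, wanted in pairs.items())

def topics_for(config, event):
    """Statements are joined by "or": return the topic of every statement that matches."""
    return [s["Topic"] for s in config["Statement"] if match_condition(s["Condition"], event)]
```

Running the two "what not to do" configurations above through topics_for() reproduces the described behaviour: the multiple-statement version returns the topic for every event, the multiple-condition version for none.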
Example SNS configurations
These configurations send matching events for some specific scenarios. For more event property names and values that you can use to filter SNS topics, see Events in JSON format.
Send all critical intrusion prevention events to an SNS topic
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericEquals": { "Severity": 4 }, "StringEquals" : { "EventType" : "PayloadLog" } } } ] }
Send different events to different SNS topics
This example shows sending all system events to one topic and all integrity monitoring events to a different topic.
{ "Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic", "Condition": { "StringEquals" : { "EventType" : "SystemEvent" } } }, { "Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic", "Condition": { "StringEquals" : { "EventType" : "IntegrityEvent" } } } ] }