SNS configuration in JSON format

You can edit the JSON configuration that is used when you have enabled event forwarding to Amazon SNS topics. It defines which conditions an event must meet in order to be published to a topic. The configuration language is modeled after Amazon's Policy language for SNS.

Each field is specified below. Basic SNS configuration looks like:

{
  "Version": "2014-09-24",
  "Statement": [statement1, statement2, ...]
}
      

For examples, see Example SNS configuration.

Version

The Version element specifies the version of the configuration language.

The only currently valid value of "Version" is the string "2014-09-24".

"Version": "2014-09-24",
      

Statement

The Statement element is an array of individual statements. Each individual statement is a distinct JSON object giving the SNS topic to send to if an event meets given conditions.

"Statement": [{...}, {...}, ...]
      

An individual statement has the form:

{
  "Topic": "destination topic",
  "Condition": {conditions event must meet to be published to the destination topic}
}
      

Topic

The Topic element must be the Amazon Resource Name of the SNS Topic to publish to.

"Topic": "arn:aws:sns:us-east-1:012345678901:myTopic"
      

Condition

The Condition element is the most complex part of the configuration. It contains one or more conditions an event must match in order to be published to the topic.

Each condition can have one or more key-value pairs that the event must match (or not match, depending on the type of condition) to be included in the topic. Keys are any valid event property. (For event properties, see Events in JSON format). Valid values vary by key. Some keys support multiple values.

"Condition": {
  "ConditionName": {
    "key1": [value1, value2],
    "key2": value3
  },
  "ConditionName2": {
    "key3": [value4]
  },
  ...
}
      

Valid condition names and their syntax are described below.

Bool

The Bool condition performs Boolean matching. To match, an event must have a property with the desired Boolean value. If the property in the event exists but is not itself a Boolean value, the property is tested as follows:

  • Numbers equal to 0 evaluate to false. Numbers not equal to 0 evaluate to true.
  • Empty strings and the special strings "false" and "0" evaluate to false. Other strings evaluate to true.
  • Any other property value in an event cannot be converted to a Boolean and will not match.

Allows for multiple values? No

The following example shows a configuration that publishes events that have a "DetectOnly" property with a value false:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "Bool": { "DetectOnly": false } } } ] }

Exists

The Exists condition tests for the existence or non-existence of a property in an event. The value of the property is not considered.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Severity" but does not have the property "Title":

{  
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "Exists": { "Severity": true, "Title": false } } } ] }

IpAddress

The IpAddress condition tests the value of an event's property is an IP address in a range given in CIDR format, or exactly equals a single IP address.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address in the range 10.0.1.0/24, or to 10.0.0.5:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "IpAddress": { "DestinationIP": ["10.0.1.0/24", "10.0.0.5"] } } } ] }

NotIpAddress

The NotIpAddress condition tests the value of an event's property is not an IP address in any of the specified IP address ranges.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address not in the range 10.0.0.0/8:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NotIpAddress": { "DestinationIP": "10.0.0.0/8" } } } ] }

NumericEquals

The NumericEquals condition tests the numeric value of an event's property equals one or more desired values. If the property in the event exists but is not itself a numeric value, the property is tested as follows:

  • Strings are converted to numbers. Strings that cannot be converted to numbers will not match.
  • Any other property value in an event cannot be converted to a number and will not match.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Protocol" with the value 6 or 17:

{  
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericEquals": { "Protocol": [6, 17] } } } ] }

NumericNotEquals

The NumericNotEquals condition tests the numeric value of an event's property is not equal to any one of an undesired set of values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Protocol" not equal to 6, and the property "Risk" not equal to 2 or 3:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericNotEquals": { "Protocol": 6, "Risk" : [2, 3] } } } ] }

NumericGreaterThan

The NumericGreaterThan condition tests the numeric value of an event's property is strictly greater than a desired value. If the property in the event exists but is not itself a numeric value it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Protocol" with the value greater than 6:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericGreaterThan": { "Protocol": 6 } } } ] }

NumericGreaterThanEquals

The NumericGreaterThanEquals condition tests the numeric value of an event's property is greater than or equal to a desired value. If the property in the event exists but is not itself a numeric value it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value greater than or equal to 600:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericGreaterThanEquals": { "Number": 600 } } } ] }

NumericLessThan

The NumericLessThan condition tests the numeric value of an event's property is strictly less than a desired value. If the property in the event exists but is not itself a numeric value it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value greater than 1000:

{  
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericLessThan": { "Number": 1000 } } } ] }

NumericLessThanEquals

The NumericLessThanEquals condition tests the numeric value of an event's property is less than or equal to a desired value. If the property in the event exists but is not itself a numeric value it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value less than or equal to 500:

{  
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericLessThanEquals": { "Number": 500 } } } ] }

StringEquals

The StringEquals condition tests the string value of an event's property is strictly equal to or more desired values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "EventType" equal to "SystemEvent" and property "TargetType" equal to "User" or "Role":

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringEquals": { "EventType": ["SystemEvent"], "TargetType" : ["User", "Role"] } } } ] }

StringNotEquals

The StringNotEquals condition tests the string value of an event's property does not equal any of an undesired set of values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "EventType" not equal to "PacketLog" or "IntegrityEvent":

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotEquals": {
          "EventType": ["PacketLog", "IntegrityEvent"]
        }
      }
    }
  ]
}
      

StringEqualsIgnoreCase

The StringEqualsIgnoreCase condition is the same as the StringEquals condition, except string matching is performed in a case-insensitive manner.

StringNotEqualsIgnoreCase

The StringNotEqualsIgnoreCase condition is the same as the StringNotEquals condition, except string matching is performed in a case-insensitive manner.

StringLike

The StringLike condition tests the string value of an event's property is equal to or more desired values, where the desired values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Title" which contains the string "User" or "Role":

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringLike": { "Title": ["*User*", "*Role*"] } } } ] }

StringNotLike

The StringNotLike condition tests that the string value of an event's property is not equal to any of an undesired set of values, where the values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.

Allows for multiple values? Yes

The following example shows a configuration that publishes all events except the "System Settings Saved" event:

{  
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike": { "Title":"System Settings Saved" } } } ] }

The next example shows a configuration that publishes events when the event has the property "Title" that does not start with "User" and does not end with "Created":

{  
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike": { "Title": ["User*", "*Created"] } } } ] }

Multiple statements vs. multiple conditions

If you create multiple statements for the same SNS topic, those statements are evaluated as if they are joined by "or". If a statement contains multiple conditions, those conditions are evaluated as if they are joined by "and".

Multiple statements

This is an example of what not to do. The first statement says to forward all events other than "System Settings Saved". The second statement says to forward all "System Settings Saved" events. The result is that all events will be forwarded because any event will match either the condition in the first statement or the one in the second statement:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike" : { "Title" : "System Settings Saved" } } }, { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringLike" : { "Title" : "System Settings Saved" } } } ] }

Multiple conditions

This is another example of what not to do. The first condition says to forward all events other than "System Settings Saved". The second condition says to forward all "System Settings Saved" events. The result is that no events will be forwarded because no events will match both the condition in the first statement and the one in the second statement:

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "StringNotLike" : { "Title" : "System Settings Saved" }, "StringLike" : { "Title" : "System Settings Saved" } } } ] }

Example SNS configurations

These configurations send matching events for some specific scenarios. For more event property names and values that you can use to filter SNS topics, see Events in JSON format.

Send all critical intrusion prevention events to an SNS topic

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic", "Condition": { "NumericEquals": { "Severity": 4 }, "StringEquals" : { "EventType" : "PayloadLog" } } } ] }

Send different events to different SNS topics

This example shows sending all system events to one topic and all integrity monitoring events to a different topic.

{ 
"Version": "2014-09-24", "Statement": [ { "Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic", "Condition": { "StringEquals" : { "EventType" : "SystemEvent" } } }, { "Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic", "Condition": { "StringEquals" : { "EventType" : "IntegrityEvent" } } } ] }