Configure AWS EventBridge for CSM

This mApp® Solution allows you to automatically create Incidents in CSM, based on multiple event sources. These Incidents are linked to existing AWS Configuration Item records.

Before you begin configuring your EventBridge rules, ensure that you have a CloudWatch alarm configured, and appropriate topics and subscriptions to which you can publish EventBridge messages from AWS. Refer to Configure AWS SNS for CSM and Configure AWS CloudWatch Alarms for CSM.

To set up your system to accept events from multiple event sources, use the AWS EventBridge service. This provides a standard notification format for all event types, which can be parsed when creating incidents in CSM.

For our example, we will create a CloudWatch Alarm for CPU Usage on a specific EC2 instance. However, the principles are the same and the setup is similar for alarms of other types. You will need to update the One-Step™ Actions for the Create AWS Event webhook described in Configure CSM to Add Incidents for AWS Product Events.

The overall workflow for the automatic creation of Incidents for your AWS Product configuration items is shown below:

Workflow for automatic creation of indicent records

A webhook triggers the Create AWS Event One-Step Action. This webhook was designed as a sample to demonstrate how you might automatically create Incidents for your AWS resources when they go into alarm state or violate an established rule. This sample expects a CloudWatch Alarm notification from Amazon SNS (example: An EC2 instance which has exceeded its CPU utilization threshold) and stores the JSON from that alarm notification in an AWS Event object record. Then, an automation process (AWS Event) creates an Incident linked to the associated CI in your CMDB. You may wish to configure additional, similar event types using either AWS CloudWatch or AWS Config. To facilitate this process, we have included sample JSON for these event types, as well as configured the (None) Create AWS Event One-Step Action with a decision tree that covers two possible paths:

  • A notification from AWS Config that a CloudWatch Alarm has changed from OK to ALARM state.
  • A CloudWatch alarm which sends the SNS notification directly with details about the affected resource.

There is a sample of what kind of JSON is expected for the event. It's very particular, so we provide relevant sample code.

To configure AWS CloudWatch Alarms for CSM:

  1. In the AWS console, navigate to
  2. Create a new rule for use with this integration (see You can modify existing alarms for use with this mApp Solution by simply adding a notification for these alarms to the 'cherwell-ci-create-incident' topic created in Configure AWS SNS for CSM.

    Settings in AWS EventBridge