How to Build an EventBridge Debugger to Capture Every AWS Event
This guide shows how to create an EventBridge rule that captures all AWS service events and logs the raw payload to CloudWatch Logs, and then how to use the captured data to craft precise event patterns for reliable, cost‑effective event‑driven architectures.
In daily operations and development, AWS EventBridge is a powerful tool for building event‑driven architectures, but many users struggle to write Event Patterns that exactly match the events they expect.
Why CloudTrail Logs Differ from EventBridge Events
CloudTrail’s role is audit and logging, producing log files that record API call details. EventBridge, on the other hand, routes standardized event objects that wrap CloudTrail data inside an envelope containing fields such as detail, source, detail-type, and time. Because the EventBridge payload includes this outer wrapper, copying raw CloudTrail JSON snippets directly into an Event Pattern often fails.
Step‑by‑Step: Create an “Event Debugger”
The goal is to set up a rule that captures every AWS event and stores it unchanged in CloudWatch Logs, giving you a “truth database” of events.
1. Create a CloudWatch Log Group
Open the AWS Management Console and navigate to CloudWatch.
In the left menu choose Logs → Log groups.
Click Create log group.
Name the group, e.g. aws-eventbridge-catch-all-events, and configure retention, encryption, etc., then create it.
2. Create a Catch‑All EventBridge Rule
Go to the Amazon EventBridge service.
Select Rules and click Create rule.
Enter rule details:
Name: CatchAllAwsEvents-To-CloudWatch
Description: A debug rule to capture all AWS events and log them to CloudWatch.
Define the Event Pattern using the JSON below:
{
  "source": [{
    "prefix": "aws."
  }]
}
This pattern matches any event whose source field starts with aws., effectively catching all AWS service events.
Choose the target type AWS Service, select CloudWatch log group, and pick the log group you created (aws-eventbridge-catch-all-events).
Click Create to finish the rule.
3. Using the Debugger to Build Precise Rules
After the debugger is active, you can capture real events and inspect their JSON payloads. For example, to monitor failed console logins:
Trigger a failed login (e.g., open an incognito browser window and enter wrong credentials). This generates a ConsoleLogin event.
In CloudWatch Logs, locate the newly created log stream under the log group and view the captured JSON.
Extract the relevant fields from the JSON, such as source = aws.signin, eventName = ConsoleLogin, and the failure indicator detail.responseElements.ConsoleLogin = Failure.
Construct a precise Event Pattern using these values, then create your production alert rule with confidence.
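The difference between a CloudTrail-shaped pattern and one built from the captured envelope can be checked offline. The following is an added example, not code from the original article: it implements a simplified subset of EventBridge matching (exact values and prefix filters only, not AWS's implementation), and the event is a constructed sample that assumes eventName and responseElements sit under detail, as in a captured payload.

```python
# Added example: simplified subset of EventBridge pattern matching
# (exact values and {"prefix": ...} only); not AWS's implementation.

def leaf_matches(value, candidates):
    """True if an event value satisfies any entry in a pattern's list."""
    values = value if isinstance(value, list) else [value]
    for cand in candidates:
        for v in values:
            if isinstance(cand, dict) and "prefix" in cand:
                if isinstance(v, str) and v.startswith(cand["prefix"]):
                    return True
            elif v == cand:
                return True
    return False

def matches(pattern, event):
    """Every key in the pattern must exist in the event and match."""
    for key, rule in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False
        if isinstance(rule, dict):          # nested object: recurse
            if not matches(rule, event[key]):
                return False
        elif not leaf_matches(event[key], rule):
            return False
    return True

def console_login_event(outcome):
    """Constructed sample of a captured event; values are illustrative."""
    return {
        "version": "0",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "responseElements": {"ConsoleLogin": outcome},
        },
    }

CATCH_ALL = {"source": [{"prefix": "aws."}]}
# Fields copied straight from a CloudTrail record, without the envelope.
CLOUDTRAIL_SHAPED = {"eventName": ["ConsoleLogin"],
                     "responseElements": {"ConsoleLogin": ["Failure"]}}
# Same fields placed under "detail", as they appear in the captured event.
PRECISE = {"source": ["aws.signin"],
           "detail": {"eventName": ["ConsoleLogin"],
                      "responseElements": {"ConsoleLogin": ["Failure"]}}}
```

Calling matches(PRECISE, console_login_event("Success")) returns False, which is the check to run before promoting a pattern to a production alert rule so that it does not fire on successful logins.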
Practical Tips: Cost and Cleanup
Enable only during debugging: Activate the CatchAll rule while developing or testing.
Disable after use: Once your production rule works, disable the CatchAll rule to stop unnecessary logging and fees.
Set a short retention period: Configure the log group to retain logs for 1–7 days so they are automatically purged.
Conclusion
By creating a simple “catch‑all” EventBridge rule that forwards raw events to CloudWatch Logs, you eliminate the guesswork of writing Event Patterns. This turns rule creation from a trial‑and‑error process into a precise, efficient engineering task, giving you confidence when building event‑driven systems.
Ops Development & AI Practice
DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.
