Short answer:
Have to find the CloudWatch log group with a metric filter set matching the alarm name.
Long answer:
The sequence of observations and steps that led me to the information needed was as follows:
1. Email contains no event IDs.
2. Looking at CloudTrail with the AWS console, there is no way to look up based on error codes. And navigating through pages, there do not appear to be any error codes suggesting unauthorised access.
3. Can't find CloudTrail Insights with times correlating to those received in email.
4. The email has a link to the alarm. No idea where the CloudWatch custom metric "AuthorizationFailureCount" came from, and nothing clickable to check which AWS service it is mapped to.
5. Found a log group under CloudWatch with metric filters. Clicking on the `AuthorizationFailuresMetricFilter` filter brings some info, including how the metric in #4 may have been created.
6. Running 'Test pattern' in the console generates no results for some log streams but gives results for others. The results include event JSONs with `eventId` and `sharedEventID` properties.
7. Can't find any events under CloudTrail with IDs (or shared IDs) matching ones in the events above.
So my guess at this stage is that the events found in this log group are the exhaustive list of events tied to the metric raising the alarm.
This entire process would've been much simpler if there was something in the view for the alarm tying it back to any relevant log groups, but there isn't. Step #5 was stumbled upon by chance with no logical connection from #4.
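The link missing between steps #4 and #5 can be resolved through the API: the alarm names a metric, and each CloudWatch Logs metric filter records both the metric it emits and the log group it is attached to. The following is an added example, not part of the original answer; it assumes boto3 with read access to CloudWatch and CloudWatch Logs for the live lookup, and the alarm, filter and log group values in the sample data are constructed.

```python
import json

def alarm_metrics(alarm):
    """(namespace, metric name) pairs the alarm watches; covers metric-math alarms too."""
    stats = [m["MetricStat"]["Metric"] for m in alarm.get("Metrics", []) if "MetricStat" in m]
    stats += [alarm] if "MetricName" in alarm else []
    return {(m["Namespace"], m["MetricName"]) for m in stats}

def filters_for_alarm(alarm, metric_filters):
    """Metric filters (each names its log group) that emit a metric the alarm watches."""
    wanted = alarm_metrics(alarm)
    return [f for f in metric_filters
            if any((t["metricNamespace"], t["metricName"]) in wanted
                   for t in f["metricTransformations"])]

def summarize(log_events):
    """CloudTrail fields that identify each matched record; non-JSON lines are skipped."""
    keys = ("eventTime", "eventName", "errorCode", "eventID", "sharedEventID")
    rows = []
    for ev in log_events:
        try:
            rec = json.loads(ev["message"])
        except ValueError:
            continue
        rows.append({k: rec.get(k) for k in keys})
    return rows

def trace_alarm(alarm_name, start_ms, end_ms):
    """Live lookup (needs boto3 and credentials): alarm -> filter -> log group -> events."""
    import boto3  # imported here so the helpers above work without AWS access
    cw, logs = boto3.client("cloudwatch"), boto3.client("logs")
    alarm = cw.describe_alarms(AlarmNames=[alarm_name])["MetricAlarms"][0]
    found = {}
    for ns, name in alarm_metrics(alarm):
        for f in logs.describe_metric_filters(metricName=name, metricNamespace=ns)["metricFilters"]:
            pages = logs.get_paginator("filter_log_events").paginate(
                logGroupName=f["logGroupName"], filterPattern=f["filterPattern"],
                startTime=start_ms, endTime=end_ms)
            found[f["logGroupName"]] = summarize(e for p in pages for e in p["events"])
    return found

# Constructed sample data shaped like the API responses (not from the original answer).
SAMPLE_ALARM = {"Namespace": "CloudTrailMetrics", "MetricName": "AuthorizationFailureCount"}
SAMPLE_FILTERS = [
    {"filterName": "AuthorizationFailuresMetricFilter", "logGroupName": "example/cloudtrail",
     "filterPattern": '{ $.errorCode = "AccessDenied*" }', "metricTransformations": [
         {"metricNamespace": "CloudTrailMetrics", "metricName": "AuthorizationFailureCount"}]},
    {"filterName": "OtherFilter", "logGroupName": "example/app", "filterPattern": "ERROR",
     "metricTransformations": [{"metricNamespace": "App", "metricName": "ErrorCount"}]}]
```

`trace_alarm` takes the start and end of the window as epoch milliseconds, so the alarm's state-change time from the email can be used to bound the search.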