2

I am getting several of these alarms, so I decided to look at the event history in CloudTrail. However, there are no events that I can see with error codes. I would've thought that events that cause the alarm would be in here.

Question: So how do I get more information about the event that would've caused the CloudWatch alarm? Specifically I would like to know things like source IP, IAM user (if any), Access Key used (if any), etc.

Ash
  • 91
  • 4

1 Answer

2

Short answer:
Have to find the CloudWatch log group with a metric filter set matching the alarm name.

Long answer:
The sequence of observations and steps that led me to the information needed was as follows:

  1. Email contains no event IDs.
  2. Looking at CloudTrail with the AWS console, there is no way to look up based on error codes. And navigating through pages, there do not appear to be any error codes suggesting unauthorised access.
  3. Can't find CloudTrail Insights with times correlating to those received in email.
  4. The email has a link to the alarm. No idea where the CloudWatch custom metric "AuthorizationFailureCount" came from, and nothing clickable to check which AWS service it is mapped to.
  5. Found a log group under CloudWatch with metric filters. Clicking on the AuthorizationFailuresMetricFilter filter brings some info, including how the metric in #4 may have been created.
  6. Running 'Test pattern' in the console generates no results for some log streams but gives results for others. The results include event JSONs with eventId and sharedEventID properties.
  7. Can't find any events under CloudTrail with IDs (or shared IDs) matching ones in the events above.

So my guess at this stage is that the events in this log group found are the exhaustive list of events tied to the metric raising the alarm.

This entire process would've been much simpler if there was something in the view for the alarm tying it back to any relevant log groups, but there isn't. Step #5 was stumbled upon by chance with no logical connection from #4.

Ash
  • 91
  • 4
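
The lookup described in the answer can be scripted. This is an added example, not part of the original answer: it goes from the alarm to its metric, from the metric to the log groups whose metric filters publish it, and then pulls the matching CloudTrail records with the source IP, principal and access key. It assumes boto3 with read access to CloudWatch and CloudWatch Logs, and an alarm on a single metric; the alarm name is a placeholder.

```python
import json

def filters_for_alarm(cloudwatch, logs, alarm_name):
    """Return (log group, filter pattern) pairs feeding the alarm's metric."""
    alarms = cloudwatch.describe_alarms(AlarmNames=[alarm_name])["MetricAlarms"]
    if not alarms or "MetricName" not in alarms[0]:
        raise LookupError(f"no single-metric alarm named {alarm_name!r}")
    resp = logs.describe_metric_filters(metricName=alarms[0]["MetricName"],
                                        metricNamespace=alarms[0]["Namespace"])
    return [(f["logGroupName"], f["filterPattern"]) for f in resp["metricFilters"]]

def matching_records(logs, log_group, pattern, start_ms, end_ms):
    """Yield parsed CloudTrail records the filter matched in the time window."""
    kwargs = dict(logGroupName=log_group, filterPattern=pattern,
                  startTime=start_ms, endTime=end_ms)
    while True:
        page = logs.filter_log_events(**kwargs)
        for event in page["events"]:
            yield json.loads(event["message"])
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]

def who_and_where(record):
    """Pick out the fields the question asks for from one CloudTrail record."""
    ident = record.get("userIdentity", {})
    return {
        "eventID": record.get("eventID"),
        "eventTime": record.get("eventTime"),
        "action": f'{record.get("eventSource")}:{record.get("eventName")}',
        "errorCode": record.get("errorCode"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "principal": ident.get("arn") or ident.get("principalId"),
        "accessKeyId": ident.get("accessKeyId"),
    }

def investigate(cloudwatch, logs, alarm_name, start_ms, end_ms):
    rows = []
    for group, pattern in filters_for_alarm(cloudwatch, logs, alarm_name):
        for rec in matching_records(logs, group, pattern, start_ms, end_ms):
            rows.append({"logGroup": group, **who_and_where(rec)})
    return rows

if __name__ == "__main__":
    import time
    import boto3  # needs credentials allowed to read CloudWatch and CloudWatch Logs
    now = int(time.time() * 1000)
    for row in investigate(boto3.client("cloudwatch"), boto3.client("logs"),
                           "ALARM-NAME-PLACEHOLDER", now - 24 * 3600 * 1000, now):
        print(json.dumps(row))
```

Set the time window to bracket the alarm's state-change time from the notification email; the script looks at the last 24 hours as written.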