What is technically the longest time between an unwanted event happening and an actual CloudWatch Event trigger? Could this be 15 minutes or 20 minutes? (Going on the premise that CloudTrail logs are 15 minutes behind and recorded every 5 minutes.)
In my own experience the delay is minimal between a CloudTrail event and a CloudWatch event trigger. I recently set up an event rule looking for api-gateway rest-api update events via CloudTrail (there was no ‘native’ API Gateway event I could look for) and these events trigger an api-gateway deployment. The delay is only a few seconds, so the CloudTrail event must be sent without delay. Maybe it is different for different services, and I do remember reading about a delay for CloudTrail events, but I suspect the delay is the actual delivery of the event to S3 (or CloudWatch Logs), and not a delay for the actual event to be registered.
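
One way to measure the delay for a rule like the one described above is to have the rule's target compare the API call time carried in the event with the time the target runs. This is an added example, not code from either poster. The `UpdateRestApi` event name, the `handler` and helper names, and the sample event are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Rule pattern. "UpdateRestApi" is an assumed choice of event name; the post
# only says "rest-api update events".
EVENT_PATTERN = {
    "source": ["aws.apigateway"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["apigateway.amazonaws.com"],
        "eventName": ["UpdateRestApi"],
    },
}

def matches(pattern, event):
    """Local stand-in for exact-value rule matching (lists mean 'any of')."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have not in want:
            return False
    return True

def delay_seconds(event, received_at):
    """Seconds from the API call (detail.eventTime, UTC) to target invocation."""
    called = datetime.strptime(event["detail"]["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return (received_at - called.replace(tzinfo=timezone.utc)).total_seconds()

def handler(event, context=None, now=None):
    """Lambda-style target: log and return the observed delay, or None."""
    if not matches(EVENT_PATTERN, event):
        return None
    delay = delay_seconds(event, now or datetime.now(timezone.utc))
    print(json.dumps({"eventName": event["detail"]["eventName"], "delay_s": delay}))
    return delay

# Constructed sample event, trimmed to the fields used above.
SAMPLE = {
    "source": "aws.apigateway",
    "detail-type": "AWS API Call via CloudTrail",
    "time": "2024-01-01T12:00:00Z",
    "detail": {
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "UpdateRestApi",
        "eventTime": "2024-01-01T12:00:00Z",
    },
}
```

Logging `delay_s` from the target over a period of real traffic gives an observed upper bound for the services you care about, which can then be compared with the delivery time of the same events to S3 or CloudWatch Logs.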