I want to set up an Amazon EventBridge rule to send notifications from an event in one AWS account to a target in another account.
Resolution
Create a rule in the source account
Create a rule to send events to a different account.
Note: The EventBridge rule and target must be in the same AWS Region. You can configure cross-account targets only for the following targets:
- Amazon API Gateway APIs
- Amazon Kinesis Data Streams applications
- AWS Lambda functions
- Amazon Simple Notification Service (Amazon SNS) topics
- Amazon Simple Queue Service (Amazon SQS) queues
Configure IAM permissions in the source account
Make sure that the AWS Identity and Access Management (IAM) execution role that you assigned to the EventBridge rule target has a trust relationship with EventBridge. The trust policy must include events.amazonaws.com as a trusted entity. Also, make sure that the execution role's IAM policy includes the required permissions to publish to your target.
Example trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Example IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:Region:Account-ID-of-SNS-Topic:test"
      ]
    }
  ]
}
Note: Replace sns:Publish with the required permissions for your target and arn:aws:sns:Region:Account-ID-of-SNS-Topic:test with the Amazon Resource Name (ARN) of the target resource.
Configure IAM permissions in the target account
Your target's resource-based policy must give EventBridge the permissions required to access your target. Review your target resource's IAM policy to confirm that it has the required permissions.
Example IAM policy for Amazon SNS topics:
{
  "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
  "Effect": "Allow",
  "Principal": {
    "AWS": "IAMRole"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:Region:Account-ID-of-SNS-topic:test"
}
Note: Replace IAMRole with the ARN of the execution role in the source account and arn:aws:sns:Region:Account-ID-of-SNS-topic:test with the ARN of the SNS topic.
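The three policies above (the source role's trust policy, the source role's permissions policy, and the target topic's resource policy) have to agree with each other before a cross-account rule can deliver. The following added example, which is not part of the original article, checks that they line up and flags a topic policy that opens sns:Publish to every principal; the account IDs, role name and topic name are constructed placeholders.

```python
# Constructed sample ARNs: 111111111111 (source rule and role) and
# 222222222222 (target topic) are placeholders, not real accounts.
SOURCE_ROLE_ARN = "arn:aws:iam::111111111111:role/EventBridgeToSnsRole"
TOPIC_ARN = "arn:aws:sns:us-east-1:222222222222:test"

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "events.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["sns:Publish"], "Resource": [TOPIC_ARN]}]}
TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowSourceRole",
  "Effect": "Allow", "Principal": {"AWS": SOURCE_ROLE_ARN},
  "Action": "sns:Publish", "Resource": TOPIC_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def _grants(policy, action, resource, principal=None):
    """True if an Allow statement covers action and resource (and, when given, names
    principal under "AWS"). Only a bare "*" resource is treated as a wildcard."""
    for st in _allows(policy):
        res = _as_list(st.get("Resource", "*"))
        if action not in _as_list(st.get("Action", [])) or (resource not in res and "*" not in res):
            continue
        if principal is not None:
            p = st.get("Principal", {})
            if principal not in (_as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]):
                continue
        return True
    return False

def check_chain(trust, role_policy, topic_policy, role_arn, topic_arn):
    """Return a list of findings; an empty list means the three policies line up."""
    findings = []
    if not any(isinstance(st.get("Principal"), dict)
               and "events.amazonaws.com" in _as_list(st["Principal"].get("Service", []))
               and "sts:AssumeRole" in _as_list(st.get("Action", [])) for st in _allows(trust)):
        findings.append("trust policy: events.amazonaws.com cannot sts:AssumeRole")
    if not _grants(role_policy, "sns:Publish", topic_arn):
        findings.append("role policy: no sns:Publish on the topic ARN")
    if not _grants(topic_policy, "sns:Publish", topic_arn, principal=role_arn):
        findings.append("topic policy: source role ARN is not an allowed principal")
    for st in _allows(topic_policy):  # flag over-broad grants while we are here
        p = st.get("Principal")
        if p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            findings.append(f"topic policy: statement {st.get('Sid', '?')} allows principal '*'")
    return findings
```

Run `check_chain(TRUST_POLICY, ROLE_POLICY, TOPIC_POLICY, SOURCE_ROLE_ARN, TOPIC_ARN)` against the real policies exported from both accounts; anything other than an empty list points at the policy that needs fixing.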
(For topics with SSE activated) Confirm that your target has the required AWS KMS permissions
Your target must use an AWS Key Management Service (AWS KMS) customer managed key. This AWS KMS key must include a custom key policy that gives EventBridge permission to use the key.
To set up the required AWS KMS permissions, complete the following steps:
- Create a new customer managed key in the same account as your target resource. Make sure that the AWS KMS key policy has the required permissions for EventBridge to access the customer managed key.
Example policy:
{
  "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
  "Effect": "Allow",
  "Principal": {
    "AWS": "IAMRole"
  },
  "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": "KMS-key-arn"
}
Note: Replace IAMRole with the ARN of the IAM execution role in the source account and KMS-key-arn with the AWS KMS key ARN.
- Use the customer managed key to configure server-side encryption (SSE).
Note: The instructions to configure SSE are the same for all target types.
- Make sure that the EventBridge rule's execution role has a policy that allows the kms:Decrypt and kms:GenerateDataKey API actions on the key.
Example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "KMS-key-arn"
    }
  ]
}
Note: Replace KMS-key-arn with your AWS KMS key ARN.
Troubleshoot issues
If your SNS topic doesn't receive event notifications, then see Why didn't my Amazon SNS topic receive EventBridge notifications?
If your Lambda function doesn't receive event notifications, then see Why didn't my EventBridge rule invoke my Lambda function?
If your Amazon SQS queue doesn't receive event notifications, then see Why is my Amazon SQS queue not receiving EventBridge notifications?
For more troubleshooting steps, see How do I troubleshoot issues with cross-account or cross-Region EventBridge rules?