Amazon CloudWatch Events
User Guide

Using Resource-Based Policies for CloudWatch Events

When a rule is triggered in CloudWatch Events, all the targets associated with the rule are invoked: AWS Lambda functions are invoked, messages are published to Amazon SNS topics, and the event is relayed to Amazon Kinesis streams. To make these API calls against resources you own, CloudWatch Events needs the appropriate permissions. For Lambda, Amazon SNS, and Amazon SQS resources, CloudWatch Events relies on resource-based policies. For Amazon Kinesis streams, it relies on IAM roles.

You can use the following permissions to invoke the targets associated with your CloudWatch Events rules. The procedures below use the AWS CLI to add permissions to your targets. For information about how to install and configure the AWS CLI, see Getting Set Up with the AWS Command Line Interface in the AWS Command Line Interface User Guide.

AWS Lambda Permissions

To invoke your AWS Lambda function using a CloudWatch Events rule, add the following permission to the policy of your Lambda function.

{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
    }
  },
  "Sid": "TrustCWEToInvokeMyLambdaFunction"
}

To add permissions that enable CloudWatch Events to invoke Lambda functions

  • At a command prompt, enter the following command:

    aws lambda add-permission --statement-id "TrustCWEToInvokeMyLambdaFunction" \
    --action "lambda:InvokeFunction" \
    --principal "events.amazonaws.com" \
    --function-name "arn:aws:lambda:region:account-id:function:function-name" \
    --source-arn "arn:aws:events:region:account-id:rule/rule-name"

For more information about setting permissions that enable CloudWatch Events to invoke Lambda functions, see AddPermission and Using Lambda with Scheduled Events in the AWS Lambda Developer Guide.

Amazon SNS Permissions

To allow CloudWatch Events to publish to an Amazon SNS topic, use the aws sns get-topic-attributes and aws sns set-topic-attributes commands.

To add permissions that enable CloudWatch Events to publish SNS topics

  1. First, list SNS topic attributes. At a command prompt, type the following:

    aws sns get-topic-attributes --topic-arn "arn:aws:sns:region:account-id:topic-name"

    The command returns all attributes of the SNS topic. The following example shows the result for a newly created SNS topic.

    {
        "Attributes": {
            "SubscriptionsConfirmed": "0", 
            "DisplayName": "", 
            "SubscriptionsDeleted": "0", 
            "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false}}",
            "Owner": "account-id", 
            "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\",\"SNS:Receive\"],\"Resource\":\"arn:aws:sns:region:account-id:topic-name\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"account-id\"}}}]}", 
            "TopicArn": "arn:aws:sns:region:account-id:topic-name", 
            "SubscriptionsPending": "0"
        }
    }
  2. Next, convert the following statement to a string and add it to the "Statement" collection inside the "Policy" attribute.

    {
      "Sid": "TrustCWEToPublishEventsToMyTopic",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:account-id:topic-name"
    }

    After you convert the statement to a string, it should look like the following:

    {\"Sid\":\"TrustCWEToPublishEventsToMyTopic\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"sns:Publish\",\"Resource\":\"arn:aws:sns:region:account-id:topic-name\"}
  3. After you've added the statement string to the statement collection, use the aws sns set-topic-attributes command to set the new policy.

    aws sns set-topic-attributes --topic-arn "arn:aws:sns:region:account-id:topic-name" \
    --attribute-name Policy \
    --attribute-value "{\"Version\":\"2012-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\",\"SNS:Receive\"],\"Resource\":\"arn:aws:sns:region:account-id:topic-name\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"account-id\"}}}, {\"Sid\":\"TrustCWEToPublishEventsToMyTopic\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"sns:Publish\",\"Resource\":\"arn:aws:sns:region:account-id:topic-name\"}]}"

For more information, see the SetTopicAttributes action in the Amazon Simple Notification Service API Reference.

Amazon SQS Permissions

To allow a CloudWatch Events rule to invoke an Amazon SQS queue, use the aws sqs get-queue-attributes and the aws sqs set-queue-attributes commands.

To add permissions that enable CloudWatch Events rules to invoke an SQS queue

  1. First, list SQS queue attributes. At a command prompt, type the following:

    aws sqs get-queue-attributes \
    --queue-url https://sqs.region.amazonaws.com/account-id/queue-name \
    --attribute-names Policy

    For a newly created SQS queue, the policy is empty by default. There is no existing policy to add a statement to, so you must create a new policy that contains the statement.

  2. The following statement enables CloudWatch Events to send messages to an SQS queue:

    {
      "Sid": "TrustCWEToSendEventsToMyQueue",
      "Effect": "Allow",
      "Principal": {
         "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:region:account-id:queue-name",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
        }
      }
    }
  3. Next, convert the statement above into a string. After you convert the statement to a string, it should look like the following:

    {\"Sid\": \"TrustCWEToSendEventsToMyQueue\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"*\"}, \"Action\": \"sqs:SendMessage\", \"Resource\": \"arn:aws:sqs:region:account-id:queue-name\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"arn:aws:events:region:account-id:rule/rule-name\"}}}
  4. Create a file called set-queue-attributes.json with the following content:

    {
        "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"arn:aws:sqs:region:account-id:queue-name/SQSDefaultPolicy\",\"Statement\":[{\"Sid\": \"TrustCWEToSendEventsToMyQueue\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"*\"}, \"Action\": \"sqs:SendMessage\", \"Resource\": \"arn:aws:sqs:region:account-id:queue-name\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"arn:aws:events:region:account-id:rule/rule-name\"}}}]}"
    }
  5. Set the policy attribute using the set-queue-attributes.json file as the input. At a command prompt, type:

    aws sqs set-queue-attributes \
    --queue-url https://sqs.region.amazonaws.com/account-id/queue-name \
    --attributes file://set-queue-attributes.json

    If the SQS queue already has a policy, copy the original policy, add the new statement to its "Statement" collection in the set-queue-attributes.json file, and then run the above command to update the policy.
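The hand-edited merge step in the SNS procedure (steps 2 and 3) and the SQS procedure (steps 4 and 5, including the case of a queue that already has a policy) is the part most likely to go wrong: a duplicated statement, a dropped brace in the escaped string, or a wildcard principal left without its aws:SourceArn condition. The following is an added example, not code from this guide or from AWS; it builds the compact policy string to pass as --attribute-value (SNS) or as the "Policy" value in set-queue-attributes.json (SQS), replacing any statement with the same Sid so the procedure can be re-run, and flags Allow statements open to any AWS principal that carry no source condition. The sample topic policy and statement are constructed from the placeholders used on this page.

```python
import json

# Constructed sample: the "Policy" attribute of a newly created SNS topic,
# trimmed from the guide's output; region/account-id/topic-name are placeholders.
EXISTING_SNS_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID", "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:GetTopicAttributes", "SNS:Publish"],
        "Resource": "arn:aws:sns:region:account-id:topic-name",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "account-id"}}}]})

# The statement the guide adds for SQS: any AWS principal, but only when the
# message comes from this specific CloudWatch Events rule.
SQS_STATEMENT = {
    "Sid": "TrustCWEToSendEventsToMyQueue", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:region:account-id:queue-name",
    "Condition": {"ArnEquals": {
        "aws:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"}}}

def merge_statement(existing_policy, statement):
    """Return the compact JSON string to pass as the new Policy value.
    existing_policy is the current Policy string (None/"" for a queue with no
    policy yet). A statement with the same Sid is replaced, so re-running the
    procedure does not pile up duplicates."""
    policy = json.loads(existing_policy) if existing_policy else {
        "Version": "2012-10-17", "Statement": []}
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a policy may carry a single statement object
        stmts = [stmts]
    stmts = [s for s in stmts if s.get("Sid") != statement["Sid"]]
    stmts.append(statement)
    policy["Statement"] = stmts
    return json.dumps(policy, separators=(",", ":"))

def wildcard_without_source_condition(policy_json):
    """Sids of Allow statements that grant to any AWS principal without an
    aws:SourceArn/SourceOwner/SourceAccount condition, i.e. an open grant."""
    findings = []
    for s in json.loads(policy_json)["Statement"]:
        p = s.get("Principal")
        is_any = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        keys = {k.lower() for blk in s.get("Condition", {}).values() for k in blk}
        if s.get("Effect") == "Allow" and is_any and not keys & {
                "aws:sourcearn", "aws:sourceowner", "aws:sourceaccount"}:
            findings.append(s.get("Sid"))
    return findings
```

Feed the value returned by get-topic-attributes or get-queue-attributes into merge_statement and pass its output to the matching set command; a non-empty result from wildcard_without_source_condition means a statement would let any account publish or send to the resource.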

For more information, see Amazon SQS Policy Examples in the Amazon Simple Queue Service Developer Guide.