Using CloudWatch Events with Interface VPC Endpoints - Amazon CloudWatch Events
AvailabilityCreating a VPC Endpoint for CloudWatch EventsControlling Access to Your CloudWatch Events VPC Endpoint

Using CloudWatch Events with Interface VPC Endpoints

Note

Amazon EventBridge is the preferred way to manage your events. CloudWatch Events and EventBridge are the same underlying service and API, but EventBridge provides more features. Changes you make in either CloudWatch or EventBridge will appear in each console. For more information, see Amazon EventBridge.

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and CloudWatch Events. You can use this connection to enable CloudWatch Events to communicate with your resources on your VPC without going through the public internet.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such the IP address range, subnets, route tables, and network gateways. To connect your VPC to CloudWatch Events, you define an interface VPC endpoint for CloudWatch Events. This type of endpoint enables you to connect your VPC to AWS services. The endpoint provides reliable, scalable connectivity to CloudWatch Events without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see What is Amazon VPC in the Amazon VPC User Guide.

Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IP addresses. For more information, see New – AWS PrivateLink for AWS Services.

The following steps are for users of Amazon VPC. For more information, see Getting Started in the Amazon VPC User Guide.

Availability

CloudWatch Events currently supports VPC endpoints in the following Regions:

  • US East (Ohio)

  • US East (N. Virginia)

  • US West (N. California)

  • US West (Oregon)

  • Asia Pacific (Mumbai)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Canada (Central)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Paris)

  • South America (São Paulo)

Creating a VPC Endpoint for CloudWatch Events

To start using CloudWatch Events with your VPC, create an interface VPC endpoint for CloudWatch Events. The service name to choose is com.amazonaws.Region.events. For more information, see Creating an Interface Endpoint in the Amazon VPC User Guide.

You do not need to change the settings for CloudWatch Events. CloudWatch Events calls other AWS services using either public endpoints or private interface VPC endpoints, whichever are in use. For example, if you create an interface VPC endpoint for CloudWatch Events, and you already have a CloudWatch Events rule that sends notifications to Amazon SNS when it is triggered, the notifications begin to flow through the interface VPC endpoint.

Controlling Access to Your CloudWatch Events VPC Endpoint

A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you don't attach a policy when you create an endpoint, we attach a default policy for you that allows full access to the service. An endpoint policy doesn't override or replace IAM user policies or service-specific policies. It's a separate policy for controlling access from the endpoint to the specified service.

Endpoint policies must be written in JSON format.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.

The following is an example of an endpoint policy for CloudWatch Events. This policy enables users connecting to CloudWatch Events through the VPC to send events to CloudWatch Events, and prevents them from performing other CloudWatch Events actions.

{
  "Statement": [
    {
      "Sid": "PutOnly",
      "Principal": "*",
      "Action": [
        "events:PutEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
To modify the VPC endpoint policy for CloudWatch Events

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. If you have not already created the endpoint for CloudWatch Events, choose Create Endpoint. Then select com.amazonaws.Region.events and choose Create endpoint.

  4. Select the com.amazonaws.Region.events endpoint, and choose the Policy tab in the lower half of the screen.

  5. Choose Edit Policy and make the changes to the policy.