AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon EventBridge

Amazon EventBridge (service prefix: events) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions Defined by Amazon EventBridge

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| ActivateEventSource | Activates a partner event source that has been deactivated. Once activated, your matching event bus will start receiving events from the event source. | Write | event-source* | | |
| CreateEventBus | Creates a new event bus within your account. This can be a custom event bus which you can use to receive events from your own custom applications and services, or it can be a partner event bus which can be matched to a partner event source. | Write | event-bus* | | |
| CreatePartnerEventSource | Called by an AWS partner to create a partner event source. | Write | event-source* | | |
| DeactivateEventSource | Called by an AWS partner to create a partner event source. | Write | event-source* | | |
| DeleteEventBus | Deletes the specified custom event bus or partner event bus. All rules associated with this event bus are also deleted. You can't delete your account's default event bus. | Write | event-bus* | | |
| DeletePartnerEventSource | Called by an AWS partner to delete a partner event source. | Write | event-source* | | |
| DeleteRule | Deletes a rule. You must remove all targets from a rule using RemoveTargets before you can delete the rule. | Write | rule* | | |
| DescribeEventBus | Displays the external AWS accounts that are permitted to write events to your account using your account's event bus, and the associated policy. | Read | event-bus | | |
| DescribeEventSource | Describes the details of the specified partner event source that is shared with your account. | Read | event-source* | | |
| DescribePartnerEventSource | Called by an AWS partner to describe the details of the specified partner event source that they have created. | Read | event-source* | | |
| DescribeRule | Describes the details of the specified rule. | Read | rule* | | |
| DisableRule | Disables a rule. A disabled rule won't match any events, and won't self-trigger if it has a schedule expression. | Write | rule* | | |
| EnableRule | Enables a rule. If the rule does not exist, the operation fails. | Write | rule* | | |
| ListEventBuses | Lists all the event buses in your account, including the default event bus, custom event buses, and partner event buses. | List | event-bus* | | |
| ListEventSources | Lists the event sources shared with this account. | List | event-source* | | |
| ListPartnerEventSourceAccounts | Called by an AWS partner to display the AWS account ID that the specified partner event source is associated with. | List | event-source* | | |
| ListPartnerEventSources | Called by an AWS partner to list all the partner event sources that they have created. | List | event-source* | | |
| ListRuleNamesByTarget | Lists the names of the rules that the given target is put to. | List | rule* | | |
| ListRules | Lists the Amazon EventBridge rules in your account. | List | rule* | | |
| ListTagsForResource | This action lists tags for an Amazon EventBridge resource. | List | rule* | | |
| ListTargetsByRule | Lists the targets assigned to the rule. | List | rule* | | |
| PutEvents | Sends custom events to Amazon EventBridge so that they can be matched to rules. | Write | | | |
| PutPartnerEvents | Sends custom events to Amazon EventBridge so that they can be matched to rules. | Write | | | |
| PutPermission | Running PutPermission permits the specified AWS account to put events to your account's default event bus. | Write | | | |
| PutRule | Creates or updates a rule. Rules are enabled by default, or based on the value of the State parameter. | Tagging | rule* | events:detail.userIdentity.principalId, events:detail-type, events:source, events:detail.service, events:detail.eventTypeCode, aws:RequestTag/${TagKey}, aws:TagKeys | |
| PutTargets | Adds target(s) to a rule. Targets are the resources that can be invoked when a rule is triggered. | Write | rule* | events:TargetArn | |
| RemovePermission | Revokes the permission of another AWS account to be able to put events to your default event bus. | Write | | | |
| RemoveTargets | Removes target(s) from a rule so that when the rule is triggered, those targets will no longer be invoked. | Write | rule* | | |
| TagResource | This action tags an Amazon EventBridge resource. | Tagging | rule* | aws:TagKeys, aws:RequestTag/${TagKey} | |
| TestEventPattern | Tests whether an event pattern matches the provided event. | Read | | | |
| UntagResource | This action removes a tag from an Amazon EventBridge resource. | Tagging | rule* | aws:TagKeys | |

Resources Defined by Amazon EventBridge

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| event-source | arn:${Partition}:events:${Region}::event-source/${EventSourceName} | |
| event-bus | arn:${Partition}:events:${Region}:${Account}:event-bus/${EventBusName} | |
| rule | arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName} | aws:ResourceTag/${TagKey} |

Condition Keys for Amazon EventBridge

Amazon EventBridge defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String |
| events:TargetArn | The ARN of a target that can be put to a rule. | ARN |
| events:detail-type | Matches the literal string of the detail-type field of the event. | String |
| events:detail.eventTypeCode | Matches the literal string for the detail.eventTypeCode field of the event. | String |
| events:detail.service | Matches the literal string for the detail.service field of the event. | String |
| events:detail.userIdentity.principalId | Matches the literal string for the detail.userIdentity.principalId field of the event. | String |
| events:source | The AWS service or AWS partner event source that generated the event. Matches the literal string of the source field of the event. | String |
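The following identity-based policy is an added example, not part of the AWS documentation, showing how the keys in the tables above combine to scope a deployment role to a narrow slice of EventBridge: PutRule is allowed only for rules whose event pattern names the `aws.ec2` source and one detail-type, PutTargets is allowed only when the target ARN points at one Lambda function, and tagging requires an `Owner` tag. The account ID `111122223333`, the region, the function name `ec2-state-handler` and the tag key `Owner` are placeholder values chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutRulesOnlyForEc2StateChanges",
      "Effect": "Allow",
      "Action": "events:PutRule",
      "Resource": "arn:aws:events:us-east-1:111122223333:rule/*",
      "Condition": {
        "StringEquals": {
          "events:source": "aws.ec2",
          "events:detail-type": "EC2 Instance State-change Notification"
        },
        "StringLike": {
          "aws:RequestTag/Owner": "*"
        }
      }
    },
    {
      "Sid": "AttachOnlyTheApprovedLambdaTarget",
      "Effect": "Allow",
      "Action": "events:PutTargets",
      "Resource": "arn:aws:events:us-east-1:111122223333:rule/*",
      "Condition": {
        "ArnEquals": {
          "events:TargetArn": "arn:aws:lambda:us-east-1:111122223333:function:ec2-state-handler"
        }
      }
    },
    {
      "Sid": "TagOnlyWithOwnerKey",
      "Effect": "Allow",
      "Action": "events:TagResource",
      "Resource": "arn:aws:events:us-east-1:111122223333:rule/*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Owner"]
        }
      }
    },
    {
      "Sid": "ReadOnlyOnRulesAndTargets",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:ListTagsForResource",
        "events:TestEventPattern"
      ],
      "Resource": "*"
    }
  ]
}
```

Two points to check before reusing this shape. First, the `events:source` and `events:detail-type` keys are populated from the event pattern of the PutRule request; a request without those fields (for example a schedule-only rule) carries no value for the key, so `StringEquals` evaluates to false and the first statement does not grant it, which is the intended fail-closed behaviour. Second, because the `rule` ARN format is `rule/[${EventBusName}/]${RuleName}`, the `rule/*` resource pattern covers rules on both the default bus and custom buses; tighten it to `rule/<bus-name>/*` if the role should only manage one bus.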