The following example policy grants account 123456789012 permission to create, delete, update, disable and enable rules, and to add or remove targets. It limits these permissions to rules that match against events with a source of com.exampleCorp.webStore, and it uses the condition "events:creatorAccount": "${aws:PrincipalAccount}" to ensure that only account 123456789012 can modify these rules and targets once they have been created. The condition is written with the StringEqualsIfExists operator so that it still passes when the key is not present in the request, which is what allows the initial creation of a rule.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "InvoiceProcessingRuleCreation",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"events:PutRule",
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "arn:aws:events:us-east-1:123456789012:rule/central-event-bus/*",
"Condition": {
"StringEqualsIfExists": {
"events:creatorAccount": "${aws:PrincipalAccount}",
"events:source": "com.exampleCorp.webStore"
}
}
}
]
}