# Third-party integrations with Amazon EventBridge
<a name="eb-integrations"></a>

In addition to AWS services, Amazon EventBridge supports integration with custom and third-party systems and applications, both as event sources and targets.

Third-party integration that EventBridge supports includes:
+ Creating [API destinations](eb-api-destinations.md) to send events to public HTTP endpoints from an event bus or pipe.
+ Enabling your event bus to receive events from a [Software as a Service (SaaS) partner source](eb-saas.md).

# API destinations as targets in Amazon EventBridge
<a name="eb-api-destinations"></a>

EventBridge *API destinations* are HTTPS endpoints that you can invoke as the target of an event bus rule, or pipe, similar to how you invoke an AWS service or resource as a target. Using API destinations, you can route [events](eb-events.md) between AWS services, integrated software as a service (SaaS) applications, and public or private applications by using API calls. 

When you specify an API destination as a rule or pipe target, EventBridge invokes the HTTPS endpoint for any event that matches the [event pattern](eb-event-patterns.md) specified in the rule or pipe and then delivers the event information with the request. With EventBridge, you can use any HTTP method except CONNECT and TRACE for the request. The most common HTTP methods to use are PUT and POST. 

You can also use input transformers to customize the event to the parameters of a specific HTTP endpoint parameters. For more information, see [Amazon EventBridge input transformation](eb-transform-target-input.md).

![\[API destinations use a connection with authorization parameters to send events to HTTP endpoints.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/api-destinations-overview_eventbridge_conceptual.svg)


EventBridge API destinations use *connections* to define the authorization method and credentials and network connectivity for EventBridge to use when connecting to a given HTTPS endpoint. Connections support both public and private APIs. For more information, see [Connections](eb-target-connection.md).

**Note**  
EventBridge API destinations currently only support public domain names with publicly trusted certificates for HTTPS endpoints when using private APIs. API destinations do not support mutual TLS (mTLS).

**Important**  
EventBridge requests to an API destination endpoint must have a maximum client execution timeout of 5 seconds. If the target endpoint takes longer than 5 seconds to respond, EventBridge times out the request. EventBridge retries timed out requests up to the maximums that are configured on your retry policy.   
For event buses, by default the maximums are 24 hours and 185 times.
For pipes, retries are determined the pipe source type and its configuration. EventBridge will retry until the event expires from the source, or the maximum event age or retry attempts configured has reached.
After the maximum number of retries, events are sent to your [dead-letter queue](eb-rule-dlq.md) if you have one.Otherwise, the event is dropped.

 The following video demonstrates the use of API destinations:




## Service-linked role for API destinations
<a name="eb-api-destination-slr"></a>

When you create a connection for an API destination, the service-linked role [AmazonEventBridgeApiDestinationsServiceRolePolicy](eb-use-identity-based.md#api-destination-slr-policy) is added to your account. EventBridge uses this service-linked role to create and store a secret in Secrets Manager. To grant the necessary permissions to the service-linked role, EventBridge attaches the **AmazonEventBridgeApiDestinationsServiceRolePolicy** policy to the role. The policy limits the permissions granted to only those necessary for the role to interact with the secret for the connection. No other permissions are included, and the role can interact only with the connections in your account to manage the secret.

For more information about service-linked roles, see [Using service-linked roles](https://docs.aws.amazon.com//IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide*.

## Headers in requests to API destinations
<a name="eb-api-destination-headers"></a>

The following section details how EventBridge handles HTTP headers in requests to API destinations.

### Headers included in requests to API destinations
<a name="eb-api-destination-headers-included"></a>

In addition to the authorization headers defined for the connection used for an API destination, EventBridge includes the following headers in each request.


| Header key | Header value | 
| --- | --- | 
|  User-Agent  |  Amazon/EventBridge/ApiDestinations  | 
|  Content-Type  |  If no custom Content-Type value is specified, EventBridge includes the following default value as Content-Type: application/json; charset=utf-8  | 
|  Range  |  bytes=0-1048575  | 
|  Accept-Encoding  |  gzip,deflate  | 
|  Connection  |  close  | 
|  Content-Length  |  An entity header that indicates the size of the entity-body, in bytes, sent to the recipient.  | 
|  Host  |  A request header that specifies the host and port number of the server where the request is being sent.  | 

### Headers that cannot be overridden in requests to API destinations
<a name="eb-api-destination-headers-no-override"></a>

EventBridge does not allow you to override the following headers:
+ User-Agent
+ Range

### Headers EventBridge removes from requests to API destinations
<a name="eb-api-destination-headers-removed"></a>

EventBridge removes the following headers for all API destination requests:
+ A-IM
+ Accept-Charset
+ Accept-Datetime
+ Accept-Encoding
+ Cache-Control
+ Connection
+ Content-Encoding
+ Content-Length
+ Content-MD5
+ Date
+ Expect
+ Forwarded
+ From
+ Host
+ HTTP2-Settings
+ If-Match
+ If-Modified-Since
+ If-None-Match
+ If-Range
+ If-Unmodified-Since
+ Max-Forwards
+ Origin
+ Pragma
+ Proxy-Authorization
+ Range
+ Referer
+ TE
+ Trailer
+ Transfer-Encoding
+ User-Agent
+ Upgrade
+ Via
+ Warning

## API destination error codes
<a name="eb-api-destination-error-codes"></a>

When EventBridge tries to deliver an event to an API destination and an error occurs, EventBridge does the following:
+ Retries events associated with error codes `401`, `407`, `409`, `429`, and `5xx`.
+ Does not retry events associated with error codes `1xx`, `2xx`, `3xx`, and `4xx` (other than those noted above).

EventBridge API destinations read the standard HTTP response header `Retry-After` to find out how long to wait before making a follow-up request. For event buses, EventBridge chooses the more conservative value between the defined retry policy and the `Retry-After` header. If `Retry-After` value is negative, EventBridge stops retrying delivery for that event.

## How invocation rate affects event delivery
<a name="eb-api-destination-event-delivery"></a>

If you set the invocation rate per second to a value much lower than the number of invocations generated, events may not be delivered within the 24 hour retry time for events. For example, if you set the invocation rate to 10 invocations per second, but thousands of events per second are generated, you will quickly have a backlog of events to deliver that exceeds 24 hours. To ensure that no events are lost, set up a dead-letter queue to send events with failed invocations to so you can process the events at a later time. For more information, see [Using dead-letter queues to process undelivered events in EventBridge](eb-rule-dlq.md).

## Region availability
<a name="eb-api-destination-regions"></a>

API destinations to public HTTPS endpoints are supported in the following AWS Regions:
+ US East (N. Virginia)
+ US East (Ohio)
+ US West (N. California)
+ US West (Oregon)
+ Africa (Cape Town)
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Tokyo)
+ Asia Pacific (Seoul)
+ Asia Pacific (Osaka)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Jakarta)
+ Canada (Central)
+ China (Beijing)
+ China (Ningxia)
+ Europe (Frankfurt)
+ Europe (Zurich)
+ Europe (Stockholm)
+ Europe (Milan)
+ Europe (Spain)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Paris)
+ Middle East (UAE)
+ Middle East (Bahrain)
+ South America (São Paulo)

# Create an API destination in Amazon EventBridge
<a name="eb-api-destination-create"></a>

Creating an API destination enables you to specify an HTTP endpoint as the target of a rule.

Each API destination requires a connection. A *connection* specifies the authorization type and credentials to use to authorize with the API destination endpoint. You can choose an existing connection, or create a connection at the same time that you create the API destination. For more information, see [Connections for API targets in Amazon EventBridge](eb-target-connection.md)

**To create an API destination using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, choose **API destinations**.

1. Scroll down to the **API destinations** table, and then choose **Create API destination**.

1. On the **Create API destination** page, enter a **Name** and Description for the API destination. 

   The name must be unique to your account in the current Region. You can use up to 64 uppercase or lowercase letters, numbers, dot (.), dash (-), or underscore (\$1) characters.
**Important**  
When creating a new API destination for your connection, ensure that the connection reaches the AUTHORIZED state before creating the API destination.

1. Enter an **API destination endpoint** for the API destination. 

   The **API destination endpoint** is an HTTP invocation endpoint target for events. The authorization information you include in the connection used for this API destination is used to authorize against this endpoint. The URL must use HTTPS.

1. Enter the **HTTP method** to use to connect to the **API destination endpoint**.

1. (Optional) For **Invocation rate limit per second** field, enter the maximum number of invocations per second to send to the API destination endpoint.

   The rate limit you set may affect how EventBridge delivers events. For more information, see [How invocation rate affects event delivery](eb-api-destinations.md#eb-api-destination-event-delivery).

1. For **Connection**, do one of the following:
   + Choose **Use an existing connection**, and then select the connection to use for this API destination.
   + Choose **Create a new connection**, and then enter the details for the connection to create. 

     For detailed instructions, see [Creating connections](eb-target-connection-create.md).

1. Choose **Create**.

# Creating rules that send events to an API destination in EventBridge
<a name="eb-create-rule-api-destination-target"></a>

After you create an API destination, you can select it as the target of a [rule](eb-rules.md). To use an API destination as a target, you must provide an IAM role with the correct permissions. For more information, see [Permissions required for EventBridge to access targets using IAM roles](eb-events-iam-roles.md#eb-target-permissions)

Selecting an API destination as a target is part of creating the rule.

**To create a rule that sends events to an API destination using the console**

1. Follow the steps in the [Creating rules using the Enhanced Builder](eb-create-rule-visual.md) procedure.

1. In the [Select targets](eb-create-rule-wizard.md#eb-create-rule-target) step, when prompted to choose an API destination as the target type:

   1. Select **EventBridge API destination**.

   1. Do one of the following:
      + Choose **Use an existing API destination** and select an existing API destination
      + Choose **Create a new API destination** and specify the necessary setting to define your new API destination.

        For more information on specifying the required settings, see [Create an API destination in Amazon EventBridge](eb-api-destination-create.md).

   1. (Optional): To specify header parameters for the event, under **Header Parameters** choose **Add header parameter**.

      Next, specify the key and value for the header parameter.

   1. (Optional): To specify query string parameters for the event, under **Query string parameters** choose **Add query string parameter**.

      Next, specify the key and value for the query string parameter.

1. Complete creating the rule following the [procedure steps](eb-create-rule-visual.md).

# Sending CloudEvents events to API destinations
<a name="eb-api-destinations-cloudevents"></a>

CloudEvents is a vendor-neutral specification for event formatting, with the goal of providing interoperability across services, platforms and systems. You can use EventBridge to transform AWS service events to CloudEvents before they are sent to a target, such as an API destination.

**Note**  
The following procedure explains how to transform source events into *structured-mode* CloudEvents. In the CloudEvents specification, a structured-mode message is one where the entire event (attributes and data) is encoded into the payload of the event.

For more information on the CloudEvents specification, see [cloudevents.io](https://cloudevents.io/).

**To transform AWS events to the CloudEvents format using the console**

To transform events to the CloudEvents format prior to delivery to a target, you start by creating an event bus rule. As part of defining the rule, you use an input transformer to have EventBridge transform events prior to sending to the target you specify.

1. Follow the steps in the [Creating rules using the Enhanced Builder](eb-create-rule-visual.md) procedure.

1. In the [Select targets](eb-create-rule-wizard.md#eb-create-rule-target) step, when prompted to choose an API destination as the target type:

   1. Select **EventBridge API destination**.

   1. Do one of the following:
      + Choose **Use an existing API destination** and select an existing API destination
      + Choose **Create a new API destination** and specify the necessary setting to define your new API destination.

        For more information on specifying the required settings, see [Create an API destination in Amazon EventBridge](eb-api-destination-create.md).

   1. Specify the necessary Content-Type header parameters for the CloudEvents events:
      + Under **Header Parameters** choose **Add header parameter**.
      + For **key**, specify `Content-Type`. 

        For **value**, specify `application/cloudevents+json; charset=UTF-8`.

1. Specify an execution role for your target.

1. Define an input transformer to transform the source event data into the CloudEvents format:

   1. Under **Additional settings**, for **Configure target input**, choose **Input transformer**.

      Then choose **Configure input transformer**.

   1. Under **Target input transformer**, specify the **Input path**.

      In the input path below, the region attribute is a custom *extension attribute* of the CloudEvents format. As such it is not required for adherence to the CloudEvents specification.

      CloudEvents allows you to use and create extension attributes not defined in the core specification. For more information, including a list of known extension attributes, see [CloudEvents Extension Attributes](https://github.com/cloudevents/spec/tree/main/cloudevents/extensions) in the [CloudEvents specification documentation](https://github.com/cloudevents/spec/tree/main) on GitHub.

      ```
      {
        "detail": "$.detail",
        "detail-type": "$.detail-type",
        "id": "$.id",
        "region": "$.region",
        "source": "$.source",
        "time": "$.time"
      }
      ```

   1. For **Template**, enter the template to transform the source event data to the CloudEvents format. 

      In the template below, `region` is not strictly required, since the `region` attribute in the input path is an extension attribute to the CloudEvents specification.

      ```
      {
        "specversion":"1.0",
        "id":<id>,
        "source":<source>,
        "type":<detail-type>,
        "time":<time>,
        "region":<region>,
        "data":<detail>
      }
      ```

1. Complete creating the rule following the [procedure steps](eb-create-rule-visual.md).

# API destination partners in Amazon EventBridge
<a name="eb-api-destination-partners"></a>

Use the information provided by the following AWS Partners to configure an API destination and connection for their service or application.

## Cisco Cloud Observability
<a name="eb-api-destination-cisco-cloud-observability"></a>

**API destination invocation endpoint URL:**  
`https://tenantName.observe.appdynamics.com/rest/awsevents/aws-eventbridge-integration/endpoint`

**Supported authorization types:**   
OAuth client credentials  
OAuth tokens are refreshed when a 401 or 407 response is returned

**Additional authorization parameters required:**  
Cisco AppDynamics Client ID and Client Secret  
OAuth endpoint:  
`https://tenantName.observe.appdynamics.com/auth/tenantId/default/oauth2/token`  
The following OAuth key/value pair parameters:      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/eb-api-destination-partners.html)

**Cisco AppDynamics documentation:**  
[AWS events ingestion](https://docs.appdynamics.com/display/CLOUD/AWS+Events+Ingestion)

**Commonly used API operations:**  
Not applicable

**Additional information:**  
Choosing **Cisco AppDynamics** from the **Partner destinations** drop-down menu prefills the necessary OAuth information, including the header and body key/value pairs required for API calls.  
For additional information, see [AWS events ingestion](https://docs.appdynamics.com/display/CLOUD/AWS+Events+Ingestion) in the *Cisco AppDynamics* documentation.

## Confluent
<a name="api-destination-confluent"></a>

**API destination invocation endpoint URL:**  
Typically the following format:  
`https://random-id.region.aws.confluent.cloud:443/kafka/v3/clusters/cluster-id/topics/topic-name/records`  
For more information, see [Find the REST endpoint address and cluster ID](https://docs.confluent.io/cloud/current/kafka-rest/krest-qs.html#step-1-find-the-rest-endpoint-address-and-cluster-id) in the Confluent documentation.

**Supported authorization types:**   
Basic

**Additional authorization parameters required:**  
Not applicable

**Confluent documentation:**  
[Produce Records](https://docs.confluent.io/cloud/current/api.html#tag/Records-(v3)/operation/produceRecord)  
[Confluent REST Proxy for Apache Kafka](https://docs.confluent.io/platform/current/kafka-rest/api.html#records-v3)

**Commonly used API operations:**  
`POST`

**Additional information:**  
To transform the event data into a message that the endpoint can process, create a target [input transformer](eb-transform-target-input.md).  
+ To generate a record without specifying a Kafka partitioning key, use the following template for your input transformer. No input path is required. 

  ```
  {
    "value":{
        "type":"JSON",
        "data":aws.events.event.json
    },
  }
  ```
+ To generate a record using an event data field as the Kafka partitioning key, follow the input path and template example below. This example defines the input path for the `orderId` field, and then specifies that field as the partition key.

  First, define the input path for the event data field:

  ```
  {
    "orderId":"$.detail.orderId"
  }
  ```

  Then, use the input transformer template to specify the data field as the partition key:

  ```
  {
    "value":{
      "type":"JSON",
      "data":aws.events.event.json
    },
    "key":{
      "data":"<orderId>",
      "type":"STRING"
    }
  }
  ```

## Coralogix
<a name="eb-api-destination-coralogix"></a>

**API destination invocation endpoint URL**  
For a full list of endpoints, see [Coralogix API Reference](https://coralogix.com/docs/log-query-simply-retrieve-data/).

**Supported authorization types**   
API Key

**Additional authorization parameters required**  
Header `"x-amz-event-bridge-access-key"`, the value is the Coralogix API Key

**Coralogix documentation**  
[Amazon EventBridge authentication](https://coralogix.com/docs/amazon-eventbridge/)

**Commonly used API operations**  
US: https://ingress.coralogix.us/aws/event-bridge  
Singapore: https://ingress.coralogixsg.com/aws/event-bridge  
Ireland: https://ingress.coralogix.com/aws/event-bridge  
Stockholm: https://ingress.eu2.coralogix.com/aws/event-bridge  
India: https://ingress.coralogix.in/aws/event-bridge

**Additional information**  
The events are stored as log entries with `applicationName=[AWS Account]` and `subsystemName=[event.source]`.

## Datadog
<a name="eb-api-destination-datadog"></a>

**API destination invocation endpoint URL**  
For a full list of endpoints, see [Datadog API Reference](https://docs.datadoghq.com/api/latest/).

**Supported authorization types**   
API Key

**Additional authorization parameters required**  
None

**Datadog documentation**  
[Authentication](https://docs.datadoghq.com/api/latest/authentication/)

**Commonly used API operations**  
POST https://api.datadoghq.com/api/v1/events  
POST https://http-intake.logs.datadoghq.com/v1/input

**Additional information**  
Endpoint URLs differ depending on the location of your Datadog organization. For the correct URL for your organization, see [documentation](https://docs.datadoghq.com/api/latest/).

## Dynatrace
<a name="api-destination-dynatrace"></a>

**API destination invocation endpoint URL:**  
+ Logs: https://*environment-id*.live.dynatrace.com/api/v2/logs/ingest
+ Davis events: https://*environment-id*.live.dynatrace.com/platform/ingest/v1/events
+ SDLC events: https://*environment-id*.live.dynatrace.com/platform/ingest/v1/events.sdlc
+ Security events: https://*environment-id*.live.dynatrace.com/platform/ingest/v1/events.security

**Supported authorization types:**   
API Key

**Additional authorization parameters required:**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/eb-api-destination-partners.html)

**Dynatrace documentation:**  
+ [Log ingestion](https://docs.dynatrace.com/docs/observe-and-explore/logs/lma-log-ingestion)
+ [How to ingest data (events)](https://docs.dynatrace.com/docs/platform/openpipeline/getting-started/how-to-ingestion)
+ [Ingest Amazon ECR vulnerability findings and scan events](https://docs.dynatrace.com/docs/platform-modules/application-security/security-events-ingest/ingest-aws-ecr-data)

**Commonly used API operations:**  
POST

**Additional information:**  
Each endpoint type has its token scope, which is required for successful authentication. For more information, see [Ingestion APIs](https://docs.dynatrace.com/docs/platform/openpipeline/reference/api-ingestion-reference) in the Dynatrace documentation.

## Freshworks
<a name="eb-api-destination-freshworks"></a>

**API destination invocation endpoint URL**  
For a list of endpoints, see [https://developers.freshworks.com/documentation/](https://developers.freshworks.com/documentation/)

**Supported authorization types**   
Basic, API Key

**Additional authorization parameters required**  
Not applicable

**Freshworks documentation**  
[Authentication](https://developers.freshdesk.com/api/#authentication)

**Commonly used API operations**  
https://developers.freshdesk.com/api/\$1create\$1ticket  
https://developers.freshdesk.com/api/\$1update\$1ticket  
https://developer.freshsales.io/api/\$1create\$1lead  
https://developer.freshsales.io/api/\$1update\$1lead

**Additional information**  
None

## MongoDB
<a name="eb-api-destination-mongodb"></a>

**API destination invocation endpoint URL**  
https://data.mongodb-api.com/app/*App ID*/endpoint/

**Supported authorization types**   
API Key  
Email/Password  
Custom JWT Authentication

**Additional authorization parameters required**  
None

**MongoDB documentation**  
[Atlas Data API](https://www.mongodb.com/docs/atlas/app-services/data-api/)  
[Endpoints](https://www.mongodb.com/docs/atlas/app-services/data-api/generated-endpoints/#endpoints)  
[Custom HTTPS Endpoints](https://www.mongodb.com/docs/atlas/app-services/data-api/custom-endpoints/)  
[Authentication](https://www.mongodb.com/docs/atlas/app-services/data-api/generated-endpoints/#authentication)

**Commonly used API operations**  
None

**Additional information**  
None

## Momento
<a name="api-destination-momento"></a>

**API destination invocation endpoint URL:**  
https://api.cache.*region*.prod.a.momentohq.com/cache/*cacheName*  
https://api.cache.*region*.prod.a.momentohq.com/topics/*cacheName*/*topicName*

**Supported authorization types:**   
API Key

**Additional authorization parameters required:**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/eb-api-destination-partners.html)

**Momento documentation:**  
[Momento \$1 Amazon EventBridge](https://docs.momentohq.com/cache/integrations/amazon-eventbridge)  
[Using the Momento Topics API](https://docs.momentohq.com/topics/develop/api-reference)  
[API reference for Momento Cache](https://docs.momentohq.com/cache/develop/api-reference)

**Commonly used API operations:**  
For caches: `PUT`, `DELETE`  
For topics: `POST`

**Additional information:**  
When updating or deleting a cache, include the following query string parameters in the configuration of your rule target:   
+ The key you want to update in your Momento cache
+ The Time-To-Live (TTL) for the cache item
For example, if your input event included a `details` field with those values:  
`key: $.details.key ttl_seconds: $.details.ttl_seconds`

## New Relic
<a name="api-destination-new-relic"></a>

**API destination invocation endpoint URL**  
For more information, see [Our EU and US region data centers](https://docs.newrelic.com/docs/using-new-relic/welcome-new-relic/get-started/our-eu-us-region-data-centers/).  
**Events**  
**US–** https://insights-collector.newrelic.com/v1/accounts/*YOUR\$1NEW\$1RELIC\$1ACCOUNT\$1ID*/events  
**EU–** https://insights-collector.eu01.nr-data.net/v1/accounts/*YOUR\$1NEW\$1RELIC\$1ACCOUNT\$1ID*/events  
**Metrics**  
**US–** https://metric-api.newrelic.com/metric/v1  
**EU–** https://metric-api.eu.newrelic.com/metric/v1  
**Logs**  
**US–** https://log-api.newrelic.com/log/v1  
**EU–** https://log-api.eu.newrelic.com/log/v1  
**Traces**  
**US–** https://trace-api.newrelic.com/trace/v1  
**EU–** https://trace-api.eu.newrelic.com/trace/v1

**Supported authorization types**   
API Key

**New Relic documentation**  
[Metric API](https://docs.newrelic.com/docs/telemetry-data-platform/ingest-manage-data/ingest-apis/report-metrics-metric-api/)  
[Event API](https://docs.newrelic.com/docs/telemetry-data-platform/ingest-manage-data/ingest-apis/introduction-event-api/)  
[Log API](https://docs.newrelic.com/docs/logs/log-management/log-api/introduction-log-api/)  
[Trace API](https://docs.newrelic.com/docs/understand-dependencies/distributed-tracing/trace-api/introduction-trace-api/)

**Commonly used API operations**  
[Metric API](https://docs.newrelic.com/docs/telemetry-data-platform/ingest-manage-data/ingest-apis/report-metrics-metric-api/)  
[Event API](https://docs.newrelic.com/docs/telemetry-data-platform/ingest-manage-data/ingest-apis/introduction-event-api/)  
[Log API](https://docs.newrelic.com/docs/logs/log-management/log-api/introduction-log-api/)  
[Trace API](https://docs.newrelic.com/docs/understand-dependencies/distributed-tracing/trace-api/introduction-trace-api/)

**Additional information**  
[Metric API limits](https://docs.newrelic.com/docs/telemetry-data-platform/get-data/apis/metric-api-limits-restricted-attributes/)  
[Event API limits](https://docs.newrelic.com/docs/telemetry-data-platform/ingest-manage-data/ingest-apis/introduction-event-api/#limits)  
[Log API limits](https://docs.newrelic.com/docs/logs/log-management/log-api/introduction-log-api/#limits)  
[Trace API limits](https://docs.newrelic.com/docs/understand-dependencies/distributed-tracing/trace-api/trace-api-general-requirements-limits/)

## Operata
<a name="api-destination-operata"></a>

**API destination invocation endpoint URL:**  
https://api.operata.io/v2/aws/events/contact-record

**Supported authorization types:**   
Basic

**Additional authorization parameters required:**  
None

**Operata documentation:**  
[How do I create, view, change and revoke API Tokens?](https://help.operata.com/en/articles/5542797-how-do-i-create-view-change-and-revoke-api-tokens)  
[Operata AWS Integration using Amazon EventBridge Scheduler Pipes](https://docs.operata.com/docs/aws-integration)

**Commonly used API operations:**  
`POST https://api.operata.io/v2/aws/events/contact-record`

**Additional information:**  
The `username` is the Operata Group ID and the password is your API token.

## Salesforce
<a name="api-destination-salesforce"></a>

**API destination invocation endpoint URL**  
**Sobject–** https:// *myDomainName*.my.salesforce.com/services/data/*versionNumber*/sobjects /*SobjectEndpoint*/\$1  
**Custom platform events–** https://*myDomainName*.my.salesforce.com/services/data /*versionNumber*/sobjects/*customPlatformEndpoint*/\$1  
For a full list of endpoints, see [Salesforce API Reference](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/resources_list.htm)

**Supported authorization types**   
OAuth client credentials  
OAUTH tokens are refreshed when a 401 or 407 response is returned.

**Additional authorization parameters required**  
[Salesforce Connected App](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_oauth_and_connected_apps.htm) Client Id and Client Secret.  
One of the following authorization endpoints:  
+ **Production–** https://*MyDomainName*.my.salesforce.com./services/oauth2/token
+ **Sandbox without enhanced domains–** https://*MyDomainName*--* SandboxName*.my. salesforce.com/services /oauth2/token
+ **Sandbox with enhanced domains–** https://*MyDomainName*--* SandboxName*.sandbox.my.salesforce.com/services/oauth2/token
The following key/value pair:      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/eb-api-destination-partners.html)

**Salesforce documentation**  
[REST API Developer Guide](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_what_is_rest_api.htm)

**Commonly used API operations**  
[Working with Object Metadata](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_working_with_object_metadata.htm)  
[Working with Records](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_working_with_records.htm)

**Additional information**  
For a tutorial explaining how to use the EventBridge console to create a connection to Salesforce, an API Destination, and a rule to route information to Salesforce, see [Tutorial: Send events to Salesforce from Amazon EventBridge](eb-tutorial-salesforce.md).

## Slack
<a name="eb-api-destination-slack"></a>

**API destination invocation endpoint URL**  
For a list of endpoints and other resources, see [Using the Slack Web API](https://api.slack.com/web)

**Supported authorization types**   
OAuth 2.0  
OAUTH tokens are refreshed when a 401 or 407 response is returned.  
When you create a Slack application and install it to your workspace, an OAuth bearer token will be created on your behalf to be used for authenticating calls by your API destination connection.

**Additional authorization parameters required**  
Not applicable

**Slack documentation**  
[Basic app setup](https://api.slack.com/authentication/basics)  
[Installing with OAuth](https://api.slack.com/authentication/oauth-v2)  
[Retrieving messages](https://api.slack.com/messaging/retrieving)  
[Sending messages](https://api.slack.com/messaging/sending)  
[Sending messages using Incoming Webhooks](https://api.slack.com/messaging/webhooks)

**Commonly used API operations**  
https://slack.com/api/chat.postMessage

**Additional information**  
When configuring your EventBridge rule there are two configurations to highlight:  
+ Include a header parameter that defines the content type as “application/json;charset=utf-8”.
+ Use an input transformer to map the input event to the expected output for the Slack API, namely ensure that the payload sent to the Slack API has “channel” and “text” key/value pairs.

## Shopify
<a name="eb-api-destination-shopify"></a>

**API destination invocation endpoint URL**  
For a list of endpoints and other resouces and methods, see [Endpoints and requests](https://shopify.dev/api/admin-rest#endpoints)

**Supported authorization types**   
OAuth, API Key  
OAUTH tokens are refreshed when a 401 or 407 response is returned.

**Additional authorization parameters required**  
Not applicable

**Shopify documentation**  
[Authentication and authorization overview](https://shopify.dev/apps/auth)

**Commonly used API operations**  
POST - /admin/api/2022-01/products.json  
GET - admin/api/2022-01/products/\$1product\$1id\$1.json  
PUT - admin/api/2022-01/products/\$1product\$1id\$1.json  
DELETE - admin/api/2022-01/products/\$1product\$1id\$1.json

**Additional information**  
[Create an app](https://shopify.dev/apps/getting-started/create)  
[Amazon EventBridge webhook delivery](https://shopify.dev/apps/webhooks/configuration/eventbridge)  
[Access tokens for custom apps in the Shopify admin](https://shopify.dev/apps/auth/admin-app-access-tokens)  
[Product](https://shopify.dev/api/admin-rest/2021-10/resources/product#top)  
[Shopify Admin API](https://shopify.dev/api/admin)

## Splunk
<a name="api-destination-splunk"></a>

**API destination invocation endpoint URL**  
https://*SPLUNK\$1HEC\$1ENDPOINT*:*optional\$1port*/services/collector/raw

**Supported authorization types**   
Basic, API Key

**Additional authorization parameters required**  
None

**Splunk documentation**  
For both authorization types, you need an HEC token ID. For more information, see [Set up and use HTTP Event Collector in Splunk Web](https://help.splunk.com/en/data-management/collect-http-event-data/use-hec-in-splunk-cloud-platform/set-up-and-use-http-event-collector-in-splunk-web).

**Commonly used API operations**  
POST https://*SPLUNK\$1HEC\$1ENDPOINT*:*optional\$1port*/services/collector/raw

**Additional information**  
API Key – When configuring the endpoint for EventBridge, the API key name is “Authorization” and value is the Splunk HEC token ID.  
Basic (Username/Password) – When configuring the endpoint for EventBridge, the username is “Splunk” and the password is the Splunk HEC token ID.

## Sumo Logic
<a name="api-destination-sumologic"></a>

**API destination invocation endpoint URL**  
HTTP Log and Metric Source endpoint URLs will be different for every user. For more information, see [ HTTP Logs and Metrics Source](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/HTTP-Source).

**Supported authorization types**   
Sumo Logic doesn’t require authentication on their HTTP Sources because there’s a unique key baked into the URL. For this reason, you should make sure to treat that URL as a secret.  
When you configure the EventBridge API destination, an authorization type is required. To meet this requirement, select API Key and give it a key name of “dummy-key” and a key value of “dummy-value”.

**Additional authorization parameters required**  
Not applicable

**Sumo Logic documentation**  
Sumo Logic has already built hosted sources to collect logs and metrics from many AWS services and you can use the information on their website to work with those sources. For more information, see [Amazon Web Services](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services).  
If you’re generating custom events from an application and want to send them to Sumo Logic as either logs or metrics, then use EventBridge API Destinations and Sumo Logic HTTP Log and Metric Source endpoints.  
+ To sign up and create a free Sumo Logic instance, see [Start your free trial today](https://www.sumologic.com/sign-up/).
+ For more information about using Sumo Logic, see [ HTTP Logs and Metrics Source](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/HTTP-Source).

**Commonly used API operations**  
POST https://endpoint4.collection.us2.sumologic.com/receiver/v1/http/*UNIQUE\$1ID\$1PER\$1COLLECTOR*

**Additional information**  
None

## TriggerMesh
<a name="eb-api-destination-triggermesh"></a>

**API destination invocation endpoint URL**  
Use the information in the [Event Source for HTTP](https://docs.triggermesh.io/concepts/sources) topic to formulate the endpoint URL. An endpoint URL includes the event source name and user namespace in the following format:  
https://*source-name*.*user-namespace*.cloud.triggermesh.io  
Include the Basic authorization parameters in the request to the endpoint.

**Supported authorization types**   
Basic

**Additional authorization parameters required**  
None

**TriggerMesh documentation**  
[Event Source for HTTP](https://docs.triggermesh.io/concepts/sources)

**Commonly used API operations**  
Not applicable

**Additional information**  
None

## Zendesk
<a name="eb-api-destination-zendesk"></a>

**API destination invocation endpoint URL**  
https://developer.zendesk.com/rest\$1api/docs/support/tickets

**Supported authorization types**   
Basic, API Key

**Additional authorization parameters required**  
None

**Zendesk documentation**  
[Security and Authentication](https://developer.zendesk.com/rest_api/docs/support/introduction#security-and-authentication)

**Commonly used API operations**  
POST https://*your\$1Zendesk\$1subdomain*/api/v2/tickets

**Additional information**  
API requests EventBridge makes count against your Zendesk API limits. For information about Zendesk limits for your plan, see [Usage limits](https://developer.zendesk.com/rest_api/docs/support/usage_limits).   
To better safeguard your account and data, we recommend using an API key rather than basic sign-in credentials authentication.

# Connections for API targets in Amazon EventBridge
<a name="eb-target-connection"></a>

To enable event buses and pipes to target custom resources, such as HTTPS APIs, you create connections. A *connection* defines the authorization method and credentials for EventBridge to use in connecting to a given resource. If you are connecting to a private API, such as a private API in an Amazon Virtual Private Cloud (Amazon VPC), you can also use the connection to define secure point-to-point network connectivity. 

You can create connections to target:
+ Public APIs, such as third-party SaaS applications.
+ Private APIs, such as custom resources that reside in an Amazon VPC or on-premise.

  EventBridge creates connections to private HTTPS endpoints by utilizing *resource configurations* created in Amazon VPC Lattice. A resource configuration is a logical object that identifies a resource, and specifies who can access it and how.

Use connections with:
+ API destinations in EventBridge

  When you create an API destination, you specify a connection to use for it. You can choose an existing connection from your account, or create a connection when you create an API destination. 

  For more information, see [API destinations](eb-api-destinations.md).
+ HTTP Endpoint tasks in AWS Step Functions

  An HTTP Endpoint task is a type of Task workflow state that lets you call HTTPS APIs in your workflows. These APIs can be public, such as Salesforce and Stripe, or private APIs that reside in an Amazon VPC or on-premise. The task uses a connection to specify the authorization type and credentials to use for authorizing the API. For private APIs, the connection also defines the network path to the API.

  For more information, see [Call HTTPS APIs in Step Functions workflows](https://docs.aws.amazon.com/step-functions/latest/dg/connect-third-party-apis.html) in the *Step Functions User Guide*.

![\[EventBridge and Step Functions use connections as authorization and network connectivity configurations for HTTPS endpoints.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/connections-overview_eventbridge_conceptual.svg)


Connections are reusable. You can use the same connection to the same API for multiple EventBridge API destinations or Step Functions tasks, as long as the authentication method is the same. If API destinations or tasks require different authentication, then you must create separate connections.

## Storing connection authorization parameters in AWS Secrets Manager
<a name="connection-secrets"></a>

When you configure the authorization settings and create a connection, it creates a secret in AWS Secrets Manager to securely store the authorization information. You can also add additional parameters to include in the connection as appropriate for your HTTPS endpoint target.

EventBridge connections support the following authentication methods: basic, OAuth, and API Key. For more information, see [Connection authorization methods](eb-target-connection-auth.md).

While by default EventBridge uses an AWS owned key to encrypt and decrypt the connection secret, you can specify a customer managed key for EventBridge to use instead. For more information, see [Encrypting connections](encryption-connections.md).

# Connecting to private APIs in EventBridge
<a name="connection-private"></a>

You can create connections to private HTTPS endpoints, to provide secure point-to-point network access to resources in VPCs or on-premises without having to traverse the public internet. For example, you can create a connection to access an HTTPS-based application behind an Amazon Elastic Load Balancer. 

EventBridge creates connections to private HTTPS endpoints by utilizing *resource configurations* created in VPC Lattice. A resource configuration is a logical object that identifies the resource and specifies how and who can access it. To create a connection to a private API in EventBridge, you specify the resource configuration for the private API. For more information, see [ Resource configuration in VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

EventBridge then creates a *resource association* that enables EventBridge to access the private API. For more information, see [ Manage resource associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-config-associations) in the *Amazon VPC Lattice User Guide*.

While EventBridge manages the resource association, it creates the association using your credentials, so you retain visibility into the resource association operation.

![\[EventBridge and Step Functions use connections as authorization configurations for HTTPS endpoints.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/connections-private-destination_eventbridge_conceptual.svg)


You can create connections that access private APIs in other AWS accounts. For more information, see [Cross-account private APIs](connection-private-cross-region.md).

# Connecting to private APIs in other AWS accounts
<a name="connection-private-cross-region"></a>

EventBridge supports connections to private APIs across accounts in the same Region. 

For you to create a connection to a private API in another AWS account, the owner of that account must first share a VPC Lattice resource configuration for that private API with you. To do this, they share the resource with you in AWS Resource Access Manager. AWS RAM enables secure sharing of resources across AWS accounts, within organizational units (OUs), and integrates with AWS Identity and Access Management roles and users. Once you've accepted the resource share in AWS RAM you can specify the shared VPC Lattice resource configuration when creating a connection.

For more information on AWS RAM, see the following topics in the *AWS Resource Access Manager User Guide*:
+ [Benefits of AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html#what-is-features)
+ [How resource sharing works](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html#what-is-how)
+ [Access AWS resources shared with you](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared-invitations.html)

EventBridge does not support connections to private APIs across Regions. However, to target a private API in a different Region from your event bus:, you can:

1. Define an event bus rule that targets a second event bus that does reside in the same Region as the desired private API.

1. Create a connection for the second event bus to target the private API.

For more information, see [Sending and receiving events between AWS Regions in Amazon EventBridge](eb-cross-region.md).

## Permissions for connecting to private APIs
<a name="connection-private-permissions"></a>

The following policy example includes the minimal necessary permissions for creating a connection to a private API.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetResourceConfiguration",
                "vpc-lattice:AssociateViaAWSService-EventsAndStates",
                "events:CreateConnection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

------

The following policy example includes the minimal necessary permissions for updating a connection to a private API.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetResourceConfiguration",               
                "vpc-lattice:AssociateViaAWSService-EventsAndStates",
                "events:UpdateConnection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

------

## Monitoring creation of connections to private APIs
<a name="connection-private-monitoring-create"></a>

When you create a connection to a private API, the following logs are generated: 

In the account in which the connection was created, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociation` event. 

In this log, `sourceIPAddress`, `userAgent`, and `serviceNetworkIdentifier` are set to the EventBridge service principal, `events.amazonaws.com`. 

```
{
  "eventTime": "2024-11-21T00:00:00Z",
  "eventSource": "vpc-lattice.amazonaws.com",
  "eventName": "CreateServiceNetworkResourceAssociation",
  "awsRegion": "region",
  "sourceIPAddress": "events.amazonaws.com", 
  "userAgent": "events.amazonaws.com",
  "requestParameters": {
    "x-amzn-vpc-lattice-association-source-arn": "***",
    "x-amzn-vpc-lattice-service-network-identifier": "***",
    "clientToken": "token",
    "serviceNetworkIdentifier": "events.amazonaws.com",
    "resourceConfigurationIdentifier": "arn:partition:vpc-lattice:region:account-id:resourceconfiguration/resource-configuration-id",
    "tags": {
        "ManagedByServiceAWSEventBridge": "account-id:connection-name"
    }
}
```

In the account which contains the private API , AWS CloudTrail logs a `CreateServiceNetworkResourceAssociationBySharee` event. 

This log includes:
+ `callerAccountId`: The AWS account in which the connection was created
+ `accountId`: The AWS account that contains the private API.
+ `resource-configuration-arn`: The VPC Lattice resource configuration for the private API.

```
{
  "eventTime": "2024-11-21T06:31:42Z",
  "eventSource": "vpc-lattice.amazonaws.com",
  "eventName": "CreateServiceNetworkResourceAssociationBySharee",
  "awsRegion": "region",
  "sourceIPAddress": "vpc-lattice.amazonaws.com",
  "userAgent": "user-agent",
  "additionalEventData": {
      "callerAccountId": "consumer-account-id"
  },
  "resources": [
      {
          "accountId": "provider-account-id",
          "type": "AWS::VpcLattice::ServiceNetworkResourceAssociation",
          "ARN": "resource-configuration-arn"
      }
  ]
}
```

In the case of cross-account connections to private APIs, the account containing the connection will not receive AWS CloudTrail or VPC Lattice logs for the invocation of the private API.

## Managing service network resource associations for connections
<a name="connection-private-snra"></a>

When you specify the VPC Lattice resource configuration for the private API to which you want to connect, EventBridge enables the connection by creating a resource association between the VPC Lattice resource configuration and a VPC Lattice service network owned by the EventBridge service. While EventBridge manages the resource association, it creates the association using your credentials, so you retain visibility into the resource association. This means you can list and describe the resource associations.

Use [describe-connection](https://docs.aws.amazon.com/cli/latest/reference/events/describe-connection.html) to return a connection description that includes the Amazon Resource Names (ARNs) of the resource configuration and resource association.

You cannot delete resource associations created by EventBridge. If you delete a connection, EventBridge deletes any corresponding resource associations.

For more information, see [ Manage resource associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-config-associations) in the *Amazon VPC Lattice User Guide*.

## Connecting to on-premise private APIs
<a name="connection-private-on-prem"></a>

Using access to VPC resources through AWS PrivateLink and VPC Lattice, you can connect to on-premise private APIs. To do so, you must configure a network route between your VPC and your on-premise environment. For example, you can use [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) or [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) to establish such a route.

# Provider considerations for cross-account connections in EventBridge
<a name="connection-private-rc-provider"></a>

To create a connection to a private API in another AWS account, the owner of that account must share a VPC Lattice resource configuration for the private API with you. A resource configuration is a logical object that identifies the API and specifies how and who can access it. The *provider* account--that is, the account sharing the VPC Lattice resource configuration for the private API with another account--shares the VPC Lattice resource configuration using AWS RAM. 

If your account is the provider of a VPC Lattice resource configuration, keep the following considerations in mind:

## Resource policy for resource configurations for cross-account private APIs
<a name="connection-private-rc-provider-policy"></a>

By default, creating a AWS RAM resource share includes the necessary share policy, `AWSRAMPermissionVpcLatticeResourceConfiguration`. If you create a customer managed permission policy, you must include the necessary permissions.

The following policy example provides the minimum necessary permissions for EventBridge to create the resource association necessary for a connection to a private API.
+ `vpc-lattice:GetResourceConfiguration` allows EventBridge to retrieve the Amazon VPC Lattice resource configuration you specify.
+ `vpc-lattice:CreateServiceNetworkResourceAssociation` allows EventBridge to create the resource association from the VPC Lattice resource configuration you specify.
+ `vpc-lattice:AssociateViaAWSService-EventsAndStates` allows EventBridge to create a resource association to a VPC Lattice service network owned by the service.

```
{
    "Effect": "Allow",
    "Action": [
      "vpc-lattice:CreateServiceNetworkResourceAssociation", 
      "vpc-lattice:GetResourceConfiguration", 
      "vpc-lattice:AssociateViaAWSService-EventsAndStates"
      ]
}
```

For more information, see [Managing permissions in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-ram-permissions.html) in the *AWS Resource Access Manager User Guide*.

## Provider monitoring of connection creation
<a name="connection-private-provider-monitor"></a>

When another account creates an EventBridge connection using a VPC Lattice resource configuration you have shared, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociationBySharee` event. For more information, see [Monitoring connection creation](connection-private.md#connection-private-monitoring-create).

## Configuring security groups for access to private APIs
<a name="connection-private-provider-security"></a>

With VPC Lattice, you can create and assign security groups to enforce additional network-level security protections for your target API and resource gateway. In order for EventBridge and Step Functions to access your private API successfully, the security groups on the target API and resource gateway must to be configured correctly. If not configured correctly, the services will return "Connection Timed Out" errors when attempting to call your API. 

For your target API, your security group must be configured to allow all inbound TCP traffic on port 443 from the security group for your resource gateway.

For your resource gateway, your security group must be configured to allow the following:
+ All inbound IPv6 TCP traffic across all ports from the ::/0 IPv6 CIDR range.
+ All inbound IPv4 TCP traffic across all ports from the 0.0.0.0/0 IPv6 CIDR range.
+ All outbound TCP traffic on port 443 to the security group used by your target resource, for the IP protocol your target API accepts (IPv4 or IPv6).

For more information, see the following topics in the *Amazon VPC Lattice User Guide*:
+ [Control traffic in VPC Lattice using security groups](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html)
+ [Resource gateway in VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateway.html)

# Creating connections to private APIs
<a name="connection-private-create"></a>

The following steps walk you through how to create a connection to a private API. For detailed instructions that include all configuration options for connections, including creating connections to public APIs, see [Creating connections](eb-target-connection-create.md).

## Define the connection
<a name="connection-private-create-define"></a>

The following steps walk you through how to create a connection to a private API endpoint. For instructions on creating connections to public APIs, see [Creating connections](eb-target-connection-create.md).

1. Open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. Choose **Create connection**.

1. On the **Create connection** page, enter a **Connection name** and **Description**.

## Configure the invocation endpoint
<a name="connection-private-create-invocation"></a>

Next, use the **Configure invocation** section to specify the HTTPS endpoint you want the connection to invoke.

1. For **API type**, choose **Private**.

1. Specify the Amazon VPC Lattice resource configuration to use to connect to it. 

   Under **Private API**: 
   + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
   + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

     You are taken to the Amazon VPC Lattice; service console, where you can create a new configuration. for more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

## Configure the endpoint authorization
<a name="connection-private-create-auth"></a>

Lastly, specify the authorization settings to use to access the endpoint. 

EventBridge supports basic, OAuth client credentials, and API key authentication methods.

1. Under **Configure authorization**, choose **Custom configuration**.

1. For **Authorization type**, select the authorization method for the connection to use.

1. Specify the authorization configuration details for the authorization method you chose:
   + **Basic**

     Enter the **Username** and **Password** to use to authorize with the HTTPS endpoint.
   + **OAuth Client Credentials**

     1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private (VPC) endpoint.

        If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
        + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
        + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

          You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. for more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

     1. Specify the following authorization information:
        + Authorization endpoint
        + HTTPS method
        + Client ID
        + Client secret

     1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

        To do so:
        + Select a **Parameter** from the drop-down list.
        + Enter a **Key** and **Value**.

        To include an additional parameter, choose **Add parameter**.
   + **API Key**

     Enter the **API key name** and associated **Value** to use for API Key authorization.

1. Under **Invocation Http Parameters**, add any additional parameters to include in the authorization request. 

   To add a parameter:

   1. Select a **Parameter** from the drop-down list

   1. Enter a **Key** and **Value**

   To include an additional parameter, choose **Add parameter**.

1. Choose **Create Connection**.
**Note**  
For connections for private endpoints, EventBridge creates the necessary resource association when it create the connection. This can take up to 90 seconds.

# Authorization methods for connections in EventBridge
<a name="eb-target-connection-auth"></a>

EventBridge connections support the following authorization methods:
+ Basic
+ API Key

  For Basic and API Key authorization, EventBridge populates the required authorization headers for you.
+ OAuth

  For OAuth authorization, EventBridge also exchanges your client ID and secret for an access token and then manages it securely. 

  When you create a connection that uses OAuth authorization, you have the option of specifying a public or private authorization endpoint.

## Considerations when using OAuth
<a name="eb-target-connection-auth-oauth"></a>

Keep in mind the following when using OAuth as an authorization method for connections:
+ EventBridge refreshes OAuth tokens:
  + When a `401` or `407` response is returned.
  + Proactively during an HTTPS invocation, if the token expires within 60 seconds. This refresh only occurs when EventBridge processes an event for the API destination — it is not a background process. If no events arrive during this window, the next event triggers a synchronous token refresh, which may increase invocation latency or result in a failed invocation while the connection is reauthorizing.
+ You can use [Connection events](event-reference.md#event-reference-connections) to be notified when a connection changes state, such as becoming deauthorized.
+ We recommend you set the retry policy to greater than 0 for rules using connections that require OAuth. That way, if an OAuth token has expired, EventBridge will refresh the token when retrying the invocation. 

  For more information on setting a retry policy for a rule, see [Select targets](eb-create-rule-wizard.md#eb-create-rule-target).

## Considerations for connection authorization
<a name="eb-target-connection-auth-considerations"></a>

When you create a connection, you can also include the header, body, and query parameters that are required for authorization with an endpoint. You can use the same connection for more than one HTTPS endpoint if the authorization for the endpoint is the same.

When you create a connection and add authorization parameters, EventBridge creates a secret in AWS Secrets Manager. The cost of both storing and accessing the Secrets Manager secret is included with the charge for using an API destination. 

For information on how to have EventBridge re-authorize the connection once you have updated it to address authorization or connectivity issues, see [Updating connections](eb-target-connection-edit.md).

**Note**  
To successfully create or update a connection, you must use an account that has permission to use Secrets Manager. The required permission is included in the [AWS managed policy: AmazonEventBridgeFullAccess](eb-use-identity-based.md#eb-full-access-policy). The same permission is granted to the [service-linked role](eb-api-destinations.md#eb-api-destination-slr) that's created in your account for the connection.

For examples of how to create a CloudFormation template that provisions an EventBridge connection with authentication, see [AWS::Events::Connection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html) in the *CloudFormation User Guide*.

# Connection states in EventBridge
<a name="eb-target-connection-states"></a>

Below are the connection statuses returned by EventBridge when creating or re-authorizing a connection.

For successful connections to public APIs, EventBridge returns a status of `AUTHORIZED`. For successful connections to private APIs, EventBridge returns a status of `ACTIVE`.

*Connectivity failures* refer to errors involving the network connectivity of the connection. Connectivity errors result in a connection status of `FAILED_CONNECTIVITY`. *Authorization failures* refer to errors involving the permissions specified for the connection. Authorization failures result in a status of `DEAUTHORIZED`.

For information on how to have EventBridge re-authorize the connection once you have updated it to address authorization or connectivity issues, see [Updating connections](eb-target-connection-edit.md).

EventBridge emits events when the state of a connection changes. For more information, see [Connection events](event-reference.md#event-reference-connections).

**Public APIs**


| Authorization method | Success | Connectivity failure | Authorization failure | 
| --- | --- | --- | --- | 
|  Basic or API Key  |  `AUTHORIZED`  |  n/a  |  `DEAUTHORIZED`  | 
|  OAuth (public endpoint)  |  `AUTHORIZED`  |  n/a  |  `DEAUTHORIZED`  | 
|  OAuth (private endpoint)  |  `AUTHORIZED`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 

**Private APIs**


| Authorization method | Success | Connectivity failure | Authorization failure | 
| --- | --- | --- | --- | 
|  Basic or API Key  |  `ACTIVE`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 
|  OAuth (public endpoint)  |  `ACTIVE`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 
|  OAuth (private endpoint)  |  `ACTIVE`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 

When you create a connection to a private API, there can be a delay of up to several minutes from when the connection is successfully created to when you can successfully make HTTPS calls to the private API. During this period:
+ Private OAuth connection will be in `AUTHORIZING` state, and will transition to `AUTHORIZED` when OAuth token exchange is successfully completed.
+ The connection will update to `ACTIVE` status, and EventBridge will retry any invocations from event buses or pipes.

If you are using the connection in an HTTP task within a Step Functions workflow, you can configure retries on `httpTimeoutExceptions` to retry any calls to the private API that happen during this period.

# Creating connections for API targets in EventBridge
<a name="eb-target-connection-create"></a>

The following steps walk you through how to create a connection to an HTTPS endpoint.

**Topics**
+ [Define the connection](#eb-target-connection-create-define)
+ [Configure the invocation endpoint](#eb-target-connection-create-invocation)
+ [Configure the endpoint authorization](#eb-target-connection-create-auth)
+ [Configure encryption](#eb-target-connection-create-cmkms)

## Define the connection
<a name="eb-target-connection-create-define"></a>

1. Open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. Choose **Create connection**.

1. On the **Create connection** page, enter a **Connection name** and **Description**.

## Configure the invocation endpoint
<a name="eb-target-connection-create-invocation"></a>

Next, use the **Configure invocation** section to specify the API type you want the connection to invoke. EventBridge connections support public and private APIs.
+ For **API type**, choose whether the endpoint is a public or private API.

  If you choose a private API, specify the VPC Lattice resource configuration to use to connect to it. 

  Under **Private API**: 
  + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
  + To create a new VPC Lattice resource configuration, choose **New Resource configuration**.

    You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. for more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

## Configure the endpoint authorization
<a name="eb-target-connection-create-auth"></a>

Next, specify the authorization settings to use to access the endpoint. 

EventBridge supports basic, OAuth client credentials, and API key authentication methods.

1. For **Configure authorization**, choose the type of endpoint to which you want to connect.

------
#### [ Custom endpoint ]

   If the connection is to an endpoint other than a partner endpoint, choose **Custom configuration**.

   1. For **Authorization type**, select the authorization method for the connection to use.

   1. Specify the authorization configuration details for the authorization method you chose:
      + **Basic**

        Enter the **Username** and **Password** to use to authorize with the HTTPS endpoint.
      + **OAuth Client Credentials**

        1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private endpoint.

           If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
           + To use an existing resource configuration, choose a resource configuration from the drop-down menu.
           + To create a new resource configuration, choose **New resource configuration**.

             You are taken to the Amazon VPC Lattice; service console, where you can create a new configuration. for more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

        1. Specify the following authorization information:
           + Authorization endpoint
           + HTTP method
           + Client ID
           + Client secret

        1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

           To do so:
           + Select a **Parameter** from the drop-down list.
           + Enter a **Key** and **Value**.

           To include an additional parameter, choose **Add parameter**.
      + **API Key**

        Enter the **API key name** and associated **Value** to use for API Key authorization.

------
#### [ Partner endpoint ]

   If the connection is to a partner endpoint, choose **Use partner template**. For a list of available partner endpoints, see [API destination partners](eb-api-destination-partners.md).

   1. From **Partner destination**, select the partner to which to connect.

      Under **Authorization type**, EventBridge enables the authorization methods available for the partner.

   1. For **Authorization type**, select the authorization method for the connection to use.

   1. Specify the authorization configuration details for the authorization method you chose:
      + **Basic**

        Enter the **Username** and **Password** to use to authorize with the HTTP endpoint.
      + **OAuth Client Credentials**

        1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private (VPC) endpoint.

           If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
           + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
           + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

             You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. for more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

        1. Specify the following authorization information:
           + Authorization endpoint
           + HTTPS method
           + Client ID
           + Client secret

        1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

           To do so:
           + Select a **Parameter** from the drop-down list.
           + Enter a **Key** and **Value**.

           To include an additional parameter, choose **Add parameter**.
      + **API Key**

        Enter the **API key name** and associated **Value** to use for API Key authorization.

------

1. Under **Invocation Http Parameters**, add any additional parameters to include in the authorization request. 

   To add a parameter:

   1. Select a **Parameter** from the drop-down list

   1. Enter a **Key** and **Value**

   To include an additional parameter, choose **Add parameter**.

## Configure encryption
<a name="eb-target-connection-create-cmkms"></a>

Lastly, specify the type of KMS key you want EventBridge to use when encrypting and decrypting the authorization parameters that it stores as a secret in AWS Secrets Manager.. By default, EventBridge uses an AWS owned key.

For more information, see [Encrypting connections](encryption-connections.md).

1. Choose the KMS key for EventBridge to use when encrypting the connection secret.
   + Choose **Use AWS owned key** for EventBridge to encrypt the secret using an AWS owned key.

     This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. 

     This is the default.
   + Choose **Use customer managed key** for EventBridge to encrypt the secret using the customer managed key that you specify or create.

     Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys.

     1. Specify an existing customer managed key, or choose **Create a new KMS key**.

       EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key.

1. Choose **Create Connection**.
**Note**  
For connections for private endpoints, EventBridge creates the necessary resource association when it create the connection. This can take up to 90 seconds.

# Updating connections in EventBridge
<a name="eb-target-connection-edit"></a>

You can update existing connections.

## Updating authentication of connections
<a name="eb-target-connection-edit-auth"></a>

When you update certain authentication parameters, EventBridge re-authorizes and verifies network connectivity of the connection accordingly.

Updating the connection with authorization parameters of a different authorization type, without updating the authorization type itself, has no effect.

**When EventBridge re-authenticates connections to public APIs**

For connections to public APIs, EventBridge re-authorizes the connection if you:
+ Update the connection to invoke a private API instead.
+ Update the connection authorization method *and* authorization parameters.

**When EventBridge re-authenticates connections to private APIs**

For connections to private APIs, if you do any of the following:
+ Update the connection to invoke a different private API, or a public API.
+ Update the connection authorization method.
+ Update the connection authorization parameters for the specified authorization method.

EventBridge does the following:
+ Re-authorizes the connection.
+ Verifies the network connectivity of the connection.

  If you have updated the connection to use a different private API, or a public API, EventBridge also removes or updates existing network connectivity artifacts as appropriate.

**To update a connection using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. In the **Connections** table, choose the connection to edit.

1. On the **Connection details** page, choose **Edit**.

1. Update the values for the connection, and then choose **Update**.

   For information on updating the KMS key for EventBridge to use when encrypting a connection, see [Updating AWS KMS keys](encryption-connections-configure.md#encryption-connections-update).

**To update a connection using the AWS CLI**
+ Use the `[update-connection](https://docs.aws.amazon.com/cli/latest/reference/events/update-connection.html)` command. 

  To update a connection's invocation or authorization endpoint from a private API to a public API, you must specify an empty string (`""`) for the `ResourceConfigurationArn` parameter. Specifying `null` for this parameter has no effect.

  The following example updates the connection to use a public API, by setting the `ResourceConfigurationArn` that represents a private API resource configuration to an empty string.

  ```
  aws events update-connection \                              
  --name myConnection \
  --authorization-type BASIC \
  --auth-parameters '{"BasicAuthParameters": {"Username": "username", "Password": "***"}}' \
  --region us-east-1 \
  --invocation-connectivity-parameters ResourceParameters={ResourceConfigurationArn=\"\"}
  ```

# De-authorizing connections in EventBridge
<a name="eb-target-connection-deauthorize"></a>

You can de-authorize a connection. De-authorizing a connection removes all authorization parameters. Removing authorization parameters removes the secret from the connection, so you can reuse it without having to create a new connection.

**Note**  
You must update any API destinations or Step Functions workflow tasks that use the de-authorized connection to use a different connection to successfully send requests to the HTTPS endpoint.

In addition to manual de-authorization, EventBridge de-authorizes a connection if the following occurs:
+ EventBridge cannot retrieve the secret because it has been deleted.
+ For connections using OAuth authentication, EventBridge cannot refresh the necessary OAuth token.
+ For connections using Basic or API Key authentication, EventBridge receives a `401 (UnAuthorize)` or `407 (Proxy_Authentication_required)` error code.

  In this case, update the connection with appropriate credentials to resolve the error.
+ If you have specified a customer managed key for EventBridge to use for secret encryption, and EventBridge receives a KMS key error when encrypting or decrypting the connection's secret. For more information, see [Customer managed key errors](encryption-connections.md#encryption-connections-deauth).

**Note**  
EventBridge emits events when the state of a connection changes. You can use these events to track changes in a connection.   
For more information, see [Connection events](event-reference.md#event-reference-connections).

**To de-authorize a connection using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. In the **Connections** table, choose the connection.

1. On the **Connection details** page, choose **De-authorize**.

1. In the **Deauthorize connection?** dialog box, enter the name of the connection, and then choose **De-authorize**.

   The status of the connection changes to **De-authorizing** until the process is complete. Then the status changes to **De-authorized**. Now you can edit the connection to add new authorization parameters.

**To de-authorize a connection using the AWS CLI**
+ Use the `[deauthorize-connection](https://docs.aws.amazon.com/cli/latest/reference/events/deauthorize-connection.html)` command. 

# Deleting connections in EventBridge
<a name="eb-target-connection-delete"></a>

You can delete a connection if you are no longer using it.

**To delete a connection using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. In the **Connections** table, choose the connection.

1. On the **Connection details** page, choose **Delete**.

**To delete a connection using the AWS CLI**
+ Use the `[delete-connection](https://docs.aws.amazon.com/cli/latest/reference/events/delete-connection.html)` command. 

# Receiving events from a SaaS partner with Amazon EventBridge
<a name="eb-saas"></a>

To receive events from SaaS partner applications and services, you need a *partner event source* from the partner. A partner event source is a resource created by a partner that you can then accept as an event source. To accept the partner event source, you create a custom event bus and match it to the partner event source.

![\[An SaaS partner sends an event to a partner event source, which sends it to the partner event bus.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/bus-saas_eventbridge_conceptual.svg)


 The following video covers SaaS integrations with EventBridge:




**Topics**
+ [Supported SaaS partner integrations](#eb-supported-integrations)
+ [Configuring Amazon EventBridge to receive events from a SaaS integration](#eb-saas-integration)
+ [Receiving SaaS events from AWS Lambda function URLs in Amazon EventBridge](eb-saas-furls.md)
+ [Receiving events from Salesforce in Amazon EventBridge](eb-saas-salesforce.md)

## Supported SaaS partner integrations
<a name="eb-supported-integrations"></a>

EventBridge supports the following SaaS partner integrations:
+ [https://console.aws.amazon.com/events/#/partners/adobe.com?page=overview](https://console.aws.amazon.com/events/#/partners/adobe.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/appflow-salesforce.com?page=overview](https://console.aws.amazon.com/events/#/partners/appflow-salesforce.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/apptrail.com?page=overview](https://console.aws.amazon.com/events/#/partners/apptrail.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/atlan.com?page=overview](https://console.aws.amazon.com/events/#/partners/atlan.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/auth0.com?page=overview](https://console.aws.amazon.com/events/#/partners/auth0.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/authress.io?page=overview](https://console.aws.amazon.com/events/#/partners/authress.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/benchling.com?page=overview](https://console.aws.amazon.com/events/#/partners/benchling.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/bigcommerce.com?page=overview](https://console.aws.amazon.com/events/#/partners/bigcommerce.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/blitline.com?page=overview](https://console.aws.amazon.com/events/#/partners/blitline.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/buildkite.com?page=overview](https://console.aws.amazon.com/events/#/partners/buildkite.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/chargebee.com?page=overview](https://console.aws.amazon.com/events/#/partners/chargebee.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/checkout.com?page=overview](https://console.aws.amazon.com/events/#/partners/checkout.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/clevertap.com?page=overview](https://console.aws.amazon.com/events/#/partners/clevertap.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/cloudamqp.com?page=overview](https://console.aws.amazon.com/events/#/partners/cloudamqp.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/commercetools.com?page=overview](https://console.aws.amazon.com/events/#/partners/commercetools.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/datadoghq.com?page=overview](https://console.aws.amazon.com/events/#/partners/datadoghq.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/energysys.com?page=overview](https://console.aws.amazon.com/events/#/partners/energysys.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/epsagon.com?page=overview](https://console.aws.amazon.com/events/#/partners/epsagon.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/freshworks.com?page=overview](https://console.aws.amazon.com/events/#/partners/freshworks.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/genesys.com?page=overview](https://console.aws.amazon.com/events/#/partners/genesys.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/gladly.com?page=overview](https://console.aws.amazon.com/events/#/partners/gladly.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/gs2.io?page=overview](https://console.aws.amazon.com/events/#/partners/gs2.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/guidewire.com?page=overview](https://console.aws.amazon.com/events/#/partners/guidewire.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/hitachi-solutions.co.jp?page=overview](https://console.aws.amazon.com/events/#/partners/hitachi-solutions.co.jp?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/ilert.com?page=overview](https://console.aws.amazon.com/events/#/partners/ilert.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/jiraservicemanagement.com?page=overview](https://console.aws.amazon.com/events/#/partners/jiraservicemanagement.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/karte.io?page=overview](https://console.aws.amazon.com/events/#/partners/karte.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/kloudless.com?page=overview](https://console.aws.amazon.com/events/#/partners/kloudless.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/mackerel.io?page=overview](https://console.aws.amazon.com/events/#/partners/mackerel.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/mongodb.com?page=overview](https://console.aws.amazon.com/events/#/partners/mongodb.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/newrelic.com?page=overview](https://console.aws.amazon.com/events/#/partners/newrelic.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/nops.io?page=overview](https://console.aws.amazon.com/events/#/partners/nops.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/okta.com?page=overview](https://console.aws.amazon.com/events/#/partners/okta.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/onelogin.com?page=overview](https://console.aws.amazon.com/events/#/partners/onelogin.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/operata.com?page=overview](https://console.aws.amazon.com/events/#/partners/operata.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/opsgenie.com?page=overview](https://console.aws.amazon.com/events/#/partners/opsgenie.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/pagerduty.com?page=overview](https://console.aws.amazon.com/events/#/partners/pagerduty.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/payshield.com.au?page=overview](https://console.aws.amazon.com/events/#/partners/payshield.com.au?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/rhythmsoftware.com?page=overview](https://console.aws.amazon.com/events/#/partners/rhythmsoftware.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/rightsline.com?page=overview](https://console.aws.amazon.com/events/#/partners/rightsline.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/rootly.com?page=overview](https://console.aws.amazon.com/events/#/partners/rootly.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/saasus.io?page=overview](https://console.aws.amazon.com/events/#/partners/saasus.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/sailpoint.com?page=overview](https://console.aws.amazon.com/events/#/partners/sailpoint.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/scalr.com?page=overview](https://console.aws.amazon.com/events/#/partners/scalr.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/segment.com?page=overview](https://console.aws.amazon.com/events/#/partners/segment.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/shopify.com?page=overview](https://console.aws.amazon.com/events/#/partners/shopify.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/signalfx.com?page=overview](https://console.aws.amazon.com/events/#/partners/signalfx.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/site24x7.com?page=overview](https://console.aws.amazon.com/events/#/partners/site24x7.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/snowcatcloud.com?page=overview](https://console.aws.amazon.com/events/#/partners/snowcatcloud.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/snyk.io?page=overview](https://console.aws.amazon.com/events/#/partners/snyk.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/stax.io?page=overview](https://console.aws.amazon.com/events/#/partners/stax.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/stripe.com?page=overview](https://console.aws.amazon.com/events/#/partners/stripe.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/sugarcrm.com?page=overview](https://console.aws.amazon.com/events/#/partners/sugarcrm.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/symantec.com?page=overview](https://console.aws.amazon.com/events/#/partners/symantec.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/tealium.com?page=overview](https://console.aws.amazon.com/events/#/partners/tealium.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/thundra.io?page=overview](https://console.aws.amazon.com/events/#/partners/thundra.io?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/triggermesh.com?page=overview](https://console.aws.amazon.com/events/#/partners/triggermesh.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/whispir.com?page=overview](https://console.aws.amazon.com/events/#/partners/whispir.com?page=overview)
+ [https://console.aws.amazon.com/events/#/partners/zendesk.com?page=overview](https://console.aws.amazon.com/events/#/partners/zendesk.com?page=overview)
+ [Amazon Seller Partner API](https://console.aws.amazon.com/events/#/partners/sellingpartnerapi.amazon.com?page=overview) 

## Configuring Amazon EventBridge to receive events from a SaaS integration
<a name="eb-saas-integration"></a>

Configuring EventBridge to receive partner events consists of two main steps:
+ Creating the partner event source
+ Associating that partner source with a partner event bus
**Note**  
Any events published by a partner to a partner event source that has not been associated with an event bus will be immediately dropped. Those events will not be persisted at rest in EventBridge.

**Create a partner event source (console only)**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, choose **Partner event sources**.

1. Find the partner that you want and then choose **Set up** for that partner.

1. To copy your account ID to the clipboard, choose **Copy**.

1. In the navigation pane, choose **Partner event sources**.

1. Go to the partner's website and follow the instructions to create a partner event source using your account ID. The event source that you create is available to only your account.

**Associate the partner source with a partner event bus (console)**

1. In the EventBridge console, choose **Partner event sources** in the navigation pane.

1. Select the button next to the partner event source and then choose **Associate with event bus**. 

   The status of the event source changes from `Pending` to `Active`, and the name of the event bus updates to match the partner event source name. You can now start creating rules that match events from the partner event source.

**Associate the partner source with a partner event bus (AWS CLI)**
+ Use [https://docs.aws.amazon.com/cli/latest/reference/events/create-event-bus.html](https://docs.aws.amazon.com/cli/latest/reference/events/create-event-bus.html) to create a partner event bus associated with the partner event source. 

  Both `name` and `event-source-name` should be set to the partner event source name.

  For example:

  ```
  aws events create-event-bus \
      --name "aws.partner/saas-integration/name" \
      --event-source-name "aws.partner/saas-integration/name" \
      --region us-east-1
  ```

  After EventBridge creates the event bus, you can call [https://docs.aws.amazon.com/cli/latest/reference/events/describe-event-source.html](https://docs.aws.amazon.com/cli/latest/reference/events/describe-event-source.html) to return details about the partner source. The `State` of the partner source should be `ACTIVE`.

  ```
  aws events describe-event-source
  --name "aws.partner/saas-integration/name"
  ```
**Note**  
Calling [https://docs.aws.amazon.com/cli/latest/reference/events/put-permission.html](https://docs.aws.amazon.com/cli/latest/reference/events/put-permission.html) on a partner event bus returns an error. Only the partner account of the event source associated with the partner event bus is permitted to send events to it.

**Associate the partner source with a partner event bus (CloudFormation)**

1. Create a CloudFormation template that provisions an [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-eventbus.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-eventbus.html) resource with the partner event source. 

   Both `Name` and `EventSourceName` should be set to the partner event source name. For example:

   ```
   AWSTemplateFormatVersion: 2010-09-09
   
   Description: 
      Cloudformation template to create Event Bus for receiving partner events
   
   Resources:
     ExamplePartnerEventBus:
       Type: AWS::Events::EventBus
       Properties:
         EventSourceName: 'aws.partner/saas-integration/name'
         Name: 'aws.partner/saas-integration/name'
   ```

1. Use [https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html) or the CloudFormation console to create a stack from the template. For example:

   ```
   aws cloudformation create-stack --stack-name eventbridge-saas --template-body file://template.yml --region us-east-1
   ```
**Note**  
Including an [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-eventbuspolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-eventbuspolicy.html) resource for the partner event bus in your template will result in an error. Only the partner account of the event source associated with the partner event bus is permitted to send events to it.

# Receiving SaaS events from AWS Lambda function URLs in Amazon EventBridge
<a name="eb-saas-furls"></a>

**Note**  
In order for the Inbound Webhook to be accessible by our partners, we're creating an Open Lambda in your AWS account that is secured at the Lambda application level by verifying the authentication signature sent by the third-party partner. Please review this configuration with your security team. For more information, see [Security and auth model for Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html#urls-auth-none).

Your Amazon EventBridge [event bus](eb-event-bus.md) can use an [AWS Lambda function URL](https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html) created by an CloudFormation template to receive [events](eb-events.md) from supported SaaS providers. With function URLs, the event data is sent to a Lambda function. The function then converts this data into an event that can be ingested by EventBridge and sent to an event bus for processing. Once the event is on an event bus, you can use rules to filter the events, apply any configured input transformations, and then route it to the correct target. 

**Note**  
Creating Lambda function URLs will increase your monthly costs. For more information, see [AWS Lambda pricing](https://aws.amazon.com/lambda/pricing).

To set up a connection to EventBridge, you first select the SaaS provider that you want to set up a connection with. Then, you provide a *signing secret* that you’ve created with that provider, and select the EventBridge event bus to send events to. Finally, you use an CloudFormation template and create the needed resources to complete the connection. 

The following SaaS providers are currently available for use with EventBridge using Lambda function URLs:
+ GitHub
+ Twilio

**Topics**
+ [Step 1: Create the CloudFormation stack](#create-gh-cfn-stack)
+ [Step 2: Create a GitHub webhook](#create-gh-webhook)
+ [Set up a connection to a Twilio](#furls-connection-twilio)
+ [Update webhook secret or auth token](#furls-update-secret)
+ [Update Lambda function](#furls-update-function)
+ [Available event types](#furls-event-types)
+ [Quotas, error codes, and retrying delivery](#furls-quotas-errors)

## Step 1: Create the CloudFormation stack
<a name="create-gh-cfn-stack"></a>

 First, use the Amazon EventBridge console to create a CloudFormation stack:

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. From the navigation pane, choose **Quick starts**.

1. Under **Inbound webhooks using Lambda fURLs**, choose **Get started**.

1. Under **GitHub**, choose **Set up**.

1. Under **Step 1: Select an event bus**, select an event bus from the dropdown list. This event bus receives data from the Lambda function URL that you provide to GitHub. You can also create an event bus by selecting **New event bus**.

1. Under **Step 2: Set up using CloudFormation**, choose **New GitHub webhook**.

1. Select **I acknowledge that the Inbound Webhook I create will be publicly accessible.** and choose **Confirm**.

1. Enter a name for the stack.

1. Under parameters, verify that the correct event bus is listed, then specify a secure token for the **GitHubWebhookSecret**. For more information on creating a secure token, see [Setting your secret token](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks#setting-your-secret-token) in the GitHub documentation.

1. Under **Capabilities and transforms**, select each of the following:
   + **I acknowledge that CloudFormation might create IAM resources.**
   + **I acknowledge that CloudFormation might create IAM resources with custom names.**
   + **I acknowledge that CloudFormation might require the following capability: `CAPABILITY_AUTO_EXPAND`**

1. Choose **Create stack**.

## Step 2: Create a GitHub webhook
<a name="create-gh-webhook"></a>

Next, create the webhook on GitHub. You’ll need both the secure token and the Lambda function URL you created in step 2 to complete this step. For more information, see [Creating webhooks](https://docs.github.com/en/developers/webhooks-and-events/webhooks/creating-webhooks) in the GitHub documentation.

## Set up a connection to a Twilio
<a name="furls-connection-twilio"></a>

### Step 1: Find your Twilio auth token
<a name="create-twilio-secret"></a>

To set up a connection between Twilio and EventBridge, first set up the connection to Twilio with the auth token, or secret, for your Twilio account. For more information, see [Auth Tokens and How To Change Them](https://support.twilio.com/hc/en-us/articles/223136027-Auth-Tokens-and-How-to-Change-Them) in the Twilio documentation.

### Step 2: Create the CloudFormation stack
<a name="create-twilio-cfn-stack"></a>

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, choose **Quick starts**.

1. Under **Inbound webhooks using Lambda fURLs**, choose **Get started**.

1. Under **Twilio**, choose **Set up**.

1. Under **Step 1: Select and event bus**, sselect an event bus from the dropdown list. This event bus receives data from the Lambda function URL that you provide to Twilio. You can also create an event bus by selecting **New event bus**.

1. Under **Step 2: Set up using CloudFormation**, choose **New Twilio webhook**.

1. Select **I acknowledge that the Inbound Webhook I create will be publicly accessible.** and choose **Confirm**.

1. Enter a name for the stack.

1. Under parameters, verify that the correct event bus is listed, then enter the **TwilioWebhookSecret** that you created in Step 1.

1. Under **Capabilities and transforms**, select each of the following:
   + **I acknowledge that CloudFormation might create IAM resources.**
   + **I acknowledge that CloudFormation might create IAM resources with custom names.**
   + **I acknowledge that CloudFormation might require the following capability: CAPABILITY\$1AUTO\$1EXPAND**

1. Choose **Create stack**.

### Step 3: Create a Twilio webhook
<a name="create-twilio-webhook"></a>

After you set up the Lambda function URL, you need to give it to Twilio so that event data can be sent. For more information, see [Configure your public URL with Twilio](https://www.twilio.com/docs/usage/webhooks/getting-started-twilio-webhooks#configure-your-public-url-with-twilio) in the Twilio documentation.

## Update webhook secret or auth token
<a name="furls-update-secret"></a>

### Update GitHub secret
<a name="update-gh-secret"></a>

**Note**  
GitHub doesn’t support having two secrets at the same time. You may experience resource downtime while the GitHub secret and the secret in the CloudFormation stack are out of sync. GitHub messages sent while the secrets are out of sync will fail becaue of incorrect signatures. Wait until the GitHub and CloudFormation secrets are in sync, then try again.

1. Create a new GitHub secret. For more information, see [Encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in the GitHub documentation.

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the navigation pane, choose **Stacks**.

1. Choose the stack for the webhook that includes the secret you want to update.

1. Choose **Update**.

1. Make sure **Use current template** is selected and choose **Next**.

1. Under **GitHubWebhookSecret**, clear **Use existing value**, enter the new GitHub secret you created in step 1, and choose **Next**.

1. Choose **Next**.

1. Choose **Update stack**.

It may take up to one hour for the secret to propagate. To reduce this downtime, you can refresh the Lambda execution context.

### Update Twilio secret
<a name="update-twilio-secret"></a>

**Note**  
Twilio doesn’t support having two secrets at the same time. You may experience resource downtime while the Twilio secret and the secret in the CloudFormation stack are out of sync. Twilio messages sent while the secrets are out of sync will fail because of incorrect signatures. Wait until the Twilio and CloudFormation secrets are in sync, then try again.

1. Create a new Twilio secret. For more information, see [Auth Tokens and How To Change Them](https://support.twilio.com/hc/en-us/articles/223136027-Auth-Tokens-and-How-to-Change-Them) in the Twilio documentation.

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the navigation pane, choose **Stacks**.

1. Choose the stack for the webhook that includes the secret you want to update.

1. Choose **Update**.

1. Make sure **Use current template** is selected and choose **Next**.

1. Under **TwilioWebhookSecret**, clear **Use existing value**, enter the new Twilio secret you created in step 1, and choose **Next**.

1. Choose **Next**.

1. Choose **Update stack**.

It may take up to one hour for the secret to propagate. To reduce this downtime, you can refresh the Lambda execution context.

## Update Lambda function
<a name="furls-update-function"></a>

The Lambda function that's created by the CloudFormation stack creates the basic webhook. If you want to customize the Lambda function for a specific use case, such as customized logging, use the CloudFormation console to access the function and then use the Lambda console to update the Lambda function code.

**Access the Lambda function**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the navigation pane, choose **Stacks**.

1. Choose the stack for the webhook that includes the Lambda function you want to update.

1. Choose **Resources** tab.

1. To open the Lambda function in the Lambda console, under **Physical ID**, choose the ID of the Lambda function.

Now that you've accessed the Lambda function, use the Lambda console to update the function code.

**Update the Lambda function code**

1. Under **Actions**, choose **Export function**.

1. Choose **Download deployment package** and save the file to your computer.

1. Unzip the deployment package .zip file, update the `app.py` file, and zip the updated deployment package, making sure all the files in the original .zip file are included.

1. In the Lambda console, choose the **Code** tab.

1. Under **Code source**, choose **Upload from**.

1. Choose **.zip file**, and then choose **Upload**. 

   1. In the file chooser, select the file you updated, choose **Open**, and then choose **Save**.

1. Under **Actions**, choose **Publish new version**.

## Available event types
<a name="furls-event-types"></a>

The following event types are currently supported by CloudFormation event buses:
+ **GitHub** – [All event types](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads) are supported.
+ **Twilio** – [Post-event webhooks](https://www.twilio.com/docs/chat/webhook-events) are supported.

## Quotas, error codes, and retrying delivery
<a name="furls-quotas-errors"></a>

### Quotas
<a name="furls-quotas"></a>

The number of incoming requests to the webhook is capped by the underlying AWS services. The following table includes the relevant quotas.


| Service | Quota | 
| --- | --- | 
|  AWS Lambda  |  Default: 10 concurrent executions For more information about quotas, including requesting quota increases, see [Lambda quotas](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html).  | 
|  AWS Secrets Manager  |  Default: 5,000 requests per second For more information about quotas, including requesting quota increases, see [AWS Secrets Manager quotas](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html). The number of requests per second is minimized using the [AWS Secrets Manager Python caching client](https://github.com/aws/aws-secretsmanager-caching-python#cache-configuration).  | 
|  Amazon EventBridge  |  1 MB maximum entry size for PutEvents actions.  EventBridge enforces Region-based rate quotas. For more information, see [EventBridge event bus quotas](eb-quota.md#eb-limits).  | 

### Error codes
<a name="furls-errors"></a>

Each AWS service returns specific error codes when errors occur. The following table includes the relevant error codes.


| Service | Error code | Description | 
| --- | --- | --- | 
|  AWS Lambda  |  429 “TooManyRequestsExption”  |  The concurrent execution quota is exceeded.  | 
|  AWS Secrets Manager  |  500 “Internal Server Error”  |  The requests per second quota is exceeded.  | 
|  Amazon EventBridge  |  500 “Internal Server Error”  |  The rate quota is exceeded for the Region.  | 

### Event redelivery
<a name="furls-redelivery"></a>

When errors happen you can retry delivery of the affected events. Each SaaS provider has different retry procedures.

#### GitHub
<a name="furls-redelivery-github"></a>

Use the GitHub webhooks API to check the deliver status of any webhook call and redeliver the event, if needed. For more information, see the following GitHub documentation:
+ **Organization** – [Redeliver a delivery for an organization webhook](https://docs.github.com/en/rest/orgs/webhooks#redeliver-a-delivery-for-an-organization-webhook)
+ **Repository** – [Redeliver a delivery for a repository webhook](https://docs.github.com/en/rest/webhooks/repo-deliveries#redeliver-a-delivery-for-a-repository-webhook)
+ **App** – [Redeliver a delivery for an app webhook](https://docs.github.com/en/rest/apps/webhooks#redeliver-a-delivery-for-an-app-webhook)

#### Twilio
<a name="furls-redelivery-twilio"></a>

Twilio users can customize event retry options using connection overrides. For more information, see [Webhooks (HTTP callbacks): Connection Overrides ](https://www.twilio.com/docs/usage/webhooks/webhooks-connection-overrides) in the Twilio documentation.

# Receiving events from Salesforce in Amazon EventBridge
<a name="eb-saas-salesforce"></a>

You can use Amazon EventBridge to receive [events](eb-events.md) from Salesforce in following ways:
+ By using Salesforce's Event Bus Relay feature to receive events directly on an EventBridge partner event bus.
+ By configuring a flow in [Amazon AppFlow](https://aws.amazon.com/appflow/) that uses Salesforce as a data source. Amazon AppFlow then sends Salesforce events to EventBridge by using a [partner event bus](eb-saas.md).

You can send event information to Salesforce using API destinations. Once the event is sent to Salesforce, it can be processed by [Flows](https://help.salesforce.com/s/articleView?id=flow.htm) or [Apex triggers](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_triggers.htm). For more information about setting up a Salesforce API destination, see [Tutorial: Send events to Salesforce from Amazon EventBridge](eb-tutorial-salesforce.md).

**Topics**
+ [Receiving events from Salesforce using Event Bus Relay](#eb-saas-salesforce-relay)
+ [Receiving events from Salesforce using Amazon AppFlow](#eb-saas-salesforce-appflow)

## Receiving events from Salesforce using Event Bus Relay
<a name="eb-saas-salesforce-relay"></a>

### Step 1: Set up Salesforce Event Bus Relay and an EventBridge partner event source
<a name="eb-set-up-relay"></a>

When you create an event relay configuration on Salesforce, Salesforce creates a partner event source in EventBridge in the pending state.

**To configure Salesforce Event Bus Relay**

1. [Set Up a REST API Tool](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.z63eim1tqkm3)

1. [(Optional) Define a Platform Event](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.2m5t2i52o23m)

1. [Create a Channel for a Custom Platform Event](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.s0spl5puf9d0)

1. [Create a Channel Member to Associate the Custom Platform Event](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.rdhi4awp8cvv)

1. [Create a Named Credential](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.etec44jyv3og)

1. [Create an Event Relay Configuration](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.43rfyeehz0w5)

### Step 2: Activate Salesforce partner event source in the EventBridge console and start the event relay
<a name="eb-salesforce-activate-source"></a>

1. Open the [Partner event sources](https://console.aws.amazon.com/events/home?#/partners) page in the EventBridge console. 

1. Select the Salesforce partner event source that you created in Step 1.

1. Choose **Associate with event bus**.

1. Validate the name of the partner event bus.

1. Choose **Associate**. 

1. [Start the Event Relay](https://resources.docs.salesforce.com/rel1/doc/en-us/static/pdf/Salesforce_Event_Bus_Relay_Pilot.pdf#h.t01b3xp87vhu)

Now that you've set up and started the Event Bus Relay and configured the partner event source you can create an [EventBridge rule that reacts to events](eb-create-rule-visual.md) to filter and send the data to a [target](eb-targets.md).

## Receiving events from Salesforce using Amazon AppFlow
<a name="eb-saas-salesforce-appflow"></a>

Amazon AppFlow encapsulates events from Salesforce in an EventBridge event envelope. The following example shows a Salesforce event received by an EventBridge partner event bus.

```
{
    "version": "0",
    "id": "5c42b99e-e005-43b3-c744-07990c50d2cc",
    "detail-type": "AccountChangeEvent",
    "source": "aws.partner/appflow.test/salesforce.com/364228160620/CustomSF-Source-Final",
    "account": "000000000",
    "time": "2020-08-20T18:25:51Z",
    "region": "us-west-2",
    "resources": [],
    "detail": {
        "ChangeEventHeader": {
            "commitNumber": 248197218874,
            "commitUser": "0056g000003XW7AAAW",
            "sequenceNumber": 1,
            "entityName": "Account",
            "changeType": "UPDATE",
            "changedFields": [
                "LastModifiedDate",
                "Region__c"
            ],
            "changeOrigin": "com/salesforce/api/soap/49.0;client=SfdcInternalAPI/",
            "transactionKey": "000035af-b239-0581-9f14-461e4187de11",
            "commitTimestamp": 1597947935000,
            "recordIds": [
                "0016g00000MLhLeAAL"
            ]
        },
        "LastModifiedDate": "2020-08-20T18:25:35.000Z",
        "Region__c": "America"
    }
}
```

### Step 1: Configure Amazon AppFlow to use Salesforce as a partner event source
<a name="eb-configure-appflow"></a>

To send events to EventBridge, you first need to configure Amazon AppFlow to use Salesforce as a partner event source.

1. In the [Amazon AppFlow console](https://console.aws.amazon.com/appflow/), choose **Create flow**.

1. In the **Flow details** section, in **Flow name** enter a name for your flow.

1. (Optional) Enter a description for the flow and then choose **Next**.

1. Under **Source details**, choose *Salesforce* from the **Source name** drop-down, and then choose **Connect** to create a new connection.

1. In the **Connect to Salesforce** dialog box, choose either **Production** or **Sandbox** for the Salesforce environment.

1. In the **Connection name** field, enter a unique name for the connection, and then choose **Continue**.

1. In the Salesforce dialog box, do the following:

   1. Enter your Salesforce sign-in credentials to log in to Salesforce.

   1. Select Salesforce events for the types of data for Amazon AppFlow to process.

1. In the **Choose Salesforce event** drop-down, select the type of event to send to EventBridge.

1. For a destination, select **Amazon EventBridge**.

1. Select **Create new partner event source**.

1. (Optional) Specify a unique suffix for the partner event source.

1. Choose **Generate partner event source**.

1. Choose an Amazon S3 bucket to store event payload files that are larger than 1 MB.

1. In the **Flow trigger** section, ensure that **Run flow on event** is selected. This setting ensures that the flow is executed when a new Salesforce event occurs.

1. Choose **Next**.

1. For field mapping, select **Map all fields directly**. Alternatively, you can select the fields that are of interest from the **Source field name** list.

   For more information about field mapping, see [Map data fields](https://docs.aws.amazon.com//appflow/latest/userguide/getting-started.html#map-fields).

1. Choose **Next**.

1. (Optional) Configure filters for data fields in Amazon AppFlow.

1. Choose **Next**.

1. Review the settings and then choose **Create flow**.

With the flow configured, Amazon AppFlow creates a new partner event source that you then need to associate with a partner event bus in your account.

### Step 2: Configure EventBridge to receive Salesforce events
<a name="eb-salesforce-events"></a>

Ensure that the Amazon AppFlow flow that is triggered from Salesforce events with EventBridge as a destination is configured before following instructions in this section. 

**To configure EventBridge to receive Salesforce events**

1. Open the [Partner event sources](https://console.aws.amazon.com/events/home?#/partners) page in the EventBridge console. 

1. Select the Salesforce partner event source that you created in Step 1.

1. Choose **Associate with event bus**.

1. Validate the name of the partner event bus.

1. Choose **Associate**. 

1. In the Amazon AppFlow console, open the flow you created and choose **Activate flow**.

1. Open the [Rules](https://console.aws.amazon.com/events/home?#/rules) page in the EventBridge console.

1. Choose **Create rule**.

1. Enter a unique name for the rule.

1. Choose **Event pattern** in the **Define pattern** section.

1. For **Event matching pattern**, select **Pre-defined pattern by service**.

1. For **Service provider** section, select **All Events**. 

1. For **Select event bus**, choose **Custom or partner event bus**.

1. Select the event bus that you associated with the Amazon AppFlow partner event source.

1. For **Select targets**, choose the AWS service that is to act when the rule runs. One rule can have up to five targets.

1. Choose **Create**.

The target service receives all Salesforce events configured for your account. To filter the events or send some events to different targets, you can use [content-based filtering with event patterns](eb-create-pattern.md#eb-event-patterns-content-based-filtering). 

**Note**  
For events larger than 1 MB, Amazon AppFlow doesn't send the full event to EventBridge. Instead, Amazon AppFlow puts the event into an S3 bucket in your account, and then sends an event to EventBridge with a pointer to the Amazon S3 bucket. You can use the pointer to get the full event from the bucket.