Using resource-based policies for Amazon EventBridge
When a rule runs in EventBridge, all of the targets associated with the rule are invoked. Rules can invoke AWS Lambda functions, publish to Amazon SNS topics, or relay the event to Kinesis streams. To make API calls against the resources you own, EventBridge needs the appropriate permissions. For Lambda, Amazon SNS, Amazon SQS, and Amazon CloudWatch Logs resources, EventBridge uses resource-based policies. For Kinesis streams, EventBridge uses identity-based policies.
You use the AWS CLI to add permissions to your targets. For information about how to install and configure the AWS CLI, see Getting Set Up with the AWS Command Line Interface in the AWS Command Line Interface User Guide.
Topics
Amazon API Gateway permissions
To invoke your Amazon API Gateway endpoint by using a EventBridge rule, add the following permission to the policy of your API Gateway endpoint.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "execute-api:Invoke", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:events:
region
:account-id
:rule/rule-name
" } }, "Resource": [ "execute-api:/stage/GET/api" ] } ] }
CloudWatch Logs permissions
When CloudWatch Logs is the target of a rule, EventBridge creates log streams, and CloudWatch Logs stores the text from the events as log entries. To allow EventBridge to create the log stream and log the events, CloudWatch Logs must include a resource-based policy that enables EventBridge to write to CloudWatch Logs.
If you use the AWS Management Console to add CloudWatch Logs as the target of a rule, the resource-based policy is created automatically. If you use the AWS CLI to add the target, and the policy doesn't already exist, you must create it.
The following example allows EventBridge to write to all log groups that have names that
start with /aws/events/
. If you use a different naming policy for these
types of logs, adjust the example accordingly.
{ "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Principal": { "Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"] }, "Resource": "arn:aws:logs:
region
:account
:log-group:/aws/events/*:*", "Sid": "TrustEventsToStoreLogEvent" } ], "Version": "2012-10-17" }
For more information, see PutResourcePolicy in the CloudWatch Logs API Reference guide.
AWS Lambda permissions
To invoke your AWS Lambda function by using a EventBridge rule, add the following permission to the policy of your Lambda function.
{ "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:
region
:account-id
:function:function-name
", "Principal": { "Service": "events.amazonaws.com" }, "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:events:region
:account-id
:rule/rule-name
" } }, "Sid": "InvokeLambdaFunction" }
To add the above permissions that enable EventBridge to invoke Lambda functions using the AWS CLI
-
At a command prompt, enter the following command.
aws lambda add-permission --statement-id "InvokeLambdaFunction" \ --action "lambda:InvokeFunction" \ --principal "events.amazonaws.com" \ --function-name "arn:aws:lambda:
region
:account-id
:function:function-name
" \ --source-arn "arn:aws:events:region
:account-id
:rule/rule-name
"
For more information about setting permissions that enable EventBridge to invoke Lambda functions, see AddPermission and Using Lambda with Scheduled Events in the AWS Lambda Developer Guide.
Amazon SNS permissions
To allow EventBridge to publish to an Amazon SNS topic, use the aws sns
get-topic-attributes
and the aws sns set-topic-attributes
commands.
Note
You can't use Condition
blocks in Amazon SNS topic policies for
EventBridge.
To add permissions that enable EventBridge to publish SNS topics
-
To list the attributes of an SNS topic, use the following command.
aws sns get-topic-attributes --topic-arn "arn:aws:sns:
region
:account-id
:topic-name
"The following example shows the result of a new SNS topic.
{ "Attributes": { "SubscriptionsConfirmed": "0", "DisplayName": "", "SubscriptionsDeleted": "0", "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false}}", "Owner": "
account-id
", "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\"],\"Resource\":\"arn:aws:sns:region
:account-id
:topic-name
\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"account-id
\"}}}]}", "TopicArn": "arn:aws:sns:region
:account-id
:topic-name
", "SubscriptionsPending": "0" } } -
Use a JSON to string converter
to convert the following statement to a string. { "Sid": "PublishEventsToMyTopic", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sns:Publish", "Resource": "arn:aws:sns:
region
:account-id
:topic-name
" }After you convert the statement to a string, it looks like the following example.
{\"Sid\":\"PublishEventsToMyTopic\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"sns:Publish\",\"Resource\":\"arn:aws:sns:
region
:account-id
:topic-name
\"} -
Add the string you created in the previous step to the
"Statement"
collection inside the"Policy"
attribute. -
Use the
aws sns set-topic-attributes
command to set the new policy.aws sns set-topic-attributes --topic-arn "arn:aws:sns:
region
:account-id
:topic-name
" \ --attribute-name Policy \ --attribute-value "{\"Version\":\"2012-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\"],\"Resource\":\"arn:aws:sns:region
:account-id
:topic-name
\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"account-id
\"}}}, {\"Sid\":\"PublishEventsToMyTopic\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"sns:Publish\",\"Resource\":\"arn:aws:sns:region
:account-id
:topic-name
\"}]}"
For more information, see the SetTopicAttributes action in the Amazon Simple Notification Service API Reference.
Amazon SQS permissions
To allow an EventBridge rule to invoke an Amazon SQS queue, use the aws sqs
get-queue-attributes
and aws sqs set-queue-attributes
commands.
If the policy for the SQS queue is empty, you first need to create a policy and then you can add the permissions statement to it. A new SQS queue has an empty policy.
If the SQS queue already has a policy, you need to copy the original policy and combine it with a new statement to add the permissions statement to it.
To add permissions that enable EventBridge rules to invoke an SQS queue
-
To list SQS queue attributes. At a command prompt, enter the following command.
aws sqs get-queue-attributes \ --queue-url https://sqs.
region
.amazonaws.com/account-id
/queue-name
\ --attribute-names Policy -
Add the following statement.
{ "Sid": "AWSEvents_custom-eventbus-ack-sqs-rule_dlq_sqs-rule-target", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:
region
:account-id
:queue-name
", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:events:region
:account-id
:rule/bus-name
/rule-name
" } } } -
Use a JSON to string converter
to convert the preceding statement into a string. After you convert the policy to a string, it looks like the following. {\"Sid\": \"EventsToMyQueue\", \"Effect\": \"Allow\", \"Principal\": {\"Service\": \"events.amazonaws.com\"}, \"Action\": \"sqs:SendMessage\", \"Resource\": \"arn:aws:sqs:
region
:account-id
:queue-name
\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"arn:aws:events:region
:account-id
:rule/rule-name
\"}} -
Create a file called
set-queue-attributes.json
with the following content.{ "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"arn:aws:sqs:
region
:account-id
:queue-name
/SQSDefaultPolicy\",\"Statement\":[{\"Sid\": \"EventsToMyQueue\", \"Effect\": \"Allow\", \"Principal\": {\"Service\": \"events.amazonaws.com\"}, \"Action\": \"sqs:SendMessage\", \"Resource\": \"arn:aws:sqs:region
:account-id
:queue-name
\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"arn:aws:events:region
:account-id
:rule/rule-name
\"}}}]}" } -
Set the policy attribute by using the
set-queue-attributes.json
file you just created as the input, as shown in the following command.aws sqs set-queue-attributes \ --queue-url https://sqs.
region
.amazonaws.com/account-id
/queue-name
\ --attributes file://set-queue-attributes.json
For more information, see Amazon SQS Policy Examples in the Amazon Simple Queue Service Developer Guide.
EventBridge Pipes specifics
EventBridge Pipes does not support resource-based policies and has no APIs which support resource based policy conditions.
However, if you configure pipe access through an interface VPC endpoint, that VPC endpoint supports resource policies that enable you to manage access to EventBridge Pipe APIs. For more information, see Using Amazon EventBridge with Interface VPC endpoints