Listen to this Post
Amazon EventBridge is a powerful AWS service for building scalable, event-driven architectures. A recent update allows direct interaction with resources in other AWS accounts, eliminating the need to set up EventBridge buses in each account. Supported cross-account targets include:
– SQS queues
– SNS topics
– Kinesis Data Streams
– Lambda functions
– API Gateway
This simplifies cross-account event routing while maintaining security through IAM permissions.
Read more in the official AWS blog:
Introducing Cross-Account Targets for Amazon EventBridge Event Buses
You Should Know:
1. Setting Up Cross-Account EventBridge Permissions
To allow EventBridge in Account A to send events to a Lambda function in Account B, apply the following IAM policy in Account B:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com",
"AWS": "arn:aws:iam::AccountA-ID:root"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:region:AccountB-ID:function:FunctionName"
}
]
}
- Creating an EventBridge Rule for Cross-Account SQS
Use the AWS CLI to define a rule sending events to an SQS queue in another account:
aws events put-rule --name "CrossAccountSQSRule" --event-pattern '{"source": ["aws.ec2"]}'
aws events put-targets --rule CrossAccountSQSRule --targets "Id"="1","Arn"="arn:aws:sqs:region:AccountB-ID:QueueName"
3. Verifying Cross-Account Event Delivery
Check CloudWatch Logs for Lambda invocations or use:
aws logs filter-log-events --log-group-name "/aws/lambda/TargetFunction" --start-time $(date -d "-5 mins" +%s)
4. Securing Cross-Account SNS Topics
Ensure the SNS topic policy in Account B permits EventBridge from Account A:
aws sns set-topic-attributes --topic-arn "arn:aws:sns:region:AccountB-ID:TopicName" --attribute-name Policy --attribute-value '{
"Version": "2008-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::AccountA-ID:root"},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:region:AccountB-ID:TopicName"
}]
}'
What Undercode Say:
Cross-account EventBridge unlocks seamless serverless integrations while reducing bus management overhead. Key takeaways:
– Use IAM resource policies for secure cross-account access.
– Monitor events via CloudWatch or Lambda logs.
– AWS CLI commands streamline rule and target setup.
For Linux/Windows admins, similar event-driven automation can be achieved using:
– Linux: cron, systemd, `inotifywait` for file events.
– Windows: Task Scheduler, Event Viewer filters, Get-WinEvent -FilterHashtable.
Expected Output:
A scalable cross-account event architecture with verified AWS CLI commands and IAM policies.
Introducing Cross-Account Targets for Amazon EventBridge Event Buses
References:
Reported By: Darryl Ruggles – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
