AWS::Events::EventBusPolicy
Running PutPermission permits the specified Amazon account or Amazon organization
to put events to the specified event bus. Amazon EventBridge (CloudWatch
Events) rules in your account are triggered by these events arriving to an event bus in your
account.
For another account to send events to your account, that external account must have an EventBridge rule with your account's event bus as a target.
To enable multiple Amazon accounts to put events to your event bus, run
PutPermission once for each of these accounts. Or, if all the accounts are
members of the same Amazon organization, you can run PutPermission once specifying
Principal as "*" and specifying the Amazon organization ID in
Condition, to grant permissions to all accounts in that organization.
If you grant permissions using an organization, then accounts in that organization must
specify a RoleArn with proper permissions when they use PutTarget to
add your account's event bus as a target. For more information, see Sending and
Receiving Events Between Amazon Accounts in the Amazon EventBridge User
Guide.
The permission policy on the event bus cannot exceed 10 KB in size.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Events::EventBusPolicy", "Properties" : { "Action" :String, "Condition" :Condition, "EventBusName" :String, "Principal" :String, "Statement" :Json, "StatementId" :String} }
YAML
Type: AWS::Events::EventBusPolicy Properties: Action:StringCondition:ConditionEventBusName:StringPrincipal:StringStatement:JsonStatementId:String
Properties
Action-
The action that you are enabling the other account to perform.
Required: No
Type: String
Minimum:
1Maximum:
64Pattern:
events:[a-zA-Z]+Update requires: No interruption
Condition-
This parameter enables you to limit the permission to accounts that fulfill a certain condition, such as being a member of a certain Amazon organization. For more information about Amazon Organizations, see What Is Amazon Organizations in the Amazon Organizations User Guide.
If you specify
Conditionwith an Amazon organization ID, and specify "*" as the value forPrincipal, you grant permission to all the accounts in the named organization.The
Conditionis a JSON string which must containType,Key, andValuefields.Required: No
Type: Condition
Update requires: No interruption
EventBusName-
The name of the event bus associated with the rule. If you omit this, the default event bus is used.
Required: No
Type: String
Minimum:
1Maximum:
256Pattern:
[\.\-_A-Za-z0-9]+Update requires: Replacement
Principal-
The 12-digit Amazon account ID that you are permitting to put events to your default event bus. Specify "*" to permit any account to put events to your default event bus.
If you specify "*" without specifying
Condition, avoid creating rules that may match undesirable events. To create more secure rules, make sure that the event pattern for each rule contains anaccountfield with a specific account ID from which to receive events. Rules with an account field do not match any events sent from other accounts.Required: No
Type: String
Minimum:
1Maximum:
12Pattern:
(\d{12}|\*)Update requires: No interruption
Statement-
A JSON string that describes the permission policy statement. You can include a
Policyparameter in the request instead of using theStatementId,Action,Principal, orConditionparameters.Required: No
Type: Json
Update requires: No interruption
StatementId-
An identifier string for the external account that you are granting permissions to. If you later want to revoke the permission for this external account, specify this
StatementIdwhen you run RemovePermission.Note
Each
StatementIdmust be unique.Required: Yes
Type: String
Minimum:
1Maximum:
64Pattern:
[a-zA-Z0-9-_]+Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the event bus policy ID, such as
EventBusPolicy-1aBCdeFGh2J3.
For more information about using the Reffunction, see Ref.
Examples
Grant Permission to One Account
The following example grants permission to one Amazon account with an account ID of
111122223333.
JSON
"SampleEventBusPolicy": { "Type": "AWS::Events::EventBusPolicy", "Properties": { "StatementId": "MyStatement", "Statement": { "Effect": "Allow", "Principal" : {"AWS" : "arn:aws:iam::111122223333:root"}, "Action": "events:PutEvents", "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/default" } } }
YAML
SampleEventBusPolicy: Type: AWS::Events::EventBusPolicy Properties: StatementId: "MyStatement" Statement: Effect: "Allow" Principal: AWS: "arn:aws:iam::111122223333:root" Action: "events:PutEvents" Resource: "arn:aws:events:us-east-1:111122223333:event-bus/default"
Grant Permission to an Organization
The following example grants permission to all Amazon accounts in the organization with
an organization ID of o-1234567890.
JSON
"SampleEventBusPolicy": { "Type": "AWS::Events::EventBusPolicy", "Properties": { "StatementId": "MyStatement", "Statement": { "Effect": "Allow", "Principal" : "*", "Action": "events:PutEvents", "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/default", "Condition": { "StringEquals": {"aws:PrincipalOrgID": "o-1234567890"} } } } }
YAML
SampleEventBusPolicy: Type: AWS::Events::EventBusPolicy Properties: StatementId: "MyStatement" Statement: Effect: "Allow" Principal: "*" Action: "events:PutEvents" Resource: "arn:aws:events:us-east-1:111122223333:event-bus/default" Condition: StringEquals: "aws:PrincipalOrgID": "o-1234567890"
Deny policy using multiple principals and actions
The following example demonstrates a deny policy statement using multiple principals and actions.
JSON
"SampleDenyEventBusPolicy": { "Type": "AWS::Events::EventBusPolicy", "Properties": { "StatementId": "MyDenyStatement", "Statement": { "Effect": "Deny", "Principal" : {"AWS" : ["arn:aws:iam::111122223333:user/alice", "arn:aws:iam::111122223333:user/bob"]}, "Action": [ "events:PutEvents", "events:PutRule" ], "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/default" } } }
YAML
SampleDenyEventBusPolicy: Type: AWS::Events::EventBusPolicy Properties: StatementId: "MyDenyStatement" Statement: Effect: "Deny" Principal: AWS: - "arn:aws:iam::111122223333:user/alice" - "arn:aws:iam::111122223333:user/bob" Action: - "events:PutEvents" - "events:PutRule" Resource: "arn:aws:events:us-east-1:111122223333:event-bus/default"
Grant Permission to an Organization using a custom event bus
The following example grants permission to all Amazon accounts in the organization with an organization ID of o-1234567890 using a custom event bus.
JSON
"SampleCustomEventBus": { "Type": "AWS::Events::EventBus", "Properties": { "Name": "MyCustomEventBus" } }, "SampleCustomEventBusPolicy": { "Type": "AWS::Events::EventBusPolicy", "Properties": { "EventBusName": { "Ref": "SampleCustomEventBus" }, "StatementId": "MyCustomEventBusStatement", "Statement": { "Effect": "Allow", "Principal" : "*", "Action": "events:PutEvents", "Resource": { "Fn::GetAtt": [ "SampleCustomEventBus", "Arn" ] }, "Condition": { "StringEquals": {"aws:PrincipalOrgID": "o-1234567890"} } } } }
YAML
SampleCustomEventBus: Type: AWS::Events::EventBus Properties: Name: "MyCustomEventBus" SampleCustomEventBusPolicy: Type: AWS::Events::EventBusPolicy Properties: EventBusName: Ref: "SampleCustomEventBus" StatementId: "MyCustomEventBusStatement" Statement: Effect: "Allow" Principal: "*" Action: "events:PutEvents" Resource: !GetAtt "SampleCustomEventBus.Arn" Condition: StringEquals: "aws:PrincipalOrgID": "o-1234567890"