I have an AWS Lambda function deployed in multiple accounts. I'm looking for a way to schedule a trigger for these Lambda functions from the master account via the CloudWatch Event Bus. Is this possible?
2 Answers
In line with what @amitd is suggesting, you need to implement something like this (using EventBridge event buses).
To configure cross-account EventBridge communication, the following needs to be done. I am providing sample events and filters; you can replace the events and filters as per your requirements.
Steps to be performed on Account B: Receiver account
- Create an event bus named event-bus-b. Put the resource-based policy as shown below.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "WebStoreCrossAccountPublish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<account-A>:root"
    },
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
  }]
}
Create a rule in account B; let's call it eb-rule-b. In this rule, select event-bus-b as the source event bus.
Provision the following event filter pattern:
Event pattern:
{
  "detail-type": ["uoe"],
  "source": ["somesource"]
}
Also, test the pattern using the test event.
Test Event:
{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
    "userOrg": "OrgName"
  }
}
Select the event bus event-bus-b in the drop-down.
Select the target "Lambda"
Put the ARN of the event bus which you have created in Account B.
arn:aws:lambda:<your-region>:<AccountB>:function:<AccountBLambda>
Also tick the check box "Create a new role for this specific resource". This will create a role in account A which enables Lambda execution.
Click Create to create the rule.
Now click on the event bus event-bus-a and click the Send events button.
Send a dummy event as shown below and validate that the communication between the event bus and the Lambda in account B is all OK.
If you face an issue in this plumbing, refer to: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html#eb-lam-function-not-invoked
Once we are good in Account B (i.e. we are able to invoke the Lambda by sending events on the event bus), configure the other accounts by following the same steps.
Steps to be performed on Account A: Sender account
Create an event bus event-bus-a in account A.
Create a rule eb-rule-a in account A with the following details:
Event pattern:
{
  "detail-type": ["uoe"],
  "source": ["somesource"]
}
Also, test the pattern using the test event.
Test Event:
{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
    "userOrg": "OrgName"
  }
}
Select the event bus event-bus-a in the drop-down.
Select the target "Event bus in different account or Region"
Put the ARN of the event bus which you have created in Account B.
arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b
- Also tick the check box "Create a new role for this specific resource". This will create a role in account A which enables the users in account A to publish on the Account B event bus. The policy below is auto-created and you don't need to do anything.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
      ]
    }
  ]
}
Click Create to create the rule.
Now click on the event bus event-bus-a and click the Send events button.
Provide the details and click Send.
Sample event:
{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
    "userOrg": "OrgName"
  }
}
The event will propagate to the event bus defined in account B.
Repeat steps 4-10 for all other accounts (i.e. create multiple targets in the same rule).
Once configured, a single event in Account A will propagate to multiple accounts and you will achieve the necessary fan-out.
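The procedure in the answer above, as an added example that is not part of the answer or of any AWS documentation: a Python script that builds the two policies the steps describe (the receiver bus's resource policy and the identity policy of the sender-side role), checks the rule pattern against a constructed sample event with a local matcher that follows EventBridge's exact-match rules, and, in deploy(), applies the same console steps as boto3 API calls. It goes slightly beyond the answer by adding rules that match on a field under "detail", which is how one event bus can pick different Lambda functions. The account IDs, the account-a/account-b CLI profiles, the bus, rule and function names and the sender role ARN are placeholders I chose; deploy() needs credentials for both accounts and only runs if you call it, so the rest of the file runs offline. One caveat the steps do not spell out: the resource policy shown trusts the root principal of account A, which means any identity in account A holding events:PutEvents can publish to event-bus-b, so list only the sender accounts you intend to trust.

```python
"""Cross-account EventBridge fan-out helpers (added example; all IDs are placeholders)."""
import json


def receiver_bus_policy(receiver_account, region, bus_name, sender_accounts):
    """Resource policy for the receiver bus: only the listed sender accounts may PutEvents."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountPublish",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in sender_accounts]},
            "Action": "events:PutEvents",
            "Resource": f"arn:aws:events:{region}:{receiver_account}:event-bus/{bus_name}",
        }],
    }


def sender_role_policy(receiver_bus_arns):
    """Identity policy for the role EventBridge assumes in the sender account (scoped to the buses)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["events:PutEvents"],
                       "Resource": sorted(receiver_bus_arns)}],
    }


def matches_pattern(event, pattern):
    """Scalar subset of EventBridge matching: every pattern key must exist in the event,
    a list means 'value must equal one entry', and a nested dict is matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True


def route(event, rules):
    """Names of the rules ({name: pattern}) whose pattern matches the event."""
    return [name for name, pattern in rules.items() if matches_pattern(event, pattern)]


# Constructed sample event in the shape the answer uses.
SAMPLE_EVENT = {
    "version": "0", "detail-type": "uoe", "source": "somesource",
    "account": "111111111111", "region": "us-east-1", "resources": [],
    "detail": {"userOrg": "OrgName", "lambdaToInvoke": "orders-fn"},
}

# The answer's rule, plus two rules that pick a function by a field under detail.
RULES = {
    "eb-rule-b": {"detail-type": ["uoe"], "source": ["somesource"]},
    "invoke-orders": {"source": ["somesource"], "detail": {"lambdaToInvoke": ["orders-fn"]}},
    "invoke-billing": {"source": ["somesource"], "detail": {"lambdaToInvoke": ["billing-fn"]}},
}


def deploy(sender_account, receiver_account, region, function_arn, sender_role_arn):
    """The console steps as API calls. Assumes CLI profiles account-a/account-b and that
    sender_role_arn exists, trusts events.amazonaws.com and carries sender_role_policy()."""
    import boto3  # imported here so the offline helpers need no AWS SDK

    b = boto3.Session(profile_name="account-b", region_name=region)
    events_b, lambda_b = b.client("events"), b.client("lambda")
    bus_b_arn = f"arn:aws:events:{region}:{receiver_account}:event-bus/event-bus-b"
    events_b.create_event_bus(Name="event-bus-b")
    events_b.put_permission(EventBusName="event-bus-b", Policy=json.dumps(
        receiver_bus_policy(receiver_account, region, "event-bus-b", [sender_account])))
    rule_arn = events_b.put_rule(Name="eb-rule-b", EventBusName="event-bus-b", State="ENABLED",
                                 EventPattern=json.dumps(RULES["eb-rule-b"]))["RuleArn"]
    # The console adds this for you; via the API the function needs an invoke permission
    # scoped to the rule, or the invocation fails (see the troubleshooting link above).
    lambda_b.add_permission(FunctionName=function_arn, StatementId="eb-rule-b",
                            Action="lambda:InvokeFunction", Principal="events.amazonaws.com",
                            SourceArn=rule_arn)
    events_b.put_targets(Rule="eb-rule-b", EventBusName="event-bus-b",
                         Targets=[{"Id": "lambda", "Arn": function_arn}])

    events_a = boto3.Session(profile_name="account-a", region_name=region).client("events")
    events_a.create_event_bus(Name="event-bus-a")
    events_a.put_rule(Name="eb-rule-a", EventBusName="event-bus-a", State="ENABLED",
                      EventPattern=json.dumps(RULES["eb-rule-b"]))
    events_a.put_targets(Rule="eb-rule-a", EventBusName="event-bus-a",
                         Targets=[{"Id": "bus-b", "Arn": bus_b_arn, "RoleArn": sender_role_arn}])
    events_a.put_events(Entries=[{"EventBusName": "event-bus-a", "Source": "somesource",
                                  "DetailType": "uoe", "Detail": json.dumps(SAMPLE_EVENT["detail"])}])


if __name__ == "__main__":
    print(json.dumps(receiver_bus_policy("222222222222", "us-east-1", "event-bus-b",
                                         ["111111111111"]), indent=2))
    print("routes to:", route(SAMPLE_EVENT, RULES))                          # eb-rule-b, invoke-orders
    print("wrong source:", route(dict(SAMPLE_EVENT, source="other"), RULES))  # []
```

Running the file prints the receiver policy and shows that the sample event reaches eb-rule-b and invoke-orders but not invoke-billing, and that changing "source" drops it entirely; the matcher covers only the exact-value filters used here (EventBridge also has prefix, numeric and anything-but filters, and matches any element when the event value is an array). The sender role's policy is the same one the console auto-creates in the answer, just scoped explicitly to the receiver bus ARNs.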
Please refer to the following options and related documentation from AWS:
- Using CloudWatch Events:
a. Sending and Receiving Events Between AWS Accounts
b. Cross-Account Delivery of CloudWatch Events
OR
- Using Amazon EventBridge:
a. Simplifying cross-account access with Amazon EventBridge
b. Sending and receiving Amazon EventBridge events between AWS accounts
In the **master account**, is it possible to schedule and put an event something like this, where a user-defined key/value is passed to indicate which Lambda function is to be triggered? `{ "version": "0", "id": "89d1a02d-5ec7-412e-82f5-13505f849b41", "detail-type": "Scheduled Event", "source": "aws.events", "account": "123456789012", "time": "2016-12-30T18:44:49Z", "region": "us-east-1", "resources": [ "arn:aws:events:us-east-1:123456789012:rule/SampleRule" ], "detail": { "lambdaToInvoke": "Pass the Lambda function name/ARN to be invoked" } }` – Nandeesh Apr 08 '21 at 05:43