
I'm trying to set up a cross-account EventBridge flow from Account A to Account B to trigger a CodePipeline which is in Account B. Account A: I have set up S3 and an AWS event bus to send the event to Account B when an object is added to S3. Account B: I have set up an AWS event bus to receive the event from Account A and CodePipeline as the target to trigger.

I have an issue with sending the event from Account A to Account B using the event bus, and I also want to set up the policy and permissions in Account B to receive the event from Account A and trigger CodePipeline.

How can this be achieved?

I'm following the script: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html

Abhishek Hc

1 Answer


To configure cross-account EventBridge communication, the following needs to be done. I am providing a sample event and filters; you can replace the event and filters as per your requirement. Focus on resolving the inter-account connectivity.


Steps to be performed on Account B: Receiver account

  1. Create an event bus named event-bus-b. Put the resource-based policy shown below on it.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "WebStoreCrossAccountPublish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<account-A>:root"
    },
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
  }]
}

Steps to be performed on Account A: Sender account

  1. Create an event bus event-bus-a in account A.

  2. Create a rule eb-rule-a in account A with the following details:

Event pattern:

{
  "detail-type": [
    "uoe"
  ],
  "source": [
    "somesource"
  ]
}

Also, test the pattern using the test event.

Test Event:

{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
   "userOrg" : "OrgName" 
  }
}
  3. Select the event bus event-bus-a in the drop-down.

  4. Select the target "Event bus in different account or Region".

  5. Put the ARN of the event bus which you have created in Account B.

arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b
  6. Also tick the check box "Create a new role for this specific resource". This will create a role in account A which enables account A to publish to the account B event bus. The policy below is auto-created and you don't need to do anything.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
            ]
        }
    ]
}
  7. Click on Create to create the rule.

  8. Now click on the event bus event-bus-a and click on the Send events button.

  9. Provide the details and click on Send.


Sample event:

{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
   "userOrg" : "OrgName" 
  }
}
  10. The event will propagate to the event bus defined in account B. You can validate that by replicating the rule which we created in account A in account B, attaching a Lambda as a target to that rule, and printing the event to the logs.
Amit Meena
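As an added example (not part of the answer above, and not AWS tooling), the following Python builds the receiver-bus resource policy from the answer, checks that it is scoped to the sender account rather than open to any principal, and matches the eb-rule-a event pattern against the test event with a simplified version of EventBridge's matching rules. The account IDs and region are constructed placeholders.

```python
# Constructed placeholder values (not from the post); substitute real IDs when used.
ACCOUNT_A = "111111111111"  # sender account (hypothetical)
ACCOUNT_B = "222222222222"  # receiver account (hypothetical)
REGION = "us-east-1"
BUS_B_ARN = f"arn:aws:events:{REGION}:{ACCOUNT_B}:event-bus/event-bus-b"


def receiver_bus_policy(sender_account: str, bus_arn: str) -> dict:
    """Resource-based policy for event-bus-b: only the sender account may PutEvents."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "WebStoreCrossAccountPublish",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{sender_account}:root"},
        "Action": "events:PutEvents",
        "Resource": bus_arn}]}


def policy_is_scoped(policy: dict) -> bool:
    """Flag a bus policy that lets any account publish (Principal "*" or Resource "*")."""
    for st in policy["Statement"]:
        principal = st.get("Principal", "*")
        aws = principal.get("AWS", "*") if isinstance(principal, dict) else principal
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in (aws if isinstance(aws, list) else [aws]) or "*" in resources:
            return False
    return True


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge matching: each pattern key must exist in the event and its
    value must be one of the listed values; nested objects are matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not pattern_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


# The rule pattern and test event from the answer, with the placeholders filled in.
EB_RULE_A_PATTERN = {"detail-type": ["uoe"], "source": ["somesource"]}
TEST_EVENT = {"version": "0", "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
              "detail-type": "uoe", "source": "somesource", "account": ACCOUNT_A,
              "time": "2020-04-24T13:53:21Z", "region": REGION, "resources": [],
              "detail": {"userOrg": "OrgName"}}
```

Running `policy_is_scoped` over the policy you actually attach to event-bus-b catches the common mistake of widening the Principal to `*` while debugging and forgetting to narrow it again.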