AWS recently announced a new feature for Amazon EventBridge that allows users to deliver events directly to AWS services in different accounts. According to the company, this enhancement enables the use of multiple accounts to improve security and simplify business processes.
Amazon EventBridge Event Bus is a serverless event broker that enables scalable event-driven applications by routing events between applications, third-party SaaS, and AWS services. The newly introduced feature lets users directly target services in another account without additional infrastructure. Chris McPeek, a Principal Solution Architect at AWS, explains in an AWS Compute blog post:
With this new EventBridge feature, you can deliver events directly from the source event bus to the desired targets in different accounts. This simplifies the architecture and permission model and reduces latency in your event-driven solutions by having fewer components process events along the path from source to target.
For example, users can route events from their EventBridge Event Bus to a different team’s SQS queue in another account, with the receiving team only needing to grant AWS Identity and Access Management (IAM) permissions for access. Events can be delivered across accounts to targets that support resource-based IAM policies, including Amazon SQS, AWS Lambda, Amazon Kinesis Data Streams, Amazon SNS, and Amazon API Gateway.
(Source: AWS Compute blog post)
The company recommends enabling cross-account event delivery by establishing mutual trust between the source and target accounts. Rules on the source event bus send events to their targets through an IAM role, which is attached to each rule as its execution role.
Targets in different accounts need a resource access policy to receive events from the source account’s execution role. Targets like Amazon SQS queues, Amazon SNS topics, and AWS Lambda functions support this process.
Having an IAM role in the source account and a resource policy in the target account allows for fine-grained control over the PutEvents action. Users can also define service control policies (SCPs) to regulate who can send and receive events in their organization.
To set up cross-account event delivery (assuming the source event bus exists), users can follow these three steps:
- Target account: Create a delivery target (e.g., SQS queue).
- Source account: Configure a rule for event delivery, set the target SQS queue ARN, and attach an execution role with permissions to send messages.
- Target account: Apply a resource policy to the SQS queue to allow the source event bus execution role to send events.
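The trust model described above (execution role in the source account, resource policy on the target) and the three setup steps come together in the following added example, which is not code from the article or from AWS. It builds the policy documents for delivering to an SQS queue in another account and audits the queue policy so that only the source execution role may send. All account IDs, the role name, the queue name and the rule name are constructed placeholders; the documents are meant to be passed to the AWS CLI (`aws iam create-role --assume-role-policy-document`, `aws events put-targets --targets`, `aws sqs set-queue-attributes --attributes Policy=...`) or to infrastructure-as-code, which this script deliberately does not call.

```python
"""Added example: policy documents for EventBridge cross-account delivery to SQS.
Not the article's or AWS's own code; every identifier below is a constructed placeholder."""
import json

SOURCE_ACCOUNT = "111111111111"                       # placeholder source account
TARGET_ACCOUNT = "222222222222"                       # placeholder target account
REGION = "us-east-1"
ROLE_NAME = "eventbridge-cross-account-delivery"      # hypothetical execution role name
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{TARGET_ACCOUNT}:orders-queue"   # placeholder queue
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/{ROLE_NAME}"


def execution_role_trust_policy() -> dict:
    """Source account: who may assume the execution role. Only the EventBridge
    service acting for this account; aws:SourceAccount blocks a confused-deputy
    assumption from a rule in some other account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": SOURCE_ACCOUNT}},
        }],
    }


def execution_role_permissions() -> dict:
    """Source account: the role may send to the one target queue and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}],
    }


def rule_target(target_id: str = "orders-queue-target") -> dict:
    """Source account: target entry for the rule. The Arn lives in the other
    account; RoleArn is what EventBridge assumes when it delivers."""
    return {"Id": target_id, "Arn": QUEUE_ARN, "RoleArn": ROLE_ARN}


def queue_resource_policy() -> dict:
    """Target account: resource policy on the queue admitting only the source role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSourceEventBridgeRole",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "sqs:SendMessage",
            "Resource": QUEUE_ARN,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_queue_policy(policy: dict, allowed_role_arn: str, queue_arn: str) -> list:
    """Return one finding per way an Allow statement is broader than
    'this one role may SendMessage to this one queue'. Empty list means tight."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "*")
        # A bare "*" or a non-AWS principal (e.g. a Service without conditions) is treated as broad.
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", "*"))
        if any(p != allowed_role_arn for p in principals):
            findings.append(f"statement {idx}: principal broader than {allowed_role_arn}")
        if any(a != "sqs:SendMessage" for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {idx}: action other than sqs:SendMessage")
        if any(r != queue_arn for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {idx}: resource other than the target queue")
    return findings


if __name__ == "__main__":
    docs = [("trust policy", execution_role_trust_policy()),
            ("role permissions", execution_role_permissions()),
            ("rule target", rule_target()),
            ("queue policy", queue_resource_policy())]
    for name, doc in docs:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
    # Overly broad alternative: whole source account as principal, all SQS actions, any resource.
    broad = {"Statement": [{"Effect": "Allow",
                            "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
                            "Action": "sqs:*", "Resource": "*"}]}
    print("tight policy findings:", audit_queue_policy(queue_resource_policy(), ROLE_ARN, QUEUE_ARN))
    print("broad policy findings:", audit_queue_policy(broad, ROLE_ARN, QUEUE_ARN))
```

The audit reflects the point made above about fine-grained control: because the target policy names the source role rather than the whole source account, the receiving team can see exactly which rule-owner may write to its queue, and the same check can run in CI against any queue policy before it is applied.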
Yan Cui, a Serverless Hero, tweeted on X:
This is AWESOME! EventBridge now delivers events to cross-account targets directly, without having to send them to the default bus in the target account first.
Cross-account event delivery is the latest addition to the service, following earlier features such as the AppSync integration. In a LinkedIn post, Sheen Brisals, an AWS Serverless Hero, stated:
In a way, this feature now pushes EventBridge to become a ‘true’ enterprise event-streaming platform. There are still gaps to fill, but we are getting there.
Users can find more information and guidance on Amazon EventBridge on the documentation pages and GitHub repository. In addition, more details on EventBridge pricing are available on the pricing page.