AWS::Events::EventBusPolicy
The AWS::Events::EventBusPolicy resource creates an event bus policy for Amazon CloudWatch Events. An event bus policy enables your account to receive events from other AWS accounts. These events can trigger CloudWatch Events rules created in your account. For more information, see Sending and Receiving Events Between AWS Accounts in the Amazon CloudWatch Events User Guide.
Note
If you grant permission to other accounts using Condition and specifying an organization, then accounts in that organization must specify a RoleArn with proper permissions when they use PutTarget to add your account's event bus as a target.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
    {
      "Type" : "AWS::Events::EventBusPolicy",
      "Properties" : {
        "Action" : String,
        "Condition" : Condition,
        "Principal" : String,
        "StatementId" : String
      }
    }
YAML
    Type: "AWS::Events::EventBusPolicy"
    Properties:
      Action: String
      Condition: Condition
      Principal: String
      StatementId: String
Properties
Action
The action that you are enabling the other account to perform. Currently, this must be events:PutEvents.
Required: Yes
Type: String
Update requires: No interruption
Condition
A JSON string which you can use to limit the event bus permissions you are granting to only accounts that fulfill the condition. Currently, the only supported condition is membership in a certain AWS organization. The string must contain Type, Key, and Value fields. Currently, the Type must be StringEquals, the Key must be aws:PrincipalOrgID, and the Value field specifies the ID of the AWS organization. If you specify Condition with an AWS organization ID, you must specify "*" as the value for Principal. This grants permission to all the accounts in the named organization.
Required: No
Type: Condition
Update requires: No interruption
Principal
The 12-digit AWS account ID that you are permitting to put events to your default event bus. Specify * to permit any account to put events to your default event bus, or if you are specifying an organization ID in the Condition object.
Required: Yes
Type: String
Update requires: No interruption
StatementId
An identifier string for the external account to which you are granting permissions. To later revoke the permission for this external account, you need to know this string.
Required: Yes
Type: String
Update requires: Replacement
Return Values
Ref
When you pass the logical ID of an AWS::Events::EventBusPolicy resource to the intrinsic Ref function, the function returns the event bus policy ID, such as EventBusPolicy-1aBCdeFGh2J3.
For more information, see Ref.
Examples
Grant Permission to One Account
The following example grants permission to one AWS account with an account ID of 111122223333.
JSON
    "SampleEventBusPolicy": {
      "Type": "AWS::Events::EventBusPolicy",
      "Properties": {
        "Action": "events:PutEvents",
        "Principal": "111122223333",
        "StatementId": "MyStatement"
      }
    }
YAML
    SampleEventBusPolicy:
      Type: AWS::Events::EventBusPolicy
      Properties:
        Action: "events:PutEvents"
        Principal: "111122223333"
        StatementId: "MyStatement"
Grant Permission to an Organization
The following example grants permission to all AWS accounts in the organization with
an organization ID of o-1234567890.
JSON
    "SampleEventBusPolicy": {
      "Type": "AWS::Events::EventBusPolicy",
      "Properties": {
        "Action": "events:PutEvents",
        "Principal": "*",
        "StatementId": "MyStatement",
        "Condition": {
          "Type": "StringEquals",
          "Key": "aws:PrincipalOrgID",
          "Value": "o-1234567890"
        }
      }
    }
YAML
    SampleEventBusPolicy:
      Type: AWS::Events::EventBusPolicy
      Properties:
        Action: "events:PutEvents"
        Principal: "*"
        StatementId: "MyStatement"
        Condition:
          Type: "StringEquals"
          Key: "aws:PrincipalOrgID"
          Value: "o-1234567890"
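The constraints listed under Properties and illustrated by the two examples above can be checked mechanically before a template is deployed. The following Python linter is an added example, not part of the CloudFormation documentation or of any AWS tooling. It parses a constructed template that contains the two documented examples plus two deliberately flawed resources, and reports an Action other than events:PutEvents, a Principal that is neither a 12-digit account ID nor "*", a Condition that does not use StringEquals on aws:PrincipalOrgID, a Condition paired with a Principal other than "*", and, as a warning rather than an error, a Principal of "*" with no organization Condition, which the Principal description above says admits any AWS account. The logical resource names and the check that an organization ID begins with "o-" (matching the o-1234567890 example) are assumptions of this example.

```python
"""Lint AWS::Events::EventBusPolicy resources in a parsed CloudFormation template.

Added example; not AWS documentation or tooling. The checks encode the property
constraints stated on the EventBusPolicy resource page.
"""
import json
import re

ALLOWED_ACTION = "events:PutEvents"      # the only Action the resource currently accepts
CONDITION_TYPE = "StringEquals"          # the only supported Condition.Type
CONDITION_KEY = "aws:PrincipalOrgID"     # the only supported Condition.Key
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # Principal must be a 12-digit account ID or "*"


def lint_policy(props):
    """Return a list of findings for one EventBusPolicy Properties block.

    Findings are prefixed "ERROR:" (the template violates a documented
    constraint) or "WARNING:" (valid, but broader than it may need to be).
    """
    findings = []
    action = props.get("Action")
    principal = props.get("Principal")
    statement_id = props.get("StatementId")
    condition = props.get("Condition")

    if action != ALLOWED_ACTION:
        findings.append(f"ERROR: Action must be {ALLOWED_ACTION}, got {action!r}")
    if not statement_id:
        findings.append("ERROR: StatementId is required (it is needed later to revoke the grant)")
    if principal is None:
        findings.append("ERROR: Principal is required")
    elif principal != "*" and not ACCOUNT_ID_RE.match(str(principal)):
        findings.append(f"ERROR: Principal must be a 12-digit account ID or '*', got {principal!r}")

    if condition is not None:
        # Organization-scoped grant: Type/Key are fixed and Principal must be "*".
        if condition.get("Type") != CONDITION_TYPE:
            findings.append(f"ERROR: Condition.Type must be {CONDITION_TYPE}, got {condition.get('Type')!r}")
        if condition.get("Key") != CONDITION_KEY:
            findings.append(f"ERROR: Condition.Key must be {CONDITION_KEY}, got {condition.get('Key')!r}")
        value = condition.get("Value")
        if not isinstance(value, str) or not value.startswith("o-"):  # assumption: org IDs start with "o-"
            findings.append(f"ERROR: Condition.Value must be an AWS organization ID (o-...), got {value!r}")
        if principal != "*":
            findings.append("ERROR: Principal must be '*' when Condition names an organization")
    elif principal == "*":
        # Valid per the docs, but it lets every AWS account put events on this bus.
        findings.append("WARNING: Principal '*' without an organization Condition permits any AWS account to put events")
    return findings


def lint_template(template):
    """Map each AWS::Events::EventBusPolicy logical ID to its list of findings."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Events::EventBusPolicy":
            continue
        results[logical_id] = lint_policy(resource.get("Properties", {}))
    return results


# Constructed sample template: the two documented examples plus two flawed resources.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "OneAccountPolicy": {
      "Type": "AWS::Events::EventBusPolicy",
      "Properties": {"Action": "events:PutEvents", "Principal": "111122223333", "StatementId": "MyStatement"}
    },
    "OrgPolicy": {
      "Type": "AWS::Events::EventBusPolicy",
      "Properties": {"Action": "events:PutEvents", "Principal": "*", "StatementId": "MyStatement",
                     "Condition": {"Type": "StringEquals", "Key": "aws:PrincipalOrgID", "Value": "o-1234567890"}}
    },
    "OpenPolicy": {
      "Type": "AWS::Events::EventBusPolicy",
      "Properties": {"Action": "events:PutEvents", "Principal": "*", "StatementId": "OpenToEveryone"}
    },
    "BadPolicy": {
      "Type": "AWS::Events::EventBusPolicy",
      "Properties": {"Action": "events:*", "Principal": "12345", "StatementId": "Bad",
                     "Condition": {"Type": "StringLike", "Key": "aws:PrincipalOrgID", "Value": "o-1234567890"}}
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(logical_id, "->", findings or ["OK"])
```

Run against the constructed template, the two documented examples pass cleanly, OpenPolicy raises the single wildcard warning, and BadPolicy collects four errors (Action, Principal format, Condition.Type, and the missing "*" Principal for an organization grant). Because StatementId is the only property whose update requires replacement, the linter also treats its absence as an error so the grant can be revoked later by name.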
See Also
- Sending and Receiving Events Between AWS Accounts in the Amazon CloudWatch User Guide
- PutPermission in the Amazon CloudWatch API Reference
