Why is the EventBridge rule that was created using AWS CLI or AWS CloudFormation failing to invoke its target?

Short description

Targets need AWS Identity and Access Management (AWS IAM) or resource-based policies to grant permissions to an Amazon EventBridge rule to access or invoke the target.

Review these best practices when you create or update an EventBridge rule using AWS CLI, API, or AWS CloudFormation:

• When you create or modify an EventBridge rule using the EventBridge console, EventBridge automatically adds the appropriate permissions to the target's policy.
• When you create or update an EventBridge rule using the AWS CLI, SDK, or AWS CloudFormation, you must manually apply the permission in target policies.
  Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

Resolution

EventBridge uses two permission models to manage the rule's access to target resources: resource-based policies and identity-based policies. For more information, see the section Managing access to resources in Managing access permissions to your Amazon EventBridge resources.

Review the EventBridge rule metrics to confirm the invocation failures

1. Open the Amazon EventBridge console.
2. From the navigation pane on the left, under Buses, select Rules.
3. Click on the rule name.
4. Click on the Monitoring tab under the rule details.
5. Review the FailedInvocations metrics by selecting the appropriate time in the dashboard. FailedInvocations represent a permanent failure and might be the result of incorrect permissions or a misconfigured target. For more information see EventBridge metrics.

Confirm that the EventBridge rule has the necessary permissions to invoke its target

Use the following links to confirm that the EventBridge rule has the required permissions for the configured target.

Resource-based policies

The following targets use a resource-based policy:

• AWS Lambda
• API Gateway
• Amazon Simple Notification Service (Amazon SNS)
• Amazon Simple Queue Service (Amazon SQS)
• Amazon CloudWatch log groups

For information on creating a rule for CloudWatch logs as target, see How can I create a CloudWatch log group to use as a target for an EventBridge rule?

Identity-based policies

These targets need the proper IAM policy permissions. For more information, see Permissions required for EventBridge to access targets using IAM roles.
Note: For information on adding IAM policies, see Adding and removing IAM identity permissions.

• Amazon API destination
• Systems Manager
• Step Functions state machine
• ECS task
• Amazon Elastic Compute Cloud (Amazon EC2)
• Kinesis Streams
• Amazon SageMaker Pipeline
  Note: For more information on creating a rule for SageMaker Pipeline as a target, see the section Create an EventBridge rule using CLI in Amazon EventBridge integration.

Policies for cross-account, cross-Region, and event bus targets

• If target is a cross-account, cross-Region, or another event bus, see permissions for Amazon EventBridge event buses for resource-based policies. For information on configuring cross-account or cross-region rules, see A step-by-step guidance for setting up cross-account or cross-Region rules.

API Gateway target policies

• API Gateway targets can use either resource or IAM roles.

Add an Amazon SQS dead-letter queue to the target

If the EventBridge rule's target reports a failed invocation after you added the required policy, use Amazon SQS dead-letter queue (DLQ) as a target to store the event's metadata. Use the stored data to analyze why the Eventbridge rule failed to invoke and deliver the event to the configured target. For more information on how to validate targets, see How can I troubleshoot issues with EventBridge rules?

Related information

Why wasn't my Lambda function triggered by my EventBridge rule?

Troubleshooting Amazon EventBridge