Why does my EventBridge rule for IAM events only trigger in the us-east-1 Region?

2 minute read

I want to know why the Amazon EventBridge rule that receives events from global services doesn’t work in Regions outside us-east-1 Region.

Short description

AWS global services such as AWS Identity and Asset Management (IAM) and Amazon Route 53 are available only in the us-east-1 Region. The default event bus for this Region receives all the events that are generated from these services.

Resolution

If you already set up the EventBridge resources in the us-east-2 Region, invoke the targets for global services as follows:

Recreate the EventBridge rule and the targets in the us-east-1 Region

If your EventBridge targets are in us-east-1 Region, then follow these steps:

Delete the EventBridge resources in the us-east-2 Region.
Recreate the same rule, pattern, and targets in the us-east-1 Region.
Important: If your targets are located outside the us-east-1 Region, follow the option listed in the next section.

Route events from the us-east-1 Region to the us-east-2 Region event bus (console)

With cross-Region routing capabilities, you can now route the events from the us-east-1 Region to an event bus in then us-east-2 Region. This allows events originating in the us-east-1 Region to invoke targets in the us-east-2 Region.

Open the EventBridge console in the us-east-1 Region.
From the left panel, choose Buses. Then, select Rules from the dropdown list.
Choose Create rule. Copy and paste the same pattern that was used in the us-east-2 Region.
For Target types, choose EventBridge event bus. Then, select Event bus in a different account or Region.
For Event bus, enter the Amazon Resource Name (ARN) of the default event bus in the us-east-2 Region.
Keep the default option Create a new role for this specific resource. This creates the necessary AWS Identity and Access Management (IAM) permissions that allow the rule to put events on the target bus.
Choose Next. Then, choose Update rule.

Note: Don't delete the EventBridge rule in the us-east-2 Region because the rules must coexist in both Regions for the cross-Region routing to work.

In your new configuration, all the events from the us-east-1 Region are routed to the event bus in the us-east-2 Region. An event triggers your existing rule in then us-east-2 Region. This then invokes your targets in the same Region.

Topics

Serverless Application Integration

Relevant content

Does the IAM Access Analyzer consider Data Events as well as Management Events in CloudTrail Trail logs?
Accepted Answer
rePost-User-3291816
asked 2 years ago
CloudTrail global service events vs regional events
Abhishek
asked 7 months ago
IAM Identity Centre Cloudwatch events
Accepted Answer
DevS
asked a year ago
Outside of AWS IAM Identity Center, does AWS support FIDOs/WebAuthn protocols for MFA, such as for Yubikeys when you access Workspaces?
Accepted Answer
rePost-User-0313018
asked 24 days ago
AWS IAM Identity Center - EventBridge Rules
Accepted Answer
Peter Eskandar
asked a year ago
Why is my EventBridge rule not working in Regions other than the one I created it in?
AWS OFFICIALUpdated 7 months ago
Why does my IAM credential report show my AWS Config managed rules as not compliant?
AWS OFFICIALUpdated a year ago
Why wasn't my Lambda function triggered by my EventBridge rule?
AWS OFFICIALUpdated 8 months ago
Does using the IAM Identity Center affect my IAM identities or federation configuration?
AWS OFFICIALUpdated a year ago
A step-by-step guide to cross-account and cross-region events with EventBridge
EXPERT
Antonio_Lagrotteria
published a year ago