My Amazon EventBridge destination event rule doesn't initiate when I send events to a different AWS account or AWS Region.
Short description
Events might fail to publish across accounts or Regions for the following reasons:
- The event rule on the source account didn't initiate, or the target invocations failed.
- The source account or organization doesn't have the correct permissions.
- The event rule on the destination account didn't initiate, or the target invocations failed.
Resolution
The event rule on the source account didn't initiate, or the target invocations failed
EventBridge publishes an event across accounts only when the source account initiates an event rule and invokes the target.
EventBridge initiates a rule when its pattern matches the incoming event. If there's a pattern match, then EventBridge sends a value of 1 to the TriggeredRules metric that corresponds to the matched event. For more information about EventBridge metrics, see Monitoring Amazon EventBridge.
If EventBridge triggers the rule, then check the Invocations metric for the corresponding rule to confirm that EventBridge invoked the target. The Invocations metric shows only that EventBridge tried to invoke the target. The metric doesn't confirm that the invocation completed. To check the completion status of the target invocation, use the FailedInvocations metric for the corresponding rule. If there's no data point in the FailedInvocations metric but there's a corresponding data point in the Invocations metric, then EventBridge successfully invoked the target.
Failed invocations might occur because the destination account's event bus doesn't have the required permissions. Insufficient AWS Identity and Access Management (IAM) permissions on the source account rule's target can also cause failed invocations.
The source account or organization doesn't have the correct permissions
To receive events from other accounts or from AWS Organizations, the source account must have permission to send events to the destination event bus. Confirm that the resource-based policy attached to the destination event bus grants that permission to the source account.
Example policy with appropriate permissions:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WebStoreCrossAccountPublish",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::SOURCE-ACC-ID:root"
        },
        "Action": "events:PutEvents",
        "Resource": "arn:aws:events:REGION:DESTINATION-ACC-ID:event-bus/destination-account-bus-name"
    }]
}
Note: Replace SOURCE-ACC-ID with the source account's ID, DESTINATION-ACC-ID with the destination account's ID, and REGION with the destination event bus's Region.
When the target of the rule is an event bus, use an IAM role to grant permission to send events to a different account or Region. Attach the following policy to the IAM role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ActionsForResource",
            "Effect": "Allow",
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:REGION:DESTINATION-ACC-ID:event-bus/destination-account-bus-name"
            ]
        }
    ]
}
Note: Replace DESTINATION-ACC-ID with your destination account's ID and REGION with the destination event bus's Region.
The source account can then perform a PutEvents API call on the destination account's event bus.
If you use the PutTargets API to create the rule's target manually, and the event bus policy grants permission to the entire organization rather than to individual accounts, then you must specify an IAM role for the target.
For more information about the required IAM permissions, see Grant permissions to allow events from other AWS accounts. Also, see Permissions for event buses in Amazon EventBridge.
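The following Python script is an added example, not code from AWS or from this article: it checks offline whether an event bus resource policy of the shape shown above grants events:PutEvents to a given source account, and maps a rule's TriggeredRules, Invocations and FailedInvocations data points onto the troubleshooting steps described earlier. The account IDs, Region and sample policy are constructed placeholders.

```python
import json

# Constructed sample values (not from the article): account IDs and Region.
SOURCE_ACCOUNT = "111122223333"
DESTINATION_BUS_ARN = "arn:aws:events:us-east-1:444455556666:event-bus/destination-account-bus-name"


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def bus_policy_allows_put_events(policy_json, source_account_id, bus_arn):
    """True if the bus resource policy has an Allow statement granting
    events:PutEvents on bus_arn to the source account's root principal.
    Only account principals are evaluated; organization-wide statements
    (Principal "*" with an aws:PrincipalOrgID condition) are not handled."""
    policy = json.loads(policy_json)
    wanted = {f"arn:aws:iam::{source_account_id}:root", source_account_id}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action", []))) & {"events:PutEvents", "events:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # a bare "*" principal is not an account grant; review it separately
        if not wanted & set(_as_list(principal.get("AWS", []))):
            continue
        if set(_as_list(stmt.get("Resource", []))) & {bus_arn, "*"}:
            return True
    return False


def diagnose_rule(triggered_rules, invocations, failed_invocations):
    """Map one rule's CloudWatch data points onto the checks in the article."""
    if triggered_rules == 0:
        return "rule did not trigger: the event pattern does not match the event"
    if invocations == 0:
        return "rule triggered but EventBridge did not attempt to invoke the target"
    if failed_invocations > 0:
        return "target invocation failed: check the bus policy and the target IAM role"
    return "target invoked successfully: check the destination account's rule next"


# Constructed policy in the same shape as the article's example.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "WebStoreCrossAccountPublish", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
    "Action": "events:PutEvents", "Resource": DESTINATION_BUS_ARN}]})
```

Feed it the output of `aws events describe-event-bus` (the Policy field) and the rule's CloudWatch data points to get the same verdict for a real bus.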
The event rule on the destination account didn't initiate, or the target invocations failed
When you publish an event to the destination account's event bus, configure an event rule on the event bus to match the event.
To confirm that the rule's pattern matches the incoming event and that the rule initiates, check the destination account's rule metrics in the same way as for the source account. Then verify that the target invocation succeeds.