How do I troubleshoot issues with cross-account or cross-Region Amazon EventBridge rules?


I want to find out why my Amazon EventBridge destination event rule doesn't trigger when I send events to a different AWS account or Region.

Short description

Amazon EventBridge allows you to send or receive events from event buses in different AWS accounts or Regions. For more information, see Introducing cross-Region event routing with Amazon EventBridge.

The delivery of cross-account events depends on:

  • The configuration of the EventBridge rule and its target in the source account
  • The configuration of the rule and its target in the destination account
  • Restrictions imposed at the service level

Resolution

Review the following reasons why events fail to publish across AWS accounts:

Event rule on the source account didn't trigger or the target invocations failed

  • EventBridge publishes an event across AWS accounts only when the source account triggers an event rule and invokes the target.
  • EventBridge triggers a rule when the rule's pattern matches the incoming event. If there's a pattern match, then a value of 1 is pushed to the TriggeredRules metric for the matched rule. For more information on EventBridge metrics, see Monitoring Amazon EventBridge.
  • If EventBridge triggered the rule, then check the Invocations metric for the corresponding rule to confirm that EventBridge invoked the target. Note that the data points in the Invocations metric indicate that EventBridge attempted to invoke the target, but they don't confirm that the invocation completed successfully.
  • To check the completion status of the target invocation, refer to the FailedInvocations metric for the corresponding rule. This metric shows the number of failed invocations. If there's no data point in the FailedInvocations metric but there's a corresponding data point in the Invocations metric, then EventBridge successfully invoked the target.
  • Failed invocations often occur because the destination account's event bus doesn't have the required permissions. Failed invocations can also be caused by inadequate AWS Identity and Access Management (IAM) permissions on the source account rule's target.

Inadequate permissions

  • The permissions on the destination account's event bus must authorize the source account. Only then can EventBridge publish an event to an event bus in a different account. You can grant these permissions to an individual account ID or to an entire organization. Confirm that the permissions on the destination account's event bus are correct.
  • Make sure that an IAM role is attached to the target of the rule you created using the AWS Management Console. This role allows the source account to perform a PutEvents API call on the destination account's event bus.
  • If you created the rule's target manually using the PutTargets API, attach the IAM role yourself.
    Note: Do this only if the permissions on the destination account's event bus are set for the entire organization.
  • For more information on the required IAM permissions, see Sending and receiving events between AWS accounts.
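The check "confirm that the permissions on the destination account's event bus are correct" can be scripted. The following is an added example, not code from the original article or from AWS: it takes an event bus resource policy (the JSON you get back from the DescribeEventBus API, or the policy you are about to attach) and decides whether a given source account may call events:PutEvents on the bus, covering both grant styles the article mentions, a grant to an individual account ID and a grant to a whole organization through the aws:PrincipalOrgID condition. The policies, bus ARN, account IDs and organization ID are constructed sample values, and the evaluation is a deliberately simplified model of IAM (Allow/Deny on action, resource, principal and that one condition key); it fails closed on anything it does not model.

```python
"""Decide whether a destination event bus policy authorizes a source account.

Added example, not from the original article. All identifiers below are
constructed samples. The logic is a simplified model of IAM resource-policy
evaluation: an explicit Deny wins, an Allow must match the action, the bus
ARN, the principal and (if present) the aws:PrincipalOrgID condition. Any
condition key other than aws:PrincipalOrgID is treated as unsatisfied.
"""
import json

# Constructed destination bus ARN (account 444455556666 is a placeholder).
DEST_BUS_ARN = "arn:aws:events:us-east-1:444455556666:event-bus/default"


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id):
    """True if Principal is '*', the bare account ID, or the account's root ARN."""
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
    root_arn = f"arn:aws:iam::{account_id}:root"
    return any(p in ("*", account_id, root_arn) for p in entries)


def _condition_matches(condition, org_id):
    """Only StringEquals on aws:PrincipalOrgID is modelled; anything else fails closed."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            if operator == "StringEquals" and key == "aws:PrincipalOrgID":
                if org_id is None or org_id not in _as_list(values):
                    return False
            else:
                return False
    return True


def _statement_applies(stmt, account_id, org_id, bus_arn):
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return (
        any(a in ("events:PutEvents", "events:*", "*") for a in actions)
        and any(r in (bus_arn, "*") for r in resources)
        and _principal_matches(stmt.get("Principal"), account_id)
        and _condition_matches(stmt.get("Condition"), org_id)
    )


def source_can_put_events(policy, account_id, bus_arn=DEST_BUS_ARN, org_id=None):
    """Return True when an Allow statement grants PutEvents to the source account
    (optionally identified by its organization ID) and no Deny statement revokes it."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if _statement_applies(stmt, account_id, org_id, bus_arn):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


# Constructed sample policy: grant to one source account by ID.
ACCOUNT_GRANT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSourceAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "events:PutEvents",
        "Resource": DEST_BUS_ARN,
    }],
}

# Constructed sample policy: grant to every account in one organization.
ORG_GRANT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowWholeOrganization",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "events:PutEvents",
        "Resource": DEST_BUS_ARN,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}

if __name__ == "__main__":
    print(source_can_put_events(ACCOUNT_GRANT, "111122223333"))                        # True
    print(source_can_put_events(ACCOUNT_GRANT, "999999999999"))                        # False
    print(source_can_put_events(ORG_GRANT, "999999999999", org_id="o-exampleorgid"))   # True
    print(source_can_put_events(ORG_GRANT, "999999999999"))                            # False
```

The last case is the one worth noticing: with an organization-wide grant, a caller that cannot be identified as a member of the organization is refused, which is why the article tells you to attach the IAM role to the target when the destination bus permission is set for the whole organization rather than for your account ID.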

Event rule on the destination account didn't trigger or the target invocations failed

  • When you publish an event to the destination account's event bus, configure an event rule on that event bus whose pattern matches the event.
  • Check the metrics for the destination account's rule to confirm that the rule's pattern matches the incoming event that's triggering it. Verify that the invocation of the target succeeded.
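The metric checks described above for the source account's rule, and repeated here for the destination account's rule, reduce to one decision procedure over three CloudWatch metrics. The following is an added example, not code from the original article or from AWS: it sums the per-rule TriggeredRules, Invocations and FailedInvocations data points and reports which of the article's failure points applies. The responses are constructed to mimic the Datapoints list that CloudWatch GetMetricStatistics returns for each metric (a metric with no activity comes back with an empty list, which is the "no data point" case the article refers to); the function does not call AWS itself.

```python
"""Triage one EventBridge rule from its CloudWatch metric data points.

Added example, not from the original article. The input dicts are constructed
to match the shape of a GetMetricStatistics response ({"Label": ...,
"Datapoints": [{"Timestamp": ..., "Sum": ..., "Unit": "Count"}, ...]}). Run
the same function against the source rule and the destination rule.
"""

NEXT_STEP = {
    "rule_not_triggered": "No TriggeredRules data: the rule's pattern did not match the event. Compare the event pattern with the event you sent.",
    "target_not_invoked": "Rule matched but no Invocations data: EventBridge did not attempt the target. Check the rule's target configuration.",
    "target_invocation_failed": "FailedInvocations recorded: check the destination event bus permissions and the IAM role on the rule's target.",
    "delivered": "Invocations recorded with no FailedInvocations: this rule is healthy. Repeat the checks on the other account's rule.",
}


def sum_datapoints(response):
    """Add up the Sum statistic over a GetMetricStatistics-style response.
    A metric with no data points (empty or missing list) sums to 0."""
    return sum(dp.get("Sum", 0.0) for dp in response.get("Datapoints", []))


def triage_rule(metrics):
    """metrics maps metric name -> GetMetricStatistics-style response.
    Returns (status, next_step) following the article's order of checks."""
    triggered = sum_datapoints(metrics.get("TriggeredRules", {}))
    invocations = sum_datapoints(metrics.get("Invocations", {}))
    failed = sum_datapoints(metrics.get("FailedInvocations", {}))
    if triggered == 0:
        status = "rule_not_triggered"
    elif invocations == 0:
        status = "target_not_invoked"
    elif failed > 0:
        status = "target_invocation_failed"
    else:
        status = "delivered"
    return status, NEXT_STEP[status]


def _response(metric, sums):
    """Build a constructed GetMetricStatistics-style response, one data point per sum."""
    return {
        "Label": metric,
        "Datapoints": [
            {"Timestamp": f"2024-01-01T00:{i:02d}:00Z", "Sum": s, "Unit": "Count"}
            for i, s in enumerate(sums)
        ],
    }


# Constructed sample: the source rule matched twice, both invocations were
# attempted, and both failed (typically a missing bus permission or target role).
SOURCE_RULE = {
    "TriggeredRules": _response("TriggeredRules", [1.0, 1.0]),
    "Invocations": _response("Invocations", [1.0, 1.0]),
    "FailedInvocations": _response("FailedInvocations", [2.0]),
}

# Constructed sample: the destination rule never matched, so nothing downstream ran.
DESTINATION_RULE = {
    "TriggeredRules": _response("TriggeredRules", []),
    "Invocations": _response("Invocations", []),
    "FailedInvocations": _response("FailedInvocations", []),
}

if __name__ == "__main__":
    for name, metrics in (("source", SOURCE_RULE), ("destination", DESTINATION_RULE)):
        status, step = triage_rule(metrics)
        print(f"{name}: {status} -> {step}")
```

In practice you would fill the three dicts from GetMetricStatistics with the Sum statistic and a RuleName dimension for the rule in question, once in the source account and once in the destination account, and read the two statuses together: a source rule that reports delivered and a destination rule that reports rule_not_triggered points at the destination rule's pattern rather than at permissions.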
AWS OFFICIAL (updated 8 months ago)