Hi there,
At this point sending events cross-account is only supported via Event Buses which means that it is not possible to directly set a target of Lambda-in-AccountA to an EventBridge Rule Rule-in-AccountB. The supported flow would be as below:
Event-Bus-AccountB => Rule-in-AccountB => Event-Bus-AccountA as one of the Target => Rule-in-AccountA to match the events coming from AccountB and with a Target of Lambda-in-AccountA.
To help you further understand, here are some useful resources: "Sending and Receiving events between AWS Accounts" and "Simplifying cross-account access with Amazon EventBridge Resource policies".
Hope this helps, and please let me know if you have any further questions.
Update: Amazon EventBridge announced support for cross-account targets for Event Buses on 21 Jan 2025 [1], which allows you to send events directly to targets, such as Amazon SQS, AWS Lambda, and Amazon SNS, located in other accounts.
In the blogpost, a note says: "The following example describes setting up cross-account event delivery to an SQS queue. You can apply the same technique to other target types as well, such as Lambda functions or SNS topics.". Indeed, after correctly setting up a resource-based policy on the target Lambda function, allowing the EventBus role as Principal, I was able to make it work.
I don't think this is possible.
With EventBridge, it's possible to configure an event bus to receive events from different sources including sources from other AWS accounts. To invoke a lambda function - this would be done via Event Bus -> Rule -> Target (in this case, the target would be a lambda function). Currently, it seems that the Lambda function must be in the same account as the Rule.
If you're looking to do extra architecture, a couple solutions could be as follows:
- Event Bus (B) -> Rule (B) -> SQS (B) -> Lambda (A): https://aws.amazon.com/about-aws/whats-new/2021/09/aws-lambda-lambda-function-amazon-sqs-queue/. For this, you will need to configure cross-account access and the resource policies (https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html#grant-cross-account-permissions-to-role-and-user-name).
- Event Bus (B) -> Rule (B) -> Lambda (B) -> Lambda (A): This could be done a few different ways. In theory, you would still need to do cross-account access somehow, either through invocation (Lambda Permissions) or cross-account role assumption.

The flow Event-Bus-AccountB => Rule-in-AccountB => SQS-in-AccountB => Lambda-in-AccountA looks to be supported now, as the Lambda service recently announced support for invocation from an SQS queue in a different AWS account. You can check the details at https://aws.amazon.com/about-aws/whats-new/2021/09/aws-lambda-lambda-function-amazon-sqs-queue/
In case it's not possible to use an event bus in account A as a target, are there any other options to invoke Lambda-in-AccountA when an event is published on Event-Bus-AccountB? Is Event-Bus-AccountB => Rule-in-AccountB => SQS-in-AccountB => Lambda-in-AccountA a feasible alternative?
However, could you please describe a crucial aspect: the trust relationship and permission policies of the various components.
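
On the trust relationship and permission policies asked about above, for the direct cross-account target described in the update: the following is an added example, not code from any poster or from AWS. It builds the three policy documents involved and audits them for over-broad grants. The account IDs, role name and function name are constructed placeholders, and the `aws:SourceAccount` condition on the trust policy is a hardening assumption added here, not something stated in the thread.

```python
# Constructed placeholders (assumptions, not values from the thread).
SOURCE_ACCOUNT = "111111111111"  # AccountB: owns the event bus, rule and role
TARGET_ACCOUNT = "222222222222"  # AccountA: owns the Lambda function
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/rule-target-role"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{TARGET_ACCOUNT}:function:consumer"


def _doc(**stmt):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", **stmt}]}


def build_policies():
    """Return the three policy documents the direct cross-account flow needs."""
    return {
        # AccountB: only EventBridge, acting for AccountB, may assume the role.
        "role_trust": _doc(
            Principal={"Service": "events.amazonaws.com"}, Action="sts:AssumeRole",
            Condition={"StringEquals": {"aws:SourceAccount": SOURCE_ACCOUNT}}),
        # AccountB: the role may invoke exactly one function in AccountA.
        "role_permissions": _doc(Action="lambda:InvokeFunction", Resource=FUNCTION_ARN),
        # AccountA: the function's resource-based policy names that role.
        "function_policy": _doc(
            Principal={"AWS": ROLE_ARN}, Action="lambda:InvokeFunction",
            Resource=FUNCTION_ARN),
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policies):
    """Flag wildcard grants and service trust with no source condition."""
    findings = []
    for name, doc in policies.items():
        for stmt in doc["Statement"]:
            principal = stmt.get("Principal", {})
            if principal == "*" or "*" in _as_list(
                    principal.get("AWS", []) if isinstance(principal, dict) else []):
                findings.append(f"{name}: wildcard principal")
            if any("*" in a for a in _as_list(stmt.get("Action", []))):
                findings.append(f"{name}: wildcard action")
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append(f"{name}: wildcard resource")
            if isinstance(principal, dict) and "Service" in principal \
                    and "Condition" not in stmt:
                findings.append(f"{name}: service principal without a condition")
    return findings
```

`audit(build_policies())` returns an empty list; swapping the function policy's principal for `"*"` or dropping the trust condition produces a finding for the affected document.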