Questions tagged with Amazon EventBridge

I am trying to setup an eventbridge input transformer, and am following the example instructions on this page: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html I need to use reserved variables, so I am testing by trying to use the input template with the description: > Including reserved variables in JSON Here is my Input Template: ``` { "instance" : <instance>, "state": <state>, "ruleArn" : <aws.events.rule-arn>, "ruleName" : <aws.events.rule-name>, "originalEvent" : <aws.events.event> } ``` According to the docs, `Generate Output` is supposed to result in: ``` { "instance" : "i-0123456789", "state": "RUNNING", "ruleArn" : "arn:aws:events:us-east-2:123456789012:rule/example", "ruleName" : "example", "originalEvent" : { ... // commented for brevity } } ``` but instead I am getting: ``` { "instance" : i-0123456789, "state": RUNNING, "ruleArn" : <aws.events.rule-arn>, "ruleName" : <aws.events.rule-name>, "originalEvent" : <aws.events.event> } ``` Is this broken, or am I missing something? I also need to transform the input before being sent to an `EventBridge event bus` in another account as a Target, but when I select that as the target, the ability to configure the target input as an Input Transformer disappears from the `Additional Settings` section. Is this not supported?

Hi, I'd like a Lambda function to be notified when a new client connects to our AWS Client VPN endpoint so that it can take some action to update our private hosted zone in Route53. Is there any way to send a notification from our AWS Client VPN endpoint to Lambda either via SNS or Eventbridge? Many thanks in advance.

Hi, I need to subscribe to AMQP broker which is hosted outside of AWS and consume the content. Is there a serverless service that is able to maintain the connection without need to run an EC2 instance and forward the data to other services? I have tried to work with Kinesis and EventBridge, but these services doesn't seem to be able to consume amqp, while MQ is only able to setup a broker.

Apologize to all for the duplicate post. I created my login under the wrong account when I initially posted this question. I’m able to generate a new OpsItem for any EC2, SecurityGroup, or VPC configuration change using an EventBridge rule with the following event pattern. { "source": "aws.config", "detail-type": "Config Configuration Item Change", "detail": { "messageType": "ConfigurationItemChangeNotification", "configurationItem": { "resourceType": "AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC" } } } The rule and target work great when using Matched event for the Input but I noticed that launching one EC2 using the AWS wizard creates at least three OpsItems, one for each resourceType. Therefore I’d like to implement a deduplication string to cut down on the number of OpsItems generated to one if possible and I’d also like to attach a category and severity to the new OpsItem. I’m trying to use an Input Transformer as recommended by the AWS documentation but even the most simplest of Input Transformers when applied prevent any new OpsItems from being generated. When I've tested, I've also ensured that all previous OpsItems were resolved. Can anyone tell me what might be blocking the creation of any new OpsItems when using this Input Transformer configuration? Here’s what I have configured now. Input path { "awsAccountId": "$.detail.configurationItem.awsAccountId", "awsRegion": "$.detail.configurationItem.awsRegion", "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime", "detail-type": "$.detail-type", "messageType": "$.detail.messageType", "notificationCreationTime": "$.detail.notificationCreationTime", "region": "$.region", "resourceId": "$.detail.configurationItem.resourceId", "resourceType": "$.detail.configurationItem.resourceType", "resources": "$.resources", "source": "$.source", "time": "$.time" } Input template { "awsAccountId": "<awsAccountId>", "awsRegion": "<awsRegion>", "configurationItemCaptureTime": "<configurationItemCaptureTime>", "resourceId": "<resourceId>", "resourceType": "<resourceType>", "title": "Template under ConfigDrift-EC2-Dedup4", "description": "Configuration Drift Detected.", "category": "Security", "severity": "3", "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup", "detail-type": "<detail-type>", "source": "<source>", "time": "<time>", "region": "<region>", "resources": "<resources>", "messageType": "<messageType>", "notificationCreationTime": "<notificationCreationTime>", "operationalData": { "/aws/dedup": { "type": "SearchableString", "value": "{\"dedupString\":\"ConfigurationItemChangeNotification\"}" } } } Output when using the AWS supplied Sample event called “Config Configuration Item Change” { "awsAccountId": "123456789012", "awsRegion": "us-east-1", "configurationItemCaptureTime": "2022-03-16T01:10:50.837Z", "resourceId": "fs-01f0d526165b57f95", "resourceType": "AWS::EFS::FileSystem", "title": "Template under ConfigDrift-EC2-Dedup4", "description": "Configuration Drift Detected.", "category": "Security", "severity": "3", "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup", "detail-type": "Config Configuration Item Change", "source": "aws.config", "time": "2022-03-16T01:10:51Z", "region": "us-east-1", "resources": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95", "messageType": "ConfigurationItemChangeNotification", "notificationCreationTime": "2022-03-16T01:10:51.976Z", "operationalData": { "/aws/dedup": { "type": "SearchableString", "value": "{"dedupString":"ConfigurationItemChangeNotification"}" } } }

I’m able to generate a new OpsItem for any EC2, SecurityGroup, or VPC configuration change using an EventBridge rule with the following event pattern. { "source": ["aws.config"], "detail-type": ["Config Configuration Item Change"], "detail": { "messageType": ["ConfigurationItemChangeNotification"], "configurationItem": { "resourceType": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC"] } } } The rule and target work great when using Matched event for the Input but I noticed that launching one EC2 using the AWS wizard creates at least three OpsItems, one for each resourceType. Therefore I’d like to implement a deduplication string to cut down on the number of OpsItems generated to one if possible and I’d also like to attach a category and severity to the new OpsItem. I’m trying to use an Input Transformer as recommended by the AWS documentation but even the most simplest of Input Transformers when applied prevent any new OpsItems from being generated. When I've tested, I've also ensured that all previous OpsItems were resolved. Can anyone tell me what might be blocking the creation of any new OpsItems when using this Input Transformer configuration? Here’s what I have configured now. Input path { "awsAccountId": "$.detail.configurationItem.awsAccountId", "awsRegion": "$.detail.configurationItem.awsRegion", "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime", "detail-type": "$.detail-type", "messageType": "$.detail.messageType", "notificationCreationTime": "$.detail.notificationCreationTime", "region": "$.region", "resourceId": "$.detail.configurationItem.resourceId", "resourceType": "$.detail.configurationItem.resourceType", "resources": "$.resources", "source": "$.source", "time": "$.time" } Input template { "awsAccountId": "<awsAccountId>", "awsRegion": "<awsRegion>", "configurationItemCaptureTime": "<configurationItemCaptureTime>", "resourceId": "<resourceId>", "resourceType": "<resourceType>", "title": "Template under ConfigDrift-EC2-Dedup4", "description": "Configuration Drift Detected.", "category": "Security", "severity": "3", "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup", "detail-type": "<detail-type>", "source": "<source>", "time": "<time>", "region": "<region>", "resources": "<resources>", "messageType": "<messageType>", "notificationCreationTime": "<notificationCreationTime>", "operationalData": { "/aws/dedup": { "type": "SearchableString", "value": "{\"dedupString\":\"ConfigurationItemChangeNotification\"}" } } } Output when using the AWS supplied Sample event called “Config Configuration Item Change” { "awsAccountId": "123456789012", "awsRegion": "us-east-1", "configurationItemCaptureTime": "2022-03-16T01:10:50.837Z", "resourceId": "fs-01f0d526165b57f95", "resourceType": "AWS::EFS::FileSystem", "title": "Template under ConfigDrift-EC2-Dedup4", "description": "Configuration Drift Detected.", "category": "Security", "severity": "3", "origination": "EventBridge Rule - ConfigDrift-EC2-Dedup", "detail-type": "Config Configuration Item Change", "source": "aws.config", "time": "2022-03-16T01:10:51Z", "region": "us-east-1", "resources": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95", "messageType": "ConfigurationItemChangeNotification", "notificationCreationTime": "2022-03-16T01:10:51.976Z", "operationalData": { "/aws/dedup": { "type": "SearchableString", "value": "{"dedupString":"ConfigurationItemChangeNotification"}" } } }

I am setting up a project which will publish events to EventBridge. One of the targets of these events will be an HTTP Api in Google Cloud. I know EventBridge supports Api Destinations and I am trying to set that up to send these events. I have been unable to get the connection working to the Google Api and could use some suggestions. I am trying to use OAuth credentials from the Google account to create an Api Destination/Connection. So far, the Connection is always marked as "Deauthorized". I have not been able to find any details or debug information about the connection attempt that fails. I created credentials in the Google account and downloaded the credentials json file. Setting up the connection in AWS console, I used the "client_id" property from the json file as the "Client ID" field for the connection. I think one issue may be the "Client secret" value. I was surprised that the "private_key" property in the Google json file looks like: ``` "private_key": "-----BEGIN PRIVATE KEY-----\n<lots of Base64 and several newlines>\n-----END PRIVATE KEY-----\n" ``` I tried using the value between the BEGIN PRIVATE KEY and END PRIVATE KEY tags but AWS rejected that saying it was too long. I tried a single value from between newlines, which I was allowed to save, but doesn't work. I have also tried setting this value to the "private_key_id" which also doesn't work (I didn't really expect it to, but worth a shot). There are also options to send OAuth Http Parameters and Invocation Http Parameters. I've tried adding key="scopes" and value="https://www.googleapis.com/auth/cloud-platform" for both Parameters. Has anyone had luck setting up a Connection like this to a Google account? I've also looked at Google's Workload Identity Federation, but it appears there isn't a way to use that in a no-code case like the EventBridge Api Destinations.

I am using the Amazon Selling Partner API (SP-API) and am trying to set up a Pub/Sub like system for receiving customer orders etc. The Notifications API in SP-API sends notifications of different types in 2 different ways depending on what event you are using. Some send directly to eventBridge and others are sent to SQS. https://developer-docs.amazon.com/sp-api/docs/notifications-api-v1-use-case-guide#section-notification-workflows I have correctly set up the notifications that are directly sent to eventBridge, but am struggling to work the SQS notifications. I want all notifications to be send to my own endpoint. For the SQS model, I am receiving notifications in SQS, which is set as a trigger for a Lambda function (This part works). The destination for this function is set as another eventBridge (this is that part that doesn't work). This gives the architecture as: `SQS => Lambda => eventBridge => my endpoint` Why is lambda not triggering my eventBridge destination in order to send the notifications? **Execution Role Policies:** * Lambda 1. AWSLambdaBasicExecutionRole 2. AmazonSQSFullAccess 3. AmazonEventBridgeFullAccess 4. AWSLambda_FullAccess * EventBridge 1. Amazon_EventBridge_Invoke_Api_Destination 2. AmazonEventBridgeFullAccess 3. AWSLambda_FullAccess **EventBridge Event Pattern:** `{"source": ["aws.lambda"]}` **Execution Role Trusted Entities:** * EventBridge Role `"Service": [ "events.amazonaws.com", "lambda.amazonaws.com", "sqs.amazonaws.com" ]` * Lambda Role `"Service": [ "lambda.amazonaws.com", "events.amazonaws.com", "sqs.amazonaws.com" ]` **Lambda Code:** ``` exports.handler = function(event, context, callback) { console.log("Received event: ", event); context.callbackWaitForEmptyEventLoop = false callback(null, event); return { statusCode: 200, } } ```

We installed Greengrass v2 on several EC2s that simulate edge devices. We subscribed to telemetry data from them as explained in the docs: https://docs.aws.amazon.com/greengrass/v2/developerguide/telemetry.html. We defined a very general rule on eventBridge using the default event bus and the following event pattern : { "source": ["aws.greengrass"] } We forwarded the events to a CloudWatch log group. However, we received almost no data. We notice that every time we restart the ec2, the first MQTT message is always received, but then, after a while (2-4 days), we didn't receive the messages anymore (even if we didn't change anything in the ec2 or in the Greengrass components). In the docs, it says that the telemetry agent tries to send an MQTT message every day with QOS 0, so some misses could be expected. But since we are using EC2, we assume to have an internet connection almost all the time and we expect to receive more telemetry messages. Why is this not happening? We received the expected messages only for 2/4 days. For instance, for the core device GGv2-CoreDevice, we received telemetry data on 2022-04-21 and 2022-04-22 and we didn't receive any message on the following days. Should we expect worse performance when we will use on-premise edges? IoT Greengrass Core software version: 2.5.5

I have a few team members want to work on different parts of a solution architecture. They should be able to create the following resources in their accounts, consume any updates from other team members updates to the whole solution architecture and test. These are the resources: 1. EventBridge (1 ESB) 2. C# Lambdas (6 Lambdas) 3. Cron Jobs (4 Cron Jobs) 4. On-Prem client applications (1 JavaScript applicaiton) This is our SDLC process: 1. We will use the AWS C# CDK to create the resources and roles. 2. On-Prem Jenkins to create a CI/CD To accomplish smooth development and deployment of the projects, what is the recommended way to split the projects into GitHub repositories? 1. Should the CDK (Infrastructure as Code) to create all the resources be a separate repository? Can this help the developer to deploy the resources in a single execution? 2. Should the CDK (Infrastructure as Code) to create the resource be part of the lambda or cron job itself? Any suggestions appreciated.

I sending CloudTrail API event for event source ec2 to CW Events. Following is the Event Pattern configured in EventBridge ``` { "detail": { "eventName": ["RunInstances"] "eventSource": ["ec2.amazonaws.com"] }, "detail-type": ["AWS API Call via CloudTrail"] "source": ["aws.ec2"] } ``` I am not getting complete event but the following message ``` { "omitted": true, "originalSize": 109435, "reason": "responseElements too large" } ``` If I check Quotas in CloudTrail user guide, it is mentioned that events can have a max size of 256 KB. The original size mentioned above is less than that, could anyone help me with understanding why I am not getting the complete event? Thanks!

Hello - I have a docker container that is setup as a Fargate task on an ECS cluster. Standalone this works fine. I have also setup two event rule to detect when an object is 'put' on an s3 bucket. Rule 1: posts a message to an SNS topic which is set to send me an email; Rule 2: Invoke ECS Fargate task. Both tasks appear to run, according to the event bridge monitoring. Rule 1 does indeed send an email. Rule 2, however never seems to invoke the ECS fargate task. Does anyone have ideas on what I am missing? Is there a permission or setting that needs to be added? Thank you...

We are trying to trigger a lambda when certain AWS Config rules are breached. Currently, we have linked AWS Config with AWS Cloudwatch event bridge and this triggers the lambda on any rule breach. This works great for a single region, but for multiple regions, we will have to set up AWS config rules in that region and an event bridge integration, and a lambda handler in that region as well. This is a lot of additional setups to extend this trigger to multiple regions. So, we set up an AWS Config aggregator which collects AWS config rule breaches from all regions and accounts and consolidates them in one place. If we can set up an AWS Cloudwatch event bridge trigger on the AWS Config Aggregator, it will solve our problem. I could not find anything regarding this. Also, if there is any other way to solve this problem, please let us know. Any input is greatly appreciated. Thanks.

Hi team, I create a bucket with CDK and set the property **eventBridgeEnabled to true** ``` const bucket = new Bucket( this, "myBucket", { versioned: false, publicReadAccess: false, blockPublicAccess: BlockPublicAccess.BLOCK_ALL, **eventBridgeEnabled: true**, } ); ``` but when I go to the** s3 console** and check the properties tab/ EventBridge it's still **showing "off" instead of "on"** is there anything missing? Thank you.

Hi team, I want to enable eventBridge notification on my S3 bucket via CDK, I saw it was added as a property to the bucket props as part of this PR : https://github.com/aws/aws-cdk/pull/18150 but I can't find it on the props ``` import { BlockPublicAccess, Bucket} from "@aws-cdk/aws-s3"; const myS3Bucket= new Bucket( this, "myS3Bucket", { versioned: false, publicReadAccess: false, blockPublicAccess: BlockPublicAccess.BLOCK_ALL, eventBridgeEnabled: true, -- error here ..... } ); ``` I have this error : `eventBridgeEnabled: boolean; }' is not assignable to parameter of type 'BucketProps'.` I even tried with CfnBucket but had same error ``` const bucket = new CfnBucket(this, 'MyEventBridgeBucket', { eventBridgeEnabled: true, }); ``` `Argument of type '{ eventBridgeEnabled: boolean; }' is not assignable to parameter of type 'CfnBucketProps'. Object literal may only specify known properties, and 'eventBridgeEnabled' does not exist in type 'CfnBucketProps'` I want to simply to add it in my first declaration so I can keep those properties : ``` versioned: false, publicReadAccess: false, blockPublicAccess: BlockPublicAccess.BLOCK_ALL, ``` how can I enable eventBridge on my S3 bucket via CDK ? Thank you!

Hi team, I want to create a glue trigger via the CDK and associate it with a workflow, after 5 eventBridge events => glue workflow as destination fire my glue trigger of type = "EVENT"=> glue trigger call the job the trigger is of type "EVENT" I want to add the following config to my trigger via CDK : ``` "EventBatchingCondition": { "BatchSize": 5, "BatchWindow": 900 } ``` but did not find any object allowing me to add this config to the CfnTrigger. this is my CDK code : ``` const glueEdwWorkflowTrigger = new glue.CfnTrigger( this, "trigger", { name: "trigger", workflowName: myWorkFlow.name, type: "EVENT", predicate:{conditions:[{}]}, actions: [ { jobName: myCfnJob.name, arguments: {}, }, ] } ); ``` how can I add EventBatchingCondition (BatchSize) info to my CfnTrigger? so that my trigger is fired after 5 event bridge events thanks a lot.

I'm trying to setup an aws batch job to run daily. Through the AWS batch GUI I've created the job definition, job queue & compute environment. The job can successfully run when, via batch, a new job is manually configured & submitted. I'm now trying to use an Event Bridge rule to automate the daily job execution but running into an issue. The trigger runs but returns the following error (from CloudTrail): ```json "responseElements": { "message": "shareIdentifier must be specified.", "__type": "ClientException" }, ``` When manually executing the batch job there's an option to enter a `share identifier` but when configuring the Event Bridge rule this option doesn't exist. When defining the Event Bridge rule, the following configuration has been used: * Rule Type: Schedule * Target: * Target Type: AWS Service * Select a target: Batch Job queue * The job queue, definition & name are entered Further to this, I've tried to configure target inputs (`Constant (JSON text) `) & tried the following approaches: ### First Attempt ```json { "ContainerOverrides": { "shareIdentifier": "*" } } ``` ### Second Attempt ```json { "schedulingPriorityOverride": 1, "shareIdentifier": "*" } ``` But none of these have worked. In fact, when examining Cloud Trail neither attempt appears in `requestParameters`. Any suggestions or working examples for how to solve it?

Hi, Currently we have not been able to find a way for a job to retry execution after a failure, and this is because if there is a communication failure with OnPrem, it is required that the job be re-executed automatically to guarantee the data integrity. Exist any way to do that? i mean using AWS Eventbridge or a workaround related ? Thanks in advance for any help,

I have created appflow in console.Chose Source- Salesforce event (AccountChangeEvent) & Destination - Amazon EventBridge and created flow.After that in eventbridge created event bus and associated appflow to bus. Activated flow in appflow console. Then created Rule in AWS eventbridge where chose custom API as target. Now i have to do the transformation in rule to pass SF event few data to target API, any help would be appreciated. Thanks.

Hi! We are currently using Amazon Aurora and want to scale the Read Replicas based on schedule instead of a Target Tracking Policy. While this is not natively available through the console, we plan on doing it through a Lambda function and an EventBridge rule. Is there a better way to approach our method?

I am trying to set up to receive alerts from Amazon EventBridge partners Selling Partner API (SP-API). Through the api already created destination and subscriptions. Associated with the event bus and created an API destination, Created a role in which only the account was specified as a pattern, as described in the documentation: ``` { "account": [ "1234567890" ] } ``` to increase the chance of receiving an event at an endpoint represented by an external server. I tried to create a custom bus, tied roles to it and tested it on several services, my own and https://webhook.site I tried to reproduce exactly the same actions as demonstrated in this video from the documentation https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-api-destinations.html But not a single event reached the endpoint. Even what was exactly reproduced in the video above Can you tell me the scheme in which an event is generated in the aws.partner/sellingpartnerapi.amazon.com bus and can be transmitted to an external service outside of AWS in the form of a webhook, according to the same principle as shown in the video from the documentation? What needs to be taken into account when configuring where you can look for answers, I unfortunately reached a dead end, I will be grateful for any help.

I have a Development account which only needs monitoring during business hours. Currently, notifications are being routed to OpsGenie via an SNS topic. There are options to silence the alerts at the OpsGenie level, but they are still generated, which skews alert metrics. Is there any way to prevent alerts from being sent to the topic outside of 9-5 business hours? Thanks!

I have 5 crons which have separate destination lambdas. All lambdas do same work except they just pass a different parameter to a common downstream. Currently there is no way to pass additional parameter alongside cron so that I can have 1 lambda as destination for 5 crons instead of 5 different ones. Can you add this feature?

I think there is an issue with how auth tokens are being handled/supplied. When my event bus receives an event and my rule passes the event into my API Destination my API rejects the communication with a 403. After looking at the bearer token jwt, the token creation date iat value is set to the time the API Destination & connection was authorized, even hours later. The concept of bearer tokens are to be short lived and I would expect that the API Destination would request a new bearer token each time it is invoked. example: 1. I created an API Destination w/ a valid connection on Friday Apr 1 at 7am. 2. My bearer tokens have a 60 min TTL 3. My event bus receives a valid event on Friday Apr 1 at 730am 4. A rule sends the event into my API Destination which uses its token send the event to my API and it is successful 5. My event bus receives another valid event on Friday Apr 1 at 830am 6. A rule sends the event into my API Destination which uses its token send the event to my API and it fails. For step 4 & 6 above the token is identical. I would have expected the API destination to call the auth url with its credentials to get a new bearer token From what I can tell the JWT created time will always be this date/time here and I have been fully unable to get a valid & unexpired JWT created anytime after an hour from launching the API Destination. Two supporting images [here](https://photos.app.goo.gl/nkKJG6YpKuE31fQq5)

Is there an Open Source .NET Framework that abstract out AWS CDK calls like sending message to EventBridge, logging etc...? The purpose is to focus on the business logic and not on infrastructure. [MassTransit](https://masstransit-project.com/quick-starts/sqs.html) is such a framework but does not work with EventBridge.

I'm looking for sample C# code to create EventBridge Bus, Rules, a few Lambdas and IM Security Roles to access them. I prefer infrastructure as code versus cloud formation script.

Hi there, hope you are fine. Recently I came across Sagemaker Async inference API, there we can scale down even to 0 instances. What I want is that I deploy my solution to EC2 instances using FastAPI, uvicorn and Celery or Rabbit-MQ(as message broker, for queuing). Then I can scale up and scale down instances based on traffic. Also, if that's not the case, then I keep a minimal CPU instance on always and based on that I scale up and scale down GPU instances for handling requests. Thanks , for any help. Best Regards Muhammad Ali

I am trying to setup the [AWS node termination handler](https://github.com/aws/aws-node-termination-handler), and am running into an issue where the EventBridge rule is invoked, but no messages are showing up in the sqs queue. I have tested and the termination handler is able to communicate with the SQS queue. I have also tested spinning instances up and down, and see the rule invocations for the EventBridge rules. However, there are no messages appearing in the queue... NOTE: I tried adding a photo here from cloudwatch showing rule invocations but no messages appearing in the queue, it seems like pictures are not supported here yet... Below are my configs for this: SQS policy: ```hcl resource "aws_sqs_queue_policy" "termination_handler_queue_policy" { queue_url = module.termination_handler_queue.sqs_queue_id policy = jsonencode({ "Version" : "2012-10-17", "Id" : "sqspolicy", "Statement" : [ { "Sid" : "TermEventsToHandlerQueue", "Effect" : "Allow", "Principal" : { "Service" : ["events.amazonaws.com", "sqs.amazonaws.com"] }, "Action" : "sqs:*", "Resource" : "${module.termination_handler_queue.sqs_queue_name}", "Condition" : { "ArnEquals" : { "aws:SourceArn" : ["arn:aws:events:us-east-2:${local.account_id}:rule/node-termination-asg-lifecycle-rule", "arn:aws:events:us-east-2:${local.account_id}:rule/node-termination-ec2-status-rule", "arn:aws:events:us-east-2:${local.account_id}:rule/node-termination-ec2-spot-interruption-rule", "arn:aws:events:us-east-2:${local.account_id}:rule/node-termination-ec2-rebalance-rule" ] } } } ] }) } ``` EventBridge Config: ```hcl module "termination_handler_eventbridge" { source = "terraform-aws-modules/eventbridge/aws" version = "~> 1.14.0" create_bus = false rules = { node-termination-asg-lifecycle = { description = "Capture eks asg lifecycle events." event_pattern = jsonencode({ "source" : ["aws.autoscaling"], "detail-type" : ["EC2 Instance Launch Successful", "EC2 Instance Terminate Successful", "EC2 Instance Launch Unsuccessful", "EC2 Instance Terminate Unsuccessful", "EC2 Instance-launch Lifecycle Action", "EC2 Instance-terminate Lifecycle Action"], "detail" : { "AutoScalingGroupName" : ["eks-Group_A", "eks-Group_B"] } }) enabled = true } node-termination-ec2-status = { description = "Capture ec2 status events" event_pattern = jsonencode({ "source" : ["aws.ec2"], "detail-type" : ["EC2 Instance State-change Notification"] }) enabled = true } node-termination-ec2-spot-interruption = { description = "Capture spot interruption events" event_pattern = jsonencode({ "source" : ["aws.ec2"], "detail-type" : ["EC2 Spot Instance Interruption Warning"] }) enabled = true } node-termination-ec2-rebalance = { description = "Capture ec2 rebalance events" event_pattern = jsonencode({ "source" : ["aws.ec2"], "detail-type" : ["EC2 Instance Rebalance Recommendation"] }) enabled = true } } targets = { node-termination-asg-lifecycle = [ { name = "termination_handler-sqs-life" arn = module.termination_handler_queue.sqs_queue_arn }, ] node-termination-ec2-status = [ { name = "termination_handler-sqs-status" arn = module.termination_handler_queue.sqs_queue_arn }, ] node-termination-ec2-spot-interruption = [ { name = "termination_handler-sqs-int" arn = module.termination_handler_queue.sqs_queue_arn }, ] node-termination-ec2-rebalance = [ { name = "termination_handler-sqs-rebalance" arn = module.termination_handler_queue.sqs_queue_arn }, ] } tags = { Name = "node-termination-handler-bus" Service = "aws-node-termination-handler" } } ```

The team comprises of 4 developers who would be working on features parallelly. The resources being used are **EventBridge**, **ECS**, **Fargate** etc... My questions are: 1. Is there any framework and CLI available to create **EventBridge** and other resources locally on developers' laptop? 2. Should the developers use the same **EventBridge** from the AWS Environment during the development? This can create conflicts between developers if they share some code. 3. Should the developers create their own environment with **EventBridge** in their AWS account during development? This can avoid conflicts. 4. Should the developers use the same AWS environment but create their own resources with different names?

I have a UI application which is not responsive sometimes. As a result, the user clicks the *submit* button multiple times. I'm planning to integrate this application with **EventBridge**. It is possible that the application can send the same message from the UI multiple times. We want to filter out the duplicate messages that come from the UI. Is there any **AWS framework CDK** which is written with *de-duplication* in mind and can be used along with *EventBridge*?

I'm using the following scenario to explain the problem. I have an ecommerce app which allows the customers to sign up and get an immediate coupon to use in the application. I want to use **EventBridge ** and a few other resources like a Microsoft SQL Database and Lambdas. The coupon is retrieved from a third-party API which exists outside of AWS. The event flow is: Customer --- *sends web form data* --> EventBridge Bus --> Lambda -- *create customer in SQL DB* --*get a coupon from third-party API* -- *sends customer created successfully event* --> EventBridge Bus Creating a customer in SQL DB, getting the coupon from the third-party API should happen in a single transaction. There is a good chance that either of that can fail due to network error or whatever information that the customer provides. Even if the customer has provided the correct data and a new customer is created in the SQL DB, the third-party API call can fail. These two operations should succeed only if both succeed. Does EventBridge provide distributed transaction through its .NET SDK? In the above example, if the third-party call fails, the data created in the SQL database for the customer is rolled back as well as the message is sent back to the queue so it can be tried again later. I'm looking for something similar to [TransactionScope](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/servicebus/Azure.Messaging.ServiceBus/samples/Sample06_Transactions.md) that is available in Azure. If that is not available, how can I achieve distributed transaction with EventBridge, other AWS resources and third-party services which have a greater chance of failure as a unit.

I have setup the following workflow: - private REST API with sources `/POST/event` and `/POST/process` - a `VPCLink` to an `NLB` (which points to an `ALB` pointing to a microservice running on `EKS`) - a `VPC endpoint` with DNS name `vpce-<id>-<id>.execute-api.eu-central-1.vpce.amazonaws.com` with `Private DNS enabled` - an EventBridge `EventBus` with a rule that has two targets: 1 `API Destination` for debugging/testing and 1 `AWS Service` which points to my private REST Api on the source `/POST/process` - all required `Resource Policies` and `Roles` - all resources are defined within the same AWS Account The **designed** worflow is as follows: - invoke `POST/event` on the VPC endpoint (any other invocation is prohibited by the `Resource Policy`) with an `event` payload - the API puts the `event` payload to the `EventBus` - the `EventBusRule` is triggered and sends the `event` payload to the `POST/process` endpoint on the private REST API - the `POST/process` endpoint proxies the payload to a microservice running on EKS (via `VPCLink` > `NLB` > `ALB`> `k8s Service`) **What does work** so far: - invoking `POST/event` on the VPC endpoint - putting the `event` payload to the `EventBus` - forwarding the `event` payload to the `API Destination` set up for testing/debugging (it's a temporary endpoint on https://webhook.site) - testing the `POST/event` and `POST/process` integration in the AWS Console (the latter is verified by checking that the `event` payload reaches the microservice on EKS successfully) That is all single steps in the workflow seem to work, and all permissions seem to be set properly. **Whad does not work **is invoking the `POST/process` endpoint from the `EventBusRule`, i.e. invoking `POST/event` does not invoke `POST/process` via the `EventBus`, _although_ the `EventBusRule` was triggered. So my **question** is: **How to invoke a private REST API endpoint from an EventBusRule?** **What I have already tried:** - change the order of the `EventBusRule targets` - create a Route 53 record pointing to the `VPC endpoint` and treat it as an (external) `API Destination` - allow access from _anywhere_ by _anyone_ to the REST API (temporarily only, of course) **Remark on the design:** I create _two_ endpoints (one for receiving an `event`, one for processing it) with an EventBus in between because - I have to expect a delay of several minutes between the `Event Creation/Notification` and the successful `Event Processing` - I expect several hundred `event sources`, which are different AWS and Azure accounts - I want to keep track of all events that _reach_ our API and of their successful _processing_ in one central EventBus and _not_ inside each AWS account where the event stems from - I want to keep track each _failed_ event processing in the same central EventBus with only one central DeadLetterQueue

I have created an ECS Fargate Task, which I can manually run. It updates a Dynomodb and I get logs. Now I want this to run on a schedule. I have setup a scheduled ECS task through EventBridge and through the UI in the ECS cluster. However, this does not run. My looking at the EventBridge logs I can see that the container has been stopped for the following stopped reason: ``` ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr.... ``` I thought this might be a problem with permissions. However, I tested giving the Task Execution Role full power user permissions and I still get the same error. Could the problem be something else?

Configuration: DynamoDB streams (delete event - ttl 90 minutes) => lambda => Event Bridge => Kinesis Firehose (Delivery stream with Direct PUT => S3 bucket (firehose destination) => SQS (triggerd on object create) => lambda X We are seeing 1-3 days delay in the lambda function X from being invoked. In some cases we are not seeing it invoked. No errors. No errors in the kinesis error logs. It looks like object is getting created after a delay in s3 bucket. Max retry is 24 hours. Where could the delay occur? Whats the best way to troubleshoot this?

We're trying to send an event to EventBridge after a producer publishes to a Kinesis Data Stream. We then want to configure EventBridge api destination to send event to Salesforce and create a platform event. Kinesis -> EventBridge-> Rule+ Bus + Api Destination-> Salesforce 1) We first thought that we can setup a rule on EventBridge so that certain kinesis events based on filtering criteria can be routed to an event bus. We were unsuccessful to find any kinesis events routed to EventBridge. **Do we need an additional layer between Kinesis and EventBridge? ** 2) We then tried lambda based approach. Wrote a lambda with Kinesis as trigger and EventBridge as destination. While we saw lambda function getting executed but destination never gets invoked. On further research it seems that on success destination isn't supported on a lambda where Kinesis is configured as trigger. Can someone confirm this? Looking for some guidance on if pattern 1 and pattern 2 are at all feasible and any pointers on implementation.

I have a target configured to log eventbridge events on the default bus. I just activated events from an s3 bucket, then I uploaded 3 files to the bucket, waited a few minutes, and deleted the files. Finally (about 1 hour later) I uploaded one more file. I see exactly 1 'Object Deleted' event from around the time I deleted 3. I would expect to see 3 'Object Created', 3 'Objected Deleted' at the earlier time, then one 'Object Created' at the subsequent time; no apparent errors in CloudTrail; all of this done using the console (after a similar pattern observed when updates were made via CloudFormation). Anything else I can do to debug?

Hi, Is even Bridge is Truly FIFO. Are events in event bridge in FIFO manner or Random? Regards Jo

I am trying to automate Fargate AWS Batch jobs by means of AWS Cloudwatch Events. So far, so good. I am trying to run the same job definition with different configurations. I am able to set the batch job as a cloudwatch event target. I have learned how to use the Constant (JSON text) configuration to set a parameter of the job. Thus, I can set the name parameter successfully and the job runs. However, I am not able to also set the memory and cpu settings in the Cloudwatch event. I would like to use a larger machine for a a bigger port such as Singapore, without changing the job definition. After all, at the moment it still uses the default vpcu and memory settings of the job definition. ``` { "Parameters": {"name":"wilhelmshaven"}, "ContainerOverrides": { "Command": ["upload_to_day.py", "-port_name","Ref::name"], "resourceRequirements": [ {"type": "MEMORY", "value": "4096"}, {"type": "VCPU", "value": "2"} ] } } ``` Does any one know how to set the Constant (JSON text) configuration or input transformer correctly? Edit: If I try the same thing using the AWS CLI, I can achieve what I would like to do. ``` aws batch submit-job \ --job-name "run-wilhelmshaven" \ --job-queue "arn:aws:batch:eu-central-1:123666072061:job-queue/upload-raw-to-day-vtexplorer" \ --job-definition "arn:aws:batch:eu-central-1:123666072061:job-definition/upload-to-day:2" \ --container-overrides '{"command": ["upload_to_day.py", "-port_name","wilhelmshaven"], "resourceRequirements": [{"value": "2", "type": "VCPU"}, {"value": "4096", "type": "MEMORY"}]}' ```

I'm going to share parameter stored in SSM Parameter Store to all accounts in my AWS Organization. I would like track when then parameter was read (to gather statistics for parameter usage across my accounts) I noticed that EventBridge is only catching SSM Parameter Store changes like: Update, Delete, Create Is there an option to track reads?

As I understand in order to put events on to the default bus, I need to associate/create a role with PutEvents permission. How can I do that in cdk to put aws apigateway events on to default bus. Thanks

I have created an ECS Fargate Task, which I can manually run. It updates a Dynomodb and I get logs. Now I want this to run on a schedule. I have setup a scheduled ECS task through EventBridge and through the UI in the ECS cluster. However, this does not run. I have used the cron scheduler and I have also tried the 'Run at fixed interval' option, which also doesn't work. As far as possible I am using the same settings when I run the task manually and in EventBridge. I've tried the default capacity provider (and made sure that's set to Fargate in the cluster). I've tried using manually defined permissions and I've tried letting EventBridge make it's own permissions. I see a 'Failed Invocation' in CloudWatch metrics, for every invocation of the task. But I am unable to find any other logs to debug. The task seems to not start: no logs are generated and the failed invocation happens at the same time as the invocation. Are there any logs I could share that would help diagnose? Does anyone have any suggestions for what might be causing this failure?

Hey, since I started logging my API calls I realized there might be some bugs in Eventbridge scheduled HTTP Api Invocations. In general, the Apis don't get invoked when they should be. Often they get invoked twice instead of once. For example my Eventbridge cron expression is: 10 8-18 ? \* 2-6 \* so at minute 10 from 8-18 on any day of the month on any month from 2nd to 6th day of the week (which ends up being Monday to Friday) and any year. Now my API logs for this look like this: - 2022-03-14 13:30:08.963665 +00:00 - 2022-03-14 13:34:02.215564 +00:00 - 2022-03-14 13:38:29.776793 +00:00 - 2022-03-14 13:43:29.320522 +00:00 - 2022-03-14 13:46:57.916126 +00:00 - 2022-03-14 13:51:55.419461 +00:00 - 2022-03-14 13:56:47.090243 +00:00 - 2022-03-14 14:00:41.538169 +00:00 - 2022-03-14 14:06:09.226878 +00:00 - 2022-03-14 14:09:23.691206 +00:00 - 2022-03-14 14:10:22.682902 +00:00 - 2022-03-14 14:11:25.746832 +00:00 - 2022-03-14 14:13:23.880627 +00:00 - 2022-03-14 14:15:23.361370 +00:00 - 2022-03-14 14:16:43.967781 +00:00 - 2022-03-14 14:19:01.799442 +00:00 - 2022-03-14 14:24:30.163322 +00:00 - 2022-03-14 14:25:09.470810 +00:00 - 2022-03-14 14:27:52.924405 +00:00 - 2022-03-14 14:33:32.610750 +00:00 - 2022-03-14 14:33:44.313787 +00:00 It gets invoked many more times!!! Day of the week, month etc. seem to work and in the header it shows AWS eventbridge. "user-agent": "Amazon/EventBridge/ApiDestinations" so it definitely gets invoked by Evenbridge. What is going on??

Hello, I am using eventbride to issue EC2 RebootInstances API Call to a number of machines. Most shutdown and boot well. 1 does not seem to receive the shutdown request and does a dirty restart. I can see that successful machines have an event 109: 'The kernel power manager has initiated a shutdown transition. Shutdown Reason: Kernel API' . The failed machine does not. Checking the SSM logs on a good and bad machine, the log before the reboot looks identical other than time stamps. These two comparison machines are same ssm agent version, same windows, instance type. Cloudtrail / eventbridge logs don't show failures. Can anybody give me a pointer where to look for this issue? thank you

Hi, Just want to check that by default in event bridge events are Processed in FIFO order. Can you please guide me how to change the priority/order of the event? Regards JO

I have many glue jobs with similar job names, and I'm using Eventbridge to monitor these jobs, once a job failed, trigger lambda to send email. below is current schema, there're too many glue jobs, the length of json exceeded the limit, so I have to create 2 rules to cover all the jobs. Q: can I use regular expression in "jobName" ? or can I use another parameter instead of "jobName" to filter glue jobs? ``` { "detail-type": ["Glue Job State Change"], "source": ["aws.glue"], "detail": { "jobName": ["glue_job_1", "glue_job_2", "glue_job_3", "glue_job_4", "glue_job_5".....], "state": ["FAILED"] }, "region": ["ap-southeast-1"], "account": ["xxxxxxxx"] } ``` Thanks for your answer!

I have created a brand new AWS account (just to troubleshoot this issue) and the default VPC and subnets of every region in this account are left pristine and unmodified. Here's the default VPC in `us-east-1`: $ aws ec2 describe-vpcs { "Vpcs": [ { "CidrBlock": "172.31.0.0/16", "DhcpOptionsId": "dopt-095a7873b289557a1", "State": "available", "VpcId": "vpc-08ba51697a37c5ad9", "OwnerId": "...", "InstanceTenancy": "default", "CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-0dba5df7b176877b7", "CidrBlock": "172.31.0.0/16", "CidrBlockState": { "State": "associated" } } ], "IsDefault": true } ] } Here's the route table for this VPC: $ aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-08ba51697a37c5ad9 { "RouteTables": [ { "Associations": [ { "Main": true, "RouteTableAssociationId": "rtbassoc-08e6f9833f341f6c4", "RouteTableId": "rtb-000d61d5d0236d276", "AssociationState": { "State": "associated" } } ], "PropagatingVgws": [], "RouteTableId": "rtb-000d61d5d0236d276", "Routes": [ { "DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable", "State": "active" }, { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b7ed209f5cd38fa6", "Origin": "CreateRoute", "State": "active" } ], "Tags": [], "VpcId": "vpc-08ba51697a37c5ad9", "OwnerId": "..." } ] } As you can see, the second route permits egress to the internet: { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b7ed209f5cd38fa6", "Origin": "CreateRoute", "State": "active" } So I assume if I deploy an ECS Fargate task in this VPC, it should be able to pull `amazoncorretto:17-alpine3.15` from `docker.io`. Despite that, whenever I deploy my CloudFormation stack, ECS fails to run the scheduled task as it cannot fetch the images from DockerHub and prints this error: > CannotPullContainerError: > inspect image has been retried 5 time(s): > failed to resolve ref "docker.io/library/amazoncorretto:17-alpine3.15": > failed to do request: Head https://registry-1.docker.io/v2/library/amazoncorretto/manifests/17-alpine3.15: dial ... Here's my CloudFormation template (I have intentionally given wide open permissions to all the roles involved to make sure this issue is not due to insufficient IAM permissions): AWSTemplateFormatVersion: "2010-09-09" Description: ECS Cron Task Parameters: AppName: Type: String Default: CronTask AppImage: Type: String Default: amazoncorretto:17-alpine3.15 AppLogGroup: Type: String Default: ECS AppLogPrefix: Type: String Default: CronTask ScheduledTaskSubnets: Type: List<AWS::EC2::Subnet::Id> Default: "subnet-0031a6eaf7e52173c, subnet-01950a0d2d1e04dc1, subnet-0a1aa70f0421e2025, subnet-036abb95995a86c73, subnet-0f8b5043babfb9a7e, subnet-07cb2210ce2d5bb8f" Resources: Cluster: Type: AWS::ECS::Cluster TaskRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Policies: - PolicyName: AdminAccess PolicyDocument: Version: "2012-10-17" Statement: - Action: "*" Effect: Allow Resource: "*" TaskExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy Policies: - PolicyName: AdminAccess PolicyDocument: Version: "2012-10-17" Statement: - Action: "*" Effect: Allow Resource: "*" TaskScheduleRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: events.amazonaws.com Path: / Policies: - PolicyName: AdminAccess PolicyDocument: Statement: - Action: "*" Effect: Allow Resource: "*" TaskDefinition: Type: AWS::ECS::TaskDefinition Properties: Cpu: 256 Memory: 512 NetworkMode: awsvpc TaskRoleArn: !Ref TaskRole ExecutionRoleArn: !Ref TaskExecutionRole Family: !Ref AppName RequiresCompatibilities: - FARGATE ContainerDefinitions: - Name: !Ref AppName Image: !Ref AppImage Command: ["java", "--version"] Essential: true LogConfiguration: LogDriver: awslogs Options: awslogs-create-group: true awslogs-group: !Ref AppLogGroup awslogs-region: !Ref "AWS::Region" awslogs-stream-prefix: !Ref AppLogPrefix TaskSchedule: Type: AWS::Events::Rule DependsOn: - TaskScheduleRole - DeadLetterQueue Properties: Description: Trigger the task once every minute ScheduleExpression: cron(0/1 * * * ? *) State: ENABLED Targets: - Arn: !GetAtt Cluster.Arn Id: ClusterTarget RoleArn: !GetAtt TaskScheduleRole.Arn DeadLetterConfig: Arn: !GetAtt DeadLetterQueue.Arn EcsParameters: LaunchType: FARGATE TaskCount: 1 TaskDefinitionArn: !Ref TaskDefinition NetworkConfiguration: AwsVpcConfiguration: Subnets: !Ref ScheduledTaskSubnets DeadLetterQueue: Type: AWS::SQS::Queue Properties: QueueName: "CronTaskDeadLetterQueue" DeadLetterQueuePolicy: Type: AWS::SQS::QueuePolicy Properties: Queues: - !Ref DeadLetterQueue PolicyDocument: Statement: - Action: "*" Effect: Allow Resource: "*" What am I missing here? Why despite running the task in a public subnet/VPC (below), AWS cannot pull the image from `docker.io`? Is something missing in my `TaskSchedule` resource? TaskSchedule: Type: AWS::Events::Rule ... Properties: ... Targets: - ... EcsParameters: LaunchType: FARGATE TaskCount: 1 TaskDefinitionArn: !Ref TaskDefinition NetworkConfiguration: AwsVpcConfiguration: Subnets: !Ref ScheduledTaskSubnets Thanks in advance.

Hello! I have two separate serverless.yml projects that have to interact with an EventBridge rule and I'm struggling to figure out how to update the resources section in both to support this. Here's an example of what I mean: **EntryPoint Lambda**: This lambda gets the request from the front end and then submits a message to the EventBridge rule we have setup. The EventBridge rule is setup in the serverless.yml file like so: ``` resources: Resources: RegisterEventBridge: Type: "AWS::Events::Rule" Properties: Name: "RegisterCloseEventBridge" Description: "Event rule for Closing Register event." State: "ENABLED" EventPattern: source: - "register.close.${self:provider.stage}" ``` **Consumer**: This lambda function gets triggered by a SQS message. The SQS is a target for the EventBridge rule so it seems like the queue itself should be created in this service. Below is the resources: ``` resources: Resources: ClosingRegisterQueue: Type: "AWS::SQS::Queue" Properties: QueueName: "closing-register-sqs-${self:provider.stage}" RegisterEventBridge: Type: "AWS::Events::Rule" Properties: Name: "RegisterCloseEventBridge" EventPattern: source: - "register.close.${self:provider.stage}" Targets: - Arn: !GetAtt ClosingRegisterQueue.Arn Id: "SA" ``` But obviously this does not work because the RegisterEventBridge rule already exists in the previous stack. Is there any way I can simply import it into this stack for this purpose?

We would like to use an EventBridge Rule to trigger a webhook for one of our internal applications. The problem is that it appears as if API Destinations can't connect to applications inside of our VPC. Our application is behind an internal ALB so it can't be connected to from the Internet. Is there some way for EventBridge to hit a HTTPS endpoint on an internal ALB?

Hi Everyone, I use a lambda with an EventBridge set to 2 minutes to scan an FTP server where some files are stored. Every two minutes, my lambda goes and check if there are new files that have not been previoulsy uploaded to a target S3 bucket. If there is a such a file, it downloads it in the lambda tmp folder and then uploads it to the S3. I never have a lot of files to download at once, but it may happen in the future. As a consequence, I am wondering what is happening after the 2 minutes set for the EventBridge. Does the same lambda stops and clears its tmp folder and restarts again? If It was in the middle of uploading a file to the S3 from its tmp folder, will it stop? Many thanks Antoine

I have created a topic and subscribed with an email endpoint, targeting to be mailed for any anomalies such as aborted backups and failed backups through an email. Have created a rule in Event bridge to collect backup job state change event and pointed to the SNS topic. Have tried a subscription filtering policy on the topic as below: { "state": [ { "anything-but": [ "CREATED", "PENDING", "RUNNING", "COMPLETED" ] } ] } yet the result is not as expected.

Hello, we have configured configured Control Tower landing zone and enrolled tens of accounts in our organization. We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in organization and be notified when the action occurs via Slack or Pagerduty. Is there any out of box solution or recommended approach? I am considering two approaches: 1. Listen Cloudtrail S3 logs bucket Create an account which will have read only access to cloudtrail logs S3 bucket in Log Archive account. Lambda function will be triggered on new records in bucket. It will download the files from S3 and parse the events. Huge disadvantage is that it'll have to parse all cloudtrail entries which could be expensive and in inefficient. 2. Aggregate events using EventBridge buses Create dedicated account "Audit Notifications" where will be EventBridge event bus aggregating matched events from all other accounts. There will be configured event rule with Lambda target forwarding matched events from all accounts to Slack/Pagerduty/... in "Audit Notifications" account. Event rule forwarding matched events to Event Bus target in "Audit Notifications" will be deployed into each governed region in each member account. Similar as described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/ I favor second approach, but maybe there are some other options. thanks

Starting a Glue workflow with an EventBridge event set only (as Run properties) the IDs of the events that started the workflow. Are passing the full EventBridge events supported in Glue Workflows?

I have setup a Slack API Destination in Eventbridge. I've test the api destination with custom pattern using simple message, it works. But when I add additional rule to use AWS Pre-defined event pattern for Elastic Beanstalk resource status change, the notification never arrived in the slack channel. I updated the rule with below configuration as instructed in documentation. But still not working * Include a header parameter that defines the content type as “application/json;charset=utf-8”. * Use an input transformer to map the input event to the expected output for the Slack API, namely ensure that the payload sent to the Slack API has “channel” and “text” key/value pairs.

I was writing a CF template today that creates a periodic EventBridge rule. One of the parameters my template therefore accepts is the cron expression for setting the ScheduleExpression on this rule. I struggled for a while getting the expression right for my own use case, and wanted to add an AllowedPattern rule to my parameter. I went looking for a RegEx that I could use, and had no luck. There is a Gist, not updated in a few years, out there that presents this monster: ``` "^(rate\\(((1 (hour|minute|day))|(\\d+ (hours|minutes|days)))\\))|(cron\\(\\s*($|#|\\w+\\s*=|(\\?|\\*|(?:[0-5]?\\d)(?:(?:-|\/|\\,)(?:[0-5]?\\d))?(?:,(?:[0-5]?\\d)(?:(?:-|\/|\\,)(?:[0-5]?\\d))?)*)\\s+(\\?|\\*|(?:[0-5]?\\d)(?:(?:-|\/|\\,)(?:[0-5]?\\d))?(?:,(?:[0-5]?\\d)(?:(?:-|\/|\\,)(?:[0-5]?\\d))?)*)\\s+(\\?|\\*|(?:[01]?\\d|2[0-3])(?:(?:-|\/|\\,)(?:[01]?\\d|2[0-3]))?(?:,(?:[01]?\\d|2[0-3])(?:(?:-|\/|\\,)(?:[01]?\\d|2[0-3]))?)*)\\s+(\\?|\\*|(?:0?[1-9]|[12]\\d|3[01])(?:(?:-|\/|\\,)(?:0?[1-9]|[12]\\d|3[01]))?(?:,(?:0?[1-9]|[12]\\d|3[01])(?:(?:-|\/|\\,)(?:0?[1-9]|[12]\\d|3[01]))?)*)\\s+(\\?|\\*|(?:[1-9]|1[012])(?:(?:-|\/|\\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|\/|\\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\\?|\\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\\s+(\\?|\\*|(?:[0-6])(?:(?:-|\/|\\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|\/|\\,|#)(?:[0-6]))?(?:L)?)*|\\?|\\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\\s)+(\\?|\\*|(?:|\\d{4})(?:(?:-|\/|\\,)(?:|\\d{4}))?(?:,(?:|\\d{4})(?:(?:-|\/|\\,)(?:|\\d{4}))?)*))\\))$" ``` However, when I tried to use this in a CF template... ``` Parameters: Schedule: { Type: String, Description: "AWS Schedule Expression representing how often the Lambda will run. Default is once per week, Sunday at noon.", AllowedPattern: "^(rate\\(((1 (hour|minute|day))|(\\d+ (hours|minutes|days)))\\))|(cron\\(\\s*($|#|\\w+\\s*=|(\... ...?)*))\\))$" } ``` This failed and said my yaml was invalid. The column specified pointed to the cause being the escaped forward slashes, i.e. "\/". I have read some places that "\/" is not a valid escape sequence in the version of yaml that CF uses. Is this true, and does anyone have a regex for ScheduleExpressions that works in a yaml CF template? The Gist I can the above RegEx from is here: [https://gist.github.com/andrew-templeton/aca7fc6c166e9b8a46aa]()

I'm trying to use EventBridge to listen for EC2 autoscaling termination events, and send a shell command to the instance to do some work before the instance terminates. I followed this guide: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ec2-run-command.html However, it doesn't explain how Target Key and Target Value input boxes are used. I don't understand why it uses tag:environment in this case. I assume I'm supposed to input the instance id of the EC2 instance, and I know that the instance id is in the json body of the termination event. Is there a way I can pass variables to the Target Key and Target Value?

When an event is sent to an API Destination, does the connection associated with the API Destination do 1 read from AWS Secrets Manager. So if 10000 events are sent to an API destination, would that cost $0.05 + $0.40c for AWS Secrets Manager per month? Thanks

Is it possible to send an event to an http endpoint that has no basic/api key/ oauth? In the console when creating the connection for the API destination you must select at least one form of auth.

I have an ApiGatewayv2 EventBridge-PutEvents Integration running. The POST body is sent into event bridge as the event Detail. The Integration request parameters are as below: ``` { 'Source': 'com.me.api', 'DetailType': 'ApiEvent', 'Detail': $request.body, 'EventBusName': BUS_NAME, } ``` If I post {"foo": "bar"} to the API endpoint, I end up with an event in my bus with {"foo": "bar"} as the `Detail`. So far, all straightforward. I have also enabled an authorizer on the API GW and I want to pass the context from that authorizer into the event Detail as well. I'm testing with an IAM authorizer for now, but would like to use Cognito. I can update the request parameters to change the DetailType to `$context.identity.caller` and I get my Access Key in the DetailType of the Event. This isn't what I want, but it shows that I **can** access these [context variables][1] in my integration. What I want is for that to be in the Detail though - not the DetailType. So, when I POST {"foo": "bar"} to my API GW I get an event with Detail: ``` { "body": {"foo":, "bar"}, "auth": {"user": "AAA1111ACCESSKEY"} } ``` But, I can't use anything other than `$request.body` as the Detail value in the Integration's request parameters. If I use a Detail like `{"body": $request.body}` I get an error on saving the integration - `Invalid selection expression specified: Validation Result: warnings : [], errors : [Invalid source: {"body": $request.body} specified for destination: Detail]` And, I've tried that with stringified {\"body\": $request.body} as well. How can I wrap the POST data in a key like "body" within the event's Detail, and add key/values from the context variables I get from the authorizer. Or, some other way to inject the authorizer context into my Event. Should I just give up and use a lambda to access the ApiGw context and run PutEvent? Seems defeatist! [1]: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html

I currently have an input transformer that is modifying an event and forwarding on certain values to an API Destination. I am hoping that it is also possible to access some values in parameter store, so that I can also add these values to my transformed event. Is this possible?

If you go into DMS service there is a tab for Event Subscription. if you register a topic, then you will get notification of every event that happens in the event tab. For example, then you reboot a DMS instance, there will be two events (replication application shutdown followed by replication application restarted.) if on the other hand, you use EventBridge, then you will only get a single event from CloudTrail called "RebootReplicationInstance". The same holds true with events surrounding tasks. We intentionally caused an issue with a task by deleting the source database. within the DMS application, we can see the following: * Replication task has started * Replication task has failed. Reason: Last Error ODBC general error. Stop Reason RECOVERABLE_ERROR Error Level RECOVERABLE. But if you look at the events emitted by EventBridge, you only see the StartReplicationTask coming from CloudTrails. Sorry for the long question, but why does EventBridge not provide the same sequence of events that you can see within the Application.

Hello all, Our environment contains: - AWS EventBridge event to run an AWS Fargate task once an hour; - AWS ECS event and lambda to monitor task status changes Lately, we sometimes see that the AWS Fargate task fails to start due to the stopReason: > Rate limit exceeded while preparing network interface to be attached to instance I have checked our quotas, and we are very far (<50 ENIs out of 5000 per region). 1. What is the cause for this error? 2. Is a retry (the lambda to RunTask the task) a good workaround? Thank you in advance, Boris.

We have a business requirement to transform and send a request via a POST, with a custom 'origin' header value. When trying to send the request with the header key 'origin' and the header value 'blah' I can see that it arrives at the destination with **any** origin header. If I send the header 'origin1' with value blah, I can see this arrive at the destination. Is there a list of hidden reserve headers that cannot be modified? Is an alternative solution to integrate with API Gateway or a Lambda that could add this header and send the request on?

I created an event bridge rule which should trigger on any DMS event. Currently the event bridge rule sends the message to SNS which sends an email to my personal email address. within DMS I reboot a DMS instance which produces two events: *dms-instance replication-instance January 24, 2022, 11:45:33 (UTC-05:00) Replication application restarted dms-instance replication-instance January 24, 2022, 11:45:20 (UTC-05:00) Replication application shutdown * however, I don't see these two events triggering my Event Bridge Rule. Not sure if i am doing something wrong. In Event Bridge rule, the event pattern is: { "source": ["aws.dms"] } and the single target is: Name: Default_CloudWatch_Alarms_Topic Type: SNS topic (sends email)

When uploading a large file (I tried it with 60 MB) to S3 using e.g. browser upload with an AWS KMS managed customer master key (SSE-KMS)(!), no 'ObjectCreated'-Events will be triggered. As a consequence an attached lambda function won't trigger. The same setup works without any kind of issues when uploading smaller files (I tried it with 2MB) That is quite strange and I wonder, why it has not been fixed yet. Can you provide guidance here? Further evidence next to my own observation: https://stackoverflow.com/questions/67917878/aws-s3-lambda-function-doesnt-trigger-when-upload-large-file#comment125169885_67917878 https://stackoverflow.com/questions/61125071/lambda-not-invoking-if-the-uploaded-files-are-large-in-size-in-s3-bucket#comment125169907_61125071 https://forums.aws.amazon.com/thread.jspa?messageID=588242&#588242 (last post) Since no one was able to provide an answer that actually tackles the problem in those posts, it looks like this a bug to me. In that case I would suggest to fix it :)

Hi all, I'm trying to implement a simple webservice which processes uploaded files and returns a response to the uploader. Based on AWS I've got this (incomplete) workflow in my mind: 1. Client uploads file to S3. 2. Client sends SQS message which triggers the Lambda function. 3. Lambda downloads and processes the file and uploads the result to S3. 4. As soon as processing is finished the individual uploader is notified and downloads the result from S3. Now I'm facing the following problem: I'd like to benefit from the advantages of combing AWS Lambda with SQS. On the other hand, I lose the capability to directly return sth from the Lambda function to the client. How could this loss be replaced? I've already had SNS in mind, which seems rather suitable for publishing notifications to a whole bunch of (less dynamic) recipients instead of one individual client per Lambda call. Is EventBridge with AWS Gateway as target maybe the right direction? I again face the problem of filtering out the correct recipient for an individual "AWS Lambda response event". Or is it the only solution to drop the SQS service which then allows to directly send Lambda output to the client? Remarks: Input file size: 1-25MB Lambda processing time: ~20sec thanks for any advice!

Hi, I created an EventBridge rule that is triggered on a cron schedule and invokes an API destination. When the rule fires, I am seeing an error message in the DLQ that has the following details: ERROR_CODE | String | NO_PERMISSIONS ERROR_MESSAGE | String | Unable to invoke ApiDestination endpoint: Internal Failure I assume it's IAM related, however the IAM role was auto-generated when the rule was created. I am unsure of what I need to add/update in order to mitigate the error. For reference, a similar question was asked here: https://forums.aws.amazon.com/thread.jspa?threadID=340331 I'm happy to provide more details as necessary. Thanks.

I have two, almost identical, EventBridge Rules and one runs but the other fails and I don't know why. These rules both run a CodeBuild job to rebuild our database every Saturday morning. They are generated with almost identical CloudFormation stacks doing almost the exact same thing. If I run the CodeBuild jobs manually, it works fine, so I don't think it's the job itself. However, one EventBridge Rule runs every week and the other fails. Since EventBridge doesn't generate any logs of any kind, how can I determine what the problem is? I've tried moving the cron() schedule around to see if there is some sort of issue, but nothing seems to work. The Rule fires and fails, every time.

When working with Lambda Functions to handle EventBridge events from an S3 bucket with versioning enabled, I find that the VersionId field of the AWS Event object always shows a null value instead of the true value. For example, here is the JSON AWSEvent that uses the aws.s3@ObjectDeleted schema. This JSON was the event payload that went to my Lambda Function when I deleted an object from a bucket that had versioning enabled: Note that $.object.versionId is null but when I look in the bucket, I see unique Version ID values for both the original cat pic "BeardCat.jpg" and its delete marker. Also, I found the same problem in the AWSEvent JSON for an aws.s3@ObjectCreated event, too. There should have been a non-null VersionId in the ObjectCreated event and the ObjectDeleted event. Have I found a bug? Note: Where you see 'xxxx' or 'XXXXXXXXX' I was simply redacting AWS Account numbers and S3 bucket names for privacy reasons. ``` { detail: class ObjectDeleted { bucket: class Bucket { name: tails-dev-images-xxxx } object: class Object { etag: d41d8cd98f00b204e9800998ecf8427e key: BeardCat.jpg sequencer: 0061CDD784B140A4CB versionId: null } deletionType: null reason: DeleteObject requestId: null requester: XXXXXXXXX sourceIpAddress: null version: 0 } detailType: null resources: [arn:aws:s3:::tails-dev-images-xxxx] id: 82b7602e-a2fe-cffb-67c8-73b4c8753f5f source: aws.s3 time: Thu Dec 30 16:00:04 UTC 2021 region: us-east-2 version: 0 account: XXXXXXXXXX } ```

Hi, I am trying to trigger a run command document on a bunch of ec2 instances when a parameter in parameter store is updated. The rule gets triggered as expected but I can see from the Events in CloudWatch that all invocations fail. I'm a bit lost as how to troubleshoot it as there don't seem to be any logs available in Event Bridge. I'm thinking it might be to do with the IAM role used for the targets. If you set up the targets manually through the Event Bridge console this role can be created automatically, however I am required to create all infra via Terraform so I need to create and assign the role separately. Documentation on the role requirements is a bit thin on the ground, but this is what I have so far ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": "arn:aws:ec2:eu-west-2:xxxxxxxxxxxx:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/os_type": "*" } } }, { "Sid": "", "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent" }, { "Sid": "", "Effect": "Allow", "Action": "ssm:GetParameter", "Resource": "arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux" } ] } ``` with `events.amazonaws.com` being able to assume the role. Any suggestions on how to troubleshoot this further, or advice on how the IAM role permissions required would be much appreciated. Many thanks.

Is it possible to invoke a lambda function in account A directly from event bridge (custom event bus) in account B without integrating with an event bus in account A?

Hi, I try to execute an ECS task every night for copying some data. My configuration is very simple: []( https://i.ibb.co/p1M1mK1/Screenshot-2021-12-20-at-14-49-38.png) If I look at the metrics in CloudWatch, the task is successfully invoked: [](https://i.ibb.co/VwkbJj0/Screenshot-2021-12-20-at-15-10-06.png) But when I look at the logs in CloudWatch, I only see my tests¹ (2021-12-16 at around 3PM UTC+1) and the first nightly invocation of 2021-12-17 4AM UTC+1. I don’t see the next ones (2021-12-18, 2021-12-19 and 2021-12-20). I can confirm that no data were copied these days. [](https://i.ibb.co/GVZQR5D/Screenshot-2021-12-20-at-15-18-34.png) Why my task is not executed every night? What I am missing? 1: for the tests, the task was scheduled to run minutely (`cron(0 3 * * ? *)`)

What is the best way to collect EB events and Step Function State Machines status, preferably in one place and on a shoestring budget? My scenario: Working on an MVP whereby Eventbridge launches a bunch of Step Function State Machines. These grab data from DDB, do some text processing, post results back to the table then put the status of the completed job to SNS (the topic emails me although I might switch to Slack) and lastly back to EB. Of course everything is logged in Cloudwatch in (mostly) individual logs. Clearly this is a flood of notifications but as this is my first MVP with serverless, and soon to launch, I want to stay on top of things. Are there better solutions?

Hi, I'm aware EventBridge can be configured to trigger a specific alias of a Lambda every min. However, it would simply call one of the instances (the routing strategy is internal to Amazon). I would love a solution (ideally in EventBridge) to configure a broadcast event to trigger all instances of a Lambda (provisioned and on-demand instances) that are active at the triggering time. This would allow me to guarantee that all Lambdas have open connections to DynamoDb to avoid the additional cost of connecting as part of the request. Scheduling a task to make a call to DynamoDb with ScheduledExecutorService.scheduleAtFixedRate from Lambda's constructor doesn't work because it won't get executed when lambda is not processing any request. Thanks.

Hi, In MongoDB (Atlas) it is possible to setup a trigger and select ordering, it is then possible to select Event Bridge as the target, if we have a single lambda instance reading the event bus in our account would the ordering be maintained ? Appreciate event bridge is not fifo but seems strange Atlas would allow ordering option on the trigger with Event bridge integration if there was not a way of reading the events in order ? Many thanks, Lawrence

When building a rule targeting a specific ECS Task version (not latest), we're observing that the rule fails to be invoked. Let me provide some scenarios: 1. * In the EventBirdge-> Events-> Rules-> Add Target UI, define everything about your ECS Task. Do not update the task definition revision. * Verify your event invokes successfully. * Pull up the json from aws cli for referencing: aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here * Edit your rule/target to "Configure task definition revision and task count" to a Revision of the latest version for your task. * Observe if your rule invokes successfully or not. From my tests, it will fail. You can see this in the Cloudwatch "Monitoring" of the rule and observe your Invocations and FailedInvocations. * Pull up the json from aws cli for referencing: aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here You will notice the working version does not contain the version appended to the end (i.e. Works - "arn::aws::task-definition" vs Non-working "arn::aws::task-definition:16") 2. In Cloudformation, build your CF template with the appropriate settings that can be matched/compared with #1. Example (with lots of actual links replaced) Targets: - Arn: !GetAtt ClusterArn.Value RoleArn: !GetAtt RoleArn.Value Id: project-name-here EcsParameters: TaskCount: 1 TaskDefinitionArn: !GetAtt RoleArn.Value LaunchType: FARGATE NetworkConfiguration: AwsVpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: Fn::Split: - "," - Fn::ImportValue: !Sub ${EnvironmentName}:sec-groups Subnets: Fn::Split: - "," - Fn::ImportValue: !Sub ${EnvironmentName}:subnets If you attempt this CF, it will build the stack successfully when providing a valid ARN for the ecs task definition (The rule invoking this target will fail). If you try to provide the task definition Arn without the version, that's not a valid ARN, so CF will fail during stack creation. Let me know if more information is required to test this scenario in other environments, but we have validated it on our end to not be working as expected. Any help/guidance would be greatly appreciated! Edited by: rsNate on Jun 29, 2021 2:32 PM Edited by: rsNate on Jun 29, 2021 2:32 PM

I have setup an example with eventbridge: ec2 -> eventbridge -> sqs. This example works well, but I didn't create IAM role for ec2, I wonder that does the EC2 need an IAM role to access my default bus or not?

Hey there! I'm trying to use activateEventSource and deactivateEventSource on Lambda using aws-sdk. We have a rule with the following name: example_name-rule When we try calling the API methods, the following response is returned: ValidationException: 1 validation error detected: Value 'example_name-rule' at 'name' failed to satisfy constraint: Member must satisfy regular expression pattern: aws.partner(/\[.-_A-Za-z0-9]+){2,} It looks to me that this is a bug. Note this bit: `(/\[.-_A-Za-z0-9]+){2,}` (Link for proper formatting: https://regexr.com/5gnfl) Shouldn't this be (/\[.\-_A-Za-z0-9]+){2,}? (Link for proper formatting: https://regexr.com/5gnfu) Dashes are allowed in names, which is why we could create the rule in the first place. Am I doing something wrong?

Hi, I am using Constant JSON text to define the parameter for my Batch target. I am having problem overriding the vcpus for the target job. I am aware the parameter naming should be in camel case but I having problem overriding the cpus. For example, I want to override the vcpus to 6, but below will run the batch job but fail to override the vcpus. { "ContainerOverrides": { "VCpus" : 6, "Memory" : 2000, "Command": \["run_job.sh"]}} Thanks in advance.

Needed some clarifications for a customer discussion. I understand EventBridge has at least once semantics and can try delivery up to 24 hrs. Can we explicitly expire or remove messages from the bus? I also see quota limits on number of rules and targets per rule. Is there a maximum number of subscribers? I'd think this is limited by the rules * targets per rule Is there a limit on messages on the bus? Thanks

I currently use S3 PutObject Event to trigger a Lambda Function. This lambda function receives details of the object (such as name) and then starts an ECS task where it passes relevant details via environment variables. I recently came across this [tutorial][1] that shows how to use CloudWatch rules (now handled by Event Bridge) to start an ECS task when a file is uploaded to S3. The tutorial explains how to configure the S3 Event and how to configure the ECS task that will be triggered. What i can't find is how to get details of the S3 Event into the ECS Task. Is there a way to pass details from the originating S3 event into the ECS task? [1]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatch-Events-tutorial-ECS.html

Customer wants to fully understand when to use EventBridge, Lambda, and SNS for event-driven architectures - use cases, pros and cons for each of these technologies. For example, Amazon SNS is recommended for high throughput or low latency messages published by other applications or microservices.

Why do I need to set the header X-Amz-Target as &#39;AWSEvents.PutEvents&#39; while integrating API Gateway with EventBridge? I never had to do similar for Firehose, S3, SQS, etc.. The Action is already set to PutEvents so why the target header is required again? Please clarify. Thanks, Sheen

I played around with AWS a little bit and ended up at AWS EventBridge. I tried to write a Lambda for testing and understanding, but got an error just at the beginning. ``` import json, boto3 def lambda_handler(event, context): client = boto3.client('events') response = client.create_event_bus( Name='TestEventBus', EventSourceName='SomeSoucreEvent' ) return { 'statusCode': 200, 'body': json.dumps(response) } ``` I get the following error message: ``` Response: { "errorMessage": "'CloudWatchEvents' object has no attribute 'create_event_bus'", "errorType": "AttributeError", "stackTrace": [ " File \"/var/task/lambda_function.py\", line 5, in lambda_handler\n response = client.create_event_bus(\n", " File \"/var/runtime/botocore/client.py\", line 563, in getattr\n self.class.name, item)\n" ] } ``` The version of Boto running in the Lambda is 1.9.42

I'm currently using another cloud provider to provide a service bus with flexible scheduling of messages because of the 15 minute maximum delay on SQS messages. I'm wondering if I can use EventBridge for my use case, so a couple of questions: 1) Are there any restrictions on the 'time' field in PutEventsRequestEntry (https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutEventsRequestEntry.html)? Eg. is a timestamp in an hour supported? A timestamp next week? Next year? 2) Is there any way to view/manage/cancel events that have been submitted using PutEvents (https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutEvents.html)? The most important is cancelling - if I send an event using PutEvents with a future time, is there anything I can use to later cancel that event from firing? Is there a way to view all events that have been scheduled in an event bus for a future time? It'd be great to not have the complexity of using another cloud provider for this part of our app, and EventBridge looks like the closest thing AWS might have to the same service. Is this sort of use case supported? Thanks! Callum