How do I specify another AWS account's Event Bus as a target of an EventBridge rule using CloudFormation or CDK?

How do I specify another AWS account's event bus as the target of a CloudWatch Rule using CloudFormation or CDK?

Here is an example Rule using CDK where I try to send CodeDeploy events to another account:

Rule codedeployCreateDeploymentEventRule = Rule.Builder.create(this, "CodedeployCreateDeploymentEventRule")
                                                   .description("CloudWatch event rule covering CodeDeploy CreateDeployment notifications.")
                                                   .ruleName("MyRule")
                                                   .enabled(true)
                                                   .targets(List.of(...something here...))
                                                   .eventPattern(EventPattern.builder()
                                                                             .source(List.of("aws.codedeploy"))
                                                                             .detail(Map.of("eventName", List.of("CreateDeployment")))
                                                                             .build())
                                                   .build();

How do I specify another account's EventBus as the target? What's the syntax - is it an ARN or what?

John asked Sep 25 '20 18:09


1 Answer

To relay CW events from Acc1 to Acc2 in CloudFormation, three things are needed:

1. Acc2 - EventBusPolicy

AWS::Events::EventBusPolicy which allows Acc1 to submit events. Eg:

  MyEventBusPolicy:
    Type: AWS::Events::EventBusPolicy
    Properties:
      Action: events:PutEvents
      EventBusName: default
      Principal: "2234322123" # Account1 Id (quoted so YAML keeps the account ID as a string)
      StatementId: AcceptEventsFromAcc1

2. Acc1 - IAM role for CW

IAM role that allows CW Events in Acc1 to publish events to Acc2. Example:

  MyCWEventsRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EventBridge/CloudWatch Events service may assume this role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: [events.amazonaws.com]
            Action: ["sts:AssumeRole"]
      Description: Role for CW event to be able to publish events to acc2
      Policies:
        - PolicyName: MyEventPolicy
          # Permission policy: PutEvents on Acc2's default bus only
          PolicyDocument: !Sub |
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "events:PutEvents"
                        ],
                        "Resource": [
                            "arn:aws:events:${RegionId}:${AccountId}:event-bus/default"
                        ]
                    }
                ]
            }

where AccountId and RegionId are Acc2 values, not Acc1.

3. Acc1 - CW Event rule to relay events to Acc2's bus

It will use the IAM role from step 2. For example, to relay CodeCommit events (I set it up before, so I know it works):

  MyRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Monitor master branch of our repo and relay to Acc2
      EventPattern: !Sub |
            {
              "source": [
                "aws.codecommit"
              ],
              "detail-type": [
                "CodeCommit Repository State Change"
              ],
              "resources": [
                "${GitRepoArn}"
              ],
              "detail": {
                "event": [
                  "referenceCreated",
                  "referenceUpdated"
                ],
                "referenceType": [
                  "branch"
                ],
                "referenceName": [
                  "master"
                ]
               }
             }
      State: ENABLED
      Targets:
        # The target is the ARN of Acc2's event bus; RoleArn is required for cross-account delivery
        - Arn: !Sub "arn:aws:events:${RegionId}:${AccountId}:event-bus/default"
          Id: MyEventToAcc2
          RoleArn: !GetAtt MyCWEventsRole.Arn

where AccountId and RegionId are Acc2 values, not Acc1.
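The three steps assembled into one deployable template for the Acc1 side, as an added example that is not part of the original answer (the Acc2 side is only the EventBusPolicy from step 1). It declares the Acc2AccountId parameter that the snippets above reference implicitly, takes the Region from the AWS::Region pseudo parameter, and carries the CodeDeploy pattern from the question instead of the CodeCommit one. The parameter name, logical IDs and the Outputs section are my own choices, not anything from the answer.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Acc1 side of a cross-account event relay (added example; names are assumptions)

Parameters:
  Acc2AccountId:
    Type: String
    Description: Account ID of the receiving account (Acc2); parameter name is an assumption
    AllowedPattern: "^[0-9]{12}$"

Resources:
  # Role that EventBridge assumes when delivering to Acc2's bus.
  # The permission is scoped to the single destination bus ARN, nothing wider.
  MyCWEventsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsToAcc2
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Sub "arn:aws:events:${AWS::Region}:${Acc2AccountId}:event-bus/default"

  # The rule from the question (CodeDeploy CreateDeployment), targeting Acc2's default bus.
  # EventPattern is given as a YAML mapping, which CloudFormation accepts as the JSON object.
  CodedeployCreateDeploymentEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: MyRule
      Description: CloudWatch event rule covering CodeDeploy CreateDeployment notifications.
      State: ENABLED
      EventPattern:
        source:
          - aws.codedeploy
        detail:
          eventName:
            - CreateDeployment
      Targets:
        - Id: MyEventToAcc2
          # Target syntax: the ARN of the other account's event bus, plus the role to assume
          Arn: !Sub "arn:aws:events:${AWS::Region}:${Acc2AccountId}:event-bus/default"
          RoleArn: !GetAtt MyCWEventsRole.Arn

Outputs:
  SenderAccountId:
    Description: Value to put in Acc2's EventBusPolicy Principal (step 1)
    Value: !Ref AWS::AccountId
```

Deploy this in Acc1 after the step 1 policy exists in Acc2, keeping the Principal there set to Acc1's account ID rather than "*", since a wildcard principal without a Condition lets any AWS account put events on the bus. The template targets Acc2's bus in the same Region as the rule; if the receiving bus is in another Region, replace AWS::Region with a parameter as the answer does. To confirm the receiving side, run `aws events describe-event-bus --name default` in Acc2 and check that the returned Policy lists Acc1's account.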

Marcin answered Oct 31 '22 18:10