Amazon EventBridge Configuration

12 min read Beginner

EventBridge is a serverless event bus that routes events between AWS services, custom applications, and SaaS providers. For security operations, EventBridge connects detection services to notification and remediation workflows. This guide covers event patterns for security services, rule configuration, and common automation patterns.

Quick Start

Create a rule to route high-severity GuardDuty findings to SNS:

bash
# Create the rule on the default event bus
aws events put-rule \
  --name high-severity-guardduty \
  --event-pattern '{"source":["aws.guardduty"],"detail-type":["GuardDuty Finding"],"detail":{"severity":[{"numeric":[">=",7]}]}}'

# Allow EventBridge to publish to the topic; without this, deliveries fail
# without any error from put-targets. Scoping aws:SourceArn to the rule keeps
# other rules (and other accounts) from using the topic. This replaces any
# existing topic policy.
aws sns set-topic-attributes \
  --topic-arn arn:aws:sns:us-east-1:123456789012:security-alerts \
  --attribute-name Policy \
  --attribute-value '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"events.amazonaws.com"},"Action":"sns:Publish","Resource":"arn:aws:sns:us-east-1:123456789012:security-alerts","Condition":{"ArnEquals":{"aws:SourceArn":"arn:aws:events:us-east-1:123456789012:rule/high-severity-guardduty"}}}]}'

# Add the SNS topic as the rule's target
aws events put-targets \
  --rule high-severity-guardduty \
  --targets Id=1,Arn=arn:aws:sns:us-east-1:123456789012:security-alerts

EventBridge evaluates new events against the rule as soon as put-rule returns; events that arrived earlier are not replayed. Confirm delivery with the rule's Invocations and FailedInvocations CloudWatch metrics (namespace AWS/Events). See the Amazon EventBridge documentation for complete feature details.

Core Concepts

EventBridge consists of three main components:

  • Event Bus - Receives events from sources. The default bus receives AWS service events; custom buses receive events your applications or SaaS partners publish
  • Rules - Match events against patterns and route matching events to targets
  • Targets - Destinations for matched events (Lambda, SNS, SQS, Step Functions, another event bus)

Event Structure

All EventBridge events share a standard envelope around a service-specific payload:

  • version - Envelope version (currently "0")
  • id - Unique event ID, useful for deduplication in targets
  • source - Service or application that generated the event (e.g., "aws.guardduty")
  • detail-type - Type of event (e.g., "GuardDuty Finding")
  • detail - Event-specific payload; its shape differs per service, so a pattern on detail must follow that service's schema
  • account - AWS account ID the event was published in
  • region - AWS region
  • time - Event timestamp (ISO 8601, UTC)
  • resources - ARNs of resources involved in the event (may be empty)

Security Event Patterns

Common event patterns for AWS security services:

GuardDuty High-Severity Findings

json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{ "numeric": [">=", 7] }]
  }
}

Security Hub Critical/High Findings

json
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL", "HIGH"]
      }
    }
  }
}

AWS Config Non-Compliant Resources

json
{
  "source": ["aws.config"],
  "detail-type": ["Config Rules Compliance Change"],
  "detail": {
    "newEvaluationResult": {
      "complianceType": ["NON_COMPLIANT"]
    }
  }
}

IAM Policy Changes (via CloudTrail)

json
{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventName": [
      "PutRolePolicy",
      "AttachRolePolicy",
      "DetachRolePolicy",
      "DeleteRolePolicy",
      "UpdateAssumeRolePolicy",
      "PutUserPolicy",
      "AttachUserPolicy",
      "CreatePolicyVersion",
      "SetDefaultPolicyVersion"
    ]
  }
}
Pattern Matching: EventBridge uses content-based filtering. Every field named in the pattern must match (AND), while the array given for a field lists the acceptable values (OR); if the event field is itself an array, it matches when any element matches. Fields the pattern does not name are ignored, so a pattern never has to describe the whole event. Matching is exact and type-sensitive unless a content filter is used: {"numeric": [">=", 7]} applies to numbers only, so a severity sent as the string "7" would not match. Check a pattern against a captured event with aws events test-event-pattern (--event-pattern and --event) before deploying it.

CloudTrail Events: The AWS API Call via CloudTrail detail type is delivered only for management (control-plane) calls, not for read-only List/Get/Describe calls, and only while a trail with logging enabled exists in the account. IAM is a global service, so its API events reach EventBridge in us-east-1; create the IAM rule above in that region.
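As an added example (not code from this page or from AWS), the Python evaluator below implements the matching semantics just described and runs the four patterns from this section against constructed sample events. It goes slightly beyond the page by also handling the prefix, anything-but and exists content filters; the _envelope helper, the sample events and the pattern names are this example's own.

```python
"""Minimal evaluator for EventBridge event patterns (added example, not AWS code).

Every key in the pattern must match (AND), a pattern array lists acceptable
values (OR), event arrays match when any element matches, and event fields the
pattern does not name are ignored. $or and other filters are not modelled.
"""
from typing import Any, Iterator

_NUMERIC_OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
                ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def _event_values(node: Any, path: tuple) -> Iterator[Any]:
    """Yield every event value reachable along `path`, flattening arrays on the way."""
    if isinstance(node, list):
        for item in node:
            yield from _event_values(item, path)
    elif not path:
        yield node
    elif isinstance(node, dict) and path[0] in node:
        yield from _event_values(node[path[0]], path[1:])


def _pattern_leaves(pattern: dict, prefix: tuple = ()) -> Iterator[tuple]:
    """Yield (path, matchers) for each array leaf of the pattern."""
    for key, value in pattern.items():
        if isinstance(value, dict):
            yield from _pattern_leaves(value, prefix + (key,))
        elif isinstance(value, list):
            yield prefix + (key,), value
        else:
            raise ValueError(f"pattern leaf {'.'.join(prefix + (key,))} must be an array")


def _hits(matcher: Any, value: Any) -> bool:
    """Does one pattern entry accept one event value?"""
    if not isinstance(matcher, dict):  # exact, type-sensitive match
        if isinstance(matcher, bool) or isinstance(value, bool):
            return matcher is value
        return matcher == value
    if "numeric" in matcher:  # e.g. {"numeric": [">", 0, "<=", 5]}: pairs of operator, operand
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        ops = matcher["numeric"]
        return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    if "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    if "anything-but" in matcher:
        banned = matcher["anything-but"]
        return value not in (banned if isinstance(banned, list) else [banned])
    if "exists" in matcher:  # exists:true; exists:false is handled in matches()
        return bool(matcher["exists"])
    raise ValueError(f"unsupported content filter: {matcher}")


def matches(pattern: dict, event: dict) -> bool:
    """True if `event` satisfies every leaf of `pattern`."""
    for path, matchers in _pattern_leaves(pattern):
        values = list(_event_values(event, path))
        if any(isinstance(m, dict) and m.get("exists") is False for m in matchers):
            if values:
                return False
            continue
        if not any(_hits(m, v) for v in values for m in matchers):
            return False
    return True


# The four patterns from this section (IAM list as on the page), keyed by a short name.
PATTERNS = {
    "guardduty_high": {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                       "detail": {"severity": [{"numeric": [">=", 7]}]}},
    "securityhub_critical_high": {"source": ["aws.securityhub"],
                                  "detail-type": ["Security Hub Findings - Imported"],
                                  "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]}}}},
    "config_noncompliant": {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
                            "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}},
    "iam_policy_change": {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
                          "detail": {"eventName": ["PutRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
                                                   "DeleteRolePolicy", "UpdateAssumeRolePolicy"]}},
}


def _envelope(source: str, detail_type: str, detail: dict) -> dict:
    """Constructed sample event with the standard envelope fields (not a real AWS event)."""
    return {"version": "0", "id": "00000000-0000-0000-0000-000000000000", "detail-type": detail_type,
            "source": source, "account": "123456789012", "time": "2024-01-01T00:00:00Z",
            "region": "us-east-1", "resources": [], "detail": detail}


SAMPLE_EVENTS = {  # constructed; the Security Hub detail is an array of findings, as in the real event
    "gd_high": _envelope("aws.guardduty", "GuardDuty Finding",
                         {"severity": 8, "type": "Recon:EC2/PortProbeUnprotectedPort"}),
    "gd_low": _envelope("aws.guardduty", "GuardDuty Finding",
                        {"severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort"}),
    "sh_high": _envelope("aws.securityhub", "Security Hub Findings - Imported",
                         {"findings": [{"Severity": {"Label": "HIGH"}}]}),
    "config_bad": _envelope("aws.config", "Config Rules Compliance Change",
                            {"newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}),
    "iam_attach": _envelope("aws.iam", "AWS API Call via CloudTrail", {"eventName": "AttachRolePolicy"}),
    "iam_get": _envelope("aws.iam", "AWS API Call via CloudTrail", {"eventName": "GetRole"}),
}


def route(event: dict) -> list:
    """Names of the patterns (i.e. rules) this event would trigger."""
    return [name for name, pat in PATTERNS.items() if matches(pat, event)]
```

route(SAMPLE_EVENTS["gd_high"]) yields only the GuardDuty rule, the low-severity and GetRole events match nothing, and the Security Hub event matches through the findings array. Treat this as a sanity check; the authoritative answer is aws events test-event-pattern, since the evaluator does not model every EventBridge filter.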

Rule Configuration

Terraform configuration for security event routing:

hcl
# One rule per source: GuardDuty carries a numeric detail.severity, while Security Hub
# carries detail.findings[].Severity.Label, so one pattern requiring detail.severity would never match Security Hub.
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name        = "guardduty-high-severity-findings"
  description = "Route GuardDuty findings with severity >= 7 to notification targets"

  event_pattern = jsonencode({
    source      = ["aws.guardduty"]
    detail-type = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7] }]
    }
  })

  tags = { Environment = "production", ManagedBy = "terraform" }
}

resource "aws_cloudwatch_event_rule" "securityhub_high" {
  name        = "securityhub-critical-high-findings"
  description = "Route CRITICAL and HIGH Security Hub findings to notification targets"

  event_pattern = jsonencode({
    source      = ["aws.securityhub"]
    detail-type = ["Security Hub Findings - Imported"]
    detail = {
      findings = {
        Severity = {
          Label = ["CRITICAL", "HIGH"]
        }
      }
    }
  })

  tags = { Environment = "production", ManagedBy = "terraform" }
}

resource "aws_cloudwatch_event_target" "guardduty_sns" {
  rule      = aws_cloudwatch_event_rule.guardduty_high.name
  target_id = "SecurityAlertsSNS"
  arn       = aws_sns_topic.security_alerts.arn
}

resource "aws_cloudwatch_event_target" "securityhub_sns" {
  rule      = aws_cloudwatch_event_rule.securityhub_high.name
  target_id = "SecurityAlertsSNS"
  arn       = aws_sns_topic.security_alerts.arn
}

Rule Best Practices

  • Specific Patterns - Match on source, detail-type and the detail fields you act on, so the rule does not invoke targets for events the target then discards; each invocation costs money on the target side and adds noise.
  • Descriptive Names - Name rules after the event source and the action (for example guardduty-high-to-sns); the rule name is what appears in metrics and logs.
  • Multiple Targets - A single rule can have up to 5 targets, invoked in parallel. Use this for notify-and-remediate fan-out.
  • Idempotent Targets - EventBridge delivers at least once, so a target may see the same event twice; key remediation on the event id or finding ID so a repeat is a no-op.
  • Dead Letter Queues - Configure an SQS dead-letter queue on each target to capture events EventBridge could not deliver (missing target permission, throttling, a deleted target). A DLQ on the target does not catch errors thrown inside a Lambda function; those go through Lambda's own asynchronous retry and on-failure destination.

Targets

Common targets for security automation:

Target             | Use Case                           | Configuration Notes
SNS Topic          | Email/SMS notifications            | Topic policy must allow events.amazonaws.com to sns:Publish
Lambda Function    | Custom processing, remediation     | Function resource-based policy must allow events.amazonaws.com to lambda:InvokeFunction
SQS Queue          | Buffering, batch processing        | Queue policy must allow events.amazonaws.com to sqs:SendMessage
Step Functions     | Complex workflows, approval chains | IAM role that EventBridge assumes, allowing states:StartExecution on the state machine
CloudWatch Logs    | Event archival, debugging          | Log group resource policy allowing EventBridge to create log streams and put log events
Another Event Bus  | Cross-account routing              | Event bus policy on the target bus, plus an IAM role in the source account allowing events:PutEvents on it
Permissions: Each target type requires specific permissions. Lambda, SNS, SQS and CloudWatch Logs use resource-based policies on the target; Step Functions and another event bus use an IAM role that EventBridge assumes. A missing permission does not make put-targets fail: the delivery fails at invocation time and shows up only as the rule's FailedInvocations metric (and in the target's dead-letter queue, if one is configured). When granting the permission, condition it on aws:SourceArn set to the rule's ARN (for Lambda, aws lambda add-permission with --principal events.amazonaws.com and --source-arn) so that only that rule, not any EventBridge rule in any account, can invoke the target.
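As an added example of a Lambda target (not code from this page, from AWS, or from any project), the handler below accepts the GuardDuty and Security Hub events that the rules above route and normalizes them into one alert shape, most severe first. The alert fields, guardduty_label, _RANK and the two sample events are this example's own assumptions; the event field names it reads (detail.severity, detail.findings[].Severity.Label, Resources[].Id, ...) are the services' documented ones.

```python
"""Lambda target that turns GuardDuty and Security Hub events into uniform alerts.

Added example, not code from the page or from AWS. The alert shape, the
ranking table and the sample events are assumptions of this example.
"""
from typing import Any


# GuardDuty's documented severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10.
def guardduty_label(severity: float) -> str:
    if severity >= 9:
        return "CRITICAL"
    if severity >= 7:
        return "HIGH"
    if severity >= 4:
        return "MEDIUM"
    return "LOW"


def _guardduty_alerts(event: dict) -> list:
    d = event["detail"]  # one finding per event
    return [{
        "label": guardduty_label(float(d["severity"])),
        "title": d.get("title") or d.get("type", "GuardDuty finding"),
        "finding_type": d.get("type", ""),
        "resource": d.get("resource", {}).get("resourceType", ""),
        "account": d.get("accountId", event["account"]),
        "region": event["region"],
        "finding_id": d.get("id", event["id"]),
    }]


def _securityhub_alerts(event: dict) -> list:
    alerts = []  # one event can import several findings; emit one alert per finding
    for f in event["detail"].get("findings", []):
        alerts.append({
            "label": f.get("Severity", {}).get("Label", "INFORMATIONAL"),
            "title": f.get("Title", "Security Hub finding"),
            "finding_type": ",".join(f.get("Types", [])),
            "resource": ";".join(r.get("Id", "") for r in f.get("Resources", [])),
            "account": f.get("AwsAccountId", event["account"]),
            "region": event["region"],
            "finding_id": f.get("Id", event["id"]),
        })
    return alerts


_PARSERS = {
    ("aws.guardduty", "GuardDuty Finding"): _guardduty_alerts,
    ("aws.securityhub", "Security Hub Findings - Imported"): _securityhub_alerts,
}
_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def normalize(event: dict) -> list:
    """Alerts for one event, most severe first. An event the rule should never have
    delivered raises, so Lambda records an error instead of silently succeeding."""
    key = (event.get("source"), event.get("detail-type"))
    if key not in _PARSERS:
        raise ValueError(f"unexpected event {key}; check the rule's pattern")
    return sorted(_PARSERS[key](event), key=lambda a: _RANK.get(a["label"], len(_RANK)))


def handler(event: dict, context: Any = None) -> dict:
    """Lambda entry point. A deployment would hand `items` to SNS or a ticketing API
    here; returning them keeps the example runnable offline."""
    items = normalize(event)
    return {"alerts": len(items), "items": items}


# Constructed sample events: the real services' field names, made-up values.
GUARDDUTY_EVENT = {
    "version": "0", "id": "11111111-1111-1111-1111-111111111111", "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding", "account": "123456789012", "region": "us-east-1",
    "time": "2024-01-01T00:00:00Z", "resources": [],
    "detail": {"id": "gd-finding-1", "accountId": "123456789012", "severity": 8.5,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce", "title": "SSH brute force against i-0example",
               "resource": {"resourceType": "Instance"}},
}
SECURITYHUB_EVENT = {
    "version": "0", "id": "22222222-2222-2222-2222-222222222222", "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported", "account": "123456789012", "region": "us-east-1",
    "time": "2024-01-01T00:00:00Z", "resources": [],
    "detail": {"findings": [
        {"Id": "sh-1", "Title": "S3 bucket allows public read", "Severity": {"Label": "HIGH"},
         "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
         "Resources": [{"Id": "arn:aws:s3:::example-bucket"}], "AwsAccountId": "123456789012"},
        {"Id": "sh-2", "Title": "Root account without MFA", "Severity": {"Label": "CRITICAL"},
         "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
         "Resources": [{"Id": "AWS::::Account:123456789012"}], "AwsAccountId": "123456789012"},
    ]},
}
```

handler(SECURITYHUB_EVENT) returns the CRITICAL root-MFA finding before the HIGH bucket finding, and handler(GUARDDUTY_EVENT) maps severity 8.5 to HIGH. The raise in normalize is deliberate: a rule pattern that is later loosened would otherwise feed the function events it cannot interpret, and a function that returns success on them hides the misconfiguration.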

Scheduled Rules

EventBridge supports time-based triggers for scheduled tasks:

hcl
resource "aws_cloudwatch_event_rule" "compliance_report" {
  name                = "weekly-compliance-report"
  description         = "Trigger weekly compliance report generation"
  schedule_expression = "cron(0 8 ? * MON *)"

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

resource "aws_cloudwatch_event_target" "report_lambda" {
  rule      = aws_cloudwatch_event_rule.compliance_report.name
  target_id = "ComplianceReportLambda"
  arn       = aws_lambda_function.report_generator.arn
}

Schedule Expressions

Expression                | Description
rate(5 minutes)           | Every 5 minutes
rate(1 hour)              | Every hour
rate(1 day)               | Every day
cron(0 8 ? * MON *)       | Every Monday at 08:00 UTC
cron(0 0 1 * ? *)         | First day of every month at 00:00 UTC
cron(0 0 1 1,4,7,10 ? *)  | First day of Jan, Apr, Jul and Oct at 00:00 UTC (quarterly)
Format: EventBridge cron expressions have six fields (minutes hours day-of-month month day-of-week year), are evaluated in UTC, and require a ? in either the day-of-month or the day-of-week field. Rate expressions use the singular unit for a value of 1 (rate(1 hour)) and the plural otherwise.
Use Cases: Scheduled rules are useful for periodic compliance reports, security posture assessments, and maintenance tasks such as log rotation or snapshot creation.

Cross-Account Events

EventBridge supports routing events across AWS accounts:

Architecture Pattern

  • Source Account: Creates a rule whose target is the destination account's event bus ARN. The target needs a RoleArn for an IAM role in the source account that EventBridge can assume and that allows events:PutEvents on the destination bus
  • Destination Account: Event bus policy allows events:PutEvents from the source account (or from the whole organization). Rules in the destination account then match the forwarded events as usual; the events keep their original source, detail-type and account fields
  • Central Security Account: Aggregates security events from all member accounts so detection and notification rules are maintained in one place
bash
# In destination account - allow events from one source account
aws events put-permission \
  --event-bus-name default \
  --action events:PutEvents \
  --principal 111111111111 \
  --statement-id AllowSourceAccount
# Or allow every account in the organization (o-a1b2c3d4e5 is a placeholder organization ID)
aws events put-permission \
  --event-bus-name default \
  --action events:PutEvents \
  --principal "*" \
  --statement-id AllowOrganization \
  --condition Type=StringEquals,Key=aws:PrincipalOrgID,Value=o-a1b2c3d4e5
Organization Events: For AWS Organizations, use the aws:PrincipalOrgID condition key on the event bus policy, as in the second command, to allow all member accounts without listing account IDs. The bus policy only authorizes the PutEvents call; each member account still needs its own forwarding rule and role.

Cost Considerations

EventBridge pricing is based on events published:

Component            | Pricing                  | Notes
Custom events        | $1.00 per million events | Events your own code publishes with PutEvents, to the default or a custom bus
AWS service events   | Free                     | Events AWS services deliver to the default bus
Cross-account events | $1.00 per million events | Events sent to another account's bus, billed to the sending account as custom events
Archive and replay   | $0.10 per GB archived    | Plus replay, billed at the custom event rate
Schema registry      | Free                     | Included with EventBridge
Cost Optimization: AWS service events (GuardDuty, Security Hub, Config, CloudTrail) are free to receive on the default event bus, so the rules in this guide incur no EventBridge charge. Costs arise from events your own code publishes with PutEvents, from cross-account forwarding, and from the targets themselves, which bill at their own rates (Lambda invocations, SNS deliveries, SQS requests); specific rule patterns keep that target-side cost down.

Integration Points

EventBridge serves as the routing layer connecting AWS security services:

  • GuardDuty - Publishes threat detection findings (new findings and periodic updates to existing ones) to EventBridge for routing
  • Security Hub - Sends aggregated findings to EventBridge for notification workflows
  • AWS Config - Publishes compliance change events for remediation triggers
  • CloudTrail - Delivers management API activity to EventBridge for real-time security monitoring
Architecture Pattern: EventBridge acts as the central event router. Security services publish events, EventBridge matches patterns and routes to targets. SNS delivers notifications, Lambda executes remediation, Step Functions orchestrates complex workflows.

Next Steps

  1. Create rules for GuardDuty high-severity findings
  2. Configure Security Hub finding notifications
  3. Set up AWS Config compliance change alerts
  4. Implement Lambda targets for automated remediation
  5. Configure dead letter queues for failed event delivery