AWS eventbridge documentation change
Summary
Restructured and expanded documentation for EventBridge managed IAM policies. Added details about ApiDestinationsServiceRolePolicy with Secrets Manager/KMS permissions, clarified service-linked roles, and documented new Scheduler/Pipes policies. Updated policy examples and access descriptions.
Security assessment
Added documentation for AmazonEventBridgeApiDestinationsServiceRolePolicy showing explicit Secrets Manager and KMS permissions for secret management, which qualifies as security feature documentation. No evidence of addressing an existing vulnerability is present.
Diff
diff --git a/eventbridge/latest/userguide/eb-use-identity-based.md b/eventbridge/latest/userguide/eb-use-identity-based.md index 1faf9f002..7ab867ce0 100644 --- a//eventbridge/latest/userguide/eb-use-identity-based.md +++ b//eventbridge/latest/userguide/eb-use-identity-based.md @@ -3 +3 @@ -AWS managed policies for EventBridgePermissions required for EventBridge to access targets using IAM rolesCustomer-managed policy example: Using tagging to control access to rulesPolicy updates +EventBridge managed policiesAmazonEventBridgeFullAccessAmazonEventBridgeReadOnlyAccessAmazonEventBridgeApiDestinationsServiceRolePolicySchema policiesScheduler policiesPipes policiesIAM roles for sending eventsPermissions to access targetsCustomer-managed policy examplePolicy updates @@ -22 +22 @@ The following AWS managed policies that you can attach to users in your account -### AmazonEventBridgeFullAccess policy +## AWS managed policy: AmazonEventBridgeFullAccess @@ -35,2 +34,0 @@ The AmazonEventBridgeFullAccess policy grants permissions to use all EventBridge -The following JSON shows the AmazonEventBridgeFullAccess policy. - @@ -112,5 +110 @@ The following JSON shows the AmazonEventBridgeFullAccess policy. -###### Note - -The information in this section also applies to the `CloudWatchEventsFullAccess` policy. However, it is strongly recommended that you use Amazon EventBridge instead of Amazon CloudWatch Events. - -### AmazonEventBridgeReadOnlyAccess policy +## AWS managed policy: AmazonEventBridgeReadOnlyAccess @@ -120,2 +113,0 @@ The AmazonEventBridgeReadOnlyAccess policy grants permissions to use all read Ev -The following JSON shows the AmazonEventBridgeReadOnlyAccess policy. - @@ -176 +168 @@ The following JSON shows the AmazonEventBridgeReadOnlyAccess policy. -###### Note +## AWS managed policy: AmazonEventBridgeApiDestinationsServiceRolePolicy @@ -178 +170 @@ The following JSON shows the AmazonEventBridgeReadOnlyAccess policy. -The information in this section also applies to the `CloudWatchEventsReadOnlyAccess` policy. However, it is strongly recommended that you use Amazon EventBridge instead of Amazon CloudWatch Events. +You can't attach [AmazonEventBridgeApiDestinationsServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEventBridgeApiDestinationsServiceRolePolicy.html) to your IAM entities. This policy is attached to a service-linked role that allows EventBridge permissions to access AWS Secrets Manager resources on your behalf. @@ -180 +172,40 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc -### EventBridge Schema-specific managed policies + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "secretsmanager:CreateSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:DescribeSecret", + "secretsmanager:DeleteSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue" + ], + "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey" + ], + "Resource": "arn:aws:kms:*:*:key/*", + "Condition": { + "StringLike": { + "kms:ViaService": "secretsmanager.*.amazonaws.com", + "kms:EncryptionContext:SecretARN": [ + "arn:aws:secretsmanager:*:*:secret:events!connection/*" + ] + }, + "StringEquals": { + "aws:ResourceTag/EventBridgeApiDestinations": "true" + } + } + } + ] + } + +## AWS managed policies: EventBridge Schemas @@ -184 +215,7 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc - * [AmazonEventBridgeSchemasServiceRolePolicy](https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/aws-service-role/AmazonEventBridgeSchemasServiceRolePolicy$jsonEditor) + * [AmazonEventBridgeSchemasFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEventBridgeSchemasFullAccess.html) + +You can attach the AmazonEventBridgeSchemasFullAccess policy to your IAM identities. + +Provides full access to EventBridge schemas. + + * [AmazonEventBridgeSchemasReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEventBridgeSchemasReadOnlyAccess.html) @@ -186 +223 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc - * [AmazonEventBridgeSchemasFullAccess](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEventBridgeSchemasFullAccess$jsonEditor) +You can attach the AmazonEventBridgeSchemasReadOnlyAccess policy to your IAM identities. @@ -188 +225 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc - * [AmazonEventBridgeSchemasReadOnlyAccess](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEventBridgeSchemasReadOnlyAccess$jsonEditor) +Provides read only access to EventBridge Schemas. @@ -189,0 +227 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc + * [AmazonEventBridgeSchemasServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEventBridgeSchemasServiceRolePolicy.html) @@ -190,0 +229 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc +You can't attach AmazonEventBridgeSchemasServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows EventBridge permissions to managed rules created by EventBridge schemas. @@ -193 +232,3 @@ The information in this section also applies to the `CloudWatchEventsReadOnlyAcc -### EventBridge Scheduler-specific managed policies + + +## AWS managed policies: EventBridge Scheduler @@ -197 +238,3 @@ Amazon EventBridge Scheduler is a serverless scheduler that allows you to create -### EventBridge Pipes-specific managed policies +## AWS managed policies: EventBridge Pipes + +EventBridge Pipes connects event sources to targets. Pipes reduces the need for specialized knowledge and integration code when developing event driven architectures. This helps ensures consistency across your company’s applications. The following AWS managed policies specific to EventBridge Pipes are available: @@ -199 +242 @@ Amazon EventBridge Scheduler is a serverless scheduler that allows you to create -Amazon EventBridge Pipes connects event sources to targets. Pipes reduces the need for specialized knowledge and integration code when developing event driven architectures. This helps ensures consistency across your company’s applications. The following AWS managed policies specific to EventBridge Pipes are available: + * [AmazonEventBridgePipesFullAccess](aws-managed-policy/latest/reference/AmazonEventBridgePipesFullAccess.html) @@ -201 +244 @@ Amazon EventBridge Pipes connects event sources to targets. Pipes reduces the ne - * [AmazonEventBridgePipesFullAccess](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEventBridgePipesFullAccess$jsonEditor) +You can attach the AmazonEventBridgePipesFullAccess policy to your IAM identities. @@ -203 +246 @@ Amazon EventBridge Pipes connects event sources to targets. Pipes reduces the ne -Provides full access to Amazon EventBridge Pipes. +Provides full access to EventBridge Pipes. @@ -209 +252,5 @@ This policy provides `iam:PassRole` – EventBridge Pipes requires this permissi - * [AmazonEventBridgePipesReadOnlyAccess](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEventBridgePipesReadOnlyAccess$jsonEditor) + * [AmazonEventBridgePipesReadOnlyAccess](aws-managed-policy/latest/reference/AmazonEventBridgePipesReadOnlyAccess.html) + +You can attach the AmazonEventBridgePipesReadOnlyAccess policy to your IAM identities. + +Provides read-only access to EventBridge Pipes. @@ -211 +258 @@ This policy provides `iam:PassRole` – EventBridge Pipes requires this permissi -Provides read-only access to Amazon EventBridge Pipes. + * [AmazonEventBridgePipesOperatorAccess](aws-managed-policy/latest/reference/AmazonEventBridgePipesOperatorAccess.html) @@ -213 +260 @@ Provides read-only access to Amazon EventBridge Pipes. - * [AmazonEventBridgePipesOperatorAccess](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEventBridgePipesOperatorAccess$jsonEditor) +You can attach the AmazonEventBridgePipesOperatorAccess policy to your IAM identities. @@ -215 +262 @@ Provides read-only access to Amazon EventBridge Pipes. -Provides read-only and operator (that is, the ability to stop and start running Pipes) access to Amazon EventBridge Pipes. +Provides read-only and operator (that is, the ability to stop and start running Pipes) access to EventBridge Pipes. @@ -220 +267 @@ Provides read-only and operator (that is, the ability to stop and start running -### IAM roles for sending events +## IAM roles for sending events @@ -440,0 +488 @@ Change | Description | Date +AmazonEventBridgeApiDestinationsServiceRolePolicy – Updated policy | EventBridge updated policy to grant AWS KMS encrypt and decrypt permissions via Secrets Manager. This enables EventBridge to update connection secret resources with new OAuth token value when access token refresh is required. | March 28, 2025 @@ -453 +501 @@ AmazonEventBridgePipesReadOnlyAccess – New policy added | EventBridge added m -AmazonEventBridgePipesOperatorAccess – New policy added | EventBridge added managed policy for for permissions to view EventBridge Pipes information, as well as start and stop running pipes. | December 1, 2022 +AmazonEventBridgePipesOperatorAccess – New policy added | EventBridge added managed policy for permissions to view EventBridge Pipes information, as well as start and stop running pipes. | December 1, 2022