
AWS invoke cross account lambda via Cloudwatch Event Bus


I have an AWS Lambda function deployed in multiple accounts. I'm looking for a way to schedule and trigger these Lambda functions from the master account via a CloudWatch Event Bus. Is this possible?


Solution

  • In line with what @amitd is suggesting, you need to implement something like this (using EventBridge, EventBus).


    To configure cross-account EventBridge communication, the following needs to be done. I am providing sample events and filters; you can replace the event and filters as per your requirement.

    Steps to be performed on Account B: Receiver account

    1. Create an event bus named event-bus-b. Put the resource-based policy as shown below.
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "WebStoreCrossAccountPublish",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<account-A>:root"
        },
        "Action": "events:PutEvents",
        "Resource": "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
      }]
    }
    
    2. Create a rule in account B; let's call it eb-rule-b. In this rule select event-bus-b as the source event bus.

    3. Provision the following event filter pattern:

    Event pattern:

    {
      "detail-type": [
        "uoe"
      ],
      "source": [
        "somesource"
      ]
    }
    

    Also, test the pattern using the test event.

    Test Event:

    {
      "version": "0",
      "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
      "detail-type": "uoe",
      "source": "somesource",
      "account": "<ACCOUNT_ID>",
      "time": "2020-04-24T13:53:21Z",
      "region": "<YOUR_REGION>",
      "resources": [],
      "detail": {
        "userOrg": "OrgName"
      }
    }
    
    4. Select the event bus event-bus-b in the drop-down.

    5. Select the target "Lambda".

    6. Put the ARN of the event bus which you have created in Account B.

    arn:aws:lambda:<your-region>:<AccountB>:function:<AccountBLambda>
    
    7. Also check the check box "Create a new role for this specific resource". This will create a role in account A which enables Lambda execution.

    8. Click on create and create the rule.

    9. Now click on the event bus event-bus-a and click on the Send events button.

    10. Send a dummy event as shown below and validate that the communication between the event bus and the Lambda in account B is all OK.

    11. If you face some issue in this plumbing, refer to: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html#eb-lam-function-not-invoked

    12. Once we are good in Account B (i.e. we are able to invoke the Lambda by sending events on the event bus), configure other accounts by following the same steps.

    Steps to be performed on Account A: Sender account

    1. Create an event bus event-bus-a in account A.

    2. Create a rule eb-rule-a in account A with the following details:

    Event pattern:

    {
      "detail-type": [
        "uoe"
      ],
      "source": [
        "somesource"
      ]
    }
    

    Also, test the pattern using the test event.

    Test Event:

    {
      "version": "0",
      "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
      "detail-type": "uoe",
      "source": "somesource",
      "account": "<ACCOUNT_ID>",
      "time": "2020-04-24T13:53:21Z",
      "region": "<YOUR_REGION>",
      "resources": [],
      "detail": {
        "userOrg": "OrgName"
      }
    }
    
    3. Select the event bus event-bus-a in the drop-down.

    4. Select the target "Event bus in different account or Region".

    5. Put the ARN of the event bus which you have created in Account B.

    arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b
    
    6. Also check the check box "Create a new role for this specific resource". This will create a role in account A which enables the users in account A to publish on the account B event bus. The below policy is auto-created and you don't need to do anything.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "events:PutEvents"
                ],
                "Resource": [
                    "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
                ]
            }
        ]
    }
    
    7. Click on create and create the rule.

    8. Now click on the event bus event-bus-a and click on the Send events button.

    9. Provide details and click on send.


    Sample event:

    {
      "version": "0",
      "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
      "detail-type": "uoe",
      "source": "somesource",
      "account": "<ACCOUNT_ID>",
      "time": "2020-04-24T13:53:21Z",
      "region": "<YOUR_REGION>",
      "resources": [],
      "detail": {
        "userOrg": "OrgName"
      }
    }
    
    10. The event will propagate to the event bus defined in account B.

    11. Repeat steps 4-10 for all other accounts (i.e. create multiple targets in the same rule).

    12. Once configured, a single event in Account A will propagate to multiple accounts and you will achieve the necessary fanning.
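As an added example (not part of the answer above), the following Python checks two of the steps offline: whether the test event actually matches the rule's event pattern, and which principals the event-bus-b resource policy allows to publish, so you can confirm only the intended sender account is listed. It uses constructed account ids and a constructed region in place of the <ACCOUNT_ID> / <YOUR_REGION> placeholders; the matcher handles only literal lists and nested objects, not EventBridge's content filters such as prefix matching.

```python
# Constructed samples: the rule pattern and test event from the answer, with
# the <ACCOUNT_ID>/<YOUR_REGION> placeholders replaced by made-up values.
PATTERN = {"detail-type": ["uoe"], "source": ["somesource"]}
EVENT = {"version": "0", "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
         "detail-type": "uoe", "source": "somesource", "account": "111111111111",
         "time": "2020-04-24T13:53:21Z", "region": "us-east-1", "resources": [],
         "detail": {"userOrg": "OrgName"}}
BUS_ARN = "arn:aws:events:us-east-1:222222222222:event-bus/event-bus-b"
BUS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "WebStoreCrossAccountPublish", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "events:PutEvents", "Resource": BUS_ARN}]}


def event_matches(pattern, event):
    """Simplified EventBridge matching: every pattern key must be present in
    the event; a list of literals matches when the event value (or any element
    of an event list) is one of them; nested objects recurse. Content filters
    such as {"prefix": ...} are not implemented."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not event_matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def put_events_principals(policy, bus_arn):
    """Return the principals the bus policy allows to PutEvents on bus_arn, so a
    reviewer can confirm only the intended sender account (not "*") is listed."""
    as_list = lambda v: [v] if isinstance(v, str) else list(v)
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "events:PutEvents" not in as_list(stmt.get("Action", [])):
            continue
        if not {bus_arn, "*"} & set(as_list(stmt.get("Resource", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        found.update(as_list(aws))
    return found
```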