Check EventBridge implementation on AWS LZ
silavjy opened this issue · 0 comments
Evaluate the impact of the change being implemented by AWS regarding IAM roles and EventBridge
Notice from AWS
We would like to notify you about an upcoming change for EventBridge cross account event bus targets. At AWS, security is our top priority. We are constantly working on improving our security posture and introducing controls, where necessary, to help our customers secure their applications on AWS. Today, Amazon EventBridge does not require you to create an IAM role when sending events to a cross account event bus target. IAM roles allow you to grant users access to resources in another account and set organization boundaries using Service Control Policies (SCPs) to determine who can send and receive events from accounts in your organization.
Beginning February 16, 2023, Amazon EventBridge will start requiring IAM roles for all new cross account event bus targets. We are providing you a 90-day notice to give you time to update your Infrastructure-as-Code templates for any new event bus targets. EventBridge already requires IAM roles for all other event bus to event bus delivery use cases, such as cross-region or within the same account. This change will ensure consistency between all routing use cases.
Our records indicate that you have one or more cross account event bus targets configured without IAM roles. We recommend using IAM roles when the target of a rule is an event bus. You can attach IAM roles using EventBridge PutTarget calls. You can also ask the destination accounts to set IAM roles if they have permission to make PutTargets API call on your event buses. As part of the AWS Shared Responsibility Model [1], you are responsible for controlling who can access your event bus resources and create IAM roles. This means that EventBridge cannot create IAM roles without being authorized by you as a customer. You can follow the documentation [2] and other blog posts [3][4] as reference for adding IAM roles to your cross account targets.
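One way to evaluate the impact described in the notice, as an added example that is not part of the original issue or of the project's code: it scans rule targets shaped like the `Targets` entries of an EventBridge ListTargetsByRule response, reports cross-account event bus targets that have no `RoleArn`, and builds the trust and permission policies a delivery role would need. Account IDs, rule names, ARNs and function names are constructed placeholders.

```python
import json
import re

# Event bus ARN layout: arn:<partition>:events:<region>:<account>:event-bus/<name>
BUS_ARN = re.compile(r"^arn:aws[\w-]*:events:[\w-]+:(\d{12}):event-bus/.+$")

def roleless_cross_account_targets(source_account, rules):
    """Return event bus targets in another account that have no RoleArn.

    `rules` maps a rule name to a list of targets shaped like the "Targets"
    entries of an EventBridge ListTargetsByRule response (Id, Arn, RoleArn).
    """
    findings = []
    for rule_name, targets in rules.items():
        for target in targets:
            match = BUS_ARN.match(target.get("Arn", ""))
            if match is None:
                continue  # Lambda, SQS, etc.: not an event bus target
            if match.group(1) == source_account or target.get("RoleArn"):
                continue  # same-account bus, or a role is already attached
            findings.append((rule_name, target["Id"], target["Arn"]))
    return findings

def role_policies(bus_arn):
    """Trust and permission policies for a role that delivers to one bus."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "events:PutEvents",
        "Resource": bus_arn}]}  # scoped to the single destination bus
    return trust, permissions

# Constructed sample data: account IDs, rule names and ARNs are placeholders.
SOURCE_ACCOUNT = "111111111111"
SAMPLE_RULES = {
    "forward-findings": [
        {"Id": "central-bus", "Arn": "arn:aws:events:us-east-1:222222222222:event-bus/central"},
        {"Id": "notify-fn", "Arn": "arn:aws:lambda:us-east-1:111111111111:function:notify"}],
    "forward-audit": [
        {"Id": "audit-bus", "Arn": "arn:aws:events:us-east-1:222222222222:event-bus/audit",
         "RoleArn": "arn:aws:iam::111111111111:role/example-events-to-audit"}],
    "local-copy": [
        {"Id": "local-bus", "Arn": "arn:aws:events:us-east-1:111111111111:event-bus/local"}],
}

if __name__ == "__main__":
    for rule, target_id, arn in roleless_cross_account_targets(SOURCE_ACCOUNT, SAMPLE_RULES):
        print(f"{rule}/{target_id} -> {arn} has no RoleArn")
        print(json.dumps(role_policies(arn)[1], indent=2))
```

In a real account the `rules` mapping would be filled from ListRules and ListTargetsByRule output for each event bus in the source account.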