[events] Grant events:PutEvents to specific EventBridge bus

[SZubarev]

Right now EventBus has static method grantPutEvents() which grants access to all EventBridge buses in account.
It would be useful to add same method or move it to instance method so it could grant access to send events only to the bus which method is called.

Use Case

This would allow to manage grants more granular

Proposed Solution

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[michaelwiles]

It's not possible to restrict access in a policy to a specific event bus.

Comment on grantPutEvents method
// It's currently not possible to restrict PutEvents to specific resources.
// See https://docs.aws.amazon.com/eventbridge/latest/userguide/permissions-reference-eventbridge.html

I can't find a definitive reference in the event bridge docs that you can't provide a specific event bus but then I can't find a reference that you can either.

So right now you can only give a policy permission to send to any event bus or not send to any event bus.

[shivlaks]

@michaelwiles - I'm not sure whether that comment is still accurate. The IAM docs seem to indicate that resource-level permissions are supported for EventBridge.

However, this is probably best clarified by testing it out. I'll mark it as a p2 for now and will update once we sort out the best path forward.

[jogold]

This is my comment there on grantPutEvents() :)

From the docs it still looks to me that it's not possible:

The table lists each EventBridge API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

[thantos]

EventBridge released this ability on Nov 19th 2020 (yesterday).

https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/

They also changed the form of EventBusPolicy, which is not currently supported by the L1 CfnEventBusPolicy construct.

[thantos]

If anyone is stuck on this, here is a really hacky workaround that I wrote. Was able to get through the stack deploy.

/**
 * https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/
 */
class CfnEventBusPolicy2 extends cdk.CfnResource {
    constructor(scope: cdk.Construct, id: string, private props: CfnEventBusPolicy2Props) {
        super(scope, id, {type: CfnEventBusPolicy.CFN_RESOURCE_TYPE_NAME, properties: props})
    }

    protected get cfnProperties(): { [p: string]: any } {
        return this.props;
    }

    protected renderProperties(props: { [p: string]: any }): { [p: string]: any } {
        return super.renderProperties(cfnEventBusPolicyPropsToCloudFormation(this.cfnProperties));
    }

    protected validate(): string[] {
        return [];
    }
}

function cfnEventBusPolicyPropsToCloudFormation(properties: any) {
    if (!cdk.canInspect(properties)) {
        return properties;
    }
    return {
        Statement: (properties.statement as PolicyStatement).toStatementJson(),
        StatementId: cdk.stringToCloudFormation(properties.statementId),
        EventBusName: cdk.stringToCloudFormation(properties.eventBusName),
    };
}

interface CfnEventBusPolicy2Props {
    readonly statementId: string;
    readonly eventBusName?: string;
    readonly statement: PolicyStatement,
}

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.