Profile Applicability:

  • Level 1

Description:

Amazon EventBridge is a serverless event bus service that connects applications using events. An event bus is the hub that receives events from sources and routes them, through rules, to targets in AWS. An event bus is "exposed to everyone" when its resource-based policy grants access to the wildcard principal (*), which permits any principal in any AWS account to act on the bus. Keeping the bus off that wildcard is essential to securing an event-driven architecture.

By configuring a resource-based policy on the event bus, you control which accounts, services, and principals can publish events to it (and, if the policy grants it, manage rules on it). This SOP ensures that only authorized entities can publish events to your event bus, preventing unauthorized access.

Rationale:

  • Security: An event bus whose policy allows the wildcard principal (*) accepts PutEvents calls from any AWS account. Forged events that match your rules invoke their targets (Lambda functions, Step Functions state machines, SQS queues) with attacker-chosen payloads, and if the policy also grants rule-management actions such as events:PutRule and events:PutTargets, an outsider can attach rules that forward your events to a target they control. Proper access controls mitigate both unauthorized publication and unauthorized consumption.

  • Data Privacy: By restricting access to the event bus, you ensure that sensitive data is not accidentally or maliciously exposed.

  • Compliance: Frameworks such as SOC 2, PCI DSS, and HIPAA require that access to systems handling sensitive data be restricted to authorized parties; an event bus that carries such data falls under that requirement.

  • Operational Integrity: Limiting access to authorized users helps ensure that events are published and consumed only by trusted systems, which is essential for maintaining system reliability and security.

Impact:

Pros:

  • Improved Security: Restricting access to the event bus helps prevent unauthorized or malicious users from interacting with your event-driven architecture.

  • Data Protection: Reduces the risk of sensitive or business-critical data being exposed or tampered with.

  • Compliance: Ensures that your AWS environment complies with industry security standards and regulatory requirements.

  • Auditing and Monitoring: With the bus limited to known principals, PutEvents activity recorded in CloudTrail comes only from expected accounts, so an unexpected caller stands out and is easier to detect and investigate.

Cons:

  • Operational Complexity: Configuring and maintaining permissions can introduce additional complexity, especially if different applications or users need specific access to the event bus.

  • Potential Service Disruption: If not configured correctly, restricting access could result in valid event publishers or consumers being unintentionally blocked, affecting service functionality.

Default Value:

By default, an event bus has no resource-based policy, so only principals in the owning account that hold the necessary IAM permissions can put events to it. The bus becomes accessible to everyone only if a policy is later added that allows the wildcard principal (*).

Pre-requisite:

  • AWS IAM Permissions:

    • events:ListEventBuses

    • events:DescribeEventBus

    • events:PutPermission

    • events:RemovePermission

  • AWS CLI installed and configured.

  • AWS EventBridge Event Bus created and configured for event routing.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EventBridge under Services.

  3. In the EventBridge Dashboard, go to Event buses and select the EventBus to review.

  4. Open the Permissions tab and review the Resource-based policy:

    • The bus is exposed to everyone if an Allow statement names the wildcard principal ("Principal": "*" or "Principal": {"AWS": "*"}) and carries no Condition that scopes the caller (for example aws:PrincipalOrgID or aws:SourceAccount). A wildcard principal constrained by such a condition is limited to your organization or the named accounts and is not exposed to everyone.

    • The bus is properly secured if only the required AWS accounts, services, or principals are listed.

  5. If access is exposed to everyone, edit the policy so that it grants access only to specific AWS accounts, organizations, or services.

Using AWS CLI:

  1. Retrieve the resource-based policy of the event bus. The Policy field is a JSON string and is absent when no policy is attached; keep this output, since it is the policy you would restore in the Backout Plan:

    aws events describe-event-bus --name <event-bus-name> --query Policy --output text

  2. Inspect every statement with "Effect": "Allow". If its Principal is "*" (or {"AWS": "*"}) and the statement has no Condition on aws:PrincipalOrgID, aws:PrincipalAccount, aws:SourceAccount, or aws:SourceArn, the event bus is exposed to everyone. Note the Sid of each such statement.

  3. To restrict access, either remove the offending statement by its Sid:

    aws events remove-permission --event-bus-name <event-bus-name> --statement-id <sid>

    or replace the policy with one that names only the specific AWS accounts or services that need to publish. put-permission with --policy sets the complete policy document, so include every statement you want to keep:

    aws events put-permission --event-bus-name <event-bus-name> --policy '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPutEventsFromTrustedAccount",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<account-id>:root"
                },
                "Action": "events:PutEvents",
                "Resource": "arn:aws:events:<region>:<your-account-id>:event-bus/<event-bus-name>"
            }
        ]
    }'

  4. Verify that the permissions have been updated:

    aws events describe-event-bus --name <event-bus-name> --query Policy --output text


Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon EventBridge.

  2. In the EventBridge Dashboard, go to Event buses and choose the event bus you want to modify.

  3. Open the Permissions tab.

  4. Review the Resource-based policy:

    • If an Allow statement names "Principal": "*" (or {"AWS": "*"}) without a Condition that scopes the caller, the event bus is publicly accessible. Choose Edit and rewrite the policy so that only specific accounts, organizations, or services are granted access, or delete the offending statement.

  5. Save the changes and verify that the event bus is no longer exposed to everyone.

Using AWS CLI:

  1. Update the event bus policy. put-permission with --policy replaces the existing policy, so include every statement you intend to keep, name only the accounts or services that must publish, and scope Resource to the bus ARN:

    aws events put-permission --event-bus-name <event-bus-name> --policy '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPutEventsFromTrustedAccount",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<account-id>:root"
                },
                "Action": "events:PutEvents",
                "Resource": "arn:aws:events:<region>:<your-account-id>:event-bus/<event-bus-name>"
            }
        ]
    }'

  2. Alternatively, remove only the statement that grants access to everyone, identified by its Sid:

    aws events remove-permission --event-bus-name <event-bus-name> --statement-id <sid>

  3. Verify the event bus is no longer exposed to everyone:

    aws events describe-event-bus --name <event-bus-name> --query Policy --output text
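The following Python script is an example added to this page; it is not AWS code and not part of the original SOP. It carries out the check from the Test Plan and prepares the policy for the Implementation Steps offline: it parses the JSON printed by aws events describe-event-bus, flags Allow statements whose wildcard principal is not scoped by a condition such as aws:PrincipalOrgID (the case a naive "Principal is *" check gets wrong in both directions), drops those statements while preserving everything else, adds explicit per-account PutEvents grants, and emits the put-permission command that applies the result. The bus name orders-bus, the account IDs 111111111111 and 222222222222, the organization ID o-exampleorgid and the sample describe output are constructed for the example.

```python
"""Audit an EventBridge event bus resource policy for exposure to everyone
and build a restricted replacement. Example added to this page, not AWS code;
it parses the JSON printed by `aws events describe-event-bus`, whose "Policy"
field is itself a JSON string. Bus name, account and org IDs are constructed."""
import json
import shlex

# Condition keys that tie a "*" principal to a known org, account or caller ARN.
# A wildcard principal scoped by one of these is not "everyone".
SCOPING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
}

def principal_set(principal):
    """Flatten a Principal ("*", {"AWS": "..."}, or lists of ARNs) to a set."""
    if principal == "*":
        return {"*"}
    found = set()
    for value in principal.values():        # e.g. {"AWS": [...], "Service": "..."}
        found.update([value] if isinstance(value, str) else value)
    return found

def has_scoping_condition(statement):
    """True when a Condition narrows the caller to an org/account/ARN.

    Null and negated operators (StringNotEquals, ArnNotLike, ...) widen the
    match instead of narrowing it, so they do not count as scoping.
    """
    for operator, keys in statement.get("Condition", {}).items():
        op = operator.lower()
        if op.startswith("null") or "not" in op:
            continue
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in keys):
            return True
    return False

def public_statements(policy):
    """Return ids (Sid, or a positional label) of Allow statements open to any AWS principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a lone statement may not be wrapped in a list
        statements = [statements]
    exposed = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or has_scoping_condition(st):
            continue
        if "*" in principal_set(st.get("Principal", {})):
            exposed.append(st.get("Sid", f"statement[{i}]"))
    return exposed

def audit_describe_output(describe_json):
    """Parse describe-event-bus output; return (bus ARN, ids of public statements)."""
    bus = json.loads(describe_json)
    if not bus.get("Policy"):               # no resource policy: same-account access only
        return bus["Arn"], []
    return bus["Arn"], public_statements(json.loads(bus["Policy"]))

def restrict_policy(policy, bus_arn, allowed_account_ids):
    """Drop public statements, keep the rest, add one explicit PutEvents allow per account."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    bad = set(public_statements(policy))
    kept = [st for i, st in enumerate(statements)
            if st.get("Sid", f"statement[{i}]") not in bad]
    for account in allowed_account_ids:
        kept.append({"Sid": f"AllowPutEventsFrom{account}", "Effect": "Allow",
                     "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                     "Action": "events:PutEvents",
                     "Resource": bus_arn})      # this bus only, never "*"
    return {"Version": "2012-10-17", "Statement": kept}

def put_permission_command(bus_name, policy):
    """CLI command that replaces the bus policy with `policy` as a whole document."""
    return ("aws events put-permission --event-bus-name " + shlex.quote(bus_name)
            + " --policy " + shlex.quote(json.dumps(policy)))

# Constructed sample: one statement open to everyone, one scoped to an organization.
BUS_ARN = "arn:aws:events:us-east-1:111111111111:event-bus/orders-bus"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToEveryone", "Effect": "Allow", "Principal": "*",
     "Action": "events:PutEvents", "Resource": BUS_ARN},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "events:PutEvents", "Resource": BUS_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}
SAMPLE_DESCRIBE_OUTPUT = json.dumps(
    {"Name": "orders-bus", "Arn": BUS_ARN, "Policy": json.dumps(SAMPLE_POLICY)})

if __name__ == "__main__":
    arn, exposed = audit_describe_output(SAMPLE_DESCRIBE_OUTPUT)
    print(f"{arn} exposed to everyone via: {exposed}")
    fixed = restrict_policy(SAMPLE_POLICY, arn, ["222222222222"])
    print(put_permission_command("orders-bus", fixed))
```

To run it against a real bus, feed the full output of aws events describe-event-bus --name <event-bus-name> to audit_describe_output instead of the constructed sample. Because put-permission with --policy overwrites the entire resource policy, restrict_policy deliberately preserves every non-public statement (here the org-scoped one) rather than emitting only the new grants, so applying the generated command does not silently drop a legitimate cross-account publisher.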

Backout Plan:

Using AWS Console:

  1. If restricting access blocks a legitimate publisher, sign in to the AWS Management Console.

  2. Navigate to Amazon EventBridge, select the event bus, and open the Permissions tab.

  3. Restore the policy returned by describe-event-bus before the change, or add a statement for the specific account that was blocked. Reverting to "Principal": "*" restores public access and should be a last resort, kept only until the missing principal has been identified.

  4. Save the changes and verify that the event bus access is restored.

Using AWS CLI:

  1. To restore the previous policy, re-apply the policy document captured before the change (saved here to a file):

    aws events put-permission --event-bus-name <EVENT_BUS_NAME> --policy file://saved-policy.json --region <REGION>

    If public access must be re-granted temporarily, add a wildcard statement instead. The action must be given in full as events:PutEvents and a statement ID is required when --policy is not used:

    aws events put-permission --event-bus-name <EVENT_BUS_NAME> --action events:PutEvents --principal "*" --statement-id AllowEveryonePutEvents --region <REGION>

  2. Verify the policy update:

    aws events describe-event-bus --name <EVENT_BUS_NAME> --region <REGION> --query Policy --output text

References:

CIS Controls Mapping:

  Version | Control ID | Control Description | IG1 | IG2 | IG3

  v8 | 3.3 | Configure Data Access Control Lists – Restrict the event bus resource policy to the accounts and principals that need to publish to it. | ✓ | ✓ | ✓

  v8 | 6.7 | Centralize Access Control – Govern who may publish to the bus through IAM and the bus resource policy rather than per-application arrangements. | | ✓ | ✓

  v8 | 6.8 | Define and Maintain Role-Based Access Control – Grant publishing and rule-management rights only to defined roles and accounts. | | | ✓