Profile Applicability

  • Level 2

Description

Amazon EventBridge event buses can be configured to allow cross-account access for event delivery. However, unrestricted or unknown cross-account access can expose your event buses to unauthorized use, leading to potential security risks. Ensuring that only trusted AWS accounts or organizations have access to your event buses helps maintain a secure and controlled environment.

Rationale

  • Enhanced Security: Prevents unauthorized accounts from sending events to your event buses.

  • Risk Mitigation: Reduces the risk of malicious activities or data breaches.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Protects event buses from unauthorized access.

  • Reduces the risk of data misuse or malicious event injection.

  • Enhances overall security posture.

Cons:

  • Requires careful management of resource policies for event buses.

  • May limit collaboration if not properly configured.

Default Value

By default, EventBridge event buses do not allow cross-account access unless explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • events:DescribeEventBus

  • events:PutPermission

  • events:RemovePermission

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EventBridge > Event Buses.

  3. Select an event bus and review its Resource Policy.

  4. Identify any policies that allow access to unknown accounts or * (wildcard).

Using AWS CLI:

  1. Describe the event bus:

    aws events describe-event-bus --name <event-bus-name>

  2. Check the Policy field in the output for any wildcard (*) or unknown account permissions.
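To make the check in step 2 repeatable across many buses, here is an added Python example (not part of this benchmark) that parses the Policy JSON string returned by describe-event-bus and reports the statements a reviewer should flag: any Allow statement whose principal is "*" without a trusted aws:PrincipalOrgID condition, or that names an account outside the trusted list. The sample policy, account ids and org id below are constructed.

```python
import json

# Constructed sample in the shape of the "Policy" field returned by
# `aws events describe-event-bus` (a JSON string). Account and org ids are made up.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPartnerAccount", "Effect": "Allow", "Action": "events:PutEvents",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Resource": "arn:aws:events:us-east-1:999999999999:event-bus/default"},
    {"Sid": "AllowOrg", "Effect": "Allow", "Action": "events:PutEvents",
     "Principal": "*",
     "Resource": "arn:aws:events:us-east-1:999999999999:event-bus/default",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AllowAnyone", "Effect": "Allow", "Action": "events:PutEvents",
     "Principal": "*",
     "Resource": "arn:aws:events:us-east-1:999999999999:event-bus/default"},
    {"Sid": "AllowUnknown", "Effect": "Allow", "Action": ["events:PutEvents"],
     "Principal": {"AWS": ["222222222222", "arn:aws:iam::333333333333:root"]},
     "Resource": "arn:aws:events:us-east-1:999999999999:event-bus/default"},
]})


def principal_accounts(principal):
    """Normalise a statement's Principal into a set of 12-digit account ids and/or '*'."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    accounts = set()
    for v in values:
        # Account-root ARNs carry the account id in the fifth colon-separated field;
        # anything else is taken as a bare account id (or the '*' wildcard).
        accounts.add(v.split(":")[4] if v.startswith("arn:aws:iam::") else v)
    return accounts


def find_untrusted_statements(policy_json, trusted_accounts, trusted_org_ids=()):
    """Return the Sids of Allow statements that grant access to '*' (unless scoped to a
    trusted aws:PrincipalOrgID) or to any account outside trusted_accounts.
    The org id in the condition is assumed to be a single string here."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = principal_accounts(stmt.get("Principal", {}))
        org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if "*" in accounts and org in trusted_org_ids:
            accounts.discard("*")  # org-scoped wildcard is the accepted pattern
        if "*" in accounts or not accounts <= set(trusted_accounts):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Feed it the Policy string from each bus in your inventory together with your own trusted account and organization ids; each Sid it returns is a candidate for remove-permission.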

Implementation Steps:

Using AWS Console:

  1. Navigate to Amazon EventBridge > Event Buses.

  2. Select the event bus to update.

  3. Edit the Resource Policy to remove any wildcard (*) or unknown account permissions.

  4. Save the changes.

Using AWS CLI:

  1. Remove unknown cross-account permissions:

    aws events remove-permission --event-bus-name <event-bus-name> --statement-id <statement-id>

  2. Add permissions for trusted accounts or organizations:

    aws events put-permission --event-bus-name <event-bus-name> --statement-id <statement-id> --action "events:PutEvents" --principal <trusted-account-id>

  3. Verify the updated policy:

    aws events describe-event-bus --name <event-bus-name>

Backout Plan

Using AWS Console:

  1. If restricting unknown cross-account access causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon EventBridge, select the event bus, and modify the resource policy to re-enable access for any AWS account (although this is not recommended).

  3. Save the changes and verify that the event bus is once again exposed to all AWS accounts.

Using AWS CLI:

  1. To revert the event bus policy to allow unknown cross-account access, use the following command:

    aws events put-permission --event-bus-name <EVENT_BUS_NAME> --statement-id <STATEMENT_ID> --action "events:PutEvents" --principal "*" --region <REGION>

  2. Verify that the policy has been reverted:

    aws events describe-event-bus --name <EVENT_BUS_NAME> --region <REGION>

References

CIS Controls

Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.         |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.  |     |     |