Finding Cross-Account AWS EventBridge Usage
November 30, 2022
Overview
Recently, AWS sent out customer notification emails regarding upcoming changes for EventBridge cross-account event bus targets. This email was titled "Security posture recommendations for your cross-account invocations".
This notification email went to customers who were determined to have one or more impacted resources.
In this post, we'll cover how one of our users, James Barney, used CloudQuery to respond to the AWS notification and change with a custom query built on top of CloudQuery's data.
Customer Testimonial
“CloudQuery helped us understand the exact impact that this AWS service change would have for our organization’s 100+ AWS accounts within 5 minutes of receiving the notification. CloudQuery saved us weeks of investigative work and gave us exactly the resource ARNs we needed to alter with this change.”
EventBridge Change
Beginning February 16, 2023, Amazon EventBridge will start requiring IAM roles for all new cross-account event bus targets.
Previously, Amazon EventBridge did not require usage of IAM roles when sending events to cross-account event buses. Other routing use cases including cross-region or within the same account already require IAM roles for event bus to event bus delivery use cases.
Sample Resource Policy (the event bus in account 111111111111 allows account 123412341234 to put events):
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountExternal",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123412341234:root"
        },
        "Action": "events:PutEvents",
        "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/wheels-on-the-bus"
    }]
}
What this Means
With this notice, AWS provided 90 days for customers to update their infrastructure-as-code templates for any new event bus targets.
We recommend ensuring all legacy cross-account event bus targets are updated. To do so, we need to do the following:
- Find all impacted EventBridge Event Buses
- Update all impacted EventBridge Event Buses (stepping through environments and testing to ensure no adverse impact)
- Validate that no legacy EventBridge Event Buses remain and that all cross-account targets have been updated to use IAM roles
For cross-account access, scoping permissions and principals in resource policies helps with reducing access and improves security posture.
Customer Query
We would like to thank James Barney for sharing their use case and working with us on the below query. We're especially happy when our users bring innovation and layer advanced queries on top of CloudQuery data to provide value to their organizations.
SELECT *
FROM
(
    SELECT account_id, name, policy, arn,
           -- The capture group makes ext_account[1] the bare 12-digit account id;
           -- without it the array element would be "123412341234:root" and the
           -- comparison against account_id below would never be equal.
           regexp_matches(policy, '([0-9]{12}):root', 'g') AS ext_account
    FROM aws_eventbridge_event_buses
) data
WHERE account_id != ext_account[1];
The above query will detect any use of an AWS account reference for cross-account access to Amazon EventBridge Event Buses and will return a table with one row for each occurrence of a cross-account reference. If multiple accounts are referenced in a policy, each account will be a separate row.
By filtering on the regex [0-9]{12}:root, we look for any string that matches part of an AWS account resource identifier such as 1213412341234:root. While we do look through the entire policy, AWS account ARNs should only exist in the Principal block of statements.
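The regex scans the whole policy text and only recognises the "<account>:root" form. As an added example (not part of the original post or CloudQuery's code), the script below re-implements the query's logic in Python by parsing the policy document and reading only the Principal block of each statement, which also picks up principals written as a bare account id or as a role ARN. The three event bus rows are constructed to mirror the aws_eventbridge_event_buses columns the query uses (account_id, name, arn, policy); the second bus and its principals are invented for the example.

```python
import json
import re

# Constructed rows shaped like the account_id/name/arn/policy columns the
# SQL query reads. Bus 1 carries the resource policy shown earlier on this
# page; bus 2 and the "default" bus are made up for the example.
SAMPLE_BUSES = [
    {
        "account_id": "111111111111",
        "name": "wheels-on-the-bus",
        "arn": "arn:aws:events:us-east-1:111111111111:event-bus/wheels-on-the-bus",
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AccountExternal",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123412341234:root"},
                "Action": "events:PutEvents",
                "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/wheels-on-the-bus",
            }],
        }),
    },
    {
        "account_id": "111111111111",
        "name": "mixed-principals",
        "arn": "arn:aws:events:us-east-1:111111111111:event-bus/mixed-principals",
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "OwnRootAndBareId",
                "Effect": "Allow",
                # own account as a root ARN plus an external account as a bare id
                "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]},
                "Action": "events:PutEvents",
                "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/mixed-principals",
            }],
        }),
    },
    {   # a bus with no resource policy at all
        "account_id": "111111111111",
        "name": "default",
        "arn": "arn:aws:events:us-east-1:111111111111:event-bus/default",
        "policy": None,
    },
]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def principals_from_policy(policy_text):
    """Yield (sid, effect, principal) for every AWS principal in the policy's statements."""
    doc = json.loads(policy_text)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be written without the list
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or a missing Principal names no account
            continue
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            yield stmt.get("Sid", ""), stmt.get("Effect", ""), p


def account_of_principal(principal):
    """Return the 12-digit account id named by a principal, or None (e.g. for "*")."""
    if ACCOUNT_ID_RE.fullmatch(principal):
        return principal
    match = IAM_ARN_RE.match(principal)     # root, user or role ARNs all carry the account id
    return match.group(1) if match else None


def cross_account_references(buses):
    """One row per external-account principal, like the page's SQL query returns."""
    rows = []
    for bus in buses:
        if not bus.get("policy"):
            continue
        for sid, effect, principal in principals_from_policy(bus["policy"]):
            ext = account_of_principal(principal)
            if ext and ext != bus["account_id"]:
                rows.append({"account_id": bus["account_id"], "name": bus["name"],
                             "arn": bus["arn"], "sid": sid, "effect": effect,
                             "ext_account": ext})
    return rows


def regex_ext_accounts(policy_text):
    """The query's regex approach, with a capture group so only the account id comes back."""
    return re.findall(r"([0-9]{12}):root", policy_text or "")


if __name__ == "__main__":
    for row in cross_account_references(SAMPLE_BUSES):
        print(f"{row['arn']} grants {row['ext_account']} via statement {row['sid']!r}")
```

On the sample data the structured walk reports both external accounts, while the regex alone finds the root ARN in the first policy and, in the second, returns only the bus's own account (the bare id 222222222222 has no ":root" suffix), which is the kind of reference a follow-up review of the query's results should watch for.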
Contact Us
If you have use cases or custom queries and examples from using CloudQuery, we would love to hear from you! Reach out to us on GitHub or Discord!
References and Useful Links
AWS: Service Control Policies (SCPs)
AWS: Sending and receiving Amazon EventBridge events between AWS accounts