
Amazon CloudWatch Events Gains Cross-Account Event Delivery

Amazon Web Services (AWS) recently added cross-account event delivery to Amazon CloudWatch Events to support use cases such as the tracking of events across an entire organization and the handling of events in separate accounts to implement advanced security schemes.

Amazon CloudWatch Events is part of Amazon CloudWatch (previous coverage) and delivers a "near real-time stream of events" that allows you to "track and respond to changes in your AWS resources" by using rules that route matching events to one or more targets. In his introductory blog post, Jeff Barr (Chief Evangelist AWS) described CloudWatch Events as "the central nervous system for your AWS environment". Accordingly, in addition to supporting read/write API call events for most services, the list of service-specific event types and targets is growing frequently, with recent new entries such as AWS Step Functions, Amazon ECS, Amazon Kinesis Firehose, AWS CodeBuild, and AWS CodePipeline.

CloudWatch Events can now also send and receive events between AWS accounts to support advanced use cases and topologies such as fan-in to handle events from multiple accounts in one place, or fan-out to route different types of events to separate accounts (events that originated in another account will not be forwarded to a third one, which avoids infinite loops), for example:

  • Organizational rollup - tracking of events across several accounts or an entire organization managed via AWS Organizations (previous coverage)
  • Bounded security contexts - responding to security related events in dedicated and isolated accounts for separation of concerns

[Figure: Amazon CloudWatch Events Event Buses Overview]

Currently AWS supports a single event bus per account, with "plans to allow more in the future". An associated access policy specifies the set of additional AWS accounts that are allowed to send events to the receiving account's event bus. By default, rules in the receiving account will also match events that originated in other accounts. This can be prevented by specifying one or more AWS account IDs in the "account" field of a rule's event pattern, resulting in the following typical steps for cross-account event processing:

  • On the receiver account, authorize one or more (or all) AWS accounts to send events to its default event bus.
  • On the sender account, set up one or more rules that target the receiver account's default event bus.
  • On the receiver account, set up one or more rules that match events coming from one or more (or all) AWS accounts.
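The following is an added illustration of the receiver-side configuration described in these steps; it is not code from the article or from AWS. The account IDs, region, and sample event are constructed, and the policy document is a hand-written approximation of what the receiver's event-bus permission looks like. The toy matcher follows CloudWatch Events rule semantics (every key in the pattern must be present in the event with a listed value) and shows that a rule without an "account" field will fire on events forwarded by any authorized sender, while pinning "account" to the receiver's own ID does not.

```python
"""Receiver-side view of cross-account CloudWatch Events (added example)."""

RECEIVER = "111111111111"   # constructed placeholder account IDs
SENDER = "222222222222"

# Approximation of the event-bus access policy the receiver grants to SENDER
# (the effect of authorizing another account to PutEvents on the default bus).
BUS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSender", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SENDER}:root"},
    "Action": "events:PutEvents",
    "Resource": f"arn:aws:events:us-east-1:{RECEIVER}:event-bus/default"}]}


def matches(pattern, event):
    """Rule semantics: each pattern key must exist in the event and its value
    must be one of the listed values; nested objects are matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


# Rule with no "account" field: matches events from any account allowed on the bus.
OPEN_RULE = {"source": ["aws.ec2"],
             "detail-type": ["EC2 Instance State-change Notification"]}
# Same rule pinned to the receiver's own account, as the article recommends.
PINNED_RULE = dict(OPEN_RULE, account=[RECEIVER])


def make_event(account):
    """Constructed sample event in the CloudWatch Events envelope format."""
    return {"version": "0", "source": "aws.ec2", "account": account,
            "region": "us-east-1", "detail": {"state": "running"},
            "detail-type": "EC2 Instance State-change Notification"}


def evaluate(rule, account):
    """True if an event originating in `account` would trigger `rule`."""
    return matches(rule, make_event(account))


if __name__ == "__main__":
    for name, rule in (("open", OPEN_RULE), ("pinned", PINNED_RULE)):
        for acct in (RECEIVER, SENDER):
            print(f"{name} rule, event from {acct}: {evaluate(rule, acct)}")
```

If the bus policy grants all accounts (principal "*"), the "account" field in the rule pattern becomes the only thing deciding whose events your targets act on.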

In related news, Amazon CloudWatch Events now also supports input transformations of events before sending them to targets so that "you can extract multiple key-value pairs from their event JSONs and transform the data to fit your needs". AWS has also just significantly increased the default CloudWatch Events limits. As with many other AWS service limits, users can request a limit increase beyond these new defaults via the AWS support center.

The Amazon CloudWatch Events documentation features a user guide, including a getting started section, the AWS CLI reference, and the API reference. Support is provided via the Amazon CloudWatch forum. Usage of CloudWatch Events is free, except for the ingestion of custom events and events forwarded to another account, which are charged to the sending account as custom events and priced accordingly.
