AWS
Security
Tutorials

Finding Cross-Account AWS EventBridge Usage

Jason Kao

Jason Kao

Overview #

Recently, AWS sent out customer notification emails regarding upcoming changes for EventBridge cross-account event bus targets. This email was titled Security posture recommendations for your cross-account invocations. This notification email went to customers who were determined to have one or more impacted resources.
In this post, we'll cover how one of our users, James Barney, used CloudQuery to respond to the AWS notification and change with a custom query built on top of CloudQuery's data.

Customer Testimonial #

“CloudQuery helped us understand the exact impact that this AWS service change would have for our organization’s 100+ AWS accounts within 5 minutes of receiving the notification. CloudQuery saved us weeks of investigative work and gave us exactly the resource ARNs we needed to alter with this change.”

EventBridge Change #

Beginning February 16, 2023, Amazon EventBridge will start requiring IAM roles for all new cross-account event bus targets.
Previously, Amazon EventBridge did not require usage of IAM roles when sending events to cross-account event buses. Other routing use cases including cross-region or within the same account already require IAM roles for event bus to event bus delivery use cases.
Sample Resource Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountExternal",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123412341234:root"
      },
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/wheels-on-the-bus"
    }
  ]
}

What this Means #

With this notice, AWS provided 90 days for customers to update their infrastructure-as-code templates for any new event bus targets.
We recommend ensuring all legacy cross-account event bus targets are updated. To do so, we need to do the following:
  • Find all impacted EventBridge Event Buses
  • Update all impacted EventBridge Event Buses (Stepping through environments and testing to ensure no adverse impact)
  • Validating that there are no legacy EventBridge Event Buses and they've all been updated to use IAM roles.
For cross-account access, scoping permissions and principals in resource policies helps with reducing access and improves security posture.

Customer Query #

We would like to thank James Barney for sharing their use case and working with us on the below query. We're especially happy when our users bring innovation and layer advanced queries on top of CloudQuery data to provide value to their organizations.
SELECT *
FROM
(
 SELECT account_id, name, policy, arn,
   regexp_matches(policy, '[0-9]{12}:root', 'g') as ext_account
 FROM aws_eventbridge_event_buses
) data
WHERE account_id != ext_account[1];
The above query will detect any usage the AWS account reference for cross-account access to Amazon EventBridge Event Buses and will return a table of each occurrence of a cross-account reference. If there are multiple accounts referenced in a policy, each account will be a separate row.
By filtering on the regex [0-9]{12}:root, we look for any string that matches part of an AWS account resource identifier such as 1213412341234:root. While we do look through the entire policy, AWS account ARNs should only exist in the Principal block of statements.

Ready to get started with CloudQuery? You can try out CloudQuery locally with our quick start guide or explore the CloudQuery Platform (currently in beta) for a more scalable solution.
Want help getting started? Join the CloudQuery community to connect with other users and experts, or message our team directly here if you have any questions.
If you have use cases or custom queries and examples from using CloudQuery, we would love to hear from you! Reach out to us on GitHub or our Community!
Jason Kao

Written by Jason Kao

Jason worked as Head of Security Research and Solutions at CloudQuery and was a Senior Data Engineer prior to taking on that role. He focused on multi-cloud environments and has particular expertise on AWS.

Turn cloud chaos into clarity

Find out how CloudQuery can help you get clarity from a chaotic cloud environment with a personalized conversation and demo.

Join our mailing list

Subscribe to our newsletter to make sure you don't miss any updates.

Legal

© 2024 CloudQuery, Inc. All rights reserved.

We use tracking cookies to understand how you use the product and help us improve it. Please accept cookies to help us improve. You can always opt out later via the link in the footer.