Turning on group lifecycle events in Resource Groups - Amazon Resource Groups

Turning on group lifecycle events in Resource Groups

To receive notifications about lifecycle changes to your resource groups, you can turn on group lifecycle events. Resource Groups then provides information about your groups' changes to Amazon EventBridge. In EventBridge, you can evaluate and act on the changes using rules you define in the EventBridge service.

Minimum permissions

To turn on group lifecycle events in your Amazon Web Services account, you must sign in as an Amazon Identity and Access Management (IAM) principal with the following permissions:

  • resource-groups:UpdateAccountSettings

  • iam:CreateServiceLinkedRole

  • events:PutRule

  • events:PutTargets

  • events:DescribeRule

  • events:ListTargetsByRule

  • cloudformation:DescribeStacks

  • cloudformation:ListStackResources

  • tag:GetResources

When you initially turn on group lifecycle events in an Amazon Web Services account, Resource Groups creates a service-linked role named AWSServiceRoleForResourceGroups. This managed role has permission to use a Resource Groups managed EventBridge rule. The rule monitors the tags attached to your resources and the Amazon CloudFormation stacks in your account for any changes. Resource Groups then publishes those changes to the default event bus in Amazon EventBridge. The service also creates an EventBridge managed rule named Managed.ResourceGroups.TagChangeEvents. This rule captures the details of tag changes of your resources. This lets Resource Groups generate membership events to send to EventBridge for your custom rules to process. Your EventBridge rules can then respond to events by sending notifications to the rules' configured targets.

After you complete these steps, rules that look for these events should start receiving them in a few minutes.

You can turn on group lifecycle events by using either the Amazon Web Services Management Console or a command from the Amazon CLI or one of the SDK APIs.

Note

You can't turn on group lifecycle events if your resource groups quota is too high. For more information, review Viewing service quotas.

Amazon Web Services Management Console
To turn on group lifecycle events in the Resource Groups console
  1. Open the Settings page in the Resource Groups console.

  2. In the Group lifecycle events section, choose the switch next to Notifications are turned off.

  3. On the confirmation dialog, choose Turn on notifications.

    The feature switch displays Notifications are turned on.

That completes the first part of the process. After you turn on event notifications, you can create rules in Amazon EventBridge that capture the events and send them to specific Amazon Web Services for processing.

Amazon CLI
To turn on group lifecycle events by using the Amazon CLI or the Amazon SDKs

The following example shows how to use the Amazon CLI to turn on group lifecycle events in Resource Groups. Enter the command with the service principal parameter exactly as shown. The output shows both the current status and the desired status of the feature.

    $ aws resource-groups update-account-settings \
        --group-lifecycle-events-desired-status ACTIVE
    {
        "AccountSettings": {
            "GroupLifecycleEventsDesiredStatus": "ACTIVE",
            "GroupLifecycleEventsStatus": "IN_PROGRESS"
        }
    }

You can confirm that the feature is turned on by running the following example command. When both status fields show the same value, then the operation is complete.

    $ aws resource-groups get-account-settings
    {
        "AccountSettings": {
            "GroupLifecycleEventsDesiredStatus": "ACTIVE",
            "GroupLifecycleEventsStatus": "ACTIVE"
        }
    }
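The confirmation step above can be scripted so that anything relying on these events starts only after the feature is active. The following is an added example, not part of the original documentation: it polls get-account-settings until both status fields match. The function names, the timeout and interval values, and the handling of an ERROR status (a value from the Resource Groups API that this page does not show) are assumptions.

```python
import json
import subprocess
import time

# Constructed replay input: the two outputs shown on this page, in order.
PAGE_OUTPUTS = [
    {"GroupLifecycleEventsDesiredStatus": "ACTIVE", "GroupLifecycleEventsStatus": "IN_PROGRESS"},
    {"GroupLifecycleEventsDesiredStatus": "ACTIVE", "GroupLifecycleEventsStatus": "ACTIVE"},
]


def fetch_account_settings():
    """Run the get-account-settings command from this page; return AccountSettings."""
    out = subprocess.run(
        ["aws", "resource-groups", "get-account-settings", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["AccountSettings"]


def wait_for_lifecycle_events(desired="ACTIVE", fetch=fetch_account_settings,
                              timeout=300, interval=10, sleep=time.sleep):
    """Poll until both status fields equal `desired`; return the number of polls.
    Raises RuntimeError on a desired-status mismatch, ERROR, or timeout."""
    polls = waited = 0
    while True:
        settings = fetch()
        polls += 1
        want = settings.get("GroupLifecycleEventsDesiredStatus")
        have = settings.get("GroupLifecycleEventsStatus")
        if want != desired:
            # The update was never requested, or someone changed it back.
            raise RuntimeError(f"desired status is {want!r}, expected {desired!r}")
        if have == want:
            return polls
        if have == "ERROR":  # API value not shown on this page (assumption)
            detail = settings.get("GroupLifecycleEventsStatusMessage", "")
            raise RuntimeError(f"service reported ERROR: {detail}")
        if waited >= timeout:
            raise RuntimeError(f"still {have!r} after {waited}s")
        sleep(interval)
        waited += interval


if __name__ == "__main__":
    # Offline dry run; call wait_for_lifecycle_events() with no arguments to poll a real account.
    replay = iter(PAGE_OUTPUTS)
    print(wait_for_lifecycle_events(fetch=lambda: next(replay), sleep=lambda s: None))
```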

For more information, see the following resources: