Amazon EventBridge and Amazon Identity and Access Management - Amazon EventBridge
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon EventBridge and Amazon Identity and Access Management

To access Amazon EventBridge, you need credentials that Amazon can use to authenticate your requests. Your credentials must have permissions to access Amazon resources, such as retrieving event data from other Amazon resources. The following sections provide details on how you can use Amazon Identity and Access Management (IAM) and EventBridge to help secure your resources by controlling who can access them.


You can access Amazon as any of the following types of identities:

  • Amazon account root user – When you sign up for Amazon, you provide an email address and password that is associated with your account. These are your root credentials, and they provide complete access to all of your Amazon resources.


    For security reasons, we recommend that you use the root credentials only to create an administrator, which is an IAM user with full permissions to your account. Then you can use this administrator to create other users and roles with limited permissions. For more information, see IAM Best Practices and Creating an Admin User and Group in the IAM User Guide.

  • IAM user – An IAM user is an identity within your account that has specific permissions, for example, permission to send event data to a target in EventBridge. You can use an IAM sign-in credentials to sign in to secure Amazon webpages such as the Amazon Web Services Management Console, Amazon Discussion Forums, or the Amazon Web Services Support Center.

    In addition to sign-in credentials, you can also generate access keys for each user. You can use these keys when you access Amazon services programmatically to cryptographically sign your request, either through one of the SDKs or by using the Amazon Command Line Interface (Amazon CLI). If you don’t use Amazon tools, you must sign the request yourself with Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

  • IAM role – An IAM role is another IAM identity that you can create in your account that has specific permissions. It's similar to an IAM user, but it isn't associated with a specific person. Using an IAM role, you can obtain temporary access keys to access Amazon services and resources. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating a user, you can use identities from Amazon Directory Service, your enterprise user directory, or a web identity provider (IdP). These are known as federated users. Amazon assigns a role to a federated user when the user requests access through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.

    • Cross-account access – You can use an IAM role in your account to grant another account permission to access your account’s resources. For an example, see Tutorial: Delegate Access Across Amazon Accounts Using IAM Roles in the IAM User Guide.

    • Amazon service access – You can use an IAM role in your account to grant an Amazon service permission to access your account’s resources. For example, you can create a role that allows Amazon Redshift to load data stored in an Amazon S3 bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an Amazon Service in the IAM User Guide.

    • Applications running on Amazon EC2 – For Amazon EC2 applications that need access to EventBridge, you can either store access keys in the EC2 instance or you can use an IAM role to manage temporary credentials. To assign an Amazon role to an EC2 instance, you create an instance profile that is attached to the instance. An instance profile contains the role, and it provides temporary credentials to applications running on the EC2 instance. For more information, see Using Roles for Applications on Amazon EC2 in the IAM User Guide.

Access control

To create or access EventBridge resources, you need both valid credentials and permissions. For example, to invoke Amazon Lambda, Amazon Simple Notification Service (Amazon SNS), and Amazon Simple Queue Service (Amazon SQS) targets, you must have permissions to those services.