Event bus targets in Amazon EventBridge
A target is a resource or endpoint that EventBridge sends an event to when the event matches the event pattern defined for a rule. The rule processes the event data and sends the pertinent information to the target. To deliver event data to a target, EventBridge needs permission to access the target resource. You can define up to five targets for each rule.
When you add targets to a rule and that rule runs soon after, any new or updated targets might not be immediately invoked. Allow a short period of time for changes to take effect.
Event bus targets available in the EventBridge console
You can configure the following target types for rules in the EventBridge console:
API destinations
API destinations are HTTPS endpoints that you can invoke as the target of an event bus rule. When you specify an API destination as a rule target, EventBridge invokes the HTTPS endpoint for any event that matches the event pattern specified in the rule, and then delivers the event information with the request. For more information, see API destinations.
Event buses
You can specify other event buses as targets for rules. This includes event buses in the same or different Amazon accounts.
Amazon services
You can have EventBridge send events to a number of Amazon service resources. These include:
-
CodePipeline
-
Amazon EBS
CreateSnapshotAPI call -
EC2 Image Builder
-
EC2
RebootInstancesAPI call -
EC2
StopInstancesAPI call -
EC2
TerminateInstancesAPI call -
Firehose delivery stream
-
Glue workflow
-
Inspector assessment template
-
Kinesis stream
-
Lambda function (ASYNC)
-
SageMaker AI Pipeline
-
Amazon SNS topic
-
Amazon SQS queue and FIFO queue
-
Step Functions state machine (ASYNC)
-
Systems Manager Automation
-
Systems Manager OpsItem
-
Systems Manager Run Command
Target parameters
Some targets don't send the information in the event payload to the target, instead, they treat the event as a trigger for invoking a specific API. EventBridge uses the Target parameters to determine what happens with that target. These include the following:
-
API destinations (The data sent to an API destination must match the structure of the API. You must use the
InputTransformerobject to make sure the data is structured correctly. If you want to include the original event payload, reference it in theInputTransformer.) -
API Gateway (The data sent to API Gateway must match the structure of the API. You must use the
InputTransformerobject to make sure the data is structured correctly. If you want to include the original event payload, reference it in theInputTransformer.) -
Amazon EC2 Image Builder
-
RedshiftDataParameters(Amazon Redshift Data API clusters) -
SageMakerPipelineParameters(Amazon SageMaker Runtime Model Building Pipelines)
Note
EventBridge does not support all JSON Path syntax and evaluate it at runtime. Supported syntax includes:
dot notation (for example,
$.detail)dashes
underscores
alphanumeric characters
array indices
wildcards (*)
Dynamic path parameters
Some target parameters support optional dynamic JSON path syntax. This syntax allows you to specify JSON paths instead of static values (for example $.detail.state).
The entire value has to be a JSON path, not just part of it. For example, RedshiftParameters.Sql can be $.detail.state but it can't be
"SELECT * FROM $.detail.state". These paths are replaced dynamically at runtime with data from the event payload itself at the specified path. Dynamic path parameters
can't reference new or transformed values resulting from input transformation. The supported syntax for
dynamic parameter JSON paths is the same as
when transforming input. For more information, see Amazon EventBridge input transformation
Dynamic syntax can be used on all the string, non-enum fields of these parameters:
-
HttpParameters(exceptHeaderParameterskeys)
Permissions
To make API calls on the resources that you own, EventBridge needs appropriate permissions.
Specify an IAM execution role using the EventBridge
console, or by setting the RoleARN parameter in PutTargets.
For example, the following policy defines permission to send messages to an Amazon SQS queue:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage" ], "Resource": [ "arn:aws:sqs:us-east-1:0123456789012:sqs-queue-name" ] } ] }
And the following trust policy enables EventBridge to assume the role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
You can invoke an API Gateway endpoint with configured IAM authorization, but the role is optional if you haven't configured authorization. For more information, see Amazon EventBridge and Amazon Identity and Access Management.
If another account is in the same Region and has granted you permission, then you can send events to that account.
For more information, see Sending and receiving events between Amazon accounts in Amazon EventBridge.
If your target, such as an Amazon SQS queue, uses Amazon Key Management Service (Amazon KMS) encryption, you must include the following section in your KMS key policy:
{ "Sid": "Allow EventBridge to use the key", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" }
Amazon Batch job queues as targets
Certain parameters to Amazon Batch submitJob can be configured via BatchParameters.
Others can be specified in the event payload. If the event payload (passed through or via InputTransformers) contains the following keys, they are mapped to submitJob request parameters:
ContainerOverrides: containerOverridesNote
This includes only command, environment, memory, and vcpus
DependsOn: dependsOnNote
This includes only jobId
Parameters: parameters
CloudWatch Logs groups as targets
If you don’t use an InputTransformer with a CloudWatch Logs target, the event payload is used as the log message, and the source of the event as the timestamp. If you do use an InputTransformer, the template must be:
{"timestamp":<timestamp>,"message":<message>}
EventBridge batches the entries sent to a log stream; therefore, EventBridge may deliver a single or multiple events to a log stream, depending on traffic.
CodeBuild projects as targets
If you use InputTransformers to shape the input event to a Target to match the CodeBuild StartBuildRequest structure, the parameters will be mapped 1-to-1 and passed through to codeBuild.StartBuild.
Amazon ECS tasks as targets
If you use InputTransformers to shape the input event to a Target to match the Amazon ECS RunTask TaskOverride structure, the parameters will be mapped 1-to-1 and passed through to ecs.RunTask.
Incident Manager response plans as targets
If the matched event came from CloudWatch Alarms, the alarm state change details are populated into the trigger details of the StartIncidentRequest call to Incident Manager.
Amazon SQS queues as targets
EventBridge does not support using Amazon SQS queues that are encrypted with an Amazon owned key. This includes targets, as well as Amazon SQS queues specified as dead-letter queues for targets. For more information on Amazon owned keys, see Amazon owned keys in the Amazon Key Management Service Developer Guide.