EventBridge managed policies AmazonEventBridgeFullAccess AmazonEventBridgeReadOnlyAccess AmazonEventBridgeApiDestinationsServiceRolePolicy Schema policies Scheduler policies Pipes policies Policy updates

Using identity-based policies (IAM policies) for Amazon EventBridge

Identity-based policies are permissions policies that you can attach to IAM identities.

Amazon managed policies for EventBridge

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. Managed, or predefined, policies grant the necessary permissions for common use cases, so you don't need to investigate what permissions are needed. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies that you can attach to users in your account are specific to EventBridge:

AmazonEventBridgeFullAccess – Grants full access to EventBridge, including EventBridge Pipes, EventBridge Schemas and EventBridge Scheduler.
AmazonEventBridgeReadOnlyAccess – Grants read-only access to EventBridge, including EventBridge Pipes, EventBridge Schemas and EventBridge Scheduler.

Amazon managed policy: AmazonEventBridgeFullAccess

The AmazonEventBridgeFullAccess policy grants permissions to use all EventBridge actions, as well as the following permissions:

iam:CreateServiceLinkedRole – EventBridge requires this permission to create the service role in your account for API destinations. This permission grants only the IAM service permissions to create a role in your account specifically for API destinations.
iam:PassRole – EventBridge requires this permission to pass an invocation role to EventBridge to invoke the target of a rule.
Secrets Manager permissions – EventBridge requires these permissions to manage secrets in your account when you provide credentials through the connection resource to authorize API Destinations.

To view the permissions for this policy, see AmazonEventBridgeFullAccess in the Amazon Managed Policy Reference.

Amazon managed policy: AmazonEventBridgeReadOnlyAccess

The AmazonEventBridgeReadOnlyAccess policy grants permissions to use all read EventBridge actions.

To view the permissions for this policy, see AmazonEventBridgeReadOnlyAccess in the Amazon Managed Policy Reference.

Amazon managed policy: AmazonEventBridgeApiDestinationsServiceRolePolicy

You can't attach AmazonEventBridgeApiDestinationsServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows EventBridge permissions to access Amazon Secrets Manager resources on your behalf.

To view the permissions for this policy, see AmazonEventBridgeApiDestinationsServiceRolePolicy in the Amazon Managed Policy Reference.

Amazon managed policies: EventBridge Schemas

A schema defines the structure of events that are sent to EventBridge. EventBridge provides schemas for all events that are generated by Amazon services. The following Amazon managed policies specific to EventBridge Schemas are available:

AmazonEventBridgeSchemasFullAccess

You can attach the AmazonEventBridgeSchemasFullAccess policy to your IAM identities.

Provides full access to EventBridge schemas.
AmazonEventBridgeSchemasReadOnlyAccess

You can attach the AmazonEventBridgeSchemasReadOnlyAccess policy to your IAM identities.

Provides read only access to EventBridge Schemas.
AmazonEventBridgeSchemasServiceRolePolicy

You can't attach AmazonEventBridgeSchemasServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows EventBridge permissions to managed rules created by EventBridge schemas.

Amazon managed policies: EventBridge Scheduler

Amazon EventBridge Scheduler is a serverless scheduler that allows you to create, run, and manage tasks from one central, managed service. For Amazon managed policies that are specific to EventBridge Scheduler, see Amazon managed policies for EventBridge Scheduler in the EventBridge Scheduler User Guide.

Amazon managed policies: EventBridge Pipes

EventBridge Pipes connects event sources to targets. Pipes reduces the need for specialized knowledge and integration code when developing event driven architectures. This helps ensures consistency across your company’s applications. The following Amazon managed policies specific to EventBridge Pipes are available:

AmazonEventBridgePipesFullAccess

You can attach the AmazonEventBridgePipesFullAccess policy to your IAM identities.

Provides full access to EventBridge Pipes.

Note
This policy provides iam:PassRole – EventBridge Pipes requires this permission to pass an invocation role to EventBridge to create, and start pipes.
AmazonEventBridgePipesReadOnlyAccess

You can attach the AmazonEventBridgePipesReadOnlyAccess policy to your IAM identities.

Provides read-only access to EventBridge Pipes.
AmazonEventBridgePipesOperatorAccess

You can attach the AmazonEventBridgePipesOperatorAccess policy to your IAM identities.

Provides read-only and operator (that is, the ability to stop and start running Pipes) access to EventBridge Pipes.

Amazon EventBridge updates to Amazon managed policies

View details about updates to Amazon managed policies for EventBridge since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the EventBridge Document history page.

Change	Description	Date
AmazonEventBridgeApiDestinationsServiceRolePolicy – Updated policy	EventBridge updated policy to restrict the scope of permissions for Secrets Manager operations to the same account.	May 29, 2025
AmazonEventBridgeApiDestinationsServiceRolePolicy – Updated policy	EventBridge updated policy to grant Amazon KMS encrypt and decrypt permissions via Secrets Manager. This enables EventBridge to update connection secret resources with new OAuth token value when access token refresh is required.	March 28, 2025
AmazonEventBridgeFullAccess – Updated policy	Amazon GovCloud (US) Regions only The following permission is not included, as it is not used: `iam:CreateServiceLinkedRole` permission for EventBridge Schema Registry	May 9, 2024
AmazonEventBridgeSchemasFullAccess – Updated policy	Amazon GovCloud (US) Regions only The following permission is not included, as it is not used: `iam:CreateServiceLinkedRole` permission for EventBridge Schema Registry	May 9, 2024
AmazonEventBridgePipesFullAccess – New policy added	EventBridge added managed policy for full permissions for using EventBridge Pipes.	December 1, 2022
AmazonEventBridgePipesReadOnlyAccess – New policy added	EventBridge added managed policy for permissions to view EventBridge Pipes information resources.	December 1, 2022
AmazonEventBridgePipesOperatorAccess – New policy added	EventBridge added managed policy for permissions to view EventBridge Pipes information, as well as start and stop running pipes.	December 1, 2022
AmazonEventBridgeFullAccess – Update to an existing policy	EventBridge updated the policy to include permissions necessary for using EventBridge Pipes features.	December 1, 2022
AmazonEventBridgeReadOnlyAccess – Update to an existing policy	EventBridge added permissions necessary for view EventBridge Pipes information resources. The following actions were added: `pipes:DescribePipe` `pipes:ListPipes` `pipes:ListTagsForResource`	December 1, 2022
CloudWatchEventsReadOnlyAccess – Update to an existing policy	Updated to match AmazonEventBridgeReadOnlyAccess.	December 1, 2022
CloudWatchEventsFullAccess – Update to an existing policy	Updated to match AmazonEventBridgeFullAccess.	December 1, 2022
AmazonEventBridgeFullAccess – Update to an existing policy	EventBridge updated the policy to include permissions necessary for using schemas and scheduler features. The following permissions were added: EventBridge Schema Registry actions EventBridge Scheduler actions `iam:CreateServiceLinkedRole` permission for EventBridge Schema Registry `iam:PassRole` permission for EventBridge Scheduler	November 10, 2022
AmazonEventBridgeReadOnlyAccess – Update to an existing policy	EventBridge added permissions necessary for view schema and scheduler information resources. The following actions were added: `schemas:DescribeCodeBinding` `schemas:DescribeDiscoverer` `schemas:DescribeRegistry` `schemas:DescribeSchema` `schemas:ExportSchema` `schemas:GetCodeBindingSource` `schemas:GetDiscoveredSchema` `schemas:GetResourcePolicy` `schemas:ListDiscoverers` `schemas:ListRegistries` `schemas:ListSchemas` `schemas:ListSchemaVersions` `schemas:ListTagsForResource` `schemas:SearchSchemas` `scheduler:GetSchedule` `scheduler:GetScheduleGroup` `scheduler:ListSchedules` `scheduler:ListScheduleGroups` `scheduler:ListTagsForResource`	November 10, 2022
AmazonEventBridgeReadOnlyAccess – Update to an existing policy	EventBridge added permissions necessary for view endpoint information. The following actions were added: `events:ListEndpoints` `events:DescribeEndpoint`	April 7, 2022
AmazonEventBridgeReadOnlyAccess – Update to an existing policy	EventBridge added permissions necessary for view connection and API destination information. The following actions were added: `events:DescribeConnection` `events:ListConnections` `events:DescribeApiDestination` `events:ListApiDestinations`	March 4, 2021
AmazonEventBridgeFullAccess – Update to an existing policy	EventBridge updated the policy to include `iam:CreateServiceLinkedRole` and Amazon Secrets Manager permissions necessary for using API destinations. The following actions were added: `secretsmanager:CreateSecret` `secretsmanager:UpdateSecret` `secretsmanager:DeleteSecret` `secretsmanager:GetSecretValue` `secretsmanager:PutSecretValue`	March 4, 2021
EventBridge started tracking changes	EventBridge started tracking changes for its Amazon managed policies.	March 4, 2021

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Managing access

Roles for sending events