Event bus targets in Amazon EventBridge
A target is a resource or endpoint that EventBridge sends an event to when the event matches the event pattern defined for a rule. The rule processes the event data and sends the pertinent information to the target. To deliver event data to a target, EventBridge needs permission to access the target resource. You can define up to five targets for each rule.
When you add targets to a rule and that rule runs soon after, any new or updated targets might not be immediately invoked. Allow a short period of time for changes to take effect.
The following video covers the basics of targets:
Event bus targets available in the EventBridge console
You can configure the following targets for events in the EventBridge console:
-
CodePipeline
-
Amazon EBS
CreateSnapshotAPI call -
EC2 Image Builder
-
EC2
RebootInstancesAPI call -
EC2
StopInstancesAPI call -
EC2
TerminateInstancesAPI call -
Firehose delivery stream
-
Glue workflow
-
Inspector assessment template
-
Kinesis stream
-
Lambda function (ASYNC)
-
SageMaker AI Pipeline
-
Amazon SNS topic
EventBridge does not support Amazon SNS FIFO (first in, first out) topics.
-
Amazon SQS queue
-
Step Functions state machine (ASYNC)
-
Systems Manager Automation
-
Systems Manager OpsItem
-
Systems Manager Run Command
Target parameters
Some targets don't send the information in the event payload to the target, instead, they treat the event as a trigger for invoking a specific API. EventBridge uses the Target parameters to determine what happens with that target. These include the following:
-
API destinations (The data sent to an API destination must match the structure of the API. You must use the
InputTransformerobject to make sure the data is structured correctly. If you want to include the original event payload, reference it in theInputTransformer.) -
API Gateway (The data sent to API Gateway must match the structure of the API. You must use the
InputTransformerobject to make sure the data is structured correctly. If you want to include the original event payload, reference it in theInputTransformer.) -
Amazon EC2 Image Builder
-
RedshiftDataParameters(Amazon Redshift Data API clusters) -
SageMakerPipelineParameters(Amazon SageMaker Runtime Model Building Pipelines)
Note
EventBridge does not support all JSON Path syntax and evaluate it at runtime. Supported syntax includes:
dot notation (for example,
$.detail)dashes
underscores
alphanumeric characters
array indices
wildcards (*)
Dynamic path parameters
Some target parameters support optional dynamic JSON path syntax. This syntax allows you to specify JSON paths instead of static values (for example $.detail.state).
The entire value has to be a JSON path, not just part of it. For example, RedshiftParameters.Sql can be $.detail.state but it can't be
"SELECT * FROM $.detail.state". These paths are replaced dynamically at runtime with data from the event payload itself at the specified path. Dynamic path parameters
can't reference new or transformed values resulting from input transformation. The supported syntax for
dynamic parameter JSON paths is the same as
when transforming input. For more information, see Amazon EventBridge input transformation
Dynamic syntax can be used on all the string, non-enum fields of these parameters:
-
HttpParameters(exceptHeaderParameterskeys)
Permissions
To make API calls on the resources that you own, EventBridge needs appropriate permission.
For AWS Lambda and Amazon SNS resources, EventBridge uses resource-based policies. For EC2 instances,
Kinesis data streams, and Step Functions state machines, EventBridge uses IAM roles that you specify in
the RoleARN parameter in PutTargets. You can invoke an API Gateway
endpoint with configured IAM authorization, but the role is optional if you
haven't configured authorization. For more information, see Amazon EventBridge and AWS Identity and Access Management.
If another account is in the same Region and has granted you permission, then you can send events to that account. For more information, see Sending and receiving events between AWS accounts in Amazon EventBridge.
If your target is encrypted, you must include the following section in your KMS key policy.
{ "Sid": "Allow EventBridge to use the key", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" }
AWS Batch job queues as targets
Certain parameters to AWS Batch submitJob can be configured via BatchParameters.
Others can be specified in the event payload. If the event payload (passed through or via InputTransformers) contains the following keys, they are mapped to submitJob request parameters:
ContainerOverrides: containerOverridesNote
This includes only command, environment, memory, and vcpus
DependsOn: dependsOnNote
This includes only jobId
Parameters: parameters
CloudWatch Logs groups as targets
If you don’t use an InputTransformer with a CloudWatch Logs target, the event payload is used as the log message, and the source of the event as the timestamp. If you do use an InputTransformer, the template must be:
{"timestamp":<timestamp>,"message":<message>}
EventBridge batches the entries sent to a log stream; therefore, EventBridge may deliver a single or multiple events to a log stream, depending on traffic.
CodeBuild projects as targets
If you use InputTransformers to shape the input event to a Target to match the CodeBuild StartBuildRequest structure, the parameters will be mapped 1-to-1 and passed through to codeBuild.StartBuild.
Amazon ECS tasks as targets
If you use InputTransformers to shape the input event to a Target to match the Amazon ECS RunTask TaskOverride structure, the parameters will be mapped 1-to-1 and passed through to ecs.RunTask.
Incident Manager response plans as targets
If the matched event came from CloudWatch Alarms, the alarm state change details are populated into the trigger details of the StartIncidentRequest call to Incident Manager.
