Security Hub controls for EventBridge
These AWS Security Hub controls evaluate the Amazon EventBridge service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[EventBridge.2] EventBridge event buses should be tagged
Category: Identify > Inventory > Tagging
Severity: Low
Resource type: AWS::Events::EventBus
AWS Config rule: tagged-events-eventbus (custom Security Hub rule)
Schedule type: Change triggered
Parameters:
Parameter | Description | Type | Allowed custom values | Security Hub default value |
---|---|---|---|---|
requiredTagKeys | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet AWS requirements | No default value |
This control checks whether an Amazon EventBridge event bus has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the event bus doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the event bus isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.
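The following is an added example, not Security Hub's own rule code: it applies the EventBridge.2 logic described above to a bus's tag set, ignoring system tags that begin with aws:, matching required keys case-sensitively, and falling back to an "any tag present" check when requiredTagKeys is not supplied. The bus inventory is constructed for the demonstration.

```python
"""Added example (not the AWS control implementation): evaluates an
EventBridge event bus's tags the way the EventBridge.2 control is described."""

SYSTEM_TAG_PREFIX = "aws:"  # system tags are applied automatically and ignored


def evaluate_event_bus_tags(tags, required_tag_keys=None):
    """Return "PASSED" or "FAILED" for one event bus.

    tags: dict of tag key -> value for the bus.
    required_tag_keys: non-system keys the bus must carry (case sensitive).
        None or empty means the parameter was not provided: the control then
        only checks that at least one non-system tag key exists.
    """
    # Drop system tags such as aws:cloudformation:stack-name before evaluating.
    user_keys = {key for key in tags if not key.startswith(SYSTEM_TAG_PREFIX)}

    if not required_tag_keys:
        return "PASSED" if user_keys else "FAILED"

    # Exact, case-sensitive match: a tag "owner" does not satisfy a required "Owner".
    missing = [key for key in required_tag_keys if key not in user_keys]
    return "PASSED" if not missing else "FAILED"


# Constructed sample inventory: bus name -> tags as the control would see them.
SAMPLE_BUSES = {
    "orders-bus": {"Owner": "payments", "Environment": "prod"},
    "legacy-bus": {"aws:cloudformation:stack-name": "legacy"},  # only a system tag
    "adhoc-bus": {"owner": "data"},  # wrong case for the required key "Owner"
}

if __name__ == "__main__":
    for name, tags in SAMPLE_BUSES.items():
        print(name, evaluate_event_bus_tags(tags, ["Owner", "Environment"]))
```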
A tag is a label that you assign to an AWS resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to AWS resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see What is ABAC for AWS? in the IAM User Guide.
Note
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many AWS services, including AWS Billing. For more tagging best practices, see Tagging your AWS resources in the AWS General Reference.
Remediation
To add tags to an EventBridge event bus, see Amazon EventBridge tags in the Amazon EventBridge User Guide.
[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
Related requirements: NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3)
Category: Protect > Secure access management > Resource not publicly accessible
Severity: Low
Resource type: AWS::Events::EventBus
AWS Config rule: custom-eventbus-policy-attached
Schedule type: Change triggered
Parameters: None
This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy.
By default, an EventBridge custom event bus doesn't have a resource-based policy attached. This allows principals in the account to access the event bus. By attaching a resource-based policy to the event bus, you can limit access to the event bus to specified accounts, as well as intentionally grant access to entities in another account.
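As an added example (not the AWS control implementation), the function below applies the EventBridge.3 check to a dict shaped like a DescribeEventBus response (assumed fields: Name, Arn and an optional Policy JSON string), failing a custom bus with no resource-based policy. It goes one step beyond the control, in line with the "Resource not publicly accessible" category, by flagging an Allow statement whose Principal is a wildcard with no Condition. The bus descriptions, bus ARNs and account IDs are constructed.

```python
"""Added example (not the AWS control implementation): evaluates the
EventBridge.3 check over a DescribeEventBus-style description."""
import json


def evaluate_custom_bus_policy(bus):
    """Return (status, reason) for one event bus description.

    bus: dict with "Name", "Arn" and an optional "Policy" JSON string
         (assumed to mirror the DescribeEventBus response shape).
    """
    if bus["Name"] == "default":
        return "NOT_APPLICABLE", "control evaluates custom event buses only"
    policy_doc = bus.get("Policy")
    if not policy_doc:
        return "FAILED", "no resource-based policy attached"

    policy = json.loads(policy_doc)
    for stmt in policy.get("Statement", []):
        # A wildcard principal without a Condition grants any account access;
        # the control itself only checks presence, so report this separately.
        if (stmt.get("Effect") == "Allow"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and "Condition" not in stmt):
            return "WARNING", "policy grants access to any principal"
    return "PASSED", "resource-based policy limits access to named principals"


# Constructed sample: a policy granting a second account PutEvents on the bus.
CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPartnerAccountPutEvents",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "events:PutEvents",
        "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/orders-bus",
    }],
})

SAMPLE_BUSES = [  # constructed descriptions
    {"Name": "orders-bus", "Arn": "arn:aws:events:us-east-1:123456789012:event-bus/orders-bus",
     "Policy": CROSS_ACCOUNT_POLICY},
    {"Name": "legacy-bus", "Arn": "arn:aws:events:us-east-1:123456789012:event-bus/legacy-bus"},
]

if __name__ == "__main__":
    for bus in SAMPLE_BUSES:
        print(bus["Name"], *evaluate_custom_bus_policy(bus))
```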
Remediation
To attach a resource-based policy to an EventBridge custom event bus, see Using resource-based policies for Amazon EventBridge in the Amazon EventBridge User Guide.
[EventBridge.4] EventBridge global endpoints should have event replication enabled
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Recover > Resilience > High availability
Severity: Medium
Resource type: AWS::Events::Endpoint
AWS Config rule: global-endpoint-event-replication-enabled
Schedule type: Change triggered
Parameters: None
This control checks if event replication is enabled for an Amazon EventBridge global endpoint. The control fails if event replication isn't enabled for a global endpoint.
Global endpoints help make your application Regional-fault tolerant. To start, you assign an Amazon Route 53 health check to the endpoint. When failover is initiated, the health check reports an "unhealthy" state. Within minutes of failover initiation, all custom events are routed to an event bus in the secondary Region and are processed by that event bus. When you use global endpoints, you can enable event replication. Event replication sends all custom events to the event buses in the primary and secondary Regions using managed rules. We recommend enabling event replication when setting up global endpoints. Event replication helps you verify that your global endpoints are configured correctly. Event replication is required to automatically recover from a failover event. If you don’t have event replication enabled, you’ll have to manually reset the Route 53 health check to "healthy" before events are rerouted back to the primary Region.
Note
If you're using custom event buses, you'll need a custom event bus in each Region with the same name and in the same account for failover to work properly. Enabling event replication can increase your monthly cost. For information about pricing, see Amazon EventBridge pricing.
Remediation
To enable event replication for EventBridge global endpoints, see Create a global endpoint in the Amazon EventBridge User Guide. For Event replication, select Event replication enabled.