AWS Security Hub · EventBridge
EventBridge.3: Custom event buses should have a resource policy
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EventBridge.3 check?
EventBridge.3 fails when a custom EventBridge event bus has no resource-based policy attached. Custom buses ship without one, so the absence of a scoped policy is the failure condition.
Why does EventBridge.3 matter?
A resource-based policy is what decides which principals outside the bus's own account may publish to it (same-account callers are governed by their identity policies). Without one, cross-account or partner delivery simply fails; with an over-broad one, anyone can inject events into the pipelines that consume the bus. The policy is the load-bearing piece for any cross-account or partner integration: it should grant events:PutEvents to the specific accounts, the Organization (via the aws:PrincipalOrgID condition key) or the partner you intend, and nothing further. Note the limit of the control itself: EventBridge.3 only checks that a policy is attached, so a policy with Principal "*" and no Condition passes the check while being the worst of the three states. Scoping is on you.
How do I fix EventBridge.3?
- List custom buses with aws events list-event-buses and read any attached policy with aws events describe-event-bus --name <bus>; the Policy field is absent from the response when nothing is attached, which is exactly the EventBridge.3 failure.
- Write a least-privilege resource policy granting events:PutEvents only to the principals, Organization (aws:PrincipalOrgID) or partner that genuinely need it. Never leave Principal "*" without a Condition.
- Attach it with aws events put-permission, either the single-statement form (--statement-id, --action, --principal and optionally --condition) or the full-document form (--policy file://policy.json), and use Condition keys to keep the grant tight. There is no separate put-resource-policy call for event buses.
- Manage the policy in your IaC (for example an AWS::Events::EventBusPolicy resource in CloudFormation) so new buses are never created without one.
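The audit-and-remediate loop above, as an added example that is not part of this page or Emnode's own material: pure functions classify a DescribeEventBus response as missing, open or scoped and build the scoped policy document, with constructed sample bus descriptions so the logic runs offline, plus a boto3 helper (describe_event_bus and put_permission, the real API calls) for the live remediation. Bus names, the account ID 444455556666 and the Organization ID o-examplea1b2c3 are assumptions.

```python
"""Audit custom EventBridge buses for EventBridge.3 and attach a scoped policy.

Added example, not the page's own script. Bus names, account and Organization
IDs below are hypothetical. The classification and policy-building functions
make no AWS calls so they can be run and tested offline; remediate_bus() is
the only function that needs credentials.
"""
import json

# Any of these Action values lets a principal publish to the bus.
PUT_EVENTS_ACTIONS = ("events:PutEvents", "events:*", "*")


def _as_list(value):
    """IAM allows a scalar or a list in Statement/Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_bus_policy(describe_output):
    """Classify one DescribeEventBus response (dict; Policy is a JSON string or dict).

    "missing" - no resource policy attached: the EventBridge.3 failure condition
    "open"    - an Allow grants PutEvents to Principal "*" with no Condition
    "scoped"  - no unconditional wildcard grant of PutEvents
    """
    raw = describe_output.get("Policy")
    if not raw:
        return "missing"
    policy = json.loads(raw) if isinstance(raw, str) else raw
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in PUT_EVENTS_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if wildcard and not stmt.get("Condition"):
            return "open"
    return "scoped"


def build_org_scoped_policy(bus_arn, org_id, statement_id="AllowOrgPutEvents"):
    """Least-privilege policy: any principal in one Organization may PutEvents."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": statement_id,
            "Effect": "Allow",
            "Principal": "*",
            "Action": "events:PutEvents",
            "Resource": bus_arn,
            # Principal "*" is only acceptable because this Condition narrows it.
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def build_account_scoped_policy(bus_arn, account_ids, statement_id="AllowNamedAccounts"):
    """Least-privilege policy: only the listed account roots may PutEvents."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": statement_id,
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in account_ids]},
            "Action": "events:PutEvents",
            "Resource": bus_arn,
        }],
    }


def audit_buses(describe_outputs):
    """Map each custom bus name to its classification; the default bus is out of scope."""
    return {d["Name"]: classify_bus_policy(d) for d in describe_outputs if d["Name"] != "default"}


# Constructed sample DescribeEventBus responses (not real AWS output).
_ARN = "arn:aws:events:us-east-1:111122223333:event-bus/"
SAMPLE_BUSES = [
    {"Name": "default", "Arn": _ARN + "default"},
    {"Name": "orders-bus", "Arn": _ARN + "orders-bus"},  # no Policy key: fails EventBridge.3
    {"Name": "partner-bus", "Arn": _ARN + "partner-bus", "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AnyoneCanPublish", "Effect": "Allow", "Principal": "*",
                       "Action": "events:PutEvents", "Resource": _ARN + "partner-bus"}],
    })},
    {"Name": "billing-bus", "Arn": _ARN + "billing-bus",
     "Policy": json.dumps(build_org_scoped_policy(_ARN + "billing-bus", "o-examplea1b2c3"))},
]


def remediate_bus(bus_name, org_id, region_name=None):
    """Attach the Organization-scoped policy to a bus that has none (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above never need it
    events = boto3.client("events", region_name=region_name)
    bus = events.describe_event_bus(Name=bus_name)
    if classify_bus_policy(bus) != "missing":
        return False  # something is attached already; review it rather than overwrite
    events.put_permission(EventBusName=bus_name,
                          Policy=json.dumps(build_org_scoped_policy(bus["Arn"], org_id)))
    return True


if __name__ == "__main__":
    for name, state in audit_buses(SAMPLE_BUSES).items():
        print(f"{name}: {state}")
```

Run it without credentials to see the three states on the sample data; in a real account, replace SAMPLE_BUSES with the output of describe_event_bus for each bus returned by list_event_buses, and treat "open" as more urgent than "missing" even though only "missing" trips the control.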
Remediation script · bash
# Replace a full-admin policy with a scoped version (keep the old one as rollback, then delete).
aws iam create-policy-version \
--policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy \
--policy-document file://ci-deploy-scoped.json --set-as-default
# ... verify a staging and a prod run, then ...
aws iam delete-policy-version \
--policy-arn arn:aws:iam::111122223333:policy/ci-deploy-policy --version-id v3
# Attach a scoped service role to a CloudFormation stack with no resource churn.
aws cloudformation update-stack --stack-name payments-iam-prod \
--use-previous-template \
--role-arn arn:aws:iam::111122223333:role/cfn-payments-iam-deployer \
--capabilities CAPABILITY_NAMED_IAM
# Attach a least-privilege resource policy to a custom event bus (one named account).
aws events put-permission --event-bus-name orders-bus \
--statement-id AllowPartner444455556666 --action events:PutEvents --principal 444455556666
Full walkthrough (console steps, edge cases and verification) in the lesson Harden resource and service-role policies.
More EventBridge controls
- EventBridge.4 Global endpoints should have event replication