EventBridge.4: Global endpoints should have event replication

What does AWS Security Hub EventBridge.4 check?

EventBridge.4 fails when an EventBridge global endpoint does not have event replication enabled. A global endpoint uses a Route 53 health check to fail traffic over to a secondary Region automatically.

Why does EventBridge.4 matter?

When a global endpoint fails over without replication, events published during the switch are stranded in the primary Region until it recovers — and recovery needs a manual health-check reset. With replication on, events are mirrored to the secondary bus, so failover is self-healing and no events are lost in the gap. It is the difference between a system that recovers on its own and one that needs an operator at 3am.

How do I fix EventBridge.4?

1. List global endpoints and check the ReplicationConfig state with describe-endpoint.
2. Enable replication with update-endpoint (ReplicationConfig State ENABLED) and the IAM role that allows cross-Region PutEvents.
3. Ensure the custom event bus shares the same name in both Regions, which the global endpoint requires.
4. Enforce replication on new endpoints via IaC, accepting the small per-event cross-Region cost.

# Enable event replication on an existing global endpoint.
# (Re-supply the existing routing config so it isn't cleared on update.)
aws events update-endpoint \
  --name orders-global \
  --replication-config State=ENABLED \
  --routing-config '{"FailoverConfig":{"Primary":{"HealthCheck":"arn:aws:route53:::healthcheck/abc123"},"Secondary":{"Route":"us-west-2"}}}' \
  --event-buses '[{"EventBusArn":"arn:aws:events:us-east-1:111122223333:event-bus/orders-bus"},{"EventBusArn":"arn:aws:events:us-west-2:111122223333:event-bus/orders-bus"}]'

# Verify replication is now enabled.
aws events describe-endpoint --name orders-global \
  --query 'ReplicationConfig.State'