# Event bus targets in Amazon EventBridge Targets A *target* is a resource or endpoint that EventBridge sends an [event](eb-events.md) to when the event matches the event pattern defined for a [rule](eb-rules.md). **The rule processes the [event](eb-events.md) data and sends the pertinent information to the target. To deliver event data to a target, EventBridge needs permission to access the target resource. You can define up to five targets for each rule. When you add targets to a rule and that rule runs soon after, any new or updated targets might not be immediately invoked. Allow a short period of time for changes to take effect. ## Event bus targets available in the EventBridge console Target types You can configure the following target types for rules in the EventBridge console: + API destinations API destinations are HTTPS endpoints that you can invoke as the target of an event bus rule. When you specify an API destination as a rule target, EventBridge invokes the HTTPS endpoint for any event that matches the event pattern specified in the rule, and then delivers the event information with the request. For more information, see [API destinations](eb-api-destinations.md). + Event buses You can specify other event buses as targets for rules. This includes event buses in the same or different AWS accounts. + [Cross-account event buses as targets](eb-cross-account.md) + [Same account event buses as targets](eb-bus-to-bus.md) + AWS services You can have EventBridge send events to a number of AWS service resources. These include: + [API Gateway](eb-api-gateway-target.md) + [AWS AppSync](target-appsync.md) + [Batch job queue](#targets-specifics-batch) + [CloudWatch log group](#targets-specifics-cwl) + [CodeBuild project](#targets-specifics-codebuild) + CodePipeline + Amazon EBS `CreateSnapshot` API call + EC2 Image Builder + EC2 `RebootInstances` API call + EC2 `StopInstances` API call + EC2 `TerminateInstances` API call + [ECS task](#targets-specifics-ecs-task) + Firehose delivery stream + Glue workflow + [Incident Manager response plan](https://docs.aws.amazon.com//incident-manager/latest/userguide/incident-creation.html#incident-tracking-auto-eventbridge) + Inspector assessment template + Kinesis stream + Lambda function (ASYNC) + [Amazon Redshift cluster data API queries](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api-calling-event-bridge.html) + [Amazon Redshift Serverless workgroup data API queries](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api-calling-event-bridge.html) + SageMaker AI Pipeline + Amazon SNS topic + [Amazon SQS standard, fair, and FIFO queues](#targets-specifics-sqs) + Step Functions state machine (ASYNC) + Systems Manager Automation + Systems Manager OpsItem + Systems Manager Run Command ## Target parameters Some targets don't send the information in the event payload to the target, instead, they treat the event as a trigger for invoking a specific API. EventBridge uses the [Target](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Target.html) parameters to determine what happens with that target. These include the following: + API destinations The data sent to an API destination must match the structure of the API. Use the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html) object to make sure the data is structured correctly. If you want to include the original event payload, reference it in the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html). + API Gateway The data sent to API Gateway must match the structure of the API. Use the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html) object to make sure the data is structured correctly. If you want to include the original event payload, reference it in the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html). + Amazon EC2 Image Builder + Amazon Redshift Data API clusters Use [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RedshiftDataParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RedshiftDataParameters.html). + Amazon SageMaker Runtime Model Building Pipelines Use [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SageMakerPipelineParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SageMakerPipelineParameters.html). + Amazon SQS fair and FIFO queues Use [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SqsParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SqsParameters.html) to specify the message group to use as the target. + Systems Manager Run Command Use [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RunCommandParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RunCommandParameters.html) to specify the SSM document and target instances. For more information, see [Systems Manager Run Command as a target](#targets-specifics-ssm-run-command). **Note** EventBridge does not support all JSON Path syntax and evaluate it at runtime. Supported syntax includes: dot notation (for example,`$.detail`) dashes underscores alphanumeric characters array indices wildcards (\$1) forward slashes ### Dynamic path parameters Dynamic path parameters let you use JSON path syntax to reference event data at runtime instead of static values. You can use dynamic JSON path syntax with target parameters to specify JSON paths instead of static values (for example, `$.detail.state`). #### Requirements The entire value must be a JSON path, not just part of it. For example: + ✓ Correct: `RedshiftParameters.Sql` can be `$.detail.state` + ✗ Incorrect: `RedshiftParameters.Sql` cannot be `"SELECT * FROM $.detail.state"` EventBridge replaces these paths at runtime with data from the event payload at the specified path. #### Limitations Dynamic path parameters cannot reference new or transformed values from input transformation. The JSON path syntax is the same as input transformation syntax. For more information, see [Amazon EventBridge input transformation](eb-transform-target-input.md). #### Supported parameters You can use dynamic syntax on all string, non-enum fields of these parameters: + [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_EcsParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_EcsParameters.html) + [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_HttpParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_HttpParameters.html) (except `HeaderParameters` keys) + [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RedshiftDataParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RedshiftDataParameters.html) + [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SageMakerPipelineParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SageMakerPipelineParameters.html) + [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SqsParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_SqsParameters.html) ## Permissions To make API calls on the resources that you own, EventBridge needs appropriate permissions. Specify an IAM execution role [using the EventBridge console](eb-create-rule-wizard.md#eb-create-rule-target), or by setting the `RoleARN` parameter in [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html). For example, the following policy defines permission to send messages to an Amazon SQS queue: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage" ], "Resource": [ "arn:aws:sqs:us-east-1:111122223333:sqs-queue-name" ] } ] } ``` ------ And the following trust policy enables EventBridge to assume the role: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ------ You can invoke an API Gateway endpoint with configured IAM authorization, but the role is optional if you haven't configured authorization. For more information, see [Amazon EventBridge and AWS Identity and Access Management](eb-iam.md). If another account is in the same Region and has granted you permission, then you can send events to that account. For more information, see [Sending and receiving events between AWS accounts in Amazon EventBridge](eb-cross-account.md). If your target, such as an Amazon SQS queue, uses AWS Key Management Service (AWS KMS) encryption, you must include the following section in your KMS key policy: ``` { "Sid": "Allow EventBridge to use the key", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" } ``` ## AWS Batch job queues as targets AWS Batch job queues Certain parameters to AWS Batch `submitJob` can be configured via [BatchParameters](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_BatchParameters.html). Others can be specified in the event payload. If the event payload (passed through or via [InputTransformers](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html)) contains the following keys, they are mapped to `submitJob` [request parameters](https://docs.aws.amazon.com/batch/latest/APIReference/API_SubmitJob.html#API_SubmitJob_RequestSyntax): + `ContainerOverrides: containerOverrides` **Note** This includes only command, environment, memory, and vcpus + `DependsOn: dependsOn` **Note** This includes only jobId + `Parameters: parameters` ## CloudWatch Logs groups as targets CloudWatch Logs groups If you don’t use an [InputTransformer](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html) with a CloudWatch Logs target, the event payload is used as the log message, and the source of the event as the timestamp. If you do use an InputTransformer, the template must be: `{"timestamp":,"message":}` EventBridge batches the entries sent to a log stream; therefore, EventBridge may deliver a single or multiple events to a log stream, depending on traffic. ## CodeBuild projects as targets CodeBuild projects EventBridge supports both standard and batch builds as targets. If you use an [input transformer](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html) to shape the source event to match the [StartBuildRequest](https://docs.aws.amazon.com/codebuild/latest/APIReference/API_StartBuild.html#API_StartBuild_RequestSyntax) structure before it is delivered to a CodeBuild target, the parameters will be mapped 1-to-1 and passed through to `codeBuild.StartBuild` by default. To pass the parameters to `codeBuild.StartBuildBatch` instead, transform the source event to match the [StartBuildBatchRequest](https://docs.aws.amazon.com/codebuild/latest/APIReference/API_StartBuildBatch.html#API_StartBuildBatch_RequestSyntax) structure, and add the following key/value pair to the root of the transformed event: `"buildType": "BATCH"` ## Amazon ECS tasks as targets Amazon ECS tasks If you use [InputTransformers](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html) to shape the input event to a Target to match the Amazon ECS RunTask [TaskOverride](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskOverride.html) structure, the parameters will be mapped 1-to-1 and passed through to `ecs.RunTask`. ## Incident Manager response plans as targets Incident Manager Response Plans If the matched event came from CloudWatch Alarms, the alarm state change details are populated into the trigger details of the StartIncidentRequest call to Incident Manager. ## Systems Manager Run Command as a target Systems Manager Run Command When you specify Systems Manager Run Command as a target, EventBridge calls the [https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) API on your behalf. Configure the target using [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RunCommandParameters.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_RunCommandParameters.html), which specifies the SSM document to run and the target instances or tags. `RunCommandParameters` contains the following fields: + `RunCommandTargets` — (Required) A list of key-value pairs that specify the target instances. Use `Key` set to `InstanceIds` with a list of instance IDs, or `Key` set to `tag:tag-name` with tag values to target instances by tag. You can specify between 1 and 5 run command targets. To specify which SSM document to run and pass parameters to it, use the `Input` field on the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Target.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Target.html) object. The `Input` value must be a JSON object with the following structure: ``` { "DocumentName": "document-name", "DocumentVersion": "version", "Parameters": { "parameter-key": ["parameter-value"] } } ``` Where: + `DocumentName` — The name or ARN of the SSM document to run. + `DocumentVersion` — (Optional) The version of the document. If omitted, the default version is used. + `Parameters` — (Optional) A map of parameter names to value arrays, matching the parameters defined in the SSM document. For example, the following AWS CLI command creates a rule that runs the `AWS-RunShellScript` document on a specific instance when an EventBridge event matches: ``` aws events put-targets --rule "my-rule" --targets '[{ "Id": "ssm-target-1", "Arn": "arn:aws:ssm:region:account-id:document/AWS-RunShellScript", "RoleArn": "arn:aws:iam::account-id:role/EventBridgeSSMRole", "Input": "{\\"Parameters\\":{\\"commands\\":[\\"echo Hello from EventBridge\\"]}}", "RunCommandParameters": { "RunCommandTargets": [{ "Key": "InstanceIds", "Values": ["i-0123456789abcdef0"] }] } }]' ``` **Note** The `Input` field on the `Target` object is used to pass the document name and parameters to Systems Manager Run Command. This is different from the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_InputTransformer.html), which transforms the event payload. When using Systems Manager Run Command as a target, set the document parameters in `Input` and specify the target instances in `RunCommandParameters`. ## Amazon SQS queues as targets Amazon SQS queues EventBridge does not support using Amazon SQS queues that are encrypted with an AWS owned key. This includes targets, as well as Amazon SQS queues specified as dead-letter queues for targets. For more information on AWS owned keys, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*. # Amazon API Gateway targets for rules in Amazon EventBridge API Gateway targets You can use Amazon API Gateway to create, publish, maintain, and monitor APIs. Amazon EventBridge supports sending events to an API Gateway endpoint. When you specify an API Gateway endpoint as a [target](eb-targets.md), each [event](eb-events.md) sent to the target maps to a request sent to the endpoint. **Important** EventBridge supports using API Gateway *Edge-optimized* and *Regional* endpoints as targets. *Private* endpoints are not currently supported. To learn more about endpoints, see [https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html). You can use an API Gateway target for the following use cases: + To invoke a customer-specified API hosted in API Gateway based on AWS or third-party events. + To invoke an endpoint periodically on a schedule. The EventBridge JSON event information is sent as the body of the HTTP request to your endpoint. You can specify the other request attributes in the target’s `HttpParameters` field as follows: + `PathParameterValues` lists the values that correspond sequentially to any path variables in your endpoint ARN, for example `"arn:aws:execute-api:us-east-1:112233445566:myapi/dev/POST/pets/*/*"`. + `QueryStringParameters` represents the query string parameters that EventBridge appends to the invoked endpoint. + `HeaderParameters` defines HTTP headers to add to the request. **Note** For security considerations, the following HTTP header keys aren't permitted: Anything prefixed with `X-Amz` or `X-Amzn` `Authorization` `Connection` `Content-Encoding` `Content-Length` `Host` `Max-Forwards` `TE` `Transfer-Encoding` `Trailer` `Upgrade` `Via` `WWW-Authenticate` `X-Forwarded-For` ## Dynamic Parameters When invoking an API Gateway target, you can dynamically add data to events that are sent to the target. For more information, see [Target parameters](eb-targets.md#targets-specific-parms). ## Invocation Retries As with all targets, EventBridge retries some failed invocations. For API Gateway, EventBridge retries responses sent with a 5xx or 429 HTTP status code for up to 24 hours with [exponential back off and jitter](https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/). After that, EventBridge publishes a `FailedInvocations` metric in Amazon CloudWatch. EventBridge doesn't retry other 4xx HTTP errors. ## Timeout EventBridge rule API Gateway requests must have a maximum client execution timeout of 5 seconds. If API Gateway takes longer than 5 seconds to respond, EventBridge times out the request and then retries. EventBridge Pipes API Gateway requests have a maximum timeout of 29 seconds, the API Gateway maximum. # AWS AppSync targets for rules in Amazon EventBridge AWS AppSync targets AWS AppSync enables developers to connect their applications and services to data and events with secure, serverless and high-performing GraphQL and Pub/Sub APIs. With AWS AppSync, you can publish real-time data updates to your applications with GraphQL mutations. EventBridge supports calling a valid GraphQL mutation operation for matched events. When you specify an AWS AppSync API mutation as a target, AWS AppSync processes the event via a mutation operation, which can then trigger subscriptions linked to the mutation. **Note** EventBridge supports AWS AppSync public GraphQL APIs. EventBridge does not currently support AWS AppSync Private APIs. You can use an AWS AppSync GraphQL API target for the following use cases: + To push, transform, and store event data into your configured data sources. + To send real-time notifications to connected application clients. **Note** AWS AppSync targets only support calling AWS AppSync GraphQL APIs using the [`AWS_IAM` authorization type](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#aws-iam-authorization). For more information on AWS AppSync GraphQL APIs, see the [GraphQL and AWS AppSync architecture](https://docs.aws.amazon.com/appsync/latest/devguide/graphql-overview.html) in the *AWS AppSync Developer Guide*. **To specify an AWS AppSync target for an EventBridge rule using the console** 1. [Create or edit the rule.](eb-create-rule-visual.md) 1. Under **Target**, [specify the target](eb-create-rule-wizard.md#eb-create-rule-target) by choosing **AWS service** and then **AWS AppSync**. 1. Specify the mutation operation to be parsed and executed, along with the selection set. + Choose the AWS AppSync API, and then the GraphQL API mutation to invoke. + Under **Configure parameters and selection set**, choose to create a selection set using key-value mapping or an input transformer. ------ #### [ Key-value mapping ] To use key-value mapping to create your selection set: + Specify variables for the API parameters. Each variables can be either a static values or a dynamic JSON path expression to the event payload. + Under **Selection set**, choose the variables you want included in the response. ------ #### [ Input transformer ] To use an input transformer to create your selection set: + Specify an input path that defines the variables to use. + Specify an input template to define and format the information you want passed to the target. For more information, see [Configuring an input transformer when creating a rule in EventBridge](eb-transform-input-rule.md). ------ 1. For **Execution role**, choose whether to create a new role or use an existing role. 1. Complete creating or editing the rule. ## Example: AWS AppSync targets for Amazon EventBridge Example: AWS AppSync target In the following example, we'll walk through how to specifying an AWS AppSync target for an EventBridge rule, including defining an input transformation to format events for delivery. Suppose you have an AWS AppSync GraphQL API, `Ec2EventAPI`, defined by the following schema: ``` type Event { id: ID! statusCode: String instanceId: String } type Mutation { pushEvent(id: ID!, statusCode: String!, instanceId: String): Event } type Query { listEvents: [Event] } type Subscription { subscribeToEvent(id: ID, statusCode: String, instanceId: String): Event @aws_subscribe(mutations: ["pushEvent"]) } ``` Applications clients that use this API can subscribe to the `subscribeToEvent` subscription, which is triggered by the `pushEvent` mutation. You can create an EventBridge rule with a target that sends events to the AppSync API via the `pushEvent` mutation. When the mutation is invoked, any client that is subscribed will receive the event. To specifying this API as the target for an EventBridge rule, you would do the following: 1. Set the Amazon Resource Name (ARN) of the rule target to the GraphQL endpoint ARN of the `Ec2EventAPI` API. 1. Specify the mutation GraphQL Operation as a target parameter: ``` mutation CreatePushEvent($id: ID!, $statusCode: String, $instanceId: String) { pushEvent(id: $input, statusCode: $statusCode, instanceId: $instanceId) { id statusCode instanceId } } ``` Your mutation selection set must include all the fields you wish to subscribe to in your GraphQL subscription. 1. Configure an input transformer to specify how data from matched events is used in your operation. Suppose you selected the `“EC2 Instance Launch Successful”` sample event: ``` { "version": "0", "id": "3e3c153a-8339-4e30-8c35-687ebef853fe", "detail-type": "EC2 Instance Launch Successful", "source": "aws.autoscaling", "account": "123456789012", "time": "2015-11-11T21:31:47Z", "region": "us-east-1", "resources": ["arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:eb56d16b-bbf0-401d-b893-d5978ed4a025:autoScalingGroupName/sampleLuanchSucASG", "arn:aws:ec2:us-east-1:123456789012:instance/i-b188560f"], "detail": { "StatusCode": "InProgress", "AutoScalingGroupName": "sampleLuanchSucASG", "ActivityId": "9cabb81f-42de-417d-8aa7-ce16bf026590", "Details": { "Availability Zone": "us-east-1b", "Subnet ID": "subnet-95bfcebe" }, "RequestId": "9cabb81f-42de-417d-8aa7-ce16bf026590", "EndTime": "2015-11-11T21:31:47.208Z", "EC2InstanceId": "i-b188560f", "StartTime": "2015-11-11T21:31:13.671Z", "Cause": "At 2015-11-11T21:31:10Z a user request created an AutoScalingGroup changing the desired capacity from 0 to 1. At 2015-11-11T21:31:11Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1." } } ``` You can define the following variables for use in your template, using the target input transformer's input path: ``` { "id": "$.id", "statusCode": "$.detail.StatusCode", "EC2InstanceId": "$.detail.EC2InstanceId" } ``` Compose the input transformer template to define the variables that EventBridge passes to the AWS AppSync mutation operation. The template must evaluate to JSON. Given our input path, you can compose the following template: ``` { "id": , "statusCode": , "instanceId": } ``` # Sending events to an AWS service in another account in EventBridge Cross-account services as targets EventBridge can send events from an event bus in one AWS account to supported AWS services in another account, thereby simplifying the architecture of your event-driven solutions and reducing latency. For example, suppose you have a set of event buses, hosted in multiple accounts, that you require to send security-related events to an Amazon SQS queue in a centralized account for further asynchronous processing and analysis. EventBridge supports sending events to cross-account targets in the same Region. ## Supported services Supported services EventBridge supports sending events to the following targets in other AWS accounts: + Amazon API Gateway APIs + Amazon Kinesis Data Streams streams + Lambda functions + Amazon SNS topics + Amazon SQS queues For pricing, see [Amazon EventBridge pricing](https://aws.amazon.com/eventbridge/pricing/). ## Permissions Permissions Enabling access for cross-account event delivery to AWS services as targets involves the following steps: + Specify an execution role + Attach a resource policy to the target ### Specify an execution role Specify an execution role Specify an execution role for EventBridge to use when sending events to the target when the rule is triggered. This execution role must be in the same account as the event bus. EventBridge assumes this role when attempting to invoke the target, and any Service Control Policies (SCPs) affecting this account are applied. SCPs are a type of organization policy that you can use to manage permissions in your organization. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*. For example, the following policy allows the EventBridge service to assume the execution role: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ------ And the following policy allows the role to send messages to Amazon SQS queues: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:123456789012:queue-name" } ] } ``` ------ For accounts using AWS Organizations, you can apply an SCP to prevent invoking resources that do not belong to your organization, as shown in the following example: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "*" ], "Resource": "*", "Effect": "Deny", "Condition": { "StringNotEquals": { "aws:ResourceOrgID": "o-1234567890" } } } ] } ``` ------ **Note** For cross-account targets other than event buses, calling `PutTarget` from a different account than the event bus, even if supplying an execution role from the calling account, is not supported. ### Attach a resource access policy to the target Attach a resource access policy The AWS services that can receive cross-account events support IAM resource-based policies. This enables you to attach a resource access policy to the target, so you can specify which account has access to it. Building on our earlier example, the following policy allows the event bus account access to the Amazon SQS queue in the target account: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "SQS:SendMessage" ], "Effect": "Allow", "Resource": "arn:aws:sqs:us-east-1:123456789012:queue-name", "Principal": { "AWS": "123456789012" } } ] } ``` ------ For more information, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *AWS Identity and Access Management User Guide*. ## Creating rules that send events to AWS services in other accounts Creating rules that target other accounts Specifying an AWS service in another account as a target is part of creating the event bus rule. **To create a rule that sends events to an AWS service in a different AWS account using the console** 1. Follow the steps in the [Creating rules in Amazon EventBridge](eb-create-rule-visual.md) procedure. 1. In the [Select targets](eb-create-rule-wizard.md#eb-create-rule-target) step, when prompted to choose a target type: 1. Select **AWS service**. 1. Select an AWS service that supports cross-account targets. For more information, see [Supported services](#eb-service-cross-account-services). 1. For **Target location** choose **Target in another AWS account**. 1. Enter the ARN of the target resource to which you want to send events. 1. Select the name of the execution role to use from the dropdown list. 1. Provide any additional information requested for the service you select. The fields displayed vary depending on the service selected. 1. Complete creating the rule following the procedure steps. # Sending and receiving events between AWS accounts in Amazon EventBridge Cross-account event buses as targets You can configure EventBridge to send and receive [events](eb-events.md) between [event buses](eb-event-bus.md) in AWS accounts. When you configure EventBridge to send or receive events between accounts, you can specify which AWS accounts can send events to or receive events from the event bus in your account. You can also allow or deny events from specific [rules](eb-rules.md) associated with the event bus, or events from specific sources. For more information, see [Simplifying cross-account access with Amazon EventBridge resource policies](https://aws.amazon.com/blogs//compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/) **Note** If you use AWS Organizations, you can specify an organization and grant access to all accounts in that organization. In addition, the sending event bus must have IAM roles attached to them when sending events to another account. For more information, see [What is AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in the *AWS Organizations User Guide*. **Note** If you're using an Incident Manager response plan as a target, all the response plans that are shared with your account are available by default. You can send and receive events between event buses in AWS accounts within the same Region in all Regions and between accounts in different Regions as long as the destination Region is a supported [cross-Region](eb-cross-region.md) destination Region. The steps to configure EventBridge to send events to or receive events from an event bus in a different account include the following: + On the *receiver* account, edit the permissions on an event bus to allow specified AWS accounts, an organization, or all AWS accounts to send events to the receiver account. + On the *sender* account, set up one or more rules that have the receiver account's event bus as the target. If the sender account inherits permissions to send events from an AWS Organization, the sender account also must have an IAM role with policies that enable it to send events to the receiver account. If you use the AWS Management Console to create the rule that targets the event bus in the receiver account, the role is created automatically. If you use the AWS CLI, you must create the role manually. + On the *receiver* account, set up one or more rules that match events that come from the sender account. Events sent from one account to another are charged to the sending account as custom events. The receiving account is not charged. For more information, see [Amazon EventBridge Pricing](https://aws.amazon.com/eventbridge/pricing/). If a receiver account sets up a rule that sends events received from a sender account on to a third account, these events are not sent to the third account. If you have three event buses in the same account, and set up a rule on the first event bus to forward events from the second event bus to a third event bus, those events are not sent to the third event bus. The following video covers routing events between accounts: ## Grant permissions to allow events from other AWS accounts To receive events from other accounts or organizations, you must first edit the permissions on the event bus where you intend to receive events. The default event bus accepts events from AWS services, other authorized AWS accounts, and `PutEvents` calls. The permissions for an event bus are granted or denied using a resource-based policy attached to the event bus. In the policy, you can grant permissions to other AWS accounts using the account ID, or to an AWS organization using the organization ID. To learn more about event bus permissions, including example policies, see [Permissions for event buses in Amazon EventBridge](eb-event-bus-perms.md). **Note** EventBridge now requires all new cross account event bus targets to add IAM roles. This only applies to event bus targets created after March 2, 2023. Applications created without an IAM role before that date are not affected. However, we recommend adding IAM roles to grant users access to resources in another account, as this ensures organization boundaries using Service Control Policies (SCPs) are applied to determine who can send and receive events from accounts in your organization. **Important** If you choose to receive events from all AWS accounts, be careful to create rules that match only the events to receive from others. To create more secure rules, make sure that the event pattern for each rule contains an `Account` field with the account IDs of one or more accounts from which to receive events. Rules that have an event pattern containing an Account field do not match events sent from accounts that are not listed in the `Account` field. For more information, see [Events in Amazon EventBridge](eb-events.md). ## Rules for events between AWS accounts If your account is set up to receive events from event buses in other AWS accounts, you can write rules that match those events. Set the [event pattern](eb-event-patterns.md) of the rule to match the events you are receiving from event buses in the other account. Unless you specify `account` in the event pattern of a rule, any of your account's rules, both new and existing, that match events you receive from event buses in other accounts trigger based on those events. If you are receiving events from event buses in another account, and you want a rule to trigger only on that event pattern when it is generated from your own account, you must add `account` and specify your own account ID to the event pattern of the rule. If you set up your AWS account to accept events from event buses in all AWS accounts, we strongly recommend that you add `account` to every EventBridge rule in your account. This prevents rules in your account from triggering on events from unknown AWS accounts. When you specify the `account` field in the rule, you can specify the account IDs of more than one AWS account in the field. To have a rule trigger on a matching event from any event buses in AWS account that you have granted permissions to, do not specify \$1 in the `account` field of the rule. Doing so would not match any events, because \$1 never appears in the `account` field of an event. Instead, just omit the `account` field from the rule. ## Creating rules that send events between AWS accounts Specifying an event bus in another account as a target is part of creating the rule. **To create a rule that sends events to a different AWS account using the console** 1. Follow the steps in the [Creating rules in Amazon EventBridge](eb-create-rule-visual.md) procedure. 1. In the [Select targets](eb-create-rule-wizard.md#eb-create-rule-target) step, when prompted to choose a target type: 1. Select **EventBridge event bus**. 1. Select **Event bus in a different account or Region**. 1. For **Event bus as target**, enter the ARN of the event bus you want to use. 1. Complete creating the rule following the procedure steps. # Sending and receiving events between AWS Regions in Amazon EventBridge Cross-Region event buses as targets You can configure EventBridge to send and receive [events](eb-events.md) between AWS Regions. You can also allow or deny events from specific Regions, specific [rules](eb-rules.md) associated with the event bus, or events from specific sources. For more information, see [Introducing cross-Region event routing with Amazon EventBridge](https://aws.amazon.com/blogs//compute/introducing-cross-region-event-routing-with-amazon-eventbridge/) The following video covers routing events between Regions using the [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/), AWS CloudFormation, and AWS Serverless Application Model: ## Creating rules that send events to a different AWS Region Specifying an event bus in another AWS Region as a target is part of creating the rule. **To create a rule that sends events to a different AWS account using the console** 1. Follow the steps in the [Creating rules in Amazon EventBridge](eb-create-rule-visual.md) procedure. 1. In the [Select targets](eb-create-rule-wizard.md#eb-create-rule-target) step, when prompted to choose a target type: 1. Select **EventBridge event bus**. 1. Select **Event bus in a different account or Region**. 1. For **Event bus as target**, enter the ARN of the event bus you want to use. 1. Complete creating the rule following the procedure steps. # Sending events between event buses in the same account and Region in Amazon EventBridge Same account event buses as targets You can configure EventBridge to send and receive [events](eb-events.md) between [event buses](eb-event-bus.md) in the same AWS account and Region. When you configure EventBridge to send or receive events between event buses, you use IAM roles on the *sender* event bus to give the *sender* event bus permission to send events to the *receiver* event bus. You use [Resource-based](eb-use-resource-based.md) policies on the *receiver* event bus to give the *receiver* event bus permission to receive events from the *sender* event bus. You can also allow or deny events from certain event buses, specific [rules](eb-rules.md) associated with the event bus, or events from specific sources. For more information about event bus permissions, including example policies, see [Permissions for event buses in Amazon EventBridge](eb-event-bus-perms.md). The steps to configure EventBridge to send events to or receive events between event buses in your account include the following: + To use an existing IAM role, you need to give either the sender event bus permissions to the receiver event bus or the receiver event bus permissions to the sender event bus. + On the *sender* event bus, set up one or more rules that have the receiver event bus as the target and create an IAM role. For an example of the policy that should be attached to the role, see [Example policy: Send events to an event bus in the same account in Amazon EventBridge](eb-event-bus-example-policy-same-account.md). + On the *receiver* event bus, edit the permissions to allow events to be passed from the other event bus. + On the *receiver* event, set up one or more rules that match events that come from the sender event bus. **Note** EventBridge can't route events received from a sender event bus to a third event bus. Events sent from one event bus to another are charged as custom events. For more information, see [Amazon EventBridge Pricing](https://aws.amazon.com/eventbridge/pricing/). ## Creating rules that send events to a different event bus in the same AWS account and Region Creating rules that send events to another event bus To send events to another event bus, you create a rule with an event bus as a target. Specifying an event bus in the same AWS account and Region as a target is part of creating the rule. **To create a rule that sends events to a different event bus in the same AWS account and Region using the console** 1. Follow the steps in the [Creating rules in Amazon EventBridge](eb-create-rule-visual.md) procedure. 1. In the [Select targets](eb-create-rule-wizard.md#eb-create-rule-target) step, when prompted to choose a target type: 1. Select **EventBridge event bus**. 1. Select **Event bus in the same AWS account and Region**. 1. For **Event bus as a target**, select an event bus from the drop-down list. 1. Complete creating the rule following the procedure steps. # Amazon EventBridge input transformation Input transformation You can customize the text from an [event](eb-events.md) before EventBridge passes the information to the [target](eb-targets.md) of a [rule](eb-rules.md). Using the input transformer in the console or the API, you define variables that use JSON path to reference values in the original event source. The transformed event is sent to a target instead of the original event. However, [dynamic path parameters](eb-targets.md#dynamic-path-parameters) must reference the original event, not the transformed event. You can define up to 100 variables, assigning each a value from the input. Then you can use those variables in the *Input Template* as <*variable-name*>. For a tutorial on using input transformer, see [Tutorial: Use input transformers to transform events in EventBridge](eb-input-transformer-tutorial.md). **Note** EventBridge does not support all JSON Path syntax and evaluate it at runtime. Supported syntax includes: dot notation (for example,`$.detail`) dashes underscores alphanumeric characters array indices wildcards (\$1) forward slashes **Topics** + [ ## Predefined variables ](#eb-transform-input-predefined) + [ ## Input transform examples ](#eb-transform-input-examples) + [ ## Transforming input by using the EventBridge API ](#eb-transform-input-api) + [ ## Transforming input by using AWS CloudFormation ](#eb-transform-input-cfn) + [ ## Common Issues with transforming input ](#eb-transform-input-issues) + [ # Configuring an input transformer when creating a rule in EventBridge ](eb-transform-input-rule.md) + [ # Testing a target input transformer using the EventBridge Sandbox ](eb-sandbox-input-trans.md) ## Predefined variables There are pre-defined variables you can use without defining a JSON path. These variables are reserved, and you can't create variables with these names: + ****`aws.events.rule-arn` — The Amazon Resource Name (ARN) of the EventBridge rule. + ****`aws.events.rule-name` — The Name of the EventBridge rule. + ****`aws.events.event.ingestion-time` — The time at which the event was received by EventBridge. This is an ISO 8601 timestamp. This variable is generated by EventBridge and can't be overwritten. + ****`aws.events.event` — The original event payload as JSON (without the `detail` field). Can only be used as a value for a JSON field, as it's contents are not escaped. + ****`aws.events.event.json` — The full original event payload as JSON. (with the `detail` field). Can only be used as a value for a JSON field, as it's contents are not escaped. ## Input transform examples The following is an example Amazon EC2 event. ``` { "version": "0", "id": "7bf73129-1428-4cd3-a780-95db273d1602", "detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2", "account": "123456789012", "time": "2015-11-11T21:29:54Z", "region": "us-east-1", "resources": [ "arn:aws:ec2:us-east-1:123456789012:instance/i-abcd1111" ], "detail": { "instance-id": "i-0123456789", "state": "RUNNING" } } ``` When defining a rule in the console, select the **Input Transformer** option under **Configure input**. This option displays two text boxes: one for the *Input Path* and one for the *Input Template*. ### Input path Input path *Input Path* is used to define variables. Use JSON path to reference items in your event and store those values in variables. For instance, you could create an *Input Path* to reference values in the example event by entering the following in the first text box. You can also use brackets and indices to get items from arrays. **Note** EventBridge replaces input transformers at runtime to ensure a valid JSON output. Because of this, put quotes around variables that refer to JSON path parameters, but do not put quotes around variables that refer to JSON objects or arrays. ``` { "timestamp" : "$.time", "instance" : "$.detail.instance-id", "state" : "$.detail.state", "resource" : "$.resources[0]" } ``` This defines four variables, ``, ``, ``, and ``. You can reference these variables as you create your *Input Template*. **Note** Amazon CloudWatch Logs and SSM targets do not support the use of `Input` and `InputPath` in their input transformers. ### Input template Input template The *Input Template* is a template for the information you want to pass to your target. You can create a template that passes either a string or JSON to the target. Using the previous event and *Input Path*, the following *Input Template* examples will transform the event to the example output before routing it to a target. | Description | Template | Output | | --- | --- | --- | | Simple string | 
"instance  is in "
| 
"instance i-0123456789 is in RUNNING"
| | **String with escaped quotes** | 
"instance \"\" is in "
| 
"instance \"i-0123456789\" is in RUNNING"
Note that this is the behavior in the EventBridge console. The AWS CLI escapes the slash characters and the result is `"instance "i-0123456789" is in RUNNING"`. | | **Simple JSON** | 
{
  "instance" : ,
  "state": 
}
| 
{
  "instance" : "i-0123456789",
  "state": "RUNNING"
}
| | **JSON with strings and variables** | 
{
 "instance" : ,
 "state": "",
 "instanceStatus": "instance \"\" is in "
}
| 
{
 "instance" : "i-0123456789",
 "state": "RUNNING",
 "instanceStatus": "instance \"i-0123456789\" is in RUNNING"
}
| | **JSON with a mix of variables and static information** | 
{
  "instance" : ,
  "state": [ 9, , true ],
  "Transformed" : "Yes"
}
| 
{
  "instance" : "i-0123456789",
  "state": [
    9,
    "RUNNING",
    true
  ],
  "Transformed" : "Yes"
}
| | **Including reserved variables in JSON** | 
{
  "instance" : ,
  "state": ,
  "ruleArn" : ,
  "ruleName" : ,
  "originalEvent" : 
}
| 
{
  "instance" : "i-0123456789",
  "state": "RUNNING",
  "ruleArn" : "arn:aws:events:us-east-2:123456789012:rule/example",
  "ruleName" : "example",
  "originalEvent" : {
    ... // commented for brevity
  }
}
| | **Including reserved variables in a string** | 
" triggered"
| 
"example triggered"
| | **Amazon CloudWatch log group** | 
{
  "timestamp" : ,
  "message": "instance \"\" is in "
}
| 
{
  "timestamp" : 2015-11-11T21:29:54Z,
  "message": "instance "i-0123456789" is in RUNNING
}
| ## Transforming input by using the EventBridge API For information about using the EventBridge API to transform input, see [Use Input Transformer to extract data from an event and input that data to the target](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html#API_PutTargets_Example_2). ## Transforming input by using AWS CloudFormation For information about using AWS CloudFormation to transform input, see [AWS::Events::Rule InputTransformer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-events-rule-inputtransformer.html). ## Common Issues with transforming input These are some common issues when transforming input in EventBridge: + For Strings, quotes are required. + There is no validation when creating JSON path for your template. + If you specify a variable to match a JSON path that doesn't exist in the event, that variable isn't created and won't appear in the output. + JSON properties like `aws.events.event.json` can only be used as the value of a JSON field, not inline in other strings. + EventBridge doesn't escape values extracted by *Input Path*, when populating the *Input Template* for a target. + If a JSON path references a JSON object or array, but the variable is referenced in a string, EventBridge removes any internal quotes to ensure a valid string. For example, for a variable `` pointed at `$.detail`, "Detail is " would result in EventBridge removing quotes from the object. Therefore, if you want to output a JSON object based on a single JSON path variable, you must place it as a key. In this example, `{"detail": }`. + Quotes are not required for variables that represent strings. They are permitted, but EventBridge automatically adds quotes to string variable values during transformation, to ensure the transformation output is valid JSON. EventBridge does not add quotes to variables that represent JSON objects or arrays. Do not add quotes for variables that represent JSON objects or arrays. For example, the following input template includes variables that represent both strings and JSON objects: ``` { "ruleArn" : , "ruleName" : , "originalEvent" : } ``` Resulting in valid JSON with proper quotation: ``` { "ruleArn" : "arn:aws:events:us-east-2:123456789012:rule/example", "ruleName" : "example", "originalEvent" : { ... // commented for brevity } } ``` + For (non-JSON) text output as multi-line strings, wrap each separate line in your input template in double quotes. For example, if you were matching [Amazon Inspector Finding](https://docs.aws.amazon.com/inspector/latest/user/eventbridge-integration.html#event-finding) events against the following event pattern: ``` { "detail": { "severity": ["HIGH"], "status": ["ACTIVE"] }, "detail-type": ["Inspector2 Finding"], "source": ["inspector2"] } ``` And using the following input path: ``` { "account": "$.detail.awsAccountId", "ami": "$.detail.resources[0].details.awsEc2Instance.imageId", "arn": "$.detail.findingArn", "description": "$.detail.description", "instance": "$.detail.resources[0].id", "platform": "$.detail.resources[0].details.awsEc2Instance.platform", "region": "$.detail.resources[0].region", "severity": "$.detail.severity", "time": "$.time", "title": "$.detail.title", "type": "$.detail.type" } ``` You could use the input template below to generate multi-line string output: ``` " severity finding " "Description: <description>" "ARN: \"<arn>\"" "Type: <type>" "AWS Account: <account>" "Region: <region>" "EC2 Instance: <instance>" "Platform: <platform>" "AMI: <ami>" ``` # Configuring an input transformer when creating a rule in EventBridge Configuring an input transformer As part of creating a rule, you can specify an input transformer for EventBridge to use to process matching events prior to sending those event to the specified target. You can configure input transformers for targets that are AWS services or API destinations. **To create a target input transformer as part of a rule** 1. Follow the steps for creating a rule as detailed in [Creating rules in Amazon EventBridge](eb-create-rule-visual.md). 1. In **Step 3 - Select target(s)**, expand **Additional settings**. 1. For **Configure target input**, choose **Input transformer** in the dropdown. Click **Configure input transformer**. EventBridge displays the **Configure input transformer** dialog box. 1. In the **Sample event** section, choose a **Sample event type** against which you want to test your event pattern. You can choose an AWS event, a partner event, or enter your own custom event. ------ #### [ AWS events ] Select from events emitted from supported AWS services. 1. Select **AWS events**. 1. Under **Sample events**, choose the desired AWS event. Events are organized by AWS service. When you select an event, EventBridge populates the sample event. For example, if you choose **S3 Object Created**, EventBridge displays a sample S3 Object Created event. 1. (Optional) You can also select **Copy** to copy the sample event to your device's clipboard. ------ #### [ Partner events ] Select from events emitted from third-party services that support EventBridge, such as Salesforce. 1. Select **EventBridge partner events**. 1. Under **Sample events**, choose the desired partner event. Events are organized by partner. When you select an event, EventBridge populates the sample event. 1. (Optional) You can also select **Copy** to copy the sample event to your device's clipboard. ------ #### [ Enter your own ] Enter your own event in JSON text. 1. Select **Enter your own**. 1. EventBridge populates the sample event with a template of required event attributes. 1. Edit and add to the sample event as desired. The sample event must be valid JSON. 1. (Optional) You can also choose any of the following options: + **Copy** – Copy the sample event to your device's clipboard. + **Prettify** – Makes the JSON text easier to read by adding line breaks, tabs, and spaces. ------ 1. (Optional) Expand the **Example input paths, Templates and Outputs** section to see examples of: + How JSON paths are used to define variables that represent event data + How those variables can be used in an input transformer template + The resulting output that EventBridge sends to the target For more detailed examples of input transformations, see [Input transform examples](eb-transform-target-input.md#eb-transform-input-examples). 1. In the **Target input transformer** section, define any variables you want to use in the input template. Variables use JSON path to reference values in the original event source. You can then reference those variables in the input template in order to include data from the original source event in the transformed event that EventBridge passes to the target. You can define up to 100 variables. The input transformer must be valid JSON. For example, suppose you had chosen AWS event **S3 Object Created** as your sample event for this input transformer. You could then define the following variables for use in your template: ``` { "requester": "$.detail.requester", "key": "$.detail.object.key", "bucket": "$.detail.bucket.name" } ``` (Optional) You can also choose **Copy** to copy the input transformer to your device's clipboard. 1. In the **Template** section, compose the template you want to use to determine what EventBridge passes to the target. You can use JSON, strings, static information, variables you've defined as well as reserved variables. For more detailed examples of input transformations, see [Input transform examples](eb-transform-target-input.md#eb-transform-input-examples). For example, suppose you had defined the variables in the previous example. You could then compose the following template, which references those variables, as well as reserved variables, and static information. ``` { "message": "<requester> has created the object \"<key>\" in the bucket \"<bucket>\"", "RuleName": <aws.events.rule-name>, "ruleArn" : <aws.events.rule-arn>, "Transformed": "Yes" } ``` (Optional) You can also choose **Copy** to copy the template to your device's clipboard. 1. To test your template, select **Generate output**. EventBridge processes the sample event based on the input template, and displays the transformed output generated under **Output**. This is the information that EventBridge will pass to the target in place of the original source event. The generated output for the example input template described above would be the following: ``` { "message": "123456789012 has created the object "example-key" in the bucket "amzn-s3-demo-bucket"", "RuleName": rule-name, "ruleArn" : arn:aws:events:us-east-1:123456789012:rule/rule-name, "Transformed": "Yes" } ``` (Optional) You can also choose **Copy** to copy the generated output to your device's clipboard. 1. Select **Confirm** 1. Follow the rest of the steps for creating a rule as detailed in [Creating rules in Amazon EventBridge](eb-create-rule-visual.md). # Testing a target input transformer using the EventBridge Sandbox Testing an input transformer You can use input transformers to customize the text from an [event](eb-events.md) before EventBridge passes the information to the [target](eb-targets.md) of a [rule](eb-rules.md). Configuring an input transformer is typically part of the larger process of specifying a target while [creating a new rule](eb-create-rule-visual.md) or editing an existing one. Using the Sandbox in EventBridge, however, you can quickly configure an input transformer and use a sample event to confirm you are getting the desired output, without having to create or edit a rule. For more information about input transformations, see [Amazon EventBridge input transformation](eb-transform-target-input.md). **To test a target input transformer** 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 1. Under **Developer resources**, choose **Sandbox**, and on the **Sandbox** page choose the **Target input transformer** tab. 1. In the **Sample event** section, choose a **Sample event type** against which you want to test your event pattern. You can choose an AWS event, a partner event, or enter your own custom event. ------ #### [ AWS events ] Select from events emitted from supported AWS services. 1. Select **AWS events**. 1. Under **Sample events**, choose the desired AWS event. Events are organized by AWS service. When you select an event, EventBridge populates the sample event. For example, if you choose **S3 Object Created**, EventBridge displays a sample S3 Object Created event. 1. (Optional) You can also select **Copy** to copy the sample event to your device's clipboard. ------ #### [ Partner events ] Select from events emitted from third-party services that support EventBridge, such as Salesforce. 1. Select **EventBridge partner events**. 1. Under **Sample events**, choose the desired partner event. Events are organized by partner. When you select an event, EventBridge populates the sample event. 1. (Optional) You can also select **Copy** to copy the sample event to your device's clipboard. ------ #### [ Enter your own ] Enter your own event in JSON text. 1. Select **Enter your own**. 1. EventBridge populates the sample event with a template of required event attributes. 1. Edit and add to the sample event as desired. The sample event must be valid JSON. 1. (Optional) You can also choose any of the following options: + **Copy** – Copy the sample event to your device's clipboard. + **Prettify** – Makes the JSON text easier to read by adding line breaks, tabs, and spaces. ------ 1. (Optional) Expand the **Example input paths, Templates and Outputs** section to see examples of: + How JSON paths are used to define variables that represent event data + How those variables can be used in an input transformer template + The resulting output that EventBridge sends to the target For more detailed examples of input transformations, see [Input transform examples](eb-transform-target-input.md#eb-transform-input-examples). 1. In the **Target input transformer** section, define any variables you want to use in the input template. Variables use JSON path to reference values in the original event source. You can then reference those variables in the input template in order to include data from the original source event in the transformed event that EventBridge passes to the target. You can define up to 100 variables. The input transformer must be valid JSON. For example, suppose you had chosen AWS event **S3 Object Created** as your sample event for this input transformer. You could then define the following variables for use in your template: ``` { "requester": "$.detail.requester", "key": "$.detail.object.key", "bucket": "$.detail.bucket.name" } ``` (Optional) You can also choose **Copy** to copy the input transformer to your device's clipboard. 1. In the **Template** section, compose the template you want to use to determine what EventBridge passes to the target. You can use JSON, strings, static information, variables you've defined as well as reserved variables. For more detailed examples of input transformations, see [Input transform examples](eb-transform-target-input.md#eb-transform-input-examples). For example, suppose you had defined the variables in the previous example. You could then compose the following template, which references those variables, as well as reserved variables, and static information. ``` { "message": "<requester> has created the object \"<key>\" in the bucket \"<bucket>\"", "RuleName": <aws.events.rule-name>, "ruleArn" : <aws.events.rule-arn>, "Transformed": "Yes" } ``` (Optional) You can also choose **Copy** to copy the template to your device's clipboard. 1. To test your template, select **Generate output**. EventBridge processes the sample event based on the input template, and displays the transformed output generated under **Output**. This is the information that EventBridge will pass to the target in place of the original source event. The generated output for the example input template described above would be the following: ``` { "message": "123456789012 has created the object "example-key" in the bucket "amzn-s3-demo-bucket"", "RuleName": rule-name, "ruleArn" : arn:aws:events:us-east-1:123456789012:rule/rule-name, "Transformed": "Yes" } ``` (Optional) You can also choose **Copy** to copy the generated output to your device's clipboard.