1. Login to the AWS Management Console.
2. Navigate to the Amazon EventBridge service.
3. Select the Event Bus that is allowing cross-account access.
4. Click on the “Permissions” tab.
5. In the “Event bus policies” section, click on the “Edit” button.
6. Remove any statements that grant cross-account access to the Event Bus.
7. Add a new statement that only allows access from the AWS account(s) that require access to the Event Bus.
8. Click on the “Save” button to apply the changes.

​

1. Open your terminal or command prompt and ensure that you have the AWS CLI installed and configured with the appropriate credentials.
2. Run the following command to list all the Amazon EventBridge event buses in your AWS account:
   Copy

   Ask AI

   aws events list-event-buses
   

3. Identify the event bus that is allowing cross-account access.
4. Run the following command to modify the event bus policy and restrict cross-account access:
   Copy

   Ask AI

   aws events put-policy --event-bus-name <event-bus-name> --policy '{"Statement":[{"Sid":"RestrictCrossAccountAccess","Effect":"Deny","Principal":"*","Action":"events:PutEvents","Resource":"arn:aws:events:<region>:<account-id>:event-bus/<event-bus-name>"}]}'
   

   Replace <event-bus-name> with the name of the event bus that is allowing cross-account access, <region> with the AWS region where the event bus is located, and <account-id> with your AWS account ID.
5. Verify that the policy has been updated by running the following command:
   Copy

   Ask AI

   aws events describe-event-bus --name <event-bus-name>
   

   The output should show the updated policy with the Deny statement.
6. Repeat steps 3-5 for any other event buses that are allowing cross-account access.

1. Create a new EventBridge event bus policy that allows access only to the specific AWS account that should have access to the event bus.

import boto3
import json

eventbridge = boto3.client('events')

account_id = boto3.client('sts').get_caller_identity().get('Account')

policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": f"arn:aws:iam::{account_id}:root"
            },
            "Action": "events:*",
            "Resource": "arn:aws:events:us-east-1:<account_id>:event-bus/default"
        }
    ]
}

policy_json = json.dumps(policy)

eventbridge.put_permission(
    Action='events:PutEvents',
    Principal='*',
    StatementId='AllowAccountAccess',
    Condition={
        'ArnEquals': {
            'aws:SourceArn': f'arn:aws:events:us-east-1:<account_id>:event-bus/default'
        }
    }
)

eventbridge.put_event_bus_policy(
    EventBusName='default',
    Policy=policy_json
)

2. Remove any existing event bus policies that allow cross-account access.

policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCrossAccountAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "events:*",
            "Resource": "arn:aws:events:us-east-1:<account_id>:event-bus/default",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "<account_id>"
                }
            }
        }
    ]
}

policy_json = json.dumps(policy)

eventbridge.put_event_bus_policy(
    EventBusName='default',
    Policy=policy_json
)

3. Verify that the event bus policy now only allows access to the specific AWS account that should have access to the event bus.

policy = eventbridge.describe_event_bus(
    Name='default'
)['Policy']

print(policy)