Rule: events:source condition for events:PutEvents actions in IAM policies #14

Open
nmoutschen opened this issue May 27, 2021 · 0 comments
Labels
new-rule New Rule

Key information

  • Rule PR: (leave this empty)
  • Related issue(s), if known:
  • Meets the need of 80% of users: yes
  • Do you need help implementing this rule: no
  • Approved by:
  • Reviewed by:

Summary

As EventBridge now supports fine-grained permissions on the events:PutEvents action, this new rule would check if there is at least an events:source condition on that rule. In EventBridge events, source should correspond to a service/domain, and detail-type to a type of event emitted by that source. The two together correspond to a unique event type identifier.

By enforcing an events:source, we could ensure that a given service/domain does not spoof another one.

See here for a list of supported conditions.
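The check the issue describes, as an added example that is not part of the issue or of the project's own rule code: it walks the statements of an IAM policy document, finds Allow statements that grant events:PutEvents (directly or through an events:* / * wildcard, which goes slightly beyond the issue's wording), and reports those with no events:source condition key under any condition operator. The sample policy, its Sids, the event bus ARN and the source value "ecommerce.orders" are constructed for the example.

```python
import fnmatch

# Constructed sample IAM policy (not from the issue): the first statement allows
# events:PutEvents with no condition, the second scopes it to a single events:source.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrdersPutEventsUnrestricted",
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:eu-west-1:123456789012:event-bus/default",
        },
        {
            "Sid": "OrdersPutEventsScoped",
            "Effect": "Allow",
            "Action": ["events:PutEvents"],
            "Resource": "arn:aws:events:eu-west-1:123456789012:event-bus/default",
            "Condition": {"StringEquals": {"events:source": "ecommerce.orders"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_put_events(statement):
    """True if an Allow statement grants events:PutEvents, including via wildcards."""
    if statement.get("Effect") != "Allow":
        return False
    for action in _as_list(statement.get("Action")):
        # Action names are case-insensitive; fnmatch handles "events:*" and "*".
        if fnmatch.fnmatchcase("events:putevents", action.lower()):
            return True
    return False


def _has_source_condition(statement):
    """True if any condition operator (StringEquals, ForAnyValue:StringLike, ...)
    carries the events:source key; condition keys are case-insensitive."""
    for keys in statement.get("Condition", {}).values():
        for key in keys:
            if key.lower() == "events:source":
                return True
    return False


def find_unscoped_put_events(policy):
    """Return the Sid (or a positional label) of every Allow statement that grants
    events:PutEvents without an events:source condition."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if _allows_put_events(statement) and not _has_source_condition(statement):
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


if __name__ == "__main__":
    for sid in find_unscoped_put_events(SAMPLE_POLICY):
        print(f"Warning: {sid} allows events:PutEvents without an events:source condition")
```

Run against SAMPLE_POLICY this reports only OrdersPutEventsUnrestricted; the scoped statement passes because its condition pins the source a caller may claim, which is the spoofing guard the rule is meant to enforce.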

Rule level

I'd recommend using Warning for this rule. If you abstract the payload away and use EventBridge as a pure envelope, then you'd use another property within the detail as source identifier. E.g. (based on this blog post):

{
  "version": "0",
  "id": "abc",
  "detail-type": "event",
  "source": "event",
  "account": "123456789012",
  "time": "2021-05-27T10:00:00Z",
  "region": "eu-west-1",
  "resources": [],
  "detail": {
    "metadata": {
      "domain": "ecommerce",
      "service": "orders",
      "type": "ORDER",
      "status": "SUBMITTED"
    },
    "data": {
      "orderNumber": "T123123123",
      "customerId": "23hdfjdf-34ff-34ghj",
      "totalValue": 29.99,
      "items": 5
    }
  }
}

Because you don't use the source type for routing, it doesn't act as a guard against spoofing events from other services, and thus doesn't bring the same value for these use-cases.

@nmoutschen nmoutschen added the new-rule New Rule label Jun 2, 2021