EventBridge Global Endpoint Event Replication
Overview
This check verifies that Amazon EventBridge global endpoints have event replication enabled. Global endpoints allow you to receive events in multiple AWS regions for high availability. Event replication ensures that when you send events to a global endpoint, they are automatically copied to both the primary and secondary regions.
Risk
Without event replication enabled:
- Events may be lost during regional failures - If the primary region experiences an outage, events sent during that time might not reach the secondary region
- Failover may not work as expected - Automatic recovery to the primary region could be delayed or incomplete
- Data inconsistencies - Your applications in different regions may process different sets of events, leading to state mismatches
This is a medium severity finding because it affects availability and disaster recovery capabilities.
Remediation Steps
Prerequisites
- AWS account access with permissions to modify EventBridge endpoints
- The endpoint must already exist (this check applies to existing global endpoints)
Required IAM permissions
You need the following IAM permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:UpdateEndpoint",
        "events:DescribeEndpoint",
        "events:ListEndpoints",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS Console Method
- Open the Amazon EventBridge console
- In the left navigation, click Global endpoints
- Select the endpoint you want to update
- Click Edit
- In the Event replication section, check the box for Event replication enabled
- If prompted, select or create an IAM role that allows EventBridge to replicate events between your event buses
- Click Save
AWS CLI (optional)
List existing global endpoints
First, identify which endpoints need updating:
```bash
aws events list-endpoints \
  --region us-east-1 \
  --query 'Endpoints[*].{Name:Name,State:State,ReplicationState:ReplicationConfig.State}'
```
Check a specific endpoint
```bash
aws events describe-endpoint \
  --name <your-endpoint-name> \
  --region us-east-1
```
Enable event replication
To enable replication on an existing endpoint:
```bash
aws events update-endpoint \
  --name <your-endpoint-name> \
  --replication-config State=ENABLED \
  --role-arn arn:aws:iam::<account-id>:role/<replication-role-name> \
  --region us-east-1
```
Replace:
- `<your-endpoint-name>`: the name of your global endpoint
- `<account-id>`: your AWS account ID
- `<replication-role-name>`: an IAM role that grants EventBridge permission to put events on both event buses
Example with all parameters
```bash
aws events update-endpoint \
  --name my-global-endpoint \
  --replication-config State=ENABLED \
  --role-arn arn:aws:iam::123456789012:role/eventbridge-replication-role \
  --region us-east-1
```
CloudFormation (optional)
This template creates an EventBridge global endpoint with event replication enabled, along with the required IAM role:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: EventBridge Global Endpoint with Event Replication Enabled
Parameters:
  EndpointName:
    Type: String
    Description: Name of the EventBridge global endpoint
    Default: my-global-endpoint
  PrimaryEventBusArn:
    Type: String
    Description: ARN of the primary region event bus
  SecondaryEventBusArn:
    Type: String
    Description: ARN of the secondary region event bus
  HealthCheckArn:
    Type: String
    Description: ARN of the Route 53 health check for failover
  SecondaryRegion:
    Type: String
    Description: Secondary region for failover
    Default: us-west-2
Resources:
  EventBridgeReplicationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${EndpointName}-replication-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EventBridgeReplicationPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - events:PutEvents
                Resource:
                  - !Ref PrimaryEventBusArn
                  - !Ref SecondaryEventBusArn
  GlobalEndpoint:
    Type: AWS::Events::Endpoint
    Properties:
      Name: !Ref EndpointName
      Description: Global endpoint with event replication enabled
      # RoleArn is a top-level property of AWS::Events::Endpoint; ReplicationConfig only carries State
      RoleArn: !GetAtt EventBridgeReplicationRole.Arn
      EventBuses:
        - EventBusArn: !Ref PrimaryEventBusArn
        - EventBusArn: !Ref SecondaryEventBusArn
      ReplicationConfig:
        State: ENABLED
      RoutingConfig:
        FailoverConfig:
          Primary:
            HealthCheck: !Ref HealthCheckArn
          Secondary:
            Route: !Ref SecondaryRegion
Outputs:
  EndpointUrl:
    Description: URL of the global endpoint
    Value: !GetAtt GlobalEndpoint.EndpointUrl
  EndpointArn:
    Description: ARN of the global endpoint
    Value: !GetAtt GlobalEndpoint.Arn
```
Deploy with:
```bash
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name eventbridge-global-endpoint \
  --parameter-overrides \
    PrimaryEventBusArn=arn:aws:events:us-east-1:123456789012:event-bus/my-bus \
    SecondaryEventBusArn=arn:aws:events:us-west-2:123456789012:event-bus/my-bus \
    HealthCheckArn=arn:aws:route53:::healthcheck/abc123 \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1
```
Terraform (optional)
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

variable "endpoint_name" {
  description = "Name of the EventBridge global endpoint"
  type        = string
  default     = "my-global-endpoint"
}

variable "primary_event_bus_arn" {
  description = "ARN of the primary region event bus"
  type        = string
}

variable "secondary_event_bus_arn" {
  description = "ARN of the secondary region event bus"
  type        = string
}

variable "health_check_arn" {
  description = "ARN of the Route 53 health check for failover"
  type        = string
}

variable "secondary_region" {
  description = "Secondary region for failover"
  type        = string
  default     = "us-west-2"
}

# IAM role for event replication
resource "aws_iam_role" "eventbridge_replication" {
  name = "${var.endpoint_name}-replication-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "events.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy" "eventbridge_replication" {
  name = "EventBridgeReplicationPolicy"
  role = aws_iam_role.eventbridge_replication.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "events:PutEvents"
        ]
        Resource = [
          var.primary_event_bus_arn,
          var.secondary_event_bus_arn
        ]
      }
    ]
  })
}

# EventBridge global endpoint with replication enabled
resource "aws_cloudwatch_event_endpoint" "global" {
  name        = var.endpoint_name
  description = "Global endpoint with event replication enabled"
  role_arn    = aws_iam_role.eventbridge_replication.arn

  event_bus {
    event_bus_arn = var.primary_event_bus_arn
  }

  event_bus {
    event_bus_arn = var.secondary_event_bus_arn
  }

  replication_config {
    state = "ENABLED"
  }

  routing_config {
    failover_config {
      primary {
        health_check = var.health_check_arn
      }
      secondary {
        route = var.secondary_region
      }
    }
  }
}

output "endpoint_url" {
  description = "URL of the global endpoint"
  value       = aws_cloudwatch_event_endpoint.global.endpoint_url
}

output "endpoint_arn" {
  description = "ARN of the global endpoint"
  value       = aws_cloudwatch_event_endpoint.global.arn
}
```
Apply with:
```bash
terraform apply \
  -var="primary_event_bus_arn=arn:aws:events:us-east-1:123456789012:event-bus/my-bus" \
  -var="secondary_event_bus_arn=arn:aws:events:us-west-2:123456789012:event-bus/my-bus" \
  -var="health_check_arn=arn:aws:route53:::healthcheck/abc123"
```
Verification
After enabling event replication, verify the change was applied:
- In the EventBridge console, go to Global endpoints
- Select your endpoint and confirm Event replication shows as Enabled
CLI verification
```bash
aws events describe-endpoint \
  --name <your-endpoint-name> \
  --region us-east-1 \
  --query 'ReplicationConfig.State'
```
Expected output:
```
"ENABLED"
```
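The same evaluation can be run over the JSON that `list-endpoints` returns for a whole region, so every endpoint is checked at once rather than one `describe-endpoint` call at a time. The following is an added example, not Prowler's own check code; it works on the field names of the ListEndpoints response (`Name`, `RoleArn`, `ReplicationConfig.State`, `EventBuses[].EventBusArn`), and the sample response is constructed:

```python
# Added example (not Prowler's or AWS's code): evaluate global endpoint records
# in the shape returned by `aws events list-endpoints` (ListEndpoints API) and
# report each one that would fail this check. The sample data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    endpoint: str
    status: str  # "PASS" or "FAIL"
    detail: str

def _region_of(arn: str) -> str:
    # arn:partition:service:region:account:resource -> region is field 3
    parts = arn.split(":")
    return parts[3] if len(parts) >= 6 else ""

def check_endpoint(ep: dict) -> Finding:
    """PASS only when replication is ENABLED, a replication role is attached
    and the two event buses sit in different regions."""
    name = ep.get("Name", "<unnamed>")
    state = ep.get("ReplicationConfig", {}).get("State", "DISABLED")
    if state != "ENABLED":
        return Finding(name, "FAIL", f"event replication is {state}")
    if not ep.get("RoleArn"):
        return Finding(name, "FAIL", "replication enabled but no RoleArn set")
    regions = {_region_of(b.get("EventBusArn", "")) for b in ep.get("EventBuses", [])}
    regions.discard("")
    if len(regions) < 2:
        return Finding(name, "FAIL", "event buses do not span two regions")
    return Finding(name, "PASS", "replication enabled across " + ", ".join(sorted(regions)))

def check_endpoints(response: dict) -> list:
    """Evaluate every endpoint in a ListEndpoints-style response."""
    return [check_endpoint(ep) for ep in response.get("Endpoints", [])]

def _bus(region: str) -> dict:
    # Builds a constructed event bus ARN for the sample data below.
    return {"EventBusArn": f"arn:aws:events:{region}:123456789012:event-bus/my-bus"}

# Constructed sample response: one compliant endpoint, one without replication.
SAMPLE_RESPONSE = {"Endpoints": [
    {"Name": "orders-endpoint",
     "RoleArn": "arn:aws:iam::123456789012:role/eventbridge-replication-role",
     "ReplicationConfig": {"State": "ENABLED"},
     "EventBuses": [_bus("us-east-1"), _bus("us-west-2")]},
    {"Name": "legacy-endpoint",
     "ReplicationConfig": {"State": "DISABLED"},
     "EventBuses": [_bus("us-east-1"), _bus("us-west-2")]},
]}
```

Against a live account, pass the dict returned by `boto3.client("events").list_endpoints()` to `check_endpoints` instead of `SAMPLE_RESPONSE`.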
Additional Resources
- Making applications Regional-fault tolerant with global endpoints and event replication
- AWS::Events::Endpoint CloudFormation Reference
- EventBridge API Reference - UpdateEndpoint
- Prowler Check Documentation
Notes
- IAM role required: Event replication requires an IAM role that grants EventBridge permission to put events on both the primary and secondary event buses. Without this role, replication will fail.
- Event bus synchronization: For proper failover, ensure your event buses in both regions have matching rules and targets. Events replicated to the secondary region will only be processed if corresponding rules exist there.
- Idempotency: When event replication is enabled, your event consumers may receive duplicate events (one from each region). Design your consumers to handle duplicates gracefully using unique event IDs.
- Cost considerations: Enabling event replication incurs additional costs for cross-region data transfer and additional PutEvents calls. Review the EventBridge pricing page for details.
- Route 53 health check: Global endpoints require a Route 53 health check to determine when to fail over. Make sure your health check is properly configured and monitoring the right resources.