amazon-web-servicesaws-event-bridge

AWS Event Bridge NotAuthorizedForSourceException

I just set up AWS Guard Duty to notify alerts via slack and am trying to test the setup. I try to send this event on my event bus

  "version": "0",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "187760472520",
  "time": "2024-02-28T16:46:43Z",
  "region": "us-west-2",
  "resources": [],
  "detail": {
    "severity": 3.5,
    "description": "Example GuardDuty finding"
  }
}

And the error message is: Error. NotAuthorizedForSourceException. Not authorized for the source.

Per the docs the error is: You do not have permissions to publish events with this source onto this event bus.

I am using the template resource base policy on my event bus.

  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAccountToPutEvents",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<Account ID>:root"
    },
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:us-west-2:<Account ID>:event-bus/default"
  }, {
    "Sid": "AllowAllAccountsFromOrganizationToPutEvents",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:us-west-2:<Account ID>:event-bus/default",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalOrgID": "<Org ID>"
      }
    }
  }, {
    "Sid": "AllowAccountToManageRulesTheyCreated",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<Account ID>:root"
    },
    "Action": ["events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets", "events:DisableRule", "events:EnableRule", "events:TagResource", "events:UntagResource", "events:DescribeRule", "events:ListTargetsByRule", "events:ListTagsForResource"],
    "Resource": "arn:aws:events:us-west-2:<Account ID>:rule/default",
    "Condition": {
      "StringEqualsIfExists": {
        "events:creatorAccount": "<Account ID>"
      }
    }
  }]
}

I know that my user in the console has permissions to do this.

Does anyone know how to fix this error?

Solution

  • It seems like I cannot manually create and send an eventbus event with "source": "aws.guardduty", but a work around to testing guard duty events is to generate sample findings. This will trigger your cloudwatch rule many times if it is configured correctly, thus sending events on the eventbus to trigger SNS.