The Architecture

The solution involves two EventBridge rules working together:

- Rule in us-east-1: Captures the `CreateUser` event that CloudTrail delivers to EventBridge in that region (IAM is a global service, and CloudTrail records its API calls as global service events in us-east-1). Its target is the default event bus in our destination region (ap-northeast-1).
- Rule in ap-northeast-1: Is triggered by the event forwarded from us-east-1. Its target is a local SNS topic that sends the email notification.
Prerequisites

- An AWS account with permissions to manage IAM, EventBridge, and SNS.
- An AWS CloudTrail trail that is logging management events in the us-east-1 region (a multi-region trail qualifies). The 90-day Event history that every account has by default is not sufficient on its own: EventBridge only receives events of type "AWS API Call via CloudTrail" in a region where a trail is actively logging, and us-east-1 is where CloudTrail records IAM's global service events.
Step 1: Configure the Destination Region (Tokyo, ap-northeast-1)

First, we'll set up the resources that will receive the final event and send the notification.

- Create an SNS Topic:
  - Navigate to the Amazon SNS service in the ap-northeast-1 (Tokyo) region.
  - Create a Standard topic. Name it something descriptive, like IAM-User-Creation-Notifications.
  - Once created, go to the Subscriptions tab and create a new subscription.
    - For the Protocol, select Email.
    - For the Endpoint, enter the email address where you want to receive notifications.
    - After creating the subscription, you will receive a confirmation email. You must click the link in this email to confirm the subscription; until you do, the subscription remains in PendingConfirmation and nothing is delivered to it.
- Create an EventBridge Rule:
  - Navigate to the Amazon EventBridge service in the ap-northeast-1 region.
  - Click Create rule.
  - Give the rule a name, such as IAM-CreateUser-Notification-Rule, and leave the event bus set to default, because that is the bus the us-east-1 rule will send to.
  - In the Event pattern section, use the following pattern to match the CreateUser event forwarded from us-east-1. The forwarded event keeps its original `source` and `detail-type`, so this is the same pattern the source rule will use:

```json
{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["CreateUser"]
  }
}
```

  - In the Target section, select SNS topic and choose the IAM-User-Creation-Notifications topic you created earlier. The console adds the access-policy statement that lets events.amazonaws.com publish to the topic; if you create the rule with the CLI or infrastructure-as-code instead, you must add that statement to the topic policy yourself.
  - Click Create rule.
Step 2: Configure the Source Region (N. Virginia, us-east-1)

Now, we'll set up the rule that captures the original IAM event and forwards it to our destination region.

- Switch your AWS Console region to US East (N. Virginia) (us-east-1).
- Create an EventBridge Rule:
  - Navigate to the Amazon EventBridge service.
  - Click Create rule.
  - Give the rule a name, such as Forward-IAM-CreateUser-Event-to-Tokyo.
  - In the Event pattern section, use the exact same event pattern as in the destination rule:

```json
{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["CreateUser"]
  }
}
```

  - In the Target section, select EventBridge event bus.
  - Choose the option "Event bus in a different account or region".
  - In the Event bus as a target text box, paste the ARN of the default event bus in your destination region. It has this format: `arn:aws:events:ap-northeast-1:ACCOUNT_ID:event-bus/default`. Replace ACCOUNT_ID with your AWS Account ID.
  - Leave the execution role set to "Create a new role for this specific resource". EventBridge creates an IAM role that grants it `events:PutEvents` on that bus ARN, which is what cross-region delivery requires. If you pick an existing role instead, it needs that same permission on the destination bus.
  - Click Create rule.
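Both rules stand or fall on how EventBridge evaluates that event pattern, so it is worth seeing the matching logic run before a real IAM call is involved. The following Python is an added example, not part of the original walkthrough: it re-implements the subset of EventBridge pattern semantics the two rules rely on (a list of candidate values is an OR, sibling keys are an AND, nested objects recurse, and `{"exists": false}` is the content filter for an absent key) and runs it over constructed CloudTrail events. The sample events, the account ID, and the `errorCode` filter variant are assumptions for illustration; nothing here talks to AWS.

```python
"""Local check of the EventBridge event pattern used by both rules.

Added example. Re-implements the pattern-matching subset the walkthrough's
rules depend on and evaluates it against constructed CloudTrail events.
"""
import json

# The pattern pasted verbatim into both the us-east-1 and ap-northeast-1 rules.
CREATE_USER_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser"],
    },
}

# Assumed variant (not from the original page): CloudTrail only sets
# "errorCode" on a call that failed, so {"exists": false} drops e.g.
# AccessDenied attempts and keeps only CreateUser calls that succeeded.
SUCCESSFUL_CREATE_USER_PATTERN = {
    **CREATE_USER_PATTERN,
    "detail": {**CREATE_USER_PATTERN["detail"], "errorCode": [{"exists": False}]},
}


def _leaf_matches(candidates, value, present):
    """A pattern leaf (list of candidates) against one event value: any hit wins."""
    for cand in candidates:
        if isinstance(cand, dict):
            # Content filters supported here: exists and prefix.
            if "exists" in cand and cand["exists"] == present:
                return True
            if present and "prefix" in cand and isinstance(value, str) \
                    and value.startswith(cand["prefix"]):
                return True
        elif present and value == cand:
            return True
    return False


def matches(pattern, event):
    """True if every key of `pattern` is satisfied by `event` (keys are ANDed)."""
    for key, expected in pattern.items():
        present = isinstance(event, dict) and key in event
        value = event.get(key) if present else None
        if isinstance(expected, dict):
            # Nested object: recurse. An absent object only satisfies the
            # nested pattern if all its leaves are {"exists": false} checks.
            if not matches(expected, value if present else {}):
                return False
        elif not _leaf_matches(expected, value, present):
            return False
    return True


def cloudtrail_event(event_name, error_code=None):
    """Constructed sample of what EventBridge receives for an IAM call.

    Field values are illustrative, not captured from a real account.
    """
    detail = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",  # IAM global service events land here
        "requestParameters": {"userName": "TestUser"},
    }
    if error_code:
        detail["errorCode"] = error_code
        detail["errorMessage"] = "User is not authorized to perform this action"
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.iam",
        "account": "123456789012",  # placeholder account ID
        "region": "us-east-1",
        "resources": [],
        "detail": detail,
    }


SAMPLE_EVENTS = {
    "create_user_ok": cloudtrail_event("CreateUser"),
    "create_access_key": cloudtrail_event("CreateAccessKey"),
    "create_user_denied": cloudtrail_event("CreateUser", error_code="AccessDenied"),
}


def evaluate(pattern, events=SAMPLE_EVENTS):
    """Map each sample event name to whether `pattern` would fire on it."""
    return {name: matches(pattern, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for label, pattern in (("page pattern", CREATE_USER_PATTERN),
                           ("successful only", SUCCESSFUL_CREATE_USER_PATTERN)):
        print(label, evaluate(pattern))
    # json.dumps renders Python False as JSON false, i.e. console-ready text.
    print(json.dumps(SUCCESSFUL_CREATE_USER_PATTERN, indent=2))
```

Run directly, it prints that the page's pattern fires on both the successful and the AccessDenied `CreateUser` samples and ignores `CreateAccessKey`, while the `errorCode` variant fires only on the successful one. Whichever pattern you settle on, `json.dumps(pattern, indent=2)` is exactly the text that goes into the console's Event pattern box in both regions.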
Step 3: Test the Setup

- Navigate to the IAM service in the AWS Management Console.
- Create a new IAM user. Give it any name (e.g., TestUser).
- Within a minute or two, you should receive an email notification at the address you subscribed to the SNS topic. The email will contain the full JSON of the CloudTrail event for the CreateUser API call, including the userIdentity block that records which principal made the call.
- Delete TestUser once the notification has arrived, so the test does not leave an unused identity in the account.

One caveat when acting on these alerts: CloudTrail also records CreateUser calls that failed, with an errorCode field such as AccessDenied, and the pattern above matches those events too. A notification therefore means a CreateUser call was attempted, not necessarily that a user exists; check errorCode in the delivered JSON before concluding either way.

You have now successfully configured a cross-region eventing pipeline using AWS EventBridge to monitor global IAM events from your local region.