If you’re trying to set up logging for your Amazon EventBridge event bus, and the instructions seem unclear, don’t worry—you’re not alone. The official documentation states that you need to give EventBridge permission to send logs from the bus by adding a specific policy, but the exact steps can be tricky.
First, understand that the permission you need, events:AllowVendedLogDeliveryForResource, is a permission-only action and doesn’t behave like a typical permission. Adding it with the PutPermission API often results in errors, because this action generally isn’t supported for direct permission addition through standard API calls.
Here’s a simple way to get around this:
Instead of trying to add the permission directly with the PutPermission API and specifying the specific action, you should grant the necessary permissions through an IAM policy attached to the role or user responsible for managing the event bus. This approach aligns with AWS best practices and avoids the unsupported action errors.
- Create or update an IAM policy with the necessary permissions to allow EventBridge to send logs. The policy should include the logs:CreateLogStream, logs:PutLogEvents, and similar permissions needed for logging.
- Attach this policy to the IAM role or user that manages your EventBridge bus.
- Configure your event bus to send logs by enabling the logging feature in the EventBridge console or CLI, specifying the log group, and making sure the IAM permissions are in place.
If you prefer to do this via the CLI, ensure that your permissions are properly set up on the IAM side—remember, you cannot directly add the events:AllowVendedLogDeliveryForResource action through PutPermission. Instead, focus on granting the broader permissions needed for EventBridge to write logs.
In summary, the best way to enable logging for your event bus is to pre-approve the required permissions through IAM policies rather than trying to add this specific action directly with PutPermission. This method avoids errors and aligns with AWS guidelines. Always double-check your IAM policies and the permissions attached to your roles or users involved in managing EventBridge resources.
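One way to double-check such a policy before attaching it, as an added example that is not from the original post or from AWS: a small Python check that confirms the actions named above are granted and flags wildcard actions or an unscoped Resource. The account ID, region, bus name and log group name are constructed placeholders, and scoping each statement to a single ARN is an assumption of this example.

```python
import json
from fnmatch import fnmatchcase

# Actions this page names for event bus logging.
REQUIRED = ("events:AllowVendedLogDeliveryForResource",
            "logs:CreateLogStream", "logs:PutLogEvents")

# Constructed sample: account ID, region, bus and log group names are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "events:AllowVendedLogDeliveryForResource",
     "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/example-bus"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/example/bus-logs:*"}
  ]
}
""")

def _as_list(value):
    # IAM accepts a single string or object wherever a list is valid.
    return value if isinstance(value, list) else [value]

def review_policy(policy):
    """Return (missing, findings): required actions not granted, and over-broad grants."""
    allowed, findings = [], []
    # Only Allow/Action statements are examined; Deny and NotAction are not evaluated.
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        allowed.extend(actions)
        for action in actions:
            if "*" in action or "?" in action:
                findings.append(f"wildcard action: {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"unscoped Resource for: {', '.join(actions)}")
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    missing = [r for r in REQUIRED
               if not any(fnmatchcase(r.lower(), a) for a in allowed)]
    return missing, findings

if __name__ == "__main__":
    print(review_policy(SAMPLE_POLICY))
```

An empty result for both lists means every named action is granted and nothing is broader than a single ARN; a policy that uses `logs:*` on `Resource: "*"` is reported on both counts.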





