This issue was moved to a discussion.

using cross account eventbridge #7179

Closed
SteveL1 opened this issue Mar 24, 2022 · 2 comments

Comments

@SteveL1

SteveL1 commented Mar 24, 2022


I am currently deploying dozens of policies to dozens of accounts. The accounts are managed and paid for by individual teams, but I am responsible for ensuring that all the accounts follow company guidelines, and this is causing a couple of concerns.

Firstly, the costs (low as they are) are borne by the account holders and not by my team. We have had a case where a policy was incorrect and was being launched recursively, meaning that it had millions of invocations when only one was needed! It was my fault, but the team affected was billed. We have tagged the functions with a cost centre to cross-charge the fees, but it creates an unnecessary overhead on someone's time to process this.

Secondly, and more importantly, as we don't manage the accounts there is a possibility that someone can remove or update the lambda functions. I redeploy the functions daily, but someone could easily schedule the removal of the functions.

Also, I have found that mugc.py isn't perfect and will sometimes leave old policies behind, and reviewing all of the accounts when there is a policy name change can be quite time consuming.

Is there a way to either send eventbridge messages to a central account where the lambdas exist, or for custodian to assume a role in a different account so they can be processed there while still remediating in the source account?


@kapilt
Collaborator

kapilt commented Apr 29, 2022

Yes, you can use member-role in lambda execution modes for cross-account role assumption. member-role is interpolated with the account id as a template. The setup of the event bridge forwarding is done out of band as a one-time activity.
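As an added illustration of the answer above (example policy written for this page, not taken from the issue or from the Cloud Custodian project's own documentation), the following shows a single policy deployed in a central "hub" account that remediates in whichever member account emitted the event. All account IDs and role names are constructed placeholders; the `{account_id}` token is the template field that Custodian fills from the `account` field of each incoming CloudTrail event.

```yaml
# Added example, not from the original issue. Account IDs and role names
# below are constructed placeholders.
policies:
  - name: ec2-cost-center-tag-central
    resource: aws.ec2
    mode:
      type: cloudtrail
      # Execution role of the Lambda that lives in the central account.
      role: arn:aws:iam::111111111111:role/CustodianHubLambda
      # Template: {account_id} is substituted with the account that emitted
      # the event, so one Lambda serves every member account and the
      # filters/actions run with that member's role.
      member-role: arn:aws:iam::{account_id}:role/CustodianMemberRole
      events:
        - RunInstances
    filters:
      - "tag:CostCenter": absent
    actions:
      - type: tag
        key: CostCenter
        value: unassigned
```

Two things have to exist for this to work, and both are the out-of-band, one-time setup the answer refers to: each member account needs an EventBridge rule that forwards the relevant events (for CloudTrail-based policies, the `AWS API Call via CloudTrail` detail type) to the central account's event bus, and the central bus needs a resource policy granting `events:PutEvents` to those member accounts. On the IAM side, `CustodianMemberRole` in each member account must trust `CustodianHubLambda` for `sts:AssumeRole` and carry only the permissions the policy's filters and actions need, while the hub role needs nothing in the member accounts beyond the ability to assume that role. Because the Lambda is then deployed only in the central account, the invocation cost lands there and the function cannot be removed by the member account's owners.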

@SteveL1
Author

SteveL1 commented May 18, 2022

Hi,

Thanks so much for replying to me.

I wonder if you could expand on how to implement this; I'm not sure what you mean by "member-role is interpolated with the account id as a template".

Setting up eventbridge shouldn't be an issue, but I just need to get Custodian to remediate in the correct account.

Thanks

@cloud-custodian cloud-custodian locked and limited conversation to collaborators Jun 1, 2022
@castrojo castrojo converted this issue into discussion #7448 Jun 1, 2022
