How can I troubleshoot issues with EventBridge rules?

Last updated: 2022-04-15

An event occurred that matched my Amazon EventBridge rule. However, my rule isn't functioning correctly. How can I troubleshoot this?

Short description

Determine if the problem is that the rule isn't triggering or if the target wasn't invoked. After you determine the source of the problem, you can validate the incoming event, or you can validate the target.

Resolution

Verify if the rule isn't being triggered or if the target isn't being invoked

To do this, review the corresponding EventBridge metrics for the rule.

The TriggeredRules metric shows the number of times a rule matched an event or was executed. This metric is useful in confirming whether a scheduled rule ran or if a rule matched a specific event. After the rule triggers successfully, EventBridge forwards the event to the target.

An Invocations datapoint is generated when a rule invokes a target. EventBridge makes multiple attempts if it encounters difficulty delivering the event to the target. A FailedInvocations datapoint is issued when EventBridge permanently fails to invoke the target. FailedInvocations indicate problems with the target configuration.

Review Amazon CloudWatch metrics for the EventBridge rule by doing the following:

  1. Open the CloudWatch console.
  2. Select All Metrics.
  3. Select the AWS/Events namespace.
  4. Select the TriggeredRules, Invocations, and FailedInvocations (if available) metrics for the rule in question. You can view these metrics with the SUM statistic.

Validate the incoming event

  • For event-based rules, the event pattern must be configured to match the desired event. You can validate the event pattern using the EventBridge console during rule creation. EventBridge also provides the TestEventPattern API for event pattern validation.
  • If the event in question is captured by AWS CloudTrail, then you can retrieve the event from CloudTrail. Then confirm that the provided event pattern is correct.
  • Note that some AWS services are only available in the Region us-east-1. For example, IAM API calls are only published in us-east-1. This means that the corresponding EventBridge rule must be created in the same Region.
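
The following Python sketch is an added example, not AWS code. It applies a simplified local model of exact-value event pattern matching to a constructed CloudTrail-style IAM event and lists which pattern fields fail to match. The function name mismatches, the sample event, and both patterns are assumptions for illustration; content filters such as prefix are not handled, and TestEventPattern remains the authoritative check.

```python
def mismatches(pattern, event, path=""):
    """List the pattern fields the event fails to satisfy (empty list = match)."""
    failed = []
    for key, expected in pattern.items():
        here = f"{path}.{key}" if path else key
        if key not in event:
            failed.append(f"{here}: field missing from event")
        elif isinstance(expected, dict):
            # Nested pattern object: descend into the same field of the event.
            if isinstance(event[key], dict):
                failed += mismatches(expected, event[key], here)
            else:
                failed.append(f"{here}: event value is not an object")
        elif not isinstance(expected, list):
            failed.append(f"{here}: pattern leaf must be an array of values")
        elif any(isinstance(v, dict) for v in expected):
            failed.append(f"{here}: content filter, not handled by this sketch")
        else:
            # Exact, case-sensitive comparison; any listed value may match.
            actual = event[key] if isinstance(event[key], list) else [event[key]]
            if not any(a in expected for a in actual):
                failed.append(f"{here}: {actual!r} not in {expected!r}")
    return failed

# Constructed sample: trimmed CloudTrail-style event for an IAM API call.
EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
}

# Hypothetical pattern that matches the sample event.
GOOD_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"],
               "eventName": ["CreateUser", "DeleteUser"]},
}

# Hypothetical pattern with two common mistakes: wrong key case, wrong value case.
BAD_PATTERN = {
    "source": ["aws.iam"],
    "detail": {"eventsource": ["iam.amazonaws.com"], "eventName": ["createuser"]},
}

if __name__ == "__main__":
    for name, pattern in (("good", GOOD_PATTERN), ("bad", BAD_PATTERN)):
        print(name, mismatches(pattern, EVENT) or "matches")
```
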

Validate the target

  • When rules are created using the EventBridge console, the console automatically adds the required permissions to the following:
    The IAM role associated with the EventBridge rule.
    The resource policy associated with the target.
  • If the rule is deployed using the AWS SDK, the AWS CLI, or AWS CloudFormation, then you must explicitly configure the permissions.
  • EventBridge must be given the appropriate access to invoke the target. Depending on the target, confirm that the appropriate IAM role or resource policy has the correct permissions. Inadequate target permissions generate FailedInvocations datapoints.
  • If there are no FailedInvocations datapoints, then EventBridge delivered the event to the target successfully. However, the target might have encountered its own issues. For example, an AWS Lambda target might have encountered errors or throttling independent of EventBridge. For the timestamp when the target was invoked by the EventBridge rule, review the target's CloudWatch metrics and any relevant logs.
  • An Amazon Simple Queue Service (Amazon SQS) dead-letter queue (DLQ) can be associated with the target. Any events that failed to be delivered to the target are sent to the dead-letter queue. This is useful to see more details on failed events. For example, incorrectly structuring the event with Input Transformer can result in input validation errors on the target.