AWS CloudWatch Events / Amazon EventBridge
CloudWatch Events delivers a near-real-time stream of system events describing changes to AWS resources, plus scheduled events on a cron. As of 2026 it has been rebranded and extended as Amazon EventBridge — the same underlying service with added features like custom event buses, schema registry, SaaS integrations, and pipes. The CloudWatch Events APIs and rules continue to work and are managed alongside EventBridge.
Key Features:
- Event-Driven Automation: Match AWS service events (EC2 state change, S3 object created, CodePipeline stage transition) and route to up to 5 targets per rule.
- Scheduled Rules: Cron and rate expressions trigger targets on a schedule. EventBridge Scheduler is the newer, more capable alternative — millions of one-time and recurring schedules with per-invocation IAM roles.
- Custom Event Buses: Beyond the default bus, create per-domain or per-tenant buses; cross-account event sharing via bus resource policies.
- SaaS Partner Buses: Native ingestion from Datadog, PagerDuty, Auth0, Stripe, and others without polling.
- Schema Registry & Code Bindings: Discover event schemas, generate typed code bindings (Python/TypeScript/Java).
- Event Filtering: Content-based JSON pattern matching narrows targets to only relevant events.
- EventBridge Pipes: Point-to-point integration from a source (SQS, Kinesis, DynamoDB Streams) to a target with optional filter and enrichment Lambda.
- Archive & Replay: Persist events to an archive and replay them into rules for testing or recovery.
Common Use Cases:
- Auto-Remediation: Trigger Lambda when a non-compliant config change is recorded by AWS Config.
- Scheduled Jobs: Nightly RDS snapshot cleanup, hourly cache warmers, periodic data exports.
- Event-Driven Microservices: Domain events on a custom bus consumed by independent services.
- CI/CD Notifications: Route CodePipeline state changes to Slack via Lambda.
- SaaS to AWS Glue: Stripe payment events landing in S3/Snowflake via EventBridge -> Firehose.
- Cross-Account Workflows: Producer account publishes events; consumer accounts subscribe via cross-account targets.
Service Limits & Quotas:
- Rules per bus: default soft limit 300.
- Targets per rule: 5 (hard).
- Event size: 256 KB max (hard).
- PutEvents throughput: default 10,000 requests/sec per account per region (raisable).
- Schedule frequency: minimum 1 minute for rules; EventBridge Scheduler supports per-second granularity.
- Archive retention: indefinite (subject to per-GB storage cost).
Pricing Model:
- AWS service events on the default bus: free.
- Custom and partner events: $1.00 per million events published.
- Cross-account events: $1.00 per million events delivered.
- Schema discovery: $0.10 per million ingested.
- Archive: $0.10 per GB stored per month, plus replay cost matching publish cost.
- EventBridge Pipes: $0.40 per million requests (filtering); enrichment Lambda billed separately.
- EventBridge Scheduler: $1.00 per million invocations after the free tier of 14 million/month.
- Common cost surprise: firehose-style logging into a custom bus (millions of events/min). EventBridge is not a Kinesis-replacement at high volumes — for multi-MB/sec firehoses use Kinesis Data Streams or MSK.
Code Example — Scheduled Rule + EC2 Auto-Stop:
# Stop tagged dev EC2s every weekday at 7pm PT.
# Rule schedules are evaluated in UTC: 02:00 UTC Tue-Sat is 7pm PDT Mon-Fri
# (6pm during PST, because rule schedules have no time-zone support).
aws events put-rule \
  --name stop-dev-ec2-nightly \
  --schedule-expression "cron(0 2 ? * TUE-SAT *)" \
  --state ENABLED
# Route the rule to the Lambda with a static JSON input
aws events put-targets --rule stop-dev-ec2-nightly --targets '[{
  "Id": "1",
  "Arn": "arn:aws:lambda:us-west-2:111122223333:function:StopDevInstances",
  "Input": "{\"tagKey\":\"Environment\",\"tagValue\":\"dev\"}"
}]'
# Let EventBridge invoke the function, scoped to this one rule by --source-arn
aws lambda add-permission \
  --function-name StopDevInstances \
  --statement-id AllowEventBridge \
  --action lambda:InvokeFunction \
  --principal events.amazonaws.com \
  --source-arn arn:aws:events:us-west-2:111122223333:rule/stop-dev-ec2-nightly
Event Pattern (S3 PUT into a specific prefix):
{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {
    "bucket": {"name": ["prod-uploads"]},
    "object": {"key": [{"prefix": "incoming/"}]}
  }
}
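Added example (not part of the original page): an offline check of the pattern above against constructed S3 events, using a simplified re-implementation of exact, nested and prefix matching rather than EventBridge's own matcher. The helper names `matches`, `leaf_matches` and `s3_event` are this example's own.

```python
"""Offline check of the S3 pattern: which constructed events would it match?"""

PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["Object Created"],
    "detail": {
        "bucket": {"name": ["prod-uploads"]},
        "object": {"key": [{"prefix": "incoming/"}]},
    },
}


def leaf_matches(rule, value):
    """Compare one element of a pattern array with one event value."""
    if isinstance(rule, dict):
        if set(rule) != {"prefix"}:
            raise ValueError(f"operator not covered by this sketch: {rule}")
        return isinstance(value, str) and value.startswith(rule["prefix"])
    return type(rule) is type(value) and rule == value  # exact, no coercion


def matches(pattern, event):
    """True only if every field named in the pattern matches the event."""
    for field, rule in pattern.items():
        if field not in event:
            return False
        value = event[field]
        if isinstance(rule, dict):  # nested object: recurse into it
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        else:  # array of alternatives; an event array matches on any element
            values = value if isinstance(value, list) else [value]
            if not any(leaf_matches(r, v) for r in rule for v in values):
                return False
    return True


def s3_event(bucket, key, detail_type="Object Created"):
    """Constructed sample event holding only the fields the pattern inspects."""
    return {"source": "aws.s3", "detail-type": detail_type,
            "detail": {"bucket": {"name": bucket}, "object": {"key": key}}}


if __name__ == "__main__":
    for bucket, key in [("prod-uploads", "incoming/a.csv"),
                        ("prod-uploads", "archive/incoming/a.csv"),
                        ("dev-uploads", "incoming/a.csv")]:
        print(bucket, key, matches(PATTERN, s3_event(bucket, key)))
```

The prefix is anchored at the start of the key and is case-sensitive, so `archive/incoming/...` and `Incoming/...` do not reach the target.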
Common Interview Questions:
EventBridge vs. SNS — which to use?
SNS is a pub/sub notification service optimized for fan-out to many subscribers (HTTPS, email, SQS, Lambda) at very high throughput and low latency. EventBridge adds content-based filtering, schema, multiple buses, archive/replay, and SaaS integrations — at the cost of slightly higher latency and per-event price. Use EventBridge when you need filtering or schema; use SNS when you need pure broadcast.
EventBridge Rules vs. EventBridge Scheduler — which for scheduled jobs?
Scheduler is newer and recommended for new schedules: per-schedule IAM, one-time schedules, time zones, flexible windows, dead-letter queues, and millions of schedules per account. Rule-based schedules are limited to ~300 per bus and lack timezone/one-time support.
What's an EventBridge Pipe and when would you use it?
A managed point-to-point connection from one source (SQS, Kinesis, DynamoDB Streams, Kafka) to one target, with optional filter and enrichment. Replaces Lambda glue functions whose only job is to read from a stream, transform, and forward.
How do you handle event delivery failures?
Configure a dead-letter queue (SQS) on the rule target. EventBridge retries with exponential backoff for up to 24 hours; failed deliveries land in the DLQ for manual or automated reprocessing. Archive + Replay can also re-emit historical events.
How do you share events across AWS accounts?
Add a resource policy to the destination bus that allows the producer account to call events:PutEvents. The producer then adds a rule on its own bus whose target is the destination bus ARN in the consumer account.
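Added example (not part of the original page): building the destination-bus policy for a single producer account, and auditing a policy for statements that let any AWS principal put events without an `aws:PrincipalOrgID` condition. The bus name `orders`, the consumer account ID, the organization ID and the sample policies are constructed placeholders; the audit compares literal action names only.

```python
"""Build and audit a destination-bus resource policy for cross-account PutEvents."""

PUT_ACTIONS = {"events:putevents", "events:*", "*"}
BUS_ARN = "arn:aws:events:us-west-2:444455556666:event-bus/orders"  # constructed

# Constructed sample of an over-permissive policy: any principal may put events.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OpenBus", "Effect": "Allow", "Principal": "*",
    "Action": "events:PutEvents", "Resource": BUS_ARN}]}


def as_list(value):
    """IAM fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_bus_policy(bus_arn, producer_account_id):
    """Policy that lets exactly one producer account put events on bus_arn."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": f"AllowPutEventsFrom{producer_account_id}",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{producer_account_id}:root"},
        "Action": "events:PutEvents",
        "Resource": bus_arn}]}


def audit_bus_policy(policy):
    """Return Sids of Allow statements granting PutEvents to a wildcard
    principal with no aws:PrincipalOrgID condition narrowing the caller."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not actions & PUT_ACTIONS:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" not in as_list(aws):
            continue  # a named account or role, not a wildcard
        condition_keys = {key.lower()
                          for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        if "aws:principalorgid" not in condition_keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```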
What's the maximum event size and how do you handle larger payloads?
256 KB. For larger payloads, store the data in S3 and put only the S3 reference (bucket + key) into the event, then have consumers fetch from S3 — the standard claim-check pattern.
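Added example (not part of the original page): the claim-check pattern with both the producer and consumer side. It assumes entry size is approximated as the UTF-8 byte length of Source, DetailType, Detail and Resources plus 14 bytes for Time, takes the S3 upload and download as caller-supplied functions (`put_object`, `get_object`), and adds a SHA-256 digest to the reference, which goes beyond the bucket + key described above so the consumer can reject a swapped object.

```python
"""Claim-check for EventBridge: offload details that exceed the 256 KB limit."""
import hashlib
import json

MAX_ENTRY_BYTES = 256 * 1024  # event size limit stated on this page


def entry_size(entry):
    """Approximate PutEvents entry size from the fields assumed to count."""
    size = 14 if "Time" in entry else 0
    for field in ("Source", "DetailType", "Detail"):
        size += len(entry.get(field, "").encode("utf-8"))
    size += sum(len(r.encode("utf-8")) for r in entry.get("Resources", []))
    return size


def to_entry(source, detail_type, detail, put_object, bucket, key):
    """Return a PutEvents entry; an oversized detail becomes an S3 reference."""
    body = json.dumps(detail, separators=(",", ":"))
    entry = {"Source": source, "DetailType": detail_type, "Detail": body}
    if entry_size(entry) <= MAX_ENTRY_BYTES:
        return entry
    raw = body.encode("utf-8")
    put_object(bucket, key, raw)  # caller-supplied upload (hypothetical hook)
    ref = {"claimCheck": {"bucket": bucket, "key": key,
                          "sha256": hashlib.sha256(raw).hexdigest()}}
    entry["Detail"] = json.dumps(ref, separators=(",", ":"))
    return entry


def fetch_detail(entry, get_object):
    """Consumer side: resolve the reference and verify the digest before use."""
    detail = json.loads(entry["Detail"])
    ref = detail.get("claimCheck")
    if ref is None:
        return detail  # payload travelled inline
    raw = get_object(ref["bucket"], ref["key"])
    if hashlib.sha256(raw).hexdigest() != ref["sha256"]:
        raise ValueError("stored payload does not match the digest in the event")
    return json.loads(raw)
```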