Ensure that your Amazon CloudWatch event buses are configured to allow access only to friendly AWS accounts in order to prevent unauthorized users from sharing their CloudWatch events. An AWS CloudWatch event bus is a feature that facilitates AWS accounts to share events with each other. This can be useful to AWS accounts that belong to the same organization or belong to organizations that are associated or have a similar relationship. The event bus (currently one per account, also known as default event bus) has an access policy that specifies the set of AWS accounts that are allowed to send events to the bus. To allow only friendly users to send their events data, you need to manage the permissions defined for the default event bus. Prior to running this rule by the Cloud Conformity engine, you need to provide the friendly accounts identifiers represented by a comma-separated list of valid AWS account IDs (e.g. 123456789012, 112233445566).
Using misconfigured and overly permissive access policies for your CloudWatch event buses can allow untrusted AWS users to send their CloudWatch events.
To determine if the Amazon CloudWatch default event bus created within your account allows unknown cross-account event delivery, perform the following actions:
Case A: To update the permissions defined for the default event bus in order authorize only trusted (friendly) AWS users to send CloudWatch event data to your AWS account, perform the following actions:
Case B: To revoke the permissions defined for the CloudWatch default event bus available within your AWS account, perform the following actions: