Sunday, June 22, 2025

Amazon S3 Event Notifications with EventBridge | Overview.


Scope:

  • Intro,
  • Comparison of S3 Event Notifications vs S3 → EventBridge,
  • Step-by-step to enable S3 EventBridge integration (UI / CLI options),
  • Sample EventBridge event from S3,
  • IAM permissions.

Intro:

  • Amazon S3 Event Notifications with Amazon EventBridge allow twtech to capture nearly all S3 events as EventBridge events and route them to many AWS services (e.g., Lambda, Step Functions, SQS, SNS, Kinesis, or even external APIs via EventBridge API destinations).
  • This differs from traditional S3 Event Notifications, which only support a limited set of events (s3:ObjectCreated, s3:ObjectRemoved, etc.) and only deliver to Lambda, SQS, or SNS.

Comparison of S3 Event Notifications vs S3 → EventBridge

| Feature          | S3 Event Notifications         | S3 → EventBridge                                      |
|------------------|--------------------------------|-------------------------------------------------------|
| Destinations     | Lambda, SQS, SNS               | Any EventBridge-supported service                     |
| Event types      | Limited (object create/delete) | Full range (ACL changes, bucket policy changes, etc.) |
| Filtering        | By prefix/suffix               | Advanced rules (content-based)                        |
| Reliability      | Best-effort                    | More durable/reliable, retry logic                    |
| Multiple targets | Manual config                  | Easily attach multiple rules/targets                  |

Steps to Enable S3 EventBridge Integration

Step 1: Enable EventBridge on your S3 bucket

twtech must enable EventBridge event delivery for the bucket.

Option 1: Via AWS Console

  • Go to your S3 bucket
  • Select Properties
  • Scroll to Event notifications
  • Click Enable EventBridge

Option 2: Via AWS CLI

# bash
aws s3api put-bucket-notification-configuration \
  --bucket twtech-s3bucket \
  --expected-bucket-owner 123456789xxxx \
  --notification-configuration '{"EventBridgeConfiguration": {}}'

NB:

An EventBridgeConfiguration block with no members is what turns on delivery to EventBridge (a bare '{}' would instead clear the bucket's notification configuration). This call replaces the whole configuration, so any existing Lambda/SQS/SNS entries must be included in the same JSON.

Step 2: Create an EventBridge Rule

Create a rule that matches S3 events you're interested in.

Sample: Trigger on any object upload

# json
{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {
    "bucket": {
      "name": ["twtech-s3bucket"]
    }
  }
}

NB:

  • twtech can create this rule (event pattern) in the console or via the CLI:

# bash
aws events put-rule \
  --name "S3ObjectCreatedRule" \
  --event-pattern file://event-pattern.json \
  --state ENABLED

# Then attach a target (e.g., Lambda function)

# bash
aws events put-targets \
  --rule "S3ObjectCreatedRule" \
  --targets "Id"="1","Arn"="arn:aws:lambda:us-east-2:accountID:function:twtechFunction"

Sample EventBridge Event from S3 (event payload as delivered to a target)

# json
{
  "version": "0",
  "id": "abcd-1234-5678",
  "detail-type": "Object Created",
  "source": "aws.s3",
  "account": "12345678xxxx",
  "time": "2025-06-22T01:23:45Z",
  "region": "us-east-2",
  "resources": ["arn:aws:s3:::twtech-s3bucket"],
  "detail": {
    "bucket": {
      "name": "twtech-s3bucket"
    },
    "object": {
      "key": "images/photo.jpg",
      "size": 2048
    },
    "request-id": "ABCDEF1234567890",
    "requester": "arn:aws:iam::accountID:user/UploadUser",
    "source-ip-address": "192.0.2.0",
    "reason": "PutObject"
  }
}
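To see how the Step 2 pattern is applied to the event payload above, here is a small matcher (an added example, not code from this page or from AWS) that implements the two EventBridge matching rules the page relies on: every key in the pattern must exist in the event, and a leaf list matches when the event value equals one entry or satisfies a `prefix` matcher. The two events and the ACL-change rule are constructed for this example; it also adds a content-based refinement on the object key, which is what the comparison table means by "advanced rules", and EventBridge's other matchers (numeric, anything-but, etc.) are not implemented.

```python
# Constructed sample: the page's "Object Created" event, trimmed to the fields used.
OBJECT_CREATED_EVENT = {
    "detail-type": "Object Created",
    "source": "aws.s3",
    "detail": {
        "bucket": {"name": "twtech-s3bucket"},
        "object": {"key": "images/photo.jpg", "size": 2048},
    },
}
# Constructed sample: an ACL change on the same bucket ("Object ACL Updated" is a
# real S3 detail-type; the remaining values are made up for this example).
ACL_UPDATED_EVENT = {
    "detail-type": "Object ACL Updated",
    "source": "aws.s3",
    "detail": {"bucket": {"name": "twtech-s3bucket"},
               "object": {"key": "images/photo.jpg"}},
}
# The page's Step 2 rule, a content-based refinement on the object key, and a
# rule that watches ACL changes instead of uploads.
UPLOAD_RULE = {"source": ["aws.s3"], "detail-type": ["Object Created"],
               "detail": {"bucket": {"name": ["twtech-s3bucket"]}}}
IMAGES_ONLY_RULE = {**UPLOAD_RULE,
                    "detail": {"bucket": {"name": ["twtech-s3bucket"]},
                               "object": {"key": [{"prefix": "images/"}]}}}
ACL_CHANGE_RULE = {"source": ["aws.s3"], "detail-type": ["Object ACL Updated"]}

def _leaf_matches(allowed, value):
    """A pattern leaf is a list; the event value must match at least one entry."""
    candidates = value if isinstance(value, list) else [value]
    for cand in candidates:
        for entry in allowed:
            if isinstance(entry, dict):  # matcher object such as {"prefix": "x"}
                if "prefix" in entry and isinstance(cand, str) \
                        and cand.startswith(entry["prefix"]):
                    return True
            elif entry == cand:  # plain value: exact match
                return True
    return False

def matches(pattern, event):
    """True when every key in the pattern exists in the event and matches."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not _leaf_matches(spec, event[key]):
            return False
    return True
```

A rule like ACL_CHANGE_RULE is the kind of thing the comparison table's "ACL changes" row makes possible: routing permission changes on objects to a target that alerts on them, which classic S3 Event Notifications cannot emit at all.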

IAM Permissions

To use EventBridge with S3:

  1. S3 automatically emits events to EventBridge; no special permissions are required on twtech's part.
  2. twtech's IAM principal (user/role) that creates the rule and attaches targets must have:

# json
{
  "Effect": "Allow",
  "Action": [
    "events:PutRule",
    "events:PutTargets",
    "events:DescribeRule"
  ],
  "Resource": "*"
}

