EventBridge global endpoint has event replication enabled

eventbridge_global_endpoint_event_replication_enabled

Severity: medium
by Prowler

EventBridge global endpoints are configured with event replication ENABLED (not DISABLED) so custom events are replicated to both the primary and secondary Regions.

Risk

No event replication degrades availability and increases RPO during Regional outages.

  • Events can be lost or delayed if the primary Region fails
  • Automatic recovery to the primary may not occur, prolonging failover
  • Cross-Region inconsistency can affect data integrity

Run this check with Prowler CLI

prowler aws --checks eventbridge_global_endpoint_event_replication_enabled

Recommendation

Turn on event replication for every global endpoint so that custom events published through the endpoint are written to the event buses in both the primary and secondary Regions; without it, only the primary bus receives events and the secondary Region has nothing to process when the endpoint fails over. Keep event buses, rules, and targets identical across both Regions so failover is transparent to consumers. Use a dedicated IAM role with least privilege for replication, scoped to the two event buses the endpoint references. Because replication delivers each event to both Regions, design consumers to be idempotent and key deduplication on a unique event ID so that an event is not processed twice after failover and recovery. Test failover regularly and monitor the endpoint's health check as part of defense in depth.

Remediation

CLI

aws events update-endpoint --name <endpoint-name> --replication-config State=ENABLED --role-arn <role-arn>
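The following script, added here as an example and not Prowler's own implementation, reproduces the logic of this check (replication state ENABLED passes, DISABLED or absent fails) on the endpoint descriptions returned by the EventBridge ListEndpoints API, and prints the matching update-endpoint remediation command for each failing endpoint. The sample endpoints are constructed, the account ID and role ARN are placeholders, and the live collector assumes boto3 and AWS credentials are available; it is imported lazily so the evaluation runs offline.

```python
"""
Reproduce eventbridge_global_endpoint_event_replication_enabled and emit
the remediation command for each failing endpoint.

Added example, not Prowler's implementation. Evaluation works on plain
dicts shaped like ListEndpoints output; the collector needs boto3.
"""
from __future__ import annotations

from typing import Any

# Same shape as the remediation command on this page; <role-arn> is left
# as a placeholder when the endpoint has no replication role yet.
REMEDIATION_TEMPLATE = (
    "aws events update-endpoint --name {name} "
    "--replication-config State=ENABLED --role-arn {role}"
)


def evaluate_endpoint(endpoint: dict[str, Any]) -> dict[str, str]:
    """Return one finding: PASS only when ReplicationConfig.State is ENABLED.

    A missing ReplicationConfig is treated as DISABLED, which is what the
    API reports for endpoints created without replication.
    """
    name = endpoint.get("Name", "<unknown>")
    state = endpoint.get("ReplicationConfig", {}).get("State", "DISABLED")
    secondary = (
        endpoint.get("RoutingConfig", {})
        .get("FailoverConfig", {})
        .get("Secondary", {})
        .get("Route", "<unknown>")
    )
    finding = {
        "name": name,
        "secondary_region": secondary,
        "status": "PASS" if state == "ENABLED" else "FAIL",
    }
    if finding["status"] == "FAIL":
        role = endpoint.get("RoleArn") or "<role-arn>"
        finding["remediation"] = REMEDIATION_TEMPLATE.format(name=name, role=role)
    return finding


def evaluate_endpoints(endpoints: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Evaluate every endpoint and keep the API's ordering."""
    return [evaluate_endpoint(e) for e in endpoints]


def list_global_endpoints(region_name: str) -> list[dict[str, Any]]:
    """Collect all global endpoints via ListEndpoints, following NextToken.

    Assumption: boto3 is installed and credentials with events:ListEndpoints
    are configured. Imported here so the offline evaluation never needs it.
    """
    import boto3

    client = boto3.client("events", region_name=region_name)
    endpoints: list[dict[str, Any]] = []
    token = None
    while True:
        page = client.list_endpoints(**({"NextToken": token} if token else {}))
        endpoints.extend(page.get("Endpoints", []))
        token = page.get("NextToken")
        if not token:
            return endpoints


# Constructed sample in ListEndpoints shape (account and role are placeholders).
_ROUTING = {
    "FailoverConfig": {
        "Primary": {"HealthCheck": "arn:aws:route53:::healthcheck/example"},
        "Secondary": {"Route": "us-west-2"},
    }
}
SAMPLE_ENDPOINTS = [
    {   # replication on: passes
        "Name": "payments-endpoint", "State": "ACTIVE", "RoutingConfig": _ROUTING,
        "ReplicationConfig": {"State": "ENABLED"},
        "RoleArn": "arn:aws:iam::123456789012:role/eventbridge-replication",
    },
    {   # replication explicitly off, no role attached: fails
        "Name": "orders-endpoint", "State": "ACTIVE", "RoutingConfig": _ROUTING,
        "ReplicationConfig": {"State": "DISABLED"},
    },
    {   # no ReplicationConfig at all: fails
        "Name": "legacy-endpoint", "State": "ACTIVE", "RoutingConfig": _ROUTING,
    },
]

if __name__ == "__main__":
    import json
    import sys

    # Pass a Region name to audit a real account; otherwise use the sample.
    source = list_global_endpoints(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENDPOINTS
    for finding in evaluate_endpoints(source):
        print(json.dumps(finding))
```

Run it without arguments to see the sample findings, or with a Region name (the endpoint's primary Region) to audit a real account; each FAIL line carries the exact update-endpoint command to run, with `<role-arn>` left for you to fill in when no replication role exists yet.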

Console
  1. In the AWS Console, open Amazon EventBridge and go to Global endpoints
  2. Select the endpoint and choose Edit
  3. Under Event replication, check Event replication enabled
  4. For Execution role, select an existing role or create a new one
  5. Save changes

Resource Type

AwsEventsEndpoint
