

# Connections for API targets in Amazon EventBridge

To enable event buses and pipes to target custom resources, such as HTTPS APIs, you create connections. A *connection* defines the authorization method and credentials for EventBridge to use in connecting to a given resource. If you are connecting to a private API, such as a private API in an Amazon Virtual Private Cloud (Amazon VPC), you can also use the connection to define secure point-to-point network connectivity. 

You can create connections to target:
+ Public APIs, such as third-party SaaS applications.
+ Private APIs, such as custom resources that reside in an Amazon VPC or on-premise.

  EventBridge creates connections to private HTTPS endpoints by utilizing *resource configurations* created in Amazon VPC Lattice. A resource configuration is a logical object that identifies a resource, and specifies who can access it and how.

Use connections with:
+ API destinations in EventBridge

  When you create an API destination, you specify a connection to use for it. You can choose an existing connection from your account, or create a connection when you create an API destination. 

  For more information, see [API destinations](eb-api-destinations.md).
+ HTTP Endpoint tasks in AWS Step Functions

  An HTTP Endpoint task is a type of Task workflow state that lets you call HTTPS APIs in your workflows. These APIs can be public, such as Salesforce and Stripe, or private APIs that reside in an Amazon VPC or on-premise. The task uses a connection to specify the authorization type and credentials to use for authorizing the API. For private APIs, the connection also defines the network path to the API.

  For more information, see [Call HTTPS APIs in Step Functions workflows](https://docs.aws.amazon.com/step-functions/latest/dg/connect-third-party-apis.html) in the *Step Functions User Guide*.

![EventBridge and Step Functions use connections as authorization and network connectivity configurations for HTTPS endpoints.](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/connections-overview_eventbridge_conceptual.svg)


Connections are reusable. You can use the same connection to the same API for multiple EventBridge API destinations or Step Functions tasks, as long as the authentication method is the same. If API destinations or tasks require different authentication, then you must create separate connections.

## Storing connection authorization parameters in AWS Secrets Manager

When you configure the authorization settings and create a connection, EventBridge creates a secret in AWS Secrets Manager to securely store the authorization information. You can also add additional parameters to include in the connection as appropriate for your HTTPS endpoint target.

EventBridge connections support the following authentication methods: basic, OAuth, and API Key. For more information, see [Connection authorization methods](eb-target-connection-auth.md).

While by default EventBridge uses an AWS owned key to encrypt and decrypt the connection secret, you can specify a customer managed key for EventBridge to use instead. For more information, see [Encrypting connections](encryption-connections.md).

# Connecting to private APIs in EventBridge

You can create connections to private HTTPS endpoints, to provide secure point-to-point network access to resources in VPCs or on-premises without having to traverse the public internet. For example, you can create a connection to access an HTTPS-based application behind an Amazon Elastic Load Balancer. 

EventBridge creates connections to private HTTPS endpoints by utilizing *resource configurations* created in VPC Lattice. A resource configuration is a logical object that identifies the resource and specifies how and who can access it. To create a connection to a private API in EventBridge, you specify the resource configuration for the private API. For more information, see [ Resource configuration in VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

EventBridge then creates a *resource association* that enables EventBridge to access the private API. For more information, see [ Manage resource associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-config-associations) in the *Amazon VPC Lattice User Guide*.

While EventBridge manages the resource association, it creates the association using your credentials, so you retain visibility into the resource association operation.

![EventBridge and Step Functions use connections as authorization configurations for HTTPS endpoints.](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/connections-private-destination_eventbridge_conceptual.svg)


You can create connections that access private APIs in other AWS accounts. For more information, see [Cross-account private APIs](connection-private-cross-region.md).

# Connecting to private APIs in other AWS accounts

EventBridge supports connections to private APIs across accounts in the same Region. 

For you to create a connection to a private API in another AWS account, the owner of that account must first share a VPC Lattice resource configuration for that private API with you. To do this, they share the resource with you in AWS Resource Access Manager. AWS RAM enables secure sharing of resources across AWS accounts and within organizational units (OUs), and integrates with AWS Identity and Access Management roles and users. Once you've accepted the resource share in AWS RAM, you can specify the shared VPC Lattice resource configuration when creating a connection.

For more information on AWS RAM, see the following topics in the *AWS Resource Access Manager User Guide*:
+ [Benefits of AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html#what-is-features)
+ [How resource sharing works](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html#what-is-how)
+ [Access AWS resources shared with you](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared-invitations.html)

EventBridge does not support connections to private APIs across Regions. However, to target a private API in a different Region from your event bus, you can:

1. Define an event bus rule that targets a second event bus that does reside in the same Region as the desired private API.

1. Create a connection for the second event bus to target the private API.

For more information, see [Sending and receiving events between AWS Regions in Amazon EventBridge](eb-cross-region.md).

## Permissions for connecting to private APIs

The following policy example includes the minimal necessary permissions for creating a connection to a private API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetResourceConfiguration",
                "vpc-lattice:AssociateViaAWSService-EventsAndStates",
                "events:CreateConnection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

The following policy example includes the minimal necessary permissions for updating a connection to a private API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetResourceConfiguration",
                "vpc-lattice:AssociateViaAWSService-EventsAndStates",
                "events:UpdateConnection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

## Monitoring creation of connections to private APIs

When you create a connection to a private API, the following logs are generated: 

In the account in which the connection was created, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociation` event. 

In this log, `sourceIPAddress`, `userAgent`, and `serviceNetworkIdentifier` are set to the EventBridge service principal, `events.amazonaws.com`. 

```
{
  "eventTime": "2024-11-21T00:00:00Z",
  "eventSource": "vpc-lattice.amazonaws.com",
  "eventName": "CreateServiceNetworkResourceAssociation",
  "awsRegion": "region",
  "sourceIPAddress": "events.amazonaws.com",
  "userAgent": "events.amazonaws.com",
  "requestParameters": {
    "x-amzn-vpc-lattice-association-source-arn": "***",
    "x-amzn-vpc-lattice-service-network-identifier": "***",
    "clientToken": "token",
    "serviceNetworkIdentifier": "events.amazonaws.com",
    "resourceConfigurationIdentifier": "arn:partition:vpc-lattice:region:account-id:resourceconfiguration/resource-configuration-id",
    "tags": {
      "ManagedByServiceAWSEventBridge": "account-id:connection-name"
    }
  }
}
```

In the account that contains the private API, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociationBySharee` event.

This log includes:
+ `callerAccountId`: The AWS account in which the connection was created.
+ `accountId`: The AWS account that contains the private API.
+ `resource-configuration-arn`: The VPC Lattice resource configuration for the private API.

```
{
  "eventTime": "2024-11-21T06:31:42Z",
  "eventSource": "vpc-lattice.amazonaws.com",
  "eventName": "CreateServiceNetworkResourceAssociationBySharee",
  "awsRegion": "region",
  "sourceIPAddress": "vpc-lattice.amazonaws.com",
  "userAgent": "user-agent",
  "additionalEventData": {
      "callerAccountId": "consumer-account-id"
  },
  "resources": [
      {
          "accountId": "provider-account-id",
          "type": "AWS::VpcLattice::ServiceNetworkResourceAssociation",
          "ARN": "resource-configuration-arn"
      }
  ]
}
```

In the case of cross-account connections to private APIs, the account containing the connection will not receive AWS CloudTrail or VPC Lattice logs for the invocation of the private API.
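Detection logic for the two CloudTrail events described above, as an added example that is not code from the EventBridge documentation: it reads a trail export, separates EventBridge-managed associations (service principal in `sourceIPAddress`, `userAgent` and `serviceNetworkIdentifier`, plus the `ManagedByServiceAWSEventBridge` tag) from associations created by other principals, and flags provider-side sharee records whose `callerAccountId` is not an expected consumer account. The records, account IDs and ARNs are constructed placeholders.

```python
"""Triage CloudTrail records for the two VPC Lattice events described above.

Added example, not part of the EventBridge documentation. The trail records
below are constructed and use placeholder account IDs and ARNs.
"""
import json

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"
MANAGED_TAG = "ManagedByServiceAWSEventBridge"
LATTICE_SOURCE = "vpc-lattice.amazonaws.com"

# Constructed sample trail: one EventBridge-managed association, one provider-side
# sharee record for a cross-account consumer, and one association made by a
# different principal that is not an EventBridge connection at all.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventSource": LATTICE_SOURCE,
        "eventName": "CreateServiceNetworkResourceAssociation",
        "sourceIPAddress": EVENTBRIDGE_PRINCIPAL,
        "userAgent": EVENTBRIDGE_PRINCIPAL,
        "requestParameters": {
            "serviceNetworkIdentifier": EVENTBRIDGE_PRINCIPAL,
            "resourceConfigurationIdentifier":
                "arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-EXAMPLE1",
            "tags": {MANAGED_TAG: "111111111111:orders-api-connection"},
        },
    },
    {
        "eventSource": LATTICE_SOURCE,
        "eventName": "CreateServiceNetworkResourceAssociationBySharee",
        "sourceIPAddress": LATTICE_SOURCE,
        "additionalEventData": {"callerAccountId": "222222222222"},
        "resources": [{
            "accountId": "111111111111",
            "type": "AWS::VpcLattice::ServiceNetworkResourceAssociation",
            "ARN": "arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-EXAMPLE1",
        }],
    },
    {
        "eventSource": LATTICE_SOURCE,
        "eventName": "CreateServiceNetworkResourceAssociation",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {
            "serviceNetworkIdentifier": "sn-EXAMPLE",
            "resourceConfigurationIdentifier":
                "arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-EXAMPLE2",
        },
    },
]})


def is_eventbridge_managed(record):
    """True when every field the guide says EventBridge sets to its service
    principal carries it, and the ManagedByServiceAWSEventBridge tag is present."""
    params = record.get("requestParameters") or {}
    return (
        record.get("sourceIPAddress") == EVENTBRIDGE_PRINCIPAL
        and record.get("userAgent") == EVENTBRIDGE_PRINCIPAL
        and params.get("serviceNetworkIdentifier") == EVENTBRIDGE_PRINCIPAL
        and MANAGED_TAG in (params.get("tags") or {})
    )


def parse_managed_tag(value):
    """Split the tag value 'account-id:connection-name' into its two parts."""
    account, _, connection = value.partition(":")
    return account, connection


def triage(trail_json, allowed_consumer_accounts):
    """Return one finding per relevant record: EventBridge-managed associations
    (info), associations by any other principal (medium, review them), and
    sharee records (info if callerAccountId is an expected consumer, else high)."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != LATTICE_SOURCE:
            continue
        name = rec.get("eventName")
        if name == "CreateServiceNetworkResourceAssociation":
            params = rec.get("requestParameters") or {}
            rc_arn = params.get("resourceConfigurationIdentifier")
            if is_eventbridge_managed(rec):
                account, connection = parse_managed_tag(params["tags"][MANAGED_TAG])
                findings.append({"severity": "info", "kind": "eventbridge_connection",
                                 "account": account, "connection": connection,
                                 "resource_configuration": rc_arn})
            else:
                findings.append({"severity": "medium", "kind": "unmanaged_association",
                                 "service_network": params.get("serviceNetworkIdentifier"),
                                 "resource_configuration": rc_arn})
        elif name == "CreateServiceNetworkResourceAssociationBySharee":
            caller = (rec.get("additionalEventData") or {}).get("callerAccountId")
            arns = [r.get("ARN") for r in rec.get("resources", [])]
            severity = "info" if caller in allowed_consumer_accounts else "high"
            findings.append({"severity": severity, "kind": "cross_account_consumer",
                             "caller_account": caller, "resources": arns})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL, {"222222222222"}):
        print(json.dumps(finding))
```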

## Managing service network resource associations for connections

When you specify the VPC Lattice resource configuration for the private API to which you want to connect, EventBridge enables the connection by creating a resource association between the VPC Lattice resource configuration and a VPC Lattice service network owned by the EventBridge service. While EventBridge manages the resource association, it creates the association using your credentials, so you retain visibility into the resource association. This means you can list and describe the resource associations.

Use [describe-connection](https://docs.aws.amazon.com/cli/latest/reference/events/describe-connection.html) to return a connection description that includes the Amazon Resource Names (ARNs) of the resource configuration and resource association.

You cannot delete resource associations created by EventBridge. If you delete a connection, EventBridge deletes any corresponding resource associations.

For more information, see [ Manage resource associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-config-associations) in the *Amazon VPC Lattice User Guide*.

## Connecting to on-premise private APIs

Using access to VPC resources through AWS PrivateLink and VPC Lattice, you can connect to on-premise private APIs. To do so, you must configure a network route between your VPC and your on-premise environment. For example, you can use [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) or [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) to establish such a route.

# Provider considerations for cross-account connections in EventBridge

To create a connection to a private API in another AWS account, the owner of that account must share a VPC Lattice resource configuration for the private API with you. A resource configuration is a logical object that identifies the API and specifies how and who can access it. The *provider* account, that is, the account sharing the VPC Lattice resource configuration for the private API with another account, shares the VPC Lattice resource configuration using AWS RAM.

If your account is the provider of a VPC Lattice resource configuration, keep the following considerations in mind:

## Resource policy for resource configurations for cross-account private APIs

By default, creating an AWS RAM resource share includes the necessary share policy, `AWSRAMPermissionVpcLatticeResourceConfiguration`. If you create a customer managed permission policy, you must include the necessary permissions.

The following policy example provides the minimum necessary permissions for EventBridge to create the resource association necessary for a connection to a private API.
+ `vpc-lattice:GetResourceConfiguration` allows EventBridge to retrieve the Amazon VPC Lattice resource configuration you specify.
+ `vpc-lattice:CreateServiceNetworkResourceAssociation` allows EventBridge to create the resource association from the VPC Lattice resource configuration you specify.
+ `vpc-lattice:AssociateViaAWSService-EventsAndStates` allows EventBridge to create a resource association to a VPC Lattice service network owned by the service.

```
{
    "Effect": "Allow",
    "Action": [
        "vpc-lattice:CreateServiceNetworkResourceAssociation",
        "vpc-lattice:GetResourceConfiguration",
        "vpc-lattice:AssociateViaAWSService-EventsAndStates"
    ]
}
```

For more information, see [Managing permissions in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-ram-permissions.html) in the *AWS Resource Access Manager User Guide*.

## Provider monitoring of connection creation

When another account creates an EventBridge connection using a VPC Lattice resource configuration you have shared, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociationBySharee` event. For more information, see [Monitoring connection creation](connection-private.md#connection-private-monitoring-create).

## Configuring security groups for access to private APIs

With VPC Lattice, you can create and assign security groups to enforce additional network-level security protections for your target API and resource gateway. In order for EventBridge and Step Functions to access your private API successfully, the security groups on the target API and resource gateway must be configured correctly. If they are not, the services return "Connection Timed Out" errors when attempting to call your API.

For your target API, your security group must be configured to allow all inbound TCP traffic on port 443 from the security group for your resource gateway.

For your resource gateway, your security group must be configured to allow the following:
+ All inbound IPv6 TCP traffic across all ports from the ::/0 IPv6 CIDR range.
+ All inbound IPv4 TCP traffic across all ports from the 0.0.0.0/0 IPv4 CIDR range.
+ All outbound TCP traffic on port 443 to the security group used by your target resource, for the IP protocol your target API accepts (IPv4 or IPv6).
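An audit of the two security groups against the rules listed above, as an added example that is not part of the guide: it takes groups in the shape returned by the EC2 DescribeSecurityGroups API (`IpPermissions` / `IpPermissionsEgress`) and reports each missing rule, which is what you would check before chasing a "Connection Timed Out" error. The group IDs and rules below are constructed.

```python
"""Audit the target API and resource gateway security groups for a private-API
connection. Added example, not from the EventBridge documentation; the input
shape follows EC2 DescribeSecurityGroups and the sample groups are constructed."""


def covers_tcp(rule, port=None):
    """True when the rule permits TCP on <port>, or on every port if port is None."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    if port is None:
        return lo <= 0 and hi >= 65535     # EC2 reports "all ports" as 0-65535
    return lo <= port <= hi


def from_group(rule, group_id):
    """True when the rule's source/destination is the given security group."""
    return any(p.get("GroupId") == group_id for p in rule.get("UserIdGroupPairs", []))


def from_cidr(rule, cidr):
    """True when the rule lists the given IPv4 or IPv6 CIDR."""
    return (any(r.get("CidrIp") == cidr for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == cidr for r in rule.get("Ipv6Ranges", [])))


def audit_private_api_groups(target_sg, gateway_sg):
    """Return the list of rules the guide requires that are missing; [] means
    both groups are configured as described."""
    gw_id, tgt_id = gateway_sg["GroupId"], target_sg["GroupId"]
    findings = []
    # Target API: inbound TCP 443 from the resource gateway's security group.
    if not any(covers_tcp(r, 443) and from_group(r, gw_id)
               for r in target_sg.get("IpPermissions", [])):
        findings.append("target API %s: no inbound TCP 443 from resource gateway %s"
                        % (tgt_id, gw_id))
    # Resource gateway: inbound TCP on all ports from ::/0 and 0.0.0.0/0.
    gw_in = gateway_sg.get("IpPermissions", [])
    for cidr in ("::/0", "0.0.0.0/0"):
        if not any(covers_tcp(r) and from_cidr(r, cidr) for r in gw_in):
            findings.append("resource gateway %s: no inbound TCP on all ports from %s"
                            % (gw_id, cidr))
    # Resource gateway: outbound TCP 443 to the target API's security group.
    if not any(covers_tcp(r, 443) and from_group(r, tgt_id)
               for r in gateway_sg.get("IpPermissionsEgress", [])):
        findings.append("resource gateway %s: no outbound TCP 443 to target API %s"
                        % (gw_id, tgt_id))
    return findings


# Constructed sample groups: one pair that matches the guide, one that does not.
GOOD_TARGET = {"GroupId": "sg-target0001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-gateway001"}]}]}
GOOD_GATEWAY = {"GroupId": "sg-gateway001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                       "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                             "UserIdGroupPairs": [{"GroupId": "sg-target0001"}]}]}
BAD_TARGET = {"GroupId": "sg-target0002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}          # CIDR, not the gateway SG
BAD_GATEWAY = {"GroupId": "sg-gateway002",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                       "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                             "UserIdGroupPairs": [{"GroupId": "sg-other0000"}]}]}

if __name__ == "__main__":
    for name, pair in (("good", (GOOD_TARGET, GOOD_GATEWAY)),
                       ("bad", (BAD_TARGET, BAD_GATEWAY))):
        print(name, audit_private_api_groups(*pair) or "OK")
```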

For more information, see the following topics in the *Amazon VPC Lattice User Guide*:
+ [Control traffic in VPC Lattice using security groups](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html)
+ [Resource gateway in VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateway.html)

# Creating connections to private APIs

The following steps walk you through how to create a connection to a private API. For detailed instructions that include all configuration options for connections, including creating connections to public APIs, see [Creating connections](eb-target-connection-create.md).

## Define the connection

The following steps walk you through how to create a connection to a private API endpoint. For instructions on creating connections to public APIs, see [Creating connections](eb-target-connection-create.md).

1. Open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. Choose **Create connection**.

1. On the **Create connection** page, enter a **Connection name** and **Description**.

## Configure the invocation endpoint

Next, use the **Configure invocation** section to specify the HTTPS endpoint you want the connection to invoke.

1. For **API type**, choose **Private**.

1. Specify the Amazon VPC Lattice resource configuration to use to connect to the private API.

   Under **Private API**: 
   + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
   + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

     You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

## Configure the endpoint authorization

Lastly, specify the authorization settings to use to access the endpoint. 

EventBridge supports basic, OAuth client credentials, and API key authentication methods.

1. Under **Configure authorization**, choose **Custom configuration**.

1. For **Authorization type**, select the authorization method for the connection to use.

1. Specify the authorization configuration details for the authorization method you chose:
   + **Basic**

     Enter the **Username** and **Password** to use to authorize with the HTTPS endpoint.
   + **OAuth Client Credentials**

     1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private (VPC) endpoint.

        If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
        + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
        + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

          You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

     1. Specify the following authorization information:
        + Authorization endpoint
        + HTTPS method
        + Client ID
        + Client secret

     1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

        To do so:
        + Select a **Parameter** from the drop-down list.
        + Enter a **Key** and **Value**.

        To include an additional parameter, choose **Add parameter**.
   + **API Key**

     Enter the **API key name** and associated **Value** to use for API Key authorization.

1. Under **Invocation Http Parameters**, add any additional parameters to include in the authorization request. 

   To add a parameter:

   1. Select a **Parameter** from the drop-down list

   1. Enter a **Key** and **Value**

   To include an additional parameter, choose **Add parameter**.

1. Choose **Create Connection**.
**Note**  
For connections to private endpoints, EventBridge creates the necessary resource association when it creates the connection. This can take up to 90 seconds.

# Authorization methods for connections in EventBridge

EventBridge connections support the following authorization methods:
+ Basic
+ API Key

  For Basic and API Key authorization, EventBridge populates the required authorization headers for you.
+ OAuth

  For OAuth authorization, EventBridge also exchanges your client ID and secret for an access token and then manages it securely. 

  When you create a connection that uses OAuth authorization, you have the option of specifying a public or private authorization endpoint.

## Considerations when using OAuth

Keep in mind the following when using OAuth as an authorization method for connections:
+ EventBridge refreshes OAuth tokens:
  + When a `401` or `407` response is returned.
  + Proactively during an HTTPS invocation, if the token expires within 60 seconds. This refresh only occurs when EventBridge processes an event for the API destination — it is not a background process. If no events arrive during this window, the next event triggers a synchronous token refresh, which may increase invocation latency or result in a failed invocation while the connection is reauthorizing.
+ You can use [Connection events](event-reference.md#event-reference-connections) to be notified when a connection changes state, such as becoming deauthorized.
+ We recommend you set the retry policy to greater than 0 for rules using connections that require OAuth. That way, if an OAuth token has expired, EventBridge will refresh the token when retrying the invocation. 

  For more information on setting a retry policy for a rule, see [Select targets](eb-create-rule-wizard.md#eb-create-rule-target).

## Considerations for connection authorization

When you create a connection, you can also include the header, body, and query parameters that are required for authorization with an endpoint. You can use the same connection for more than one HTTPS endpoint if the authorization for the endpoint is the same.

When you create a connection and add authorization parameters, EventBridge creates a secret in AWS Secrets Manager. The cost of both storing and accessing the Secrets Manager secret is included with the charge for using an API destination. 

For information on how to have EventBridge re-authorize the connection once you have updated it to address authorization or connectivity issues, see [Updating connections](eb-target-connection-edit.md).

**Note**  
To successfully create or update a connection, you must use an account that has permission to use Secrets Manager. The required permission is included in the [AWS managed policy: AmazonEventBridgeFullAccess](eb-use-identity-based.md#eb-full-access-policy). The same permission is granted to the [service-linked role](eb-api-destinations.md#eb-api-destination-slr) that's created in your account for the connection.

For examples of how to create a CloudFormation template that provisions an EventBridge connection with authentication, see [AWS::Events::Connection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html) in the *CloudFormation User Guide*.

# Connection states in EventBridge

Below are the connection statuses returned by EventBridge when creating or re-authorizing a connection.

For successful connections to public APIs, EventBridge returns a status of `AUTHORIZED`. For successful connections to private APIs, EventBridge returns a status of `ACTIVE`.

*Connectivity failures* refer to errors involving the network connectivity of the connection. Connectivity errors result in a connection status of `FAILED_CONNECTIVITY`. *Authorization failures* refer to errors involving the permissions specified for the connection. Authorization failures result in a status of `DEAUTHORIZED`.

For information on how to have EventBridge re-authorize the connection once you have updated it to address authorization or connectivity issues, see [Updating connections](eb-target-connection-edit.md).

EventBridge emits events when the state of a connection changes. For more information, see [Connection events](event-reference.md#event-reference-connections).

**Public APIs**


| Authorization method | Success | Connectivity failure | Authorization failure | 
| --- | --- | --- | --- | 
|  Basic or API Key  |  `AUTHORIZED`  |  n/a  |  `DEAUTHORIZED`  | 
|  OAuth (public endpoint)  |  `AUTHORIZED`  |  n/a  |  `DEAUTHORIZED`  | 
|  OAuth (private endpoint)  |  `AUTHORIZED`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 

**Private APIs**


| Authorization method | Success | Connectivity failure | Authorization failure | 
| --- | --- | --- | --- | 
|  Basic or API Key  |  `ACTIVE`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 
|  OAuth (public endpoint)  |  `ACTIVE`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 
|  OAuth (private endpoint)  |  `ACTIVE`  |  `FAILED_CONNECTIVITY`  |  `DEAUTHORIZED`  | 

When you create a connection to a private API, there can be a delay of up to several minutes from when the connection is successfully created to when you can successfully make HTTPS calls to the private API. During this period:
+ A private OAuth connection will be in the `AUTHORIZING` state, and will transition to `AUTHORIZED` when the OAuth token exchange completes successfully.
+ The connection will then update to `ACTIVE` status, and EventBridge will retry any invocations from event buses or pipes.

If you are using the connection in an HTTP task within a Step Functions workflow, you can configure retries on `httpTimeoutExceptions` to retry any calls to the private API that happen during this period.

# Creating connections for API targets in EventBridge

The following steps walk you through how to create a connection to an HTTPS endpoint.

**Topics**
+ [Define the connection](#eb-target-connection-create-define)
+ [Configure the invocation endpoint](#eb-target-connection-create-invocation)
+ [Configure the endpoint authorization](#eb-target-connection-create-auth)
+ [Configure encryption](#eb-target-connection-create-cmkms)

## Define the connection

1. Open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. Choose **Create connection**.

1. On the **Create connection** page, enter a **Connection name** and **Description**.

## Configure the invocation endpoint

Next, use the **Configure invocation** section to specify the API type you want the connection to invoke. EventBridge connections support public and private APIs.
+ For **API type**, choose whether the endpoint is a public or private API.

  If you choose a private API, specify the VPC Lattice resource configuration to use to connect to it. 

  Under **Private API**: 
  + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
  + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

    You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

## Configure the endpoint authorization

Next, specify the authorization settings to use to access the endpoint. 

EventBridge supports basic, OAuth client credentials, and API key authentication methods.

1. For **Configure authorization**, choose the type of endpoint to which you want to connect.

------
#### [ Custom endpoint ]

   If the connection is to an endpoint other than a partner endpoint, choose **Custom configuration**.

   1. For **Authorization type**, select the authorization method for the connection to use.

   1. Specify the authorization configuration details for the authorization method you chose:
      + **Basic**

        Enter the **Username** and **Password** to use to authorize with the HTTPS endpoint.
      + **OAuth Client Credentials**

        1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private endpoint.

           If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
           + To use an existing resource configuration, choose a resource configuration from the drop-down menu.
           + To create a new resource configuration, choose **New resource configuration**.

             You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

        1. Specify the following authorization information:
           + Authorization endpoint
           + HTTP method
           + Client ID
           + Client secret

        1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

           To do so:
           + Select a **Parameter** from the drop-down list.
           + Enter a **Key** and **Value**.

           To include an additional parameter, choose **Add parameter**.
      + **API Key**

        Enter the **API key name** and associated **Value** to use for API Key authorization.

------
#### [ Partner endpoint ]

   If the connection is to a partner endpoint, choose **Use partner template**. For a list of available partner endpoints, see [API destination partners](eb-api-destination-partners.md).

   1. From **Partner destination**, select the partner to which to connect.

      Under **Authorization type**, EventBridge enables the authorization methods available for the partner.

   1. For **Authorization type**, select the authorization method for the connection to use.

   1. Specify the authorization configuration details for the authorization method you chose:
      + **Basic**

        Enter the **Username** and **Password** to use to authorize with the HTTP endpoint.
      + **OAuth Client Credentials**

        1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private (VPC) endpoint.

           If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
           + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
           + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

             You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

        1. Specify the following authorization information:
           + Authorization endpoint
           + HTTPS method
           + Client ID
           + Client secret

        1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

           To do so:
           + Select a **Parameter** from the drop-down list.
           + Enter a **Key** and **Value**.

           To include an additional parameter, choose **Add parameter**.
      + **API Key**

        Enter the **API key name** and associated **Value** to use for API Key authorization.

------

1. Under **Invocation Http Parameters**, add any additional parameters to include in the authorization request. 

   To add a parameter:

   1. Select a **Parameter** from the drop-down list.

   1. Enter a **Key** and **Value**.

   To include an additional parameter, choose **Add parameter**.

## Configure encryption

Lastly, specify the type of KMS key you want EventBridge to use when encrypting and decrypting the authorization parameters that it stores as a secret in AWS Secrets Manager. By default, EventBridge uses an AWS owned key.

For more information, see [Encrypting connections](encryption-connections.md).

1. Choose the KMS key for EventBridge to use when encrypting the connection secret.
   + Choose **Use AWS owned key** for EventBridge to encrypt the secret using an AWS owned key.

     This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. 

     This is the default.
   + Choose **Use customer managed key** for EventBridge to encrypt the secret using the customer managed key that you specify or create.

     Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys.

     1. Specify an existing customer managed key, or choose **Create a new KMS key**.

         EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key.

1. Choose **Create Connection**.
**Note**  
For connections to private endpoints, EventBridge creates the necessary resource association when it creates the connection. This can take up to 90 seconds.

# Updating connections in EventBridge

You can update existing connections.

## Updating authentication of connections

When you update certain authentication parameters, EventBridge re-authorizes and verifies network connectivity of the connection accordingly.

Updating the connection with authorization parameters of a different authorization type, without updating the authorization type itself, has no effect.

**When EventBridge re-authenticates connections to public APIs**

For connections to public APIs, EventBridge re-authorizes the connection if you:
+ Update the connection to invoke a private API instead.
+ Update the connection authorization method *and* authorization parameters.

**When EventBridge re-authenticates connections to private APIs**

For connections to private APIs, if you do any of the following:
+ Update the connection to invoke a different private API, or a public API.
+ Update the connection authorization method.
+ Update the connection authorization parameters for the specified authorization method.

EventBridge does the following:
+ Re-authorizes the connection.
+ Verifies the network connectivity of the connection.

  If you have updated the connection to use a different private API, or a public API, EventBridge also removes or updates existing network connectivity artifacts as appropriate.

**To update a connection using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. In the **Connections** table, choose the connection to edit.

1. On the **Connection details** page, choose **Edit**.

1. Update the values for the connection, and then choose **Update**.

   For information on updating the KMS key for EventBridge to use when encrypting a connection, see [Updating AWS KMS keys](encryption-connections-configure.md#encryption-connections-update).

**To update a connection using the AWS CLI**
+ Use the `[update-connection](https://docs.aws.amazon.com/cli/latest/reference/events/update-connection.html)` command. 

  To update a connection's invocation or authorization endpoint from a private API to a public API, you must specify an empty string (`""`) for the `ResourceConfigurationArn` parameter. Specifying `null` for this parameter has no effect.

  The following example updates the connection to use a public API, by setting the `ResourceConfigurationArn` that represents a private API resource configuration to an empty string.

  ```
  aws events update-connection \
  --name myConnection \
  --authorization-type BASIC \
  --auth-parameters '{"BasicAuthParameters": {"Username": "username", "Password": "***"}}' \
  --region us-east-1 \
  --invocation-connectivity-parameters ResourceParameters={ResourceConfigurationArn=\"\"}
  ```

# De-authorizing connections in EventBridge

You can de-authorize a connection. De-authorizing a connection removes all authorization parameters. Removing authorization parameters removes the secret from the connection, so you can reuse it without having to create a new connection.

**Note**  
You must update any API destinations or Step Functions workflow tasks that use the de-authorized connection to use a different connection to successfully send requests to the HTTPS endpoint.

In addition to manual de-authorization, EventBridge de-authorizes a connection if the following occurs:
+ EventBridge cannot retrieve the secret because it has been deleted.
+ For connections using OAuth authentication, EventBridge cannot refresh the necessary OAuth token.
+ For connections using Basic or API Key authentication, EventBridge receives a `401 (UnAuthorize)` or `407 (Proxy_Authentication_required)` error code.

  In this case, update the connection with appropriate credentials to resolve the error.
+ If you have specified a customer managed key for EventBridge to use for secret encryption, and EventBridge receives a KMS key error when encrypting or decrypting the connection's secret. For more information, see [Customer managed key errors](encryption-connections.md#encryption-connections-deauth).

**Note**  
EventBridge emits events when the state of a connection changes. You can use these events to track changes in a connection.   
For more information, see [Connection events](event-reference.md#event-reference-connections).
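Because a de-authorized connection silently breaks every API destination that still points at it, a practitioner will want a quick way to find those destinations. The following script is an added example, not code from the EventBridge documentation: it works on lists shaped like the `ListConnections` and `ListApiDestinations` API responses, the sample data is constructed, and the optional `fetch_live` helper (an assumption about your environment) pulls the real lists with boto3.

```python
"""Report API destinations whose connection can no longer authorize requests.

Input records follow the EventBridge ListConnections / ListApiDestinations
responses (Connections[*].Name/ConnectionArn/ConnectionState/StateReason and
ApiDestinations[*].Name/ConnectionArn). The sample data below is constructed.
"""
from __future__ import annotations

# Connection states in which EventBridge cannot send authorized requests.
UNUSABLE_STATES = {"DEAUTHORIZED", "DEAUTHORIZING"}

# Constructed sample account: one healthy connection, one that EventBridge
# de-authorized, and a destination whose connection no longer exists.
ARN_PREFIX = "arn:aws:events:us-east-1:111122223333:connection/"
SAMPLE_CONNECTIONS = [
    {"Name": "stripe-basic", "ConnectionArn": ARN_PREFIX + "stripe-basic/c1",
     "AuthorizationType": "BASIC", "ConnectionState": "AUTHORIZED"},
    {"Name": "crm-oauth", "ConnectionArn": ARN_PREFIX + "crm-oauth/c2",
     "AuthorizationType": "OAUTH_CLIENT_CREDENTIALS",
     "ConnectionState": "DEAUTHORIZED",
     "StateReason": "constructed: OAuth token refresh failed"},
]
SAMPLE_DESTINATIONS = [
    {"Name": "stripe-webhook", "ConnectionArn": ARN_PREFIX + "stripe-basic/c1"},
    {"Name": "crm-sync", "ConnectionArn": ARN_PREFIX + "crm-oauth/c2"},
    {"Name": "orphan-dest", "ConnectionArn": ARN_PREFIX + "deleted-conn/c9"},
]


def broken_destinations(connections: list[dict], destinations: list[dict]) -> list[tuple]:
    """Return (destination, connection, state, reason) for each API destination
    that needs to be moved to a different connection before it can send again."""
    by_arn = {c["ConnectionArn"]: c for c in connections}
    findings = []
    for dest in destinations:
        conn = by_arn.get(dest["ConnectionArn"])
        if conn is None:  # connection was deleted out from under the destination
            findings.append((dest["Name"], None, "MISSING", "connection not found"))
        elif conn["ConnectionState"] in UNUSABLE_STATES:
            findings.append((dest["Name"], conn["Name"], conn["ConnectionState"],
                             conn.get("StateReason", "")))
    return findings


def fetch_live(region: str) -> tuple[list[dict], list[dict]]:
    """Assumption: boto3 and AWS credentials are available; pages through both lists."""
    import boto3  # imported here so the offline sample still runs without boto3
    ev = boto3.client("events", region_name=region)

    def page(call, key):
        items, token = [], None
        while True:
            resp = call(NextToken=token) if token else call()
            items += resp.get(key, [])
            token = resp.get("NextToken")
            if not token:
                return items
    return page(ev.list_connections, "Connections"), page(ev.list_api_destinations, "ApiDestinations")


if __name__ == "__main__":
    for row in broken_destinations(SAMPLE_CONNECTIONS, SAMPLE_DESTINATIONS):
        print(row)
```

Replace the sample lists with `fetch_live("us-east-1")` to run it against an account; each row names a destination to repoint and the connection's `StateReason` as EventBridge recorded it.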

**To de-authorize a connection using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. In the **Connections** table, choose the connection.

1. On the **Connection details** page, choose **De-authorize**.

1. In the **Deauthorize connection?** dialog box, enter the name of the connection, and then choose **De-authorize**.

   The status of the connection changes to **De-authorizing** until the process is complete. Then the status changes to **De-authorized**. Now you can edit the connection to add new authorization parameters.

**To de-authorize a connection using the AWS CLI**
+ Use the `[deauthorize-connection](https://docs.aws.amazon.com/cli/latest/reference/events/deauthorize-connection.html)` command. 

# Deleting connections in EventBridge

You can delete a connection if you are no longer using it.

**To delete a connection using the EventBridge console**

1. Log in to AWS using an account that has permissions to manage EventBridge and open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. In the **Connections** table, choose the connection.

1. On the **Connection details** page, choose **Delete**.

**To delete a connection using the AWS CLI**
+ Use the `[delete-connection](https://docs.aws.amazon.com/cli/latest/reference/events/delete-connection.html)` command. 