Refer AWS Documentation here When a rule runs in EventBridge, all of the targets associated with the rule are invoked. Rules can invoke AWS Lambda functions, publish to Amazon SNS topics or relay the event to Kinesis streams. To make API calls against the resources you own, EventBridge needs appropriate permissions. EventBridge uses Resource-based policies for: 1. Lambda 2. Amazon SNS 3. Amazon SQS 4. Amazon CloudWatch Logs EventBridge uses Identity-based policies for: Kinesis streams AWS Lambda Permissions will look something like below: { "Effect": " Allow ", "Action": " lambda:InvokeFunction ", "Resource": "arn:aws:lambda:region:account-id:function:function-name", "Principal": { "Service": " events.amazonaws.com " }, "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name" } }, ...