Question 9 - AWS SOA-C03 Real Exam Questions [Jan 2026 Update]

Q: 9

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs to send specific events from all the accounts in the organization to a new receiver account, where an AWS Lambda function will process the events. A CloudOps engineer configures Amazon EventBridge to route events to a target event bus in the us- west-2 Region in the receiver account. The CloudOps engineer creates rules in both the sender and receiver accounts that match the specified events. The rules do not specify an account parameter in the event pattern. IAM roles are created in the sender accounts to allow PutEvents actions on the target event bus. However, the first test events from the us-east-1 Region are not processed by the Lambda function in the receiving account. What is the likely reason the events are not processed?

Options

Correct Answer:

Explanation

For Amazon EventBridge to send events from one AWS account to an event bus in another, a two-part permission model is required. First, the sender account needs an IAM role with a policy allowing the events:PutEvents action on the target event bus ARN. Second, and critically, the target event bus in the receiver account must have a resource-based policy attached. This policy explicitly grants permission to the sender account's principal (or the entire AWS Organization) to perform the events:PutEvents action. Without this resource-based policy, the receiver account's event bus will deny all incoming event requests from other accounts, which is the most likely reason the events are not being processed.

Why Incorrect

A. Interface VPC endpoints are only necessary for resources within a VPC to communicate with EventBridge privately, not a general requirement for cross-account event delivery.

B. EventBridge fully supports routing events to a target event bus in a different AWS Region. The scenario describes a valid cross-region architecture.

D. The rule's event pattern in the receiving account filters events after they have successfully arrived on the bus. The core issue is the event failing to arrive due to a permissions denial.

References

1. AWS Documentation

Amazon EventBridge User Guide

"Sending and receiving Amazon EventBridge events between AWS accounts": This section explicitly states the requirement for a resource-based policy on the receiving event bus. It clarifies: "To receive events from another account

you must edit the permissions for the event bus in your account... The policy grants permission to the other account to send events to the event bus in your account." It also provides example policies.

2. AWS Documentation

Amazon EventBridge User Guide

"Resource-based policies for Amazon EventBridge": This page details the structure and use of resource-based policies. It states

"To send events to an event bus in another account

you need to configure a resource-based policy that is attached to that event bus."

3. AWS Documentation

Amazon EventBridge User Guide

"Routing events to a different Region": This section confirms that cross-region event routing is a supported feature. It states

"You can create a rule that sends events to an event bus in a different Region. To do this

specify the event bus ARN in the other Region as the target of the rule." This directly refutes the claim in option B.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE