This chapter covers the AWS Health Dashboard—both the Service Health Dashboard (public) and the Personal Health Dashboard (account-specific)—and its deep integration with Amazon EventBridge. Understanding this integration is critical for the SOA-C02 exam, as it forms the backbone of automated incident response and proactive monitoring. Expect roughly 5-8% of exam questions to touch on health events, EventBridge rules, or the distinction between public and personal health data. By the end, you will be able to configure automated responses to AWS service events, troubleshoot misconfigurations, and answer exam questions with confidence.
Jump to a section
Imagine a large office building with a central public address system and a detailed security log. The building manager (AWS Health Dashboard) monitors all critical infrastructure—elevators, HVAC, fire alarms—and announces any issues over the PA system to everyone in the building. This is the public feed: anyone can hear it, but it's a one-way broadcast. However, the manager also keeps a private, detailed log of every event—exact time, sensor readings, affected zones—and can send targeted alerts to specific tenants (your account) based on their subscriptions. Now, the manager installs a new automated notification system (EventBridge) that can listen to the public PA announcements (via a partner event source) and also receive the detailed logs directly. When the PA announces 'Fire alarm on floor 3,' the notification system can trigger sprinklers, unlock doors, and page the fire warden automatically. But critically, the notification system can also filter: it only acts on events that affect its tenant's floor, ignoring unrelated announcements. Without this integration, the building manager would have to manually call each tenant, and the notification system would be blind to building-wide emergencies. The integration ensures that every public announcement can be turned into a precise, automated action, while the private log provides the detailed context needed for compliance and root cause analysis. The exam tests your understanding of which events are public vs. account-specific, how EventBridge routes them, and the exact configuration steps to set up cross-account or cross-region event flows.
What is the AWS Health Dashboard?
The AWS Health Dashboard is the authoritative source of information about AWS service health. It consists of two distinct components:
Service Health Dashboard (SHD): A public-facing page (health.aws.amazon.com) that shows the current status of all AWS services across all regions. This is a one-way broadcast—anyone can view it without authentication. It displays service-level status (e.g., "Service is operating normally") and any ongoing incidents (e.g., increased error rates, connectivity issues). The SHD is updated manually by AWS engineers and is not designed for programmatic consumption.
Personal Health Dashboard (PHD): An account-specific view that surfaces events relevant only to your AWS account and resources. It requires AWS credentials to access. PHD events are automatically generated by AWS when an event affects your specific resources (e.g., an EC2 instance scheduled for retirement, a pending maintenance event, a service disruption affecting your ALB). These events are much more granular and actionable than the SHD. PHD events are available via the AWS Health API and can be integrated with EventBridge.
How AWS Health Events Work Internally
When an AWS service experiences an issue that could impact customers, the AWS Health team creates an event. This event is classified into one of several categories:
issue: A service disruption or degradation (e.g., increased error rates for DynamoDB in us-east-1).
accountNotification: Account-specific notifications (e.g., EC2 instance scheduled for retirement, pending security patch).
scheduledChange: Planned maintenance or lifecycle events (e.g., RDS maintenance window, Lambda runtime deprecation).
Each event has a unique arn (Amazon Resource Name) and includes metadata such as service, region, startTime, endTime, statusCode, and eventTypeCategory. For accountNotification and scheduledChange, the event is automatically scoped to the affected account. For issue events, the PHD only shows the event if the affected resources overlap with your account (e.g., if the issue is in an Availability Zone where you have resources).
EventBridge Integration: The Mechanism
Amazon EventBridge (formerly CloudWatch Events) is a serverless event bus that ingests events from AWS services and routes them to targets (e.g., Lambda, SNS, SQS, Step Functions). The AWS Health service is a native event source for EventBridge. When a Health event is created or updated, it is automatically sent to the default event bus in the same account and region. However, there are critical nuances:
PHD events are automatically delivered to the default event bus in the account where the event occurs. You do not need to set up any cross-account permissions for this.
SHD events are NOT directly available via EventBridge. They are public and cannot be programmatically consumed. However, AWS provides a partner event source called "AWS Health" that can be configured to receive Health events from the PHD. This is a common exam trap: candidates assume SHD events can be used, but they cannot.
To integrate PHD events with EventBridge, you create a rule that matches the event pattern. The event pattern uses JSON structure to filter specific events. For example:
{
"source": ["aws.health"],
"detail-type": ["AWS Health Event"],
"detail": {
"service": ["EC2"],
"eventTypeCategory": ["scheduledChange"]
}
}This rule triggers only on scheduled changes for EC2. You can further filter by region, eventTypeCode, statusCode, etc. The rule then sends the event to a target such as a Lambda function that can automate remediation (e.g., snapshot an EBS volume before retirement).
Key Components, Values, and Defaults
- Event Structure: Each Health event in EventBridge has a detail-type of "AWS Health Event". The source is always "aws.health". The detail object contains:
- eventArn: Unique identifier.
- service: The AWS service (e.g., "EC2", "RDS").
- eventTypeCode: A specific code (e.g., "AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED").
- eventTypeCategory: One of issue, accountNotification, scheduledChange.
- region: The affected region.
- startTime, endTime: ISO 8601 timestamps.
- statusCode: open, closed, upcoming.
- affectedEntities: An array of ARNs for the affected resources (only for account-specific events).
Event Delivery: Health events are delivered to EventBridge within minutes of creation. There is no SLA, but typically within 5 minutes.
Rule Limits: You can have up to 300 EventBridge rules per event bus (default limit). Each rule can have up to 5 targets. This is important for exam questions about scaling automated responses.
Configuration and Verification
To configure the integration:
Open the EventBridge console.
Create a rule and select the default event bus.
Define event pattern: Choose "AWS events" and then "AWS Health" as the source. You can then fine-tune the pattern using the JSON editor.
Select target(s). Common targets: SNS topic (for human notification), Lambda function (for automation), SQS queue (for buffering), or Step Functions state machine (for complex workflows).
Configure permissions: The target must have a resource-based policy allowing EventBridge to invoke it. For example, for Lambda, you need to add a resource-based policy statement:
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:events:us-east-1:123456789012:rule/my-rule"
}
}
}To verify the integration:
Use the EventBridge console to view the rule's metrics (e.g., Invocations, FailedInvocations, TriggeredRules).
Check the CloudWatch Logs for the target if it logs.
Simulate a Health event using the AWS Health API or the AWS CLI:
aws health describe-events --filter "{\"services\":[\"EC2\"],\"eventTypeCategories\":[\"scheduledChange\"]}"Note that you cannot manually create Health events; you must wait for actual events or use the AWS Health API to retrieve past events.
Interaction with Related Technologies
AWS Config: Health events can trigger Config rules to evaluate resource compliance. For example, a scheduled change for an EC2 instance can trigger a Config rule that checks if the instance is part of an Auto Scaling group.
AWS Systems Manager: Health events can invoke Automation documents to perform remediation steps (e.g., patch an instance before a maintenance window).
AWS Chatbot: You can route Health events to Slack or Chime channels via SNS and Chatbot.
AWS Organizations: In an organization, Health events from member accounts can be aggregated to the management account using the aws.health source with cross-account event buses. This is a more advanced configuration that the exam may test.
Cross-Account and Cross-Region Considerations
By default, Health events are delivered to the event bus in the same account and region as the event. To centralize health events from multiple accounts, you can use cross-account event buses in EventBridge. This requires:
Creating an event bus in the management account.
Setting up a rule in each member account that forwards Health events to the management account's event bus.
The management account must have a resource-based policy allowing member accounts to put events.
For cross-region, you can create a rule in one region that sends events to a target in another region (e.g., a Lambda function in us-west-2). However, the event itself is region-specific; you cannot have a single rule catch all regions unless you create separate rules per region.
Exam-Relevant Numbers and Defaults
The default limit for EventBridge rules per event bus is 300.
The maximum number of targets per rule is 5.
Health events are typically delivered within 5 minutes.
The eventTypeCategory has exactly three values: issue, accountNotification, scheduledChange.
The statusCode can be open, closed, or upcoming (only for scheduled changes).
The source for Health events is always "aws.health".
The detail-type is always "AWS Health Event".
Common Pitfalls
Confusing SHD and PHD: The exam will present scenarios where a candidate tries to use the Service Health Dashboard events in EventBridge. Remember: only Personal Health Dashboard events are available via EventBridge.
Assuming all Health events are account-specific: issue events are only shown in the PHD if they affect your resources. If you have no resources in the affected region/AZ, you won't see the event in your PHD.
Forgetting to add resource-based policy: The target (Lambda, SNS, etc.) must allow EventBridge to invoke it. Without this, the rule will fail silently.
Misunderstanding event pattern syntax: The event pattern must match exactly; using "source": "aws.health" instead of "source": ["aws.health"] will cause the rule to never match.
Identify the Health Event
An AWS Health event is created when a service issue, account notification, or scheduled change occurs. The event is generated by the AWS Health service and is stored in the Personal Health Dashboard. The event has a unique ARN, a type (issue, accountNotification, scheduledChange), a service, a region, and a status (open, closed, upcoming). For account-specific events, the event includes the ARNs of affected resources. This event is then published to the default event bus in the account and region where the event occurred. The event is available via the AWS Health API and the EventBridge console within minutes.
Create EventBridge Rule with Pattern
In the EventBridge console, you create a rule that matches the Health event pattern. The event pattern is a JSON object that filters events based on source, detail-type, and detail fields. For example, to match all EC2 scheduled changes, you use source: ["aws.health"], detail-type: ["AWS Health Event"], and detail.service: ["EC2"], detail.eventTypeCategory: ["scheduledChange"]. The rule is associated with the default event bus. You can also create rules in custom event buses, but Health events only go to the default bus automatically.
Configure Target and Permissions
After defining the rule, you select one or more targets. Common targets include Lambda functions, SNS topics, SQS queues, and Step Functions state machines. For each target, you must ensure that EventBridge has permission to invoke it. For Lambda, you add a resource-based policy that allows the events.amazonaws.com service principal to invoke the function, with a condition restricting the source ARN to the rule's ARN. For SNS, you add a policy that allows EventBridge to publish to the topic. Without proper permissions, the rule will fail silently and no invocations will occur.
Test the Integration
To verify the integration, you can either wait for a real Health event or use the AWS Health API to describe past events. You cannot manually generate a Health event. However, you can use the AWS CLI to list events and check if the rule's metrics in CloudWatch show invocations. For example, run `aws health describe-events` to see recent events. If a matching event occurs, the rule should trigger the target within minutes. Check the target's logs (e.g., CloudWatch Logs for Lambda) to confirm the event was received and processed correctly.
Automate Remediation or Notification
The final step is to define the action taken by the target. For example, a Lambda function can parse the event detail, identify the affected resource ARN, and perform an action such as creating a snapshot, moving an instance, or sending a notification to a Slack channel via SNS. The event detail includes the `affectedEntities` array, which contains the ARNs of resources impacted. For scheduled changes, the event includes `startTime` and `endTime`, allowing you to schedule actions accordingly. This automation reduces manual intervention and improves incident response time.
Enterprise Scenario 1: Automated EC2 Instance Retirement Response
A large SaaS company runs thousands of EC2 instances across multiple accounts. When AWS schedules an instance retirement (e.g., due to underlying hardware degradation), the company needs to automatically snapshot the root volume, launch a replacement instance, and update DNS. They configure an EventBridge rule in each account that matches eventTypeCategory: "scheduledChange" and service: "EC2". The target is a Lambda function that checks the affectedEntities list, identifies the instance, creates an AMI, and launches a new instance in the same Auto Scaling group. They also send a notification to an SNS topic that posts to their internal ticketing system. This automation reduces the manual effort from 30 minutes per instance to near-zero and eliminates the risk of missing retirement deadlines. A common misconfiguration is forgetting to add the resource-based policy to Lambda, causing the rule to never trigger. Additionally, they had to increase the Lambda timeout to 5 minutes to handle large instances.
Enterprise Scenario 2: Centralized Health Monitoring Across an Organization
A financial services company uses AWS Organizations with 50 member accounts. They want a single dashboard that shows all Health events across all accounts. They set up a central event bus in the management account and create EventBridge rules in each member account that forward Health events to the central bus. The central bus then has rules that send events to a central SNS topic and a Step Functions workflow for incident management. They also use AWS Health's integration with AWS Config to trigger Config rules when a Health event occurs. For example, when an RDS maintenance event is detected, a Config rule checks if the database is encrypted. This centralized approach required careful IAM permissions: each member account needed a policy allowing events:PutEvents to the central bus, and the central bus needed a resource-based policy allowing member accounts to send events. They also had to handle cross-region events by creating separate rules per region. The main challenge was managing the 300 rule limit per event bus; they had to aggregate rules by service to stay within limits.
Enterprise Scenario 3: Proactive Maintenance with AWS Systems Manager
A gaming company uses a mix of EC2 and RDS instances. They receive scheduled change events for OS patching and RDS maintenance windows. They integrate Health events with AWS Systems Manager Automation. An EventBridge rule triggers a Systems Manager Automation document that patches the instance during the maintenance window, then reboots if necessary. They also use the statusCode field to detect when an event transitions from upcoming to open, triggering immediate action. The automation document includes error handling: if patching fails, it sends a notification to an SNS topic. They found that some events had affectedEntities with multiple ARNs, requiring the automation to iterate over each. They also had to ensure the Automation role had sufficient permissions to perform the patching. A pitfall was assuming that all scheduled changes have a startTime; some events use endTime as the deadline, and they had to adjust their logic accordingly.
What SOA-C02 Tests on This Topic
The SOA-C02 exam (Objective 1.2: Implement monitoring and event management) tests your ability to:
Distinguish between the Service Health Dashboard (SHD) and Personal Health Dashboard (PHD).
Configure EventBridge rules to respond to Health events.
Understand the event structure (source, detail-type, detail fields).
Identify correct permissions for EventBridge to invoke targets.
Troubleshoot common misconfigurations (e.g., missing resource policy, wrong event pattern).
Common Wrong Answers and Why Candidates Choose Them
"Use the Service Health Dashboard events in EventBridge" – Candidates confuse SHD with PHD. The SHD is public and not available via EventBridge. Only PHD events are delivered to the default event bus.
"Set the event pattern source to 'aws.health' without brackets" – The correct syntax is "source": ["aws.health"] (an array). Using a string will cause the rule to never match. Candidates often omit the array brackets.
"Health events are delivered to custom event buses" – By default, Health events go only to the default event bus. To use a custom bus, you must create a rule that forwards events from the default bus to the custom bus. This is a common exam trap.
"You can create a single rule that matches all Health events across all regions" – Each rule is region-specific. You must create a rule in each region where you want to receive events. Candidates assume global rules exist.
Specific Numbers and Terms That Appear Verbatim
The eventTypeCategory values: issue, accountNotification, scheduledChange.
The statusCode values: open, closed, upcoming.
The detail-type string: "AWS Health Event".
The source string: "aws.health".
The default limit of 300 rules per event bus.
The maximum of 5 targets per rule.
Edge Cases and Exceptions
Events with no affectedEntities: Some issue events do not list specific resources. The rule still fires, but the affectedEntities array is empty. Your target must handle this gracefully.
Cross-account Health events: If you use AWS Organizations, Health events from member accounts are not automatically sent to the management account. You must set up cross-account event buses.
Event updates: When a Health event is updated (e.g., status changes from open to closed), a new event is sent. Your rule will fire again, which might cause duplicate actions if not idempotent.
Regions with no Health events: If you have no resources in a region, you will not receive any issue events for that region. accountNotification and scheduledChange events are always account-specific regardless of resources.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When faced with a multiple-choice question about Health Dashboard and EventBridge, ask yourself:
Is the event from the Service Health Dashboard? If so, it cannot be used with EventBridge. Eliminate any answer that suggests using SHD events.
Does the event pattern use correct JSON syntax? Look for arrays around source and detail-type. If it uses strings instead of arrays, it's wrong.
Does the target have permission? The target must have a resource-based policy allowing EventBridge to invoke it. If the answer skips this step, it's incomplete.
Is the rule in the correct region? Health events are regional; you need a rule per region. If the answer assumes a global rule, it's wrong.
Are you using the correct event bus? Only the default event bus receives Health events automatically. Custom buses require explicit forwarding.
Only Personal Health Dashboard events are available via EventBridge; Service Health Dashboard events are not.
EventBridge event pattern must use arrays for source and detail-type: ["aws.health"] and ["AWS Health Event"].
Health events are regional; create one rule per region to capture all events.
Targets (Lambda, SNS, SQS) must have resource-based policies allowing EventBridge to invoke them.
Default limit: 300 EventBridge rules per event bus, 5 targets per rule.
eventTypeCategory values: issue, accountNotification, scheduledChange.
statusCode values: open, closed, upcoming (only for scheduled changes).
Health events are delivered to the default event bus only; custom buses require forwarding rules.
These come up on the exam all the time. Here's how to tell them apart.
Service Health Dashboard (SHD)
Publicly accessible without authentication.
Shows service-level status across all regions.
Not available via EventBridge or API.
Updated manually by AWS engineers.
Cannot be filtered per account.
Personal Health Dashboard (PHD)
Requires AWS credentials to access.
Shows events affecting your specific account and resources.
Available via EventBridge and AWS Health API.
Automatically generated by AWS Health service.
Events can be filtered by service, region, and event type.
Mistake
The Service Health Dashboard events are available via EventBridge.
Correct
Only Personal Health Dashboard events are available via EventBridge. The Service Health Dashboard is a public, non-programmatic feed. You cannot create EventBridge rules that react to SHD events.
Mistake
You can set the event pattern source to 'aws.health' as a string.
Correct
The source field must be an array: ["aws.health"]. Using a string will cause the rule to never match any events. This is a common syntax error.
Mistake
Health events are automatically delivered to custom event buses.
Correct
Health events are only sent to the default event bus in the account and region. To use a custom event bus, you must create a rule on the default bus that forwards events to the custom bus.
Mistake
A single EventBridge rule can match Health events from all regions.
Correct
EventBridge rules are regional. A rule in us-east-1 only matches events from us-east-1. You must create separate rules for each region where you want to receive Health events.
Mistake
All Health events include a list of affected resources.
Correct
Only account-specific events (accountNotification, scheduledChange) include affectedEntities. Some issue events may not list specific resources, especially if they are broad regional issues.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. The Service Health Dashboard is a public, read-only web page. It is not a programmatic source and does not emit events to EventBridge. Only Personal Health Dashboard events are available via EventBridge. If you need to react to service-wide issues, you must use the Personal Health Dashboard, which will show the event if it affects your account's resources.
In the EventBridge console, create a new rule. Select the default event bus. For event pattern, choose 'AWS events' and then 'AWS Health' as the source. You can then refine the pattern using the JSON editor. For example, to match all EC2 scheduled changes, use: {"source": ["aws.health"], "detail-type": ["AWS Health Event"], "detail": {"service": ["EC2"], "eventTypeCategory": ["scheduledChange"]}}. Then add a target, such as a Lambda function, and ensure the target has a resource-based policy allowing EventBridge to invoke it.
You need to add a resource-based policy to the Lambda function that allows the events.amazonaws.com service principal to invoke the function. The policy should include a condition that restricts the source ARN to the specific EventBridge rule's ARN. Example: {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"}, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function", "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:events:us-east-1:123456789012:rule/my-rule"}}}
Yes, by using cross-account event buses. In each member account, create a rule that forwards Health events to a central event bus in the management account. The central bus must have a resource-based policy allowing member accounts to put events. Then create rules on the central bus to process the events. Note that each rule is regional, so you need to set this up per region.
Typically within 5 minutes of the event being created or updated. There is no formal SLA, but in practice, events appear in EventBridge quickly. You can monitor the rule's invocation metrics in CloudWatch to see if events are being received.
These are the three eventTypeCategory values. 'issue' indicates a service disruption or degradation (e.g., increased error rates). 'accountNotification' is an account-specific alert (e.g., EC2 instance retirement). 'scheduledChange' is planned maintenance (e.g., RDS maintenance window). Only 'accountNotification' and 'scheduledChange' are account-specific and always include affectedEntities. 'issue' events may or may not include affectedEntities.
You cannot manually generate Health events. However, you can use the AWS Health API to describe past events and verify that your rule's event pattern would match them. For example, use the AWS CLI: `aws health describe-events --filter "{\"services\":[\"EC2\"],\"eventTypeCategories\":[\"scheduledChange\"]}"` to see recent events. You can also simulate an event by sending a custom event to EventBridge, but that won't test the Health-specific integration.
You've just covered AWS Health Dashboard and EventBridge Integration — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?