Skip to main content
This step is optional during pilot / initial deployment.KaireonAI ships with manual-only automation out of the box. Alert rules, notification destinations, report templates, and report schedules can all be created in the UI and fire end-to-end via Run Now buttons, Export buttons, and on-demand /api/cron/tick invocations — no AWS EventBridge wiring required.Enable this page only when you’re ready to move alerts and scheduled reports from on-demand to automated background evaluation. Wiring EventBridge turns the CRON_TOKEN env var into a live tap that fans out LLM narration and notification delivery every minute, so we recommend delaying this step until pilot guardrails (per-tenant schedule caps, minimum cadence, LLM spend caps) are in place. See the roadmap for the guardrail work-stream.

What this wires up

The platform’s cron endpoint — POST /api/cron/tick — drives two subsystems when called:
  • Alert rule evaluation — metric threshold checks with notification fan-out (see Alert Rules).
  • Report schedule execution — render PDF/CSV, narrate via LLM, deliver to configured destinations (see Report Schedules).
A single EventBridge Scheduler rule to this endpoint is enough for both — the tick response reports counts for each subsystem.

What still works without EventBridge

  • Alert rules — defined in /settings/alerts, stored in the database, and invokable manually by hitting /api/cron/tick with a valid x-cron-token. Rules simply stay dormant until evaluated.
  • Notification destinations — created and tested via the Test button in /settings/integrations → Notifications; fire on demand via POST /api/v1/notifications/send.
  • Report templates — built in /settings/reports, previewed live, and executed immediately via the Run Now button or POST /api/v1/reports/templates/[id]/run-now.
  • Report schedules — can be created and will show a nextRunAt value, but will not fire automatically until this page is wired. Use Run Now in the meantime.
  • Dashboard Export — every dashboard’s Export dropdown (PDF / CSV / Markdown / HTML) works unconditionally; no cron required.
  • Save as Report — creates the ReportTemplate + ReportSchedule rows immediately; scheduled firing waits on this page.

When to enable

Turn EventBridge on when:
  • You want alerts to fire without a human triggering the tick.
  • You need scheduled reports to arrive on cadence (daily digests, weekly executive summaries).
  • Pilot guardrails for LLM / notification spend are in place.

Setup (when you’re ready)

The rest of this page documents the AWS Console setup. Terraform/CDK codification is not part of the initial release — we recommend wiring this manually first so you can verify token rotation and observability before automating.

Prerequisites

  1. KaireonAI deployed with a reachable HTTPS URL (e.g., App Runner URL or custom domain).
  2. At least one notification destination configured.
  3. At least one alert rule enabled and referencing that destination, or at least one report schedule.
  4. CRON_TOKEN environment variable set on the API service to a strong random value (32+ chars). Example: 
    openssl rand -hex 32

Step 1 — Store the token in AWS Systems Manager Parameter Store

Keeping the token in Parameter Store lets you rotate without redeploying and lets EventBridge Scheduler reference it via an IAM role.
  1. AWS Console → Systems Manager → Parameter Store → Create parameter.
  2. Name: /kaireonai/prod/cron-token (pick a path that matches your env conventions).
  3. Type: SecureString.
  4. KMS key: default AWS-managed key is fine for most deployments; use a customer-managed KMS key if your security policy requires it.
  5. Value: paste the 32+ character token.
  6. Create.
Make sure the API service’s environment (CRON_TOKEN) reads from the same parameter — either via App Runner’s secret reference or at deploy time.

Step 2 — Create an EventBridge Scheduler IAM role

The schedule needs permission to invoke HTTPS endpoints and read the token from Parameter Store.
  1. IAM → Roles → Create role.
  2. Trusted entity type: Custom trust policy. Paste: 
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "scheduler.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
  3. Attach an inline policy with the minimum permissions: 
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:us-east-1:ACCOUNT_ID:parameter/kaireonai/prod/cron-token"
    }
  ]
}
    Replace ACCOUNT_ID, region, and the parameter path as needed.
  4. Role name: e.g., kaireonai-scheduler-role.
  5. Create.

Step 3 — Create the EventBridge Scheduler

  1. EventBridge → Scheduler → Schedules → Create schedule.
  2. Name: kaireonai-alert-tick.
  3. Schedule pattern: Recurring schedule. For a once-per-minute cadence: 
    rate(1 minute)
    Or use a cron expression like cron(*/5 * * * ? *) for every 5 minutes.
  4. Flexible time window: Off (keep ticks punctual).
  5. Click Next.
  6. Target API: API destinations is the cleanest option, but HTTPSInvoke API Destination requires a separate connection + destination setup. The simplest path is to use HTTP target:
    • Target type: Universal targetsAPI Gateway / HTTP.
    • URL: https://your-deployment/api/cron/tick
    • Method: POST
    • HTTP headers:
      • x-cron-token: <resolve:ssm:/kaireonai/prod/cron-token>
      • Content-Type: application/json
    • Request body: empty.
  7. Execution role: select kaireonai-scheduler-role from Step 2.
  8. Retry policy: up to 3 attempts, 60s retention is reasonable — the /api/cron/tick endpoint is idempotent (each tick reads current state) so retries do not cause duplicate fires beyond what cooldownMinutes already suppresses.
  9. Dead-letter queue: optional. Useful for spotting systemic failures.
  10. Create schedule.

Step 4 — Verify

  1. Wait one minute.
  2. Check App Runner / CloudWatch logs for the service — you should see an entry like: 
    cron.tick Tick complete { ok: true, tenantsProcessed: N, ... }
  3. In the platform UI, open Settings → Alert Rules — the Last fired column should update when a rule triggers.

Rotating the token

  1. Generate a new token (openssl rand -hex 32).
  2. Update the Parameter Store value.
  3. Update the API service’s CRON_TOKEN env (App Runner deploy or equivalent).
  4. The next EventBridge invocation after both updates are live uses the new token.
Update the service env FIRST, then the Parameter Store value, to avoid a window where EventBridge sends a new token the service rejects. Alternatively, bump both in a single deployment.

Cadence guidance

Match the tick cadence to the smallest windowMinutes of your alert rules. A rule with windowMinutes: 5 can only fire when the tick runs at least once every 5 minutes; running it every 1 minute gives sub-window responsiveness without meaningfully changing compute cost (the evaluator bails quickly when no rule triggers).
Rule windowMinutesRecommended tick cadence
1–5rate(1 minute)
5–15cron(0/5 * * * ? *) (every 5 minutes)
15–60cron(0/15 * * * ? *) (every 15 minutes)
60+cron(0 * * * ? *) (hourly)

Troubleshooting

EventBridge shows success but rules never fire — Check CloudWatch logs for 401 responses on /api/cron/tick. The most common cause is the x-cron-token header not being resolved from Parameter Store (the <resolve:ssm:...> syntax requires the IAM role in Step 2). Rules fire once then silently stopcooldownMinutes is preventing re-fire. Expected behavior. Look for status: cooldown in the tick response. Some tenants fail, others succeed — Per-tenant errors are isolated. The tick response lists failures in the errors array. Debug using the requestId that appears in the service logs.