can anyone help with the format to create an scp policy in json format to restrict the creation of any unencrypted sns topics? Thank you
I don't think this is possible because Actions, resources, and condition keys for Amazon SNS - Service Authorization Reference only lists Tags as the available Conditions for the CreateTopic command.
Related
We have Mobile PlatformApplication arns in AWS account-1, and we can publish PNs to endpoint arns with our java-service in the same account.
But when trying to publish PNs with our java-service in different AWS accounts, we get com.amazonaws.services.sns.model.AuthorizationErrorException.
There seems no option to provide a resource-based policy for these SNS PlatformApplication. How can we solve this?
Thanks in Advance!
Today, you cannot do cross-account publishes directly to endpoints.
However, you can create an IAM role under the account with the endpoints that the other account is able to assume. Once the role has been assumed, the second account would be able to publish to the endpoint as usual.
I have created AWS Config for SNS topic not encrypted with AWS KMS. Both SNS and AWS config are in the same region.
I have created 2 sample SNS topics but I can see only one in AWS Config.
AWS config Image:
SNS topics created:
Can anyone explain why the 2nd topic is not showing in AWS Config even though neither is encrypted with KMS?
Regards,
I would recommend checking it with CLI, because sometimes AWS UI works wonders and it just does not show it in the UI, but it is actually there. Either use boto3 for that or CLoudShell. For CloudShell here is the documentation and for boto3 it is here.
I researched a lot but i'm not convinced or sure if it's possible or not, Your help would be really appreciated.
I want to learn if cross Region resource access is possible using resource based policy if yes then how in this case.
USE CASE:
Same Account Different Regions
AWS SES is in Account A and Region us-east-1
AWS Lambda Function is in Account A Region eu-central-1
I Want to accomplish AWS SES trigger AWS Lambda (Same Account Different Regions)
If this is not possible then your workaround would be appreciated, but understanding this is the main purpose here.
It doesn't look like you can trigger cross region lambda from SES
The Amazon SNS topic you choose must be in the same AWS region as the Amazon SES endpoint you use to receive email.
See
Lambda Action - Amazon Simple Email Service - AWS Documentation
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-action-lambda.html
As a workaround, consider using SQS based Subscribtions, to subscribe an Amazon SQS queue to an Amazon SNS topic in your target region.
See https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-subscribe-queue-sns-topic.html
What is the easiest way to get the user/role used to update/upload an object to S3?
I object is still in the bucket. Just want to know who did it.
tried CLI didn't find anything. CloudTrail could be an option as well I guess.
The easiest way would be to enable S3 server access logging:
AWS Console -> S3 -> Choose your bucket -> Properties -> Choose target bucket (where wou want your logs to be stored) -> Save
Each request is saved as one row in logs. It's not just for get requests, it's for all types of requests.
In logs, you would look for Requester:
The canonical user ID of the requester, or a - for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
You can see more details in official documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
From Logging Amazon S3 API Calls by Using AWS CloudTrail - Amazon Simple Storage Service:
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3. CloudTrail captures a subset of API calls for Amazon S3 as events, including calls from the Amazon S3 console and from code calls to the Amazon S3 APIs.
On the AWS console, is there any history of users actions? I would like to see which of ours users has last modified a property of a S3 bucket for example
For this you can do few things.
Setup AWS CloudTrail to audit user actions to AWS S3
Enable logging for the S3 bucket and store the logs either in a bucket in the same account of in a different account (Better if you need more security).
Enable versioning on S3 buckets, so past versions remains and allows to revert the changes.
The best way to collect all user actions in AWS is using CloudTrail. Using CloudTrail you can also create trails that includes S3 object-level operation events.