How visualize the count of AWS IAM users in AWS Managed Grafana? Is it some Cloudwatch metrics (f.e. AWS/Usage)?
AWS cli can show this info aws iam get-account-summary with the response:
{
"SummaryMap": {
"Users": 27,
......
}
}
After thorough googling I found no Cloudwatch metrics for the IAM or other ways.
Related
How to use Cloudtrail to get who created IAM user , how to get this from logs
If the IAM user was created inside the last 90 days, you can find who created the user using CloudTrail Event history.
Using the AWS CLI:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser --region us-east-1
Using the Console: Go to Event History in CloudTrail Service, choose the EventName filter with a value of CreateUser. You have to use the region us-east-1 to view the events.
If the IAM user was created outside the 90 days time window, you can still find out who created the user if you have a trail enabled in CloudTrail. You can use Amazon Athena or some other method to search the log files created by CloudTrail in S3.
References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html (Note the disclaimer for global services post November 22, 2021)
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html
I am trying to sync two S3 buckets in different accounts. I have successfully configured the locations and created a task. However, when I run the task I get a Unable to connect to S3 endpoint error. Can anyone help?
This could have been related to the datasync's IAM role's policy (datasync IAM role) not having permission to the target S3 bucket
verify your policy and trust relationship using the below documentation
https://docs.aws.amazon.com/datasync/latest/userguide/using-identity-based-policies.html
Also turn on cloudwatch logs (like shown in the image) and view detailed log in cloudwatch. If it is permission related, add the missing policy in the Datasync role.
I get this error in CloudWatch logs of kinesis firehose
{
"deliveryStreamARN": "arn:aws:firehose:us-west-2:917877325894:deliverystream/test_dynamodb",
"destination": "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb2",
"deliveryStreamVersionId": 1,
"message": "Error received from Elasticsearch cluster. {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role2, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role2], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role2, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role2], requestedTenant=null]\"},\"status\":403}",
"errorCode": "ES.ServiceException"
}
I have added all different policies to the role attached to Firehose but still getting the same error.(btw the role was made by firehose itself but I tried also adding more policies with no different result)
I also have open access policy for the elasticsearch domain
Did anyone face the same thing before?
I had the same problem, instructions for troubleshooting are here
https://aws.amazon.com/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/
Go to Kibana and add your all_access mapping. Voila.
I am running some spot instances in my AWS account. Now I would like to subscribe to the spot instance data feed. how do I send the ec2 instance usage and pricing to the s3 bucket for every one hour?
aws ec2 create-spot-datafeed-subscription --bucket myawsbucket [--prefix myprefix]
How to create a prefix in the above command.
Please provide some examples to send the ec2 data to s3 bucket.
Using CLI you could run something like
aws ec2 create-spot-datafeed-subscription --bucket <s3-bucket-name> --prefix myspotdata
Ref: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-spot-datafeed-subscription.html
if you are using Terraform to manage your AWS resources then below code could be helpful to create Spot feed subscription with prefix
resource "aws_s3_bucket" "spotfeedbucket" {
bucket = "my-spot-feed-bucket-name"
acl = "private"
versioning {
enabled = true
}
}
resource "aws_spot_datafeed_subscription" "my-spot-feed-bucket-subscription" {
bucket = "${aws_s3_bucket.spotfeedbucket.bucket}"
prefix = "my-aws-spot-datafeed-prefix"
}
Hope this helps.
I am trying to follow this job aid to create an API gateway rest endpiont with an s3 integration.
https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html
However, when I try to create my execution role in IAM, there is only one use case at the bottom for API gateway. "Allows API Gateway to push logs to CloudWatch Logs." I am unable to attach an s3 policy the the API gateway role. Is this documentation out of date? How do I add the execution role for s3?
enter image description here
First you create the role with the cloudwatch policy,
then you go in your role list in IAM and find the role you just created ,
inside the role you can click on "attach policy" button and add any policies.
cheers