I want to copy(not share) EC2 AMI and RDS snapshot from one account to another account.
I also want to automate this process.
Help will appreciated.
The process would need to be:
Share the snapshot with the other AWS Account
From the other account, trigger a copy operation on the AMI / RDS Snapshot
The 'share' step is required to grant access to the other AWS Account.
You could automate this with code, but the code would need the ability to access both AWS Accounts since the 'share' step needs to be done in the source account and the 'copy' step needs to be done in the target account. This could be done by creating an IAM Role in the target account that can be assumed by your code.
You could potentially go one step further and have the code run in an AWS Lambda function that is automatically triggered by EventBridge whenever a new snapshot is generated. This can be done by triggering off an "RDS DB Snapshot Event", but I can't see an event that would trigger after an AMI is created.
Related
We have two AWS roles/accounts, and I hosted our PostgreSQL in one account, and later I was notified this role would be disabled shortly, and I need to transfer our database to another AWS accounts. So I made a snapshot of the DB from one to another. I'm wondering if the original account is deleted in the future, does my snapshot also get impacted? Thanks for the clarification
I agree with #erik258. I am sharing this article that says you can't transfer resources between accounts. However, you can migrate Amazon RDS resources to another account.
To migrate Amazon RDS resources to another account, follow these instructions:
Create a DB snapshot.
Share the snapshot with the target account.
Create a new DB instance in the target account by restoring the DB snapshot.
I have the following AWS cross account use case where Account A belong
to another team and my team is the owner of account B.
AWS account A would like to copy/share snapshot of AWS RDS
Oracle to AWS account B
Process/curate data by restoring snapshot in RDS instance and
using AWS Step Functions workflow in account B
Share snapshot back to AWS account A from account B.
I am using boto3 APIs and have working step functions code and I am looking for advice on solving step 1) and 3). I am thinking of asking account A team to write a Lambda which share snapshot and trigger Cloudwatch event which account B listens to and another lambda to share snapshot back to account A programmatically. I am not sure if that is an optimal approach and if there is any better way.
For an "optimal approach" - Have you considered using AWS backup? If the accounts are under the same organization AWS backup can do this all for you.
See here: https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html
and here: https://aws.amazon.com/getting-started/hands-on/amazon-rds-backup-restore-using-aws-backup/
How to copy a redshift cluster snapshot from one account to another account through script.
To manually migrate an Amazon Redshift cluster to another AWS account, follow these steps:
Create a manual snapshot of the cluster you want to migrate.
Share the cluster snapshot with another AWS account to view and
restore the snapshot.
Before you copy a snapshot to another region, first enable
cross-region snapshots.
In the destination AWS account, restore the shared cluster snapshot.
Please see
https://aws.amazon.com/premiumsupport/knowledge-center/account-transfer-redshift/
If you want to do that in a "script" for some reason - then you need to read https://docs.aws.amazon.com/redshift/latest/mgmt/manage-snapshots-api-cli.html
I believe everything you need can be done using aws cli.
How to create an AWS policy which can restrict the users to create an instance unless they create tags while they try to launch the instance?
This is not possible using an IAM policy alone. The reason being that all EC2 instances are launched without EC2 tags. Tags are added to the EC2 instance after it has launched.
The AWS Management Console hides this from you, but it's a two-step process.
The best you can do is to stop and/or terminate your EC2 instances after-the-fact if they are missing the tags.
Thanks to recent AWS changes, you can launch an EC2 instance and apply tags, all in a single, atomic operation. You can therefore write IAM polices requiring tags at launch.
More details, and a sample IAM policy, can be found at the AWS blog post announcing the changes.
Is there a way to run ECS containers under certain IAM roles?
Basically if you have a code / server that depends on IAM roles to access AWS resources (like S3 buckets or Dynamo tables), when you run that code / server as a ECS container, what will happen? can you control the roles per container?
Update 2: Roles are now supported on the task level
Update: Lyft has an open source thing called 'metadataproxy' which claims to solve this problem, but its been received with some security issues.
When you launch a container host (the instance that connects to your cluster) this is called the container instance.
This instance will have an IAM role attached to it(in the guides it is ecsInstanceProfile I think is the name).
This instance runs the ecs agent (and subsequently docker). The way this works is when tasks are run, the actual containers make calls to/from AWS services, etc. This is swallowed up my the host (agent) since it is actually controlling the network in/out of the docker containers. This traffic in actuality now is coming from the agent.
So no, you cannot control on a per container basis the IAM role, you would need to do that via the instances (agents) that join the cluster.
Ie.
you join i-aaaaaaa and it has the ECS IAM policy + S3 read only to cluster.
you join i-bbbbbbb and it has the ECS IAM policy + S3 read/write to cluster.
You launch a task 'c' that needs r/w to S3. You'd want to make sure it runs on i-bbbbbb