AWS AppConfig flags with SNS Topics - amazon-web-services

I've set up an AWS SNS service that sends an email to a specific address and calls a webhook to notify an external application that a job is completed.
I've been asked to enable/disable one of the two subscriptions based on a flag that I've set inside AWS AppConfig. I've googled around but have found no way of conditioning the execution of such a subscription on the value of the flag. Is this possible?
Should I use a Lambda as the subscription endpoint and then send the webhook/mail based on the AppConfig flag value?

You cannot directly tie an SNS subscription's status to a flag in AppConfig.
What you can do is either to read the flag before publishing the message to SNS or, as you said, replace the subscription with a Lambda that checks the flag after receiving a message from the SNS topic.
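The second option from the answer (a single Lambda subscriber that reads the flag and fans out itself), as an added example that is not part of the original post. The AppConfig application, environment and profile names, the flag keys `webhook-enabled` / `email-enabled`, the webhook URL and the mail address are all assumptions; the flags are read through the AWS AppConfig Lambda extension's local endpoint, and the sample SNS event at the bottom is constructed:

```python
import json
import urllib.request

# Assumed names; replace with your AppConfig application, environment and
# configuration profile. This is the local endpoint of the AWS AppConfig
# Lambda extension (default port 2772).
APPCONFIG_URL = ("http://localhost:2772/applications/job-notifier"
                 "/environments/prod/configurations/notification-flags")
WEBHOOK_URL = "https://example.invalid/jobs/completed"  # assumed placeholder
MAIL_TO = "ops@example.invalid"                          # assumed placeholder


def fetch_flags(url=APPCONFIG_URL):
    """Read the flag document through the AppConfig Lambda extension.
    A feature-flag profile comes back as {"flag-key": {"enabled": true, ...}}."""
    with urllib.request.urlopen(url, timeout=2) as resp:
        return json.loads(resp.read())


def flag_enabled(flags, key, default=False):
    """Fail closed: an absent or malformed flag counts as `default` (off)."""
    entry = flags.get(key) if isinstance(flags, dict) else None
    if not isinstance(entry, dict):
        return default
    return entry.get("enabled", default) is True


def sns_messages(event):
    """Yield the Message of every SNS record in a Lambda SNS event."""
    for record in event.get("Records", []):
        sns = record.get("Sns") or {}
        if sns.get("Type") == "Notification":
            yield sns.get("Message", "")


def route(event, flags, send_webhook, send_email):
    """Fan out each message according to the flags; returns the actions taken."""
    actions = []
    for message in sns_messages(event):
        if flag_enabled(flags, "webhook-enabled"):
            send_webhook(message)
            actions.append("webhook")
        if flag_enabled(flags, "email-enabled"):
            send_email(message)
            actions.append("email")
    return actions


def post_webhook(message):
    req = urllib.request.Request(WEBHOOK_URL, data=json.dumps({"text": message}).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def send_mail(message):
    import boto3  # present in the Lambda runtime; imported lazily so the rest runs anywhere
    ses = boto3.client("ses")
    return ses.send_email(Source=MAIL_TO, Destination={"ToAddresses": [MAIL_TO]},
                          Message={"Subject": {"Data": "Job completed"},
                                   "Body": {"Text": {"Data": message}}})


def lambda_handler(event, context):
    # Flags are read per invocation so a change in AppConfig takes effect
    # on the next message without a redeploy.
    return route(event, fetch_flags(), post_webhook, send_mail)


# Constructed sample of what SNS hands to a Lambda subscriber.
SAMPLE_EVENT = {"Records": [{"Sns": {"Type": "Notification", "Message": "job 42 completed"}}]}
```

With this layout the email and webhook subscriptions on the topic are removed and the Lambda is the only subscriber; the flag document decides what it does. Reading the flag before publishing (the answer's first option) has the same shape but runs in the publisher instead.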

How to send SSM (Agent) status notification to SNS within AWS

My question is: is there any other way to monitor the SSM status and send the event notification to SNS instead of configuring the SNS topic from the executor by providing NotificationConfig?
I encountered a scenario where, within our staging environment, there is an SNS topic with a subscription that can always receive the SSM (Systems Manager) status notification, and it triggers a Lambda function to send notifications to our Slack app. This was done by our previous colleague.
However, within our production environment, I can't set up such a topic that can always receive the SSM status notification.
Within the staging, the SSM agent is triggered through a python lambda function. It sends commands with the PowerShell script without configuring the NotificationConfig argument. I wonder how this event is sent to the SNS topic.
I follow AWS' documentation which assigns the SNS Topic to the executor of the command. I know this way. (https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-sns-rc-send.html)
Many Thanks.
You can capture any AWS event using EventBridge.
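To make the one-line answer concrete, here is an added example (not from the original thread) of the EventBridge rule pattern that catches SSM Run Command status changes, together with a small matcher that applies EventBridge's exact-match semantics so the pattern can be checked against sample events offline before the rule is created (with `put_rule` or `AWS::Events::Rule`, with the SNS topic as target). The `source` and `detail-type` values are the documented ones for SSM command status-change events; the `detail` field names and status values are written from memory of the SSM event format and should be checked against a real event. The sample events are constructed.

```python
import json

# Rule pattern: fire for every terminal status of a Run Command invocation.
# Drop "Success" if only failures should page.
SSM_COMMAND_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["EC2 Command Status-change Notification"],
    "detail": {"status": ["Success", "Failed", "TimedOut", "Cancelled"]},
}


def pattern_json(pattern=SSM_COMMAND_PATTERN):
    """The string to pass as EventPattern to put_rule / EventPattern in CloudFormation."""
    return json.dumps(pattern)


def matches(pattern, event):
    """EventBridge exact matching: every key in the pattern must exist in the
    event; a list means 'any of these values' (and if the event value is itself
    a list, any element may match); a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or dict")
    return True


def should_notify(event, pattern=SSM_COMMAND_PATTERN):
    return matches(pattern, event)


def sample_command_event(status):
    """Constructed event in the shape EventBridge delivers for an SSM command."""
    return {
        "version": "0",
        "id": "00000000-0000-4000-8000-000000000001",
        "source": "aws.ssm",
        "detail-type": "EC2 Command Status-change Notification",
        "account": "123456789012",
        "region": "eu-west-1",
        "detail": {
            "command-id": "00000000-0000-4000-8000-000000000002",
            "document-name": "AWS-RunPowerShellScript",
            "status": status,
        },
    }
```

Two practical checks when wiring this up: the SNS topic's access policy must allow `events.amazonaws.com` to `sns:Publish` to it, or the rule silently fails to deliver; and because the rule listens for the event rather than the command's `NotificationConfig`, it fires for commands sent by anyone in the account, which is exactly the "always receives" behaviour the question describes for staging.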

Set the recipient of a PagerDuty alerts programmatically

I am looking for ideas on how to set the recipient of PagerDuty alerts.
To give some context, I have an AWS Config rule that publishes a new event into an SNS topic, via EventBridge, each time the Config rule is non-compliant. I then have PagerDuty subscribed to the SNS topic; PagerDuty successfully receives the alerts and forwards them to the alert recipients, no issue there.
My question is this: is it possible to set the recipient of the PagerDuty Alert based on the event that triggers the alert?
I am thinking about using lambda to query CloudTrail to extract the email address of the user initiating the event that causes the aws config to become non-compliant, but not sure how to set that email address as the recipient of the PagerDuty notification.
Is this even possible? or is there a better way to approach it?
Thanks in advance
Some options for thought:
Depending on the size of your instance you could build a specific service for each of the possible recipients, either using the Lambda you mentioned to control which service the alert is routed to, or, alternatively, using a PagerDuty global ruleset (or Event Orchestration) to route the alert based on its contents.
This doesn't need much setup initially, but the tradeoff is that it quickly becomes unwieldy at scale.
https://support.pagerduty.com/docs/event-orchestration#global-orchestrations
I've also seen solutions that assign an escalation policy without a specific target to a service, such as a user account with no contact info. When an alert and incident are opened, a webhook is sent to, for example, Rundeck, and that tool takes action in PagerDuty. The correct recipient is assigned to the incident and requested to acknowledge.
The tradeoffs here are losing visual sight of who is on-call for a service and the lift to stand up RunDeck, a lambda, or some other listener to process the webhook event.
https://support.pagerduty.com/docs/event-orchestration#webhooks
https://www.pagerduty.com/integrations/rundeck-runbook-automation/
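The first option from the answer (a Lambda that picks the PagerDuty service per alert), as an added example that is not from the original thread. It sits between EventBridge and PagerDuty instead of the plain SNS subscription: it reads the Config compliance-change event, selects the Events API v2 routing key of the service whose escalation policy reaches the right people, and builds the `enqueue` payload. The rule-to-routing-key map and the key values are assumptions; the sample event is constructed in the `Config Rules Compliance Change` shape. Sending a `resolve` with the same `dedup_key` when the resource returns to COMPLIANT closes the incident automatically, which the one-way SNS subscription cannot do.

```python
import json
import urllib.request

PAGERDUTY_EVENTS_URL = "https://events.pagerduty.com/v2/enqueue"

# Assumed mapping: Config rule name -> routing key of the PagerDuty service
# (one service per recipient group, as the answer suggests).
ROUTING_KEYS = {
    "s3-bucket-public-read-prohibited": "ROUTING_KEY_STORAGE_TEAM",
    "iam-user-mfa-enabled": "ROUTING_KEY_IDENTITY_TEAM",
}
DEFAULT_ROUTING_KEY = "ROUTING_KEY_SECURITY_ONCALL"


def build_pd_event(config_event):
    """Turn an EventBridge 'Config Rules Compliance Change' event into an
    Events API v2 payload routed to the right service."""
    detail = config_event["detail"]
    rule = detail["configRuleName"]
    resource = f"{detail['resourceType']}/{detail['resourceId']}"
    compliance = detail["newEvaluationResult"]["complianceType"]
    non_compliant = compliance == "NON_COMPLIANT"
    return {
        "routing_key": ROUTING_KEYS.get(rule, DEFAULT_ROUTING_KEY),
        # trigger opens/updates the incident; resolve closes it via dedup_key
        "event_action": "trigger" if non_compliant else "resolve",
        "dedup_key": f"{rule}/{detail['resourceId']}",
        "payload": {
            "summary": f"Config rule {rule} is {compliance} for {resource}",
            "source": f"{detail['awsAccountId']}/{detail['awsRegion']}",
            "severity": "error" if non_compliant else "info",
            "component": detail["resourceType"],
            "custom_details": detail,
        },
    }


def send_pd_event(pd_event, url=PAGERDUTY_EVENTS_URL):
    req = urllib.request.Request(url, data=json.dumps(pd_event).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context):
    return send_pd_event(build_pd_event(event))


def sample_config_event(rule, compliance):
    """Constructed EventBridge event in the Config compliance-change shape."""
    return {
        "version": "0",
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "region": "eu-west-1",
        "account": "123456789012",
        "detail": {
            "configRuleName": rule,
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "my-bucket",
            "awsRegion": "eu-west-1",
            "awsAccountId": "123456789012",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }
```

If the Lambda does look up the initiating principal in CloudTrail as the question proposes, the natural place for it is `custom_details`, so it appears on the incident; the page does not describe a way to set a PagerDuty recipient from that value directly, which is why routing is done by service here.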

aws calling lambda on cloudwatch alarm - Only email lists for this account are available

On AWS I'm trying to create a CloudWatch alarm that sends a notification to an SNS topic that in turn triggers a Lambda function subscribed to the topic, but I have run into a bit of a snag in which my Lambda is never triggered. I've followed several tutorials on how to do this; I've manually tested the SNS-Lambda connection and this is working, as is attaching the notification trigger to CloudWatch.
I've done this all through cloudformation.
I have also tried to configure it manually from the cloudwatch console and then noticed something strange. Underneath the Send a notification to select box as shown in the image below, there is a message which says Only email lists for this account are available. So I'm guessing from that, that somewhere in this account, there is a weird setting that needs to be changed?
Updated answer:
Is the CloudWatch alarm actually in the "Alarm" state? Can you add two more notifications to be triggered by the "OK" and "Insufficient data" states respectively?
From reading the original post, SNS should have the right permission to invoke the Lambda function.
Previous answer:
That is a general message; it has nothing to do with your SNS topic settings. I reckon it's meant to say only emails opted in to that SNS topic will get emails.
Q: How does Amazon SNS validate a subscription request to ensure that notifications will not be sent to users as spam?
As part of the subscription registration, Amazon SNS will ensure that notifications are only sent to valid, registered subscribers/end-points. To prevent spam and ensure that a subscriber end-point is really interested in receiving notifications from a particular topic, Amazon SNS requires an explicit opt-in from subscribers using a 2-part handshake:
i. When a user first calls the Subscribe API and subscribes an end-point, Amazon SNS will send a confirmation message to the specified end-point.
ii. On receiving the confirmation message at the end-point, the subscriber should confirm the subscription request by sending a valid response. Only then will Amazon SNS consider the subscription request to be valid. If there is no response to the challenge, Amazon SNS will not send any notifications to that end-point. The exact mechanism of confirming the subscription varies by the transport protocol selected:
For HTTP/HTTPS notifications, Amazon SNS will first POST the confirmation message (containing a token) to the specified URL. The application monitoring the URL will have to call the ConfirmSubscription API with the token included.
For Email and Email-JSON notifications, Amazon SNS will send an email to the specified address containing an embedded link. The user will need to click on the embedded link to confirm the subscription request.
For SQS notifications, Amazon SNS will enqueue a challenge message containing a token to the specified queue. The application monitoring the queue will have to call the ConfirmSubscription API with the token.
Note: The explicit “opt-in” steps described above are not required for the specific case where you subscribe your Amazon SQS queue to your Amazon SNS topic – and both are “owned” by the same AWS account.
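The two checks the updated answer asks for (is the alarm really in ALARM state, and can SNS invoke the function from this topic), as an added example that is not from the original thread. Both inputs are constructed here in the shape returned by `aws lambda get-policy` (whose `Policy` field is a JSON string) and `aws cloudwatch describe-alarms`; in practice you would feed in the real CLI output. The topic and function ARNs are placeholders.

```python
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def sns_can_invoke(get_policy_output, topic_arn):
    """True if the Lambda resource policy lets sns.amazonaws.com invoke the
    function for this topic. A statement with no SourceArn condition also
    passes (any topic can invoke), which works but should be tightened."""
    policy = json.loads(get_policy_output["Policy"])
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "lambda:InvokeFunction" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "sns.amazonaws.com" not in services:
            continue
        cond = stmt.get("Condition", {})
        source = (cond.get("ArnLike", {}).get("AWS:SourceArn")
                  or cond.get("ArnEquals", {}).get("AWS:SourceArn"))
        if source is None:
            return True
        if any(fnmatch.fnmatchcase(topic_arn, pat) for pat in _as_list(source)):
            return True
    return False


def alarm_problems(describe_alarms_output, alarm_name, topic_arn):
    """Return a list of reasons the alarm would not publish to the topic;
    an empty list means it is wired and currently in ALARM. CloudWatch only
    publishes on a state *transition*, so an alarm that was already in ALARM
    before the action was attached sends nothing until it changes state."""
    alarms = [a for a in describe_alarms_output.get("MetricAlarms", [])
              if a.get("AlarmName") == alarm_name]
    if not alarms:
        return ["alarm not found"]
    alarm = alarms[0]
    problems = []
    if topic_arn not in alarm.get("AlarmActions", []):
        problems.append("topic is not in AlarmActions")
    if not alarm.get("ActionsEnabled", True):
        problems.append("ActionsEnabled is false")
    state = alarm.get("StateValue")
    if state != "ALARM":
        problems.append(f"alarm is in state {state}, not ALARM; nothing is published until it transitions")
    return problems


# Constructed inputs (placeholder ARNs).
TOPIC_ARN = "arn:aws:sns:eu-west-1:123456789012:alarm-topic"
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:alarm-handler"
GOOD_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSNSInvoke", "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": TOPIC_ARN}},
    }],
})}
EMPTY_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": []})}
ALARMS = {"MetricAlarms": [{
    "AlarmName": "high-cpu", "StateValue": "OK", "ActionsEnabled": True,
    "AlarmActions": [TOPIC_ARN], "OKActions": [], "InsufficientDataActions": [],
}]}
```

The `GOOD_POLICY` statement is what `AWS::Lambda::Permission` with `Principal: sns.amazonaws.com` and `SourceArn: !Ref Topic` produces in CloudFormation; if that resource is missing from the template, the SNS-to-Lambda path works in the console (which adds the permission for you) but not from the stack.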

AWS RDS event subscription with lambda in another account

I am trying to get a Lambda in another account invoked by RDS instance event notifications.
RDS event subscription is set to invoke SNS topic which triggers lambda in other account.
I have setup an entire stack using cloudformation. Things I achieved so far are
RDS events are able to invoke SNS topic, I have tested it using creating email subscription to SNS topic
SNS topic is able to trigger lambda in another account. I have tested it using publish messages in SNS topic. I can see that is flowing through in cloudwatch logs.
The part I am not able to get working is RDS events triggering SNS and then the Lambda in the other account. It's very strange, as the individual bits are working fine but not end to end. Another observation is that the status of the SNS subscription in RDS events is shown as Active and I can see the subscription log in Lambda, but nothing happens after I reboot the RDS instance to test.
Also, I see this bizarre behaviour that the subscription status is set to Null.
I followed below links for reference
https://jimmythompson.co.uk/blog/sns-and-lambda/
https://medium.com/pablo-perez/infrastructure-as-a-code-should-not-be-imperative-43d9a64e3998
Is there something I am missing? Any help is much appreciated.

How to confirm a slack subscription to an aws SNS topic?

I have a lambda function that notifies an SNS topic.
It currently sends an email each time I invoke the function so the lambda, the SNS piece and the email subscription are all working ok.
Now I want a Slack Integration.
I've created a channel called aws_int but I can't get it to receive the notification.
I am stuck on the need to 'verify the subscription'. I don't see how I would do this in the https connection to slack.
I don't understand how to do it manually using the console in aws because all the documentation keeps referring to using the 'Subscription Confirmation URL'
I can't find what that is.
I found a post talking about the JSON being invalid: Confirming AWS SNS Topic Subscription for Slack Webhook but I don't understand how I would use that, maybe I could use Postman but I am not sure exactly how to format that POST.
So how can I integrate Slack and aws for an SNS topic, specifically how can I do the confirmation (which is required in order to activate it). This has to be a common need!
If I use the hook URL I get
Everything I am trying is just stacking up more Pending Confirmations, which btw I cannot delete...
Here's my postman attempt...
You really DON'T need Lambda. Just SNS and Slack are enough.
I found a way to integrate AWS SNS with Slack WITHOUT AWS Lambda or AWS Chatbot. With this approach you can confirm the subscription easily.
Follow the video, which shows all the steps clearly.
https://www.youtube.com/watch?v=CszzQcPAqNM
Steps to follow:
1. Create a Slack channel or use an existing channel.
2. Create a workflow, selecting Webhook as the trigger.
3. Create a variable named "SubscribeURL". The name is very important.
4. Add the above variable to the message body of the workflow. Publish the workflow and get the URL.
5. Add the above URL as a subscription of the SNS topic. You will see the subscription URL in the Slack channel.
6. Follow the URL and complete the subscription.
7. Come back to the workflow and change the "SubscribeURL" variable to "Message".
8. Then publish a message in SNS. You will see the message in the Slack channel.
It doesn't look like there is a way to confirm an SNS subscription to a Slack endpoint (email, webhook, whatever). If you want to use SNS as a decoupling layer, you'll need to add a lambda into the system, which can handle the confirmation process.
Lambda -> webhook -> SNS -> Lambda -> webhook -> Slack
Confirming AWS SNS Topic Subscription for Slack Webhook has some more information about this.
I would recommend just using the Lambda to send a message to slack, either calling another dedicated lambda, or just internally to the original one. There's a good tutorial here. If you really want to use SNS, then you could use your original lambda to trigger SNS, then have a new slack-dedicated lambda subscribe to the SNS topic.
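The Lambda-in-the-middle approach from the last two answers (SNS -> Lambda -> Slack), as an added example that is not from the original thread. Here the Lambda is exposed over HTTPS (a function URL or API Gateway) and is the topic's HTTPS subscriber, so it has to complete the handshake the FAQ above describes: on a `SubscriptionConfirmation` it fetches `SubscribeURL`, on a `Notification` it posts to the Slack incoming webhook. Because anyone who can reach the endpoint can POST a message that looks like SNS, the handler refuses to follow a `SubscribeURL` that is not an `https://sns.<region>.amazonaws.com` link, which stops the function being used as a request proxy. The Slack webhook URL is a placeholder and the sample messages are constructed.

```python
import json
import urllib.request
from urllib.parse import urlparse

SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/T000/B000/XXXXXXXX"  # assumed placeholder


def is_sns_url(url):
    """Only follow links that point at an SNS API endpoint over TLS."""
    parts = urlparse(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and host.startswith("sns.") and (
        host.endswith(".amazonaws.com") or host.endswith(".amazonaws.com.cn"))


def http_get(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status


def http_post_json(url, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handle_sns_post(headers, body, get=http_get, post=http_post_json):
    """headers: lower-cased HTTP headers; body: the raw JSON string SNS POSTed.
    `get`/`post` are injectable so the logic can be exercised without network."""
    msg_type = headers.get("x-amz-sns-message-type")
    try:
        msg = json.loads(body)
    except ValueError:
        return {"statusCode": 400, "body": "body is not JSON"}
    if msg.get("Type") != msg_type:
        return {"statusCode": 400, "body": "header/body message type mismatch"}

    if msg_type == "SubscriptionConfirmation":
        url = msg.get("SubscribeURL", "")
        if not is_sns_url(url):
            return {"statusCode": 400, "body": "refusing non-SNS SubscribeURL"}
        get(url)  # a GET on SubscribeURL is the ConfirmSubscription call
        return {"statusCode": 200, "body": "subscription confirmed"}

    if msg_type == "Notification":
        subject = msg.get("Subject") or "SNS notification"
        post(SLACK_WEBHOOK_URL, {"text": f"*{subject}*\n{msg.get('Message', '')}"})
        return {"statusCode": 200, "body": "forwarded"}

    return {"statusCode": 400, "body": f"unsupported message type {msg_type!r}"}


def lambda_handler(event, context):
    # Function URL / HTTP API events carry headers under "headers" and the raw body.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    return handle_sns_post(headers, event.get("body") or "")


# Constructed samples of what SNS POSTs to an HTTPS endpoint (abbreviated fields).
SAMPLE_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:eu-west-1:123456789012:job-done",
    "Token": "abc123",
    "SubscribeURL": "https://sns.eu-west-1.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=arn:aws:sns:eu-west-1:123456789012:job-done&Token=abc123",
})
FORGED_CONFIRMATION = json.dumps({"Type": "SubscriptionConfirmation",
                                  "SubscribeURL": "https://attacker.example/?steal"})
SAMPLE_NOTIFICATION = json.dumps({"Type": "Notification", "Subject": "Job finished",
                                  "Message": "job 42 completed"})
```

The host check is the minimum; a production endpoint should also verify the `Signature` in the message against the certificate at `SigningCertURL` (applying the same host check to that URL) so that only messages actually signed by SNS reach Slack. If the Lambda is instead subscribed with the `lambda` protocol, as the last answer suggests, none of the confirmation handling is needed and only the `Notification` branch applies.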