Best practices for AWS cross account RDS snapshot share programmatically - amazon-web-services

I have the following AWS cross account use case where Account A belongs to another team and my team is the owner of account B.
1) AWS account A would like to copy/share a snapshot of AWS RDS Oracle to AWS account B.
2) Process/curate data by restoring the snapshot in an RDS instance and using an AWS Step Functions workflow in account B.
3) Share the snapshot back to AWS account A from account B.
I am using boto3 APIs and have working step functions code and I am looking for advice on solving step 1) and 3). I am thinking of asking account A team to write a Lambda which share snapshot and trigger Cloudwatch event which account B listens to and another lambda to share snapshot back to account A programmatically. I am not sure if that is an optimal approach and if there is any better way.
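The three steps above (and the same share/restore procedure given in the "How to transfer AWS RDS to different role" answer further down) map onto two RDS API calls: ModifyDBSnapshotAttribute with the "restore" attribute to grant another account access, and CopyDBSnapshot in the receiving account so that it owns an independent copy. The following is an added example, not code from the question or from AWS; it passes the RDS client in as a parameter so it runs offline against the constructed FakeRds stand-in, and in real use you would pass boto3.client("rds") for whichever account the step runs in (step 1 in account A, steps 2 and 3 in account B). The snapshot names and account ids are made up.

```python
"""Share an RDS snapshot to another account, copy it there, share it back.

Added example (not code from the question or from AWS). The RDS client is a
parameter: FakeRds below for an offline run, boto3.client("rds") for real use.
"""
import re
import time

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id):
    # The 'restore' attribute also accepts the literal 'all', which makes the
    # snapshot public. Insisting on a 12-digit id rules that out by accident.
    account_id = str(account_id)
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return account_id


def share_snapshot(rds, snapshot_id, target_account):
    """Steps 1 and 3: the owning account grants the other account restore access.

    Automated snapshots (ids starting with 'rds:') cannot be shared; copy them
    to a manual snapshot first. Encrypted snapshots can only be shared when they
    use a customer-managed KMS key whose policy grants the target account; a
    snapshot encrypted with the default aws/rds key cannot be shared at all.
    """
    if snapshot_id.startswith("rds:"):
        raise ValueError("automated snapshots cannot be shared; copy to a manual snapshot first")
    target = validate_account_id(target_account)
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id, AttributeName="restore", ValuesToAdd=[target])
    return {"snapshot": snapshot_id, "shared_with": target}


def revoke_share(rds, snapshot_id, target_account):
    """Withdraw the grant once the other account owns its own copy."""
    target = validate_account_id(target_account)
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id, AttributeName="restore", ValuesToRemove=[target])
    return {"snapshot": snapshot_id, "revoked_from": target}


def copy_shared_snapshot(rds, source_snapshot_arn, target_snapshot_id,
                         kms_key_id=None, poll_seconds=15, max_polls=240):
    """Step 2: the receiving account copies the shared snapshot (referenced by
    its ARN) so that it owns it, then polls until the copy is available.
    An encrypted source needs kms_key_id set to a key in the receiving account."""
    params = {"SourceDBSnapshotIdentifier": source_snapshot_arn,
              "TargetDBSnapshotIdentifier": target_snapshot_id}
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    rds.copy_db_snapshot(**params)
    for _ in range(max_polls):
        snap = rds.describe_db_snapshots(DBSnapshotIdentifier=target_snapshot_id)["DBSnapshots"][0]
        if snap["Status"] == "available":
            return snap
        if snap["Status"] == "failed":
            raise RuntimeError(f"copy of {source_snapshot_arn} failed")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{target_snapshot_id} not available after {max_polls} polls")


class FakeRds:
    """Constructed stand-in for boto3's RDS client: records calls and reports a
    copied snapshot as 'creating' once before 'available'."""

    def __init__(self):
        self.calls = []
        self._polls = 0

    def modify_db_snapshot_attribute(self, **kw):
        self.calls.append(("modify_db_snapshot_attribute", kw))
        return {}

    def copy_db_snapshot(self, **kw):
        self.calls.append(("copy_db_snapshot", kw))
        return {}

    def describe_db_snapshots(self, **kw):
        self._polls += 1
        status = "available" if self._polls > 1 else "creating"
        return {"DBSnapshots": [{"DBSnapshotIdentifier": kw["DBSnapshotIdentifier"],
                                 "Status": status}]}


if __name__ == "__main__":
    # Offline walk-through with constructed ids; swap FakeRds() for boto3.client("rds").
    a_rds, b_rds = FakeRds(), FakeRds()
    account_a, account_b = "111111111111", "222222222222"
    print(share_snapshot(a_rds, "oracle-nightly", account_b))                  # step 1, run in A
    arn = f"arn:aws:rds:us-east-1:{account_a}:snapshot:oracle-nightly"
    print(copy_shared_snapshot(b_rds, arn, "oracle-nightly-copy", poll_seconds=0))  # step 2, run in B
    print(revoke_share(a_rds, "oracle-nightly", account_b))                    # A withdraws the grant
    print(share_snapshot(b_rds, "oracle-curated", account_a))                  # step 3, run in B
```

Revoking the grant after the copy is worth keeping in the workflow: a shared snapshot stays restorable by the other account until the attribute is removed, whereas a copy gives the receiving account data it controls under its own KMS key. DocumentDB cluster snapshots follow the same pattern with ModifyDBClusterSnapshotAttribute.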

For an "optimal approach" - Have you considered using AWS Backup? If the accounts are under the same organization, AWS Backup can do this all for you.
See here: https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html
and here: https://aws.amazon.com/getting-started/hands-on/amazon-rds-backup-restore-using-aws-backup/

Related

How to transfer AWS RDS to different role

We have two AWS roles/accounts, and I hosted our PostgreSQL in one account, and later I was notified this role would be disabled shortly, and I need to transfer our database to another AWS accounts. So I made a snapshot of the DB from one to another. I'm wondering if the original account is deleted in the future, does my snapshot also get impacted? Thanks for the clarification
I agree with #erik258. I am sharing this article that says you can't transfer resources between accounts. However, you can migrate Amazon RDS resources to another account.
To migrate Amazon RDS resources to another account, follow these instructions:
Create a DB snapshot.
Share the snapshot with the target account.
Create a new DB instance in the target account by restoring the DB snapshot.

AWS Secrets Manager Pricing

I want to use an AWS RDS Proxy with RDS Postgres for which I have to create at least one secret using AWS Secrets manager. I understand that one secret would cost $0.40 per month. However, I was not able to understand about the pricing for the API calls made. How many API calls would be made for this minimal set up per month ? Is it according to each connections made ? And does it depend upon the RDS Plan - for me it is db.t3.micro

AWS EC2 AMI and RDS snapshot copy

I want to copy (not share) an EC2 AMI and an RDS snapshot from one account to another account.
I also want to automate this process.
Help will be appreciated.
The process would need to be:
Share the snapshot with the other AWS Account
From the other account, trigger a copy operation on the AMI / RDS Snapshot
The 'share' step is required to grant access to the other AWS Account.
You could automate this with code, but the code would need the ability to access both AWS Accounts since the 'share' step needs to be done in the source account and the 'copy' step needs to be done in the target account. This could be done by creating an IAM Role in the target account that can be assumed by your code.
You could potentially go one step further and have the code run in an AWS Lambda function that is automatically triggered by EventBridge whenever a new snapshot is generated. This can be done by triggering off an "RDS DB Snapshot Event", but I can't see an event that would trigger after an AMI is created.
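The event-driven variant described in this answer (a Lambda in the source account triggered by an "RDS DB Snapshot Event", sharing the snapshot and then copying it with a role assumed in the target account) can be sketched as follows. This is an added example, not code from the question or answer: the event is a constructed sample following the documented aws.rds event shape, target_role_arn is a hypothetical role in the target account that trusts the Lambda's role and is allowed rds:CopyDBSnapshot, and rds_factory is an injected callable that turns the temporary credentials into an RDS client (with boto3: boto3.client("rds", region_name=region, aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"])). Clients are injected so the block runs offline against the FakeClient stand-in.

```python
"""EventBridge-triggered share-then-copy of an RDS snapshot across accounts.

Added example (not code from the question or answers). Runs in the source
account; the target-account role, the sample event and the fake clients are
constructed for illustration.
"""
import re

SNAPSHOT_ARN_RE = re.compile(r"^arn:aws:rds:([a-z0-9-]+):(\d{12}):snapshot:(.+)$")


def snapshot_from_event(event):
    """Return (region, owner_account, snapshot_id) for an RDS snapshot creation
    event, or None for anything else (other sources, deletions, restores)."""
    if event.get("source") != "aws.rds" or event.get("detail-type") != "RDS DB Snapshot Event":
        return None
    detail = event.get("detail", {})
    if "creation" not in detail.get("EventCategories", []):
        return None
    m = SNAPSHOT_ARN_RE.match(detail.get("SourceArn", ""))
    return m.groups() if m else None


def handler(event, source_rds, sts, target_role_arn, target_account, rds_factory):
    parsed = snapshot_from_event(event)
    if parsed is None:
        return {"action": "ignored", "reason": "not a snapshot creation event"}
    region, owner, snapshot_id = parsed
    if snapshot_id.startswith("rds:"):
        # Automated snapshots cannot be shared; a manual copy has to be made first.
        return {"action": "ignored", "reason": "automated snapshot"}
    # 1. Share in the source account, with the Lambda's own credentials.
    source_rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id, AttributeName="restore", ValuesToAdd=[target_account])
    # 2. Assume the target-account role: shortest session, named so CloudTrail
    #    in the target account shows which snapshot the session was for.
    creds = sts.assume_role(RoleArn=target_role_arn,
                            RoleSessionName=f"snapshot-copy-{snapshot_id}"[:64],
                            DurationSeconds=900)["Credentials"]
    # 3. Copy in the target account so it owns the data independently of the grant.
    target_id = f"from-{owner}-{snapshot_id}"
    rds_factory(creds, region).copy_db_snapshot(
        SourceDBSnapshotIdentifier=event["detail"]["SourceArn"],
        TargetDBSnapshotIdentifier=target_id)
    return {"action": "copied", "source": snapshot_id, "target": target_id, "region": region}


SAMPLE_EVENT = {  # constructed, following the documented aws.rds event shape
    "version": "0", "source": "aws.rds", "detail-type": "RDS DB Snapshot Event",
    "account": "111111111111", "region": "us-east-1",
    "resources": ["arn:aws:rds:us-east-1:111111111111:snapshot:oracle-nightly"],
    "detail": {
        "EventCategories": ["creation"], "SourceType": "SNAPSHOT",
        "SourceArn": "arn:aws:rds:us-east-1:111111111111:snapshot:oracle-nightly",
        "SourceIdentifier": "oracle-nightly", "Message": "Manual snapshot created",
    },
}


class FakeClient:
    """Constructed stand-in for boto3 RDS/STS clients: records every call."""

    def __init__(self, name):
        self.name, self.calls = name, []

    def __getattr__(self, op):
        def call(**kw):
            self.calls.append((op, kw))
            if op == "assume_role":
                return {"Credentials": {"AccessKeyId": "ASIA-EXAMPLE",
                                        "SecretAccessKey": "x", "SessionToken": "y"}}
            return {}
        return call


if __name__ == "__main__":
    source_rds, sts, target_rds = FakeClient("rds-A"), FakeClient("sts-A"), FakeClient("rds-B")
    print(handler(SAMPLE_EVENT, source_rds, sts,
                  "arn:aws:iam::222222222222:role/SnapshotCopier",  # hypothetical role
                  "222222222222", lambda creds, region: target_rds))
    print(target_rds.calls)
```

The EventBridge rule that invokes this handler matches on source "aws.rds" and detail-type "RDS DB Snapshot Event"; the handler then filters on the "creation" category itself, so deletion and restore events for the same snapshot are ignored rather than re-shared. As the answer notes, there is no equivalent AMI-creation event to hook the same way.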

List of services used in AWS

Please, how can I get the list of all services I am using?
I have gone to Service Quotas at
https://ap-east-1.console.aws.amazon.com/servicequotas/home?region=ap-east-1
on the dashboard. I could see a list of items, e.g. EC2, VPC, RDS, Dynamo etc., but I did not understand what is there.
As I did not request some of the services I am seeing, I even went into budget at
https://console.aws.amazon.com/billing/home?region=ap-east-1#/budgets
and also credits. Maybe I can get the services I have been given credits to use
https://console.aws.amazon.com/billing/home?region=ap-east-1#/budgets?
Also, how can I stop any service which I do not want?
The Billing service is not giving me tangible information also. I do not want the bill to pile up before I start taking needed steps.
Is there a location where I can see all services I am using or maybe there is a code I can enter somewhere which would produce such result?
You can use the AWS Config Resource Inventory feature.
AWS Config will discover resources that exist in your account, record their current configuration, and capture any changes to these configurations. Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
https://aws.amazon.com/config/
There is not an easy answer on this one, as there is not an AWS service that you can use to do this out of the box (yet).
There are some AWS services that you can use to get you close, like:
AWS Config (as suggested by #kepils)
Another option is to use Resource Groups and Tagging to list all resources within a region within an account (as described in this answer).
In both cases however, the issue is that both Config and Resource Groups come with the same limitation - they can't see all AWS services on their own.
Another option would be to use a third party tool to do this, if your end goal is to find what you currently have running in your account, like aws-inventory or cloudmapper.
On the second part of your question on how to stop any services which you don't want you can do the following:
Don't grant excessive permissions to your users. If someone needs to work on EC2 instances, then their IAM role and respective policy should allow only that instead of for example full access.
You can limit the scope and services permitted for use within an account by creating Service Control Policies which allow only the specific resources you plan to use.
Set up AWS Budget Notifications and potentially AWS Budget Actions.
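The Resource Groups Tagging API route mentioned in this answer can be scripted in a few lines: page through GetResources and group the returned ARNs by their service component. The following is an added example, not code from the answers; the tagging client is injected so the block runs offline against a constructed FakeTagging stand-in with made-up ARNs, and real use passes boto3.client("resourcegroupstaggingapi") for each region you want to inventory. The limitation the answer points out applies: GetResources only returns resources that are or were tagged and that belong to services the API supports, so treat the counts as a lower bound.

```python
"""Per-service inventory from the Resource Groups Tagging API.

Added example (not from the answers). Client is injected: FakeTagging below
for an offline run, boto3.client("resourcegroupstaggingapi") for real use.
"""
from collections import Counter


def service_of(arn):
    """Service component of arn:partition:service:region:account:resource.
    S3 ARNs have empty region and account fields, so split on at most 5 colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2]


def list_resource_arns(tagging):
    """Walk every page of GetResources for one region and collect the ARNs."""
    arns = []
    paginator = tagging.get_paginator("get_resources")
    for page in paginator.paginate():
        arns.extend(item["ResourceARN"] for item in page["ResourceTagMappingList"])
    return arns


def resources_by_service(arns):
    """Count resources per service, most common first, e.g. {'ec2': 2, 'rds': 1}."""
    return dict(Counter(service_of(a) for a in arns).most_common())


class FakePaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **kw):
        return iter(self._pages)


class FakeTagging:
    """Constructed stand-in serving two pages of made-up ARNs in ap-east-1."""
    PAGES = [
        {"ResourceTagMappingList": [
            {"ResourceARN": "arn:aws:ec2:ap-east-1:111111111111:instance/i-0aaa", "Tags": []},
            {"ResourceARN": "arn:aws:rds:ap-east-1:111111111111:db:oracle-prod", "Tags": []},
        ]},
        {"ResourceTagMappingList": [
            {"ResourceARN": "arn:aws:ec2:ap-east-1:111111111111:volume/vol-0bbb", "Tags": []},
            {"ResourceARN": "arn:aws:dynamodb:ap-east-1:111111111111:table/orders", "Tags": []},
            {"ResourceARN": "arn:aws:s3:::example-bucket", "Tags": []},
        ]},
    ]

    def get_paginator(self, name):
        if name != "get_resources":
            raise ValueError(name)
        return FakePaginator(self.PAGES)


if __name__ == "__main__":
    # Swap FakeTagging() for boto3.client("resourcegroupstaggingapi", region_name=...).
    for service, count in resources_by_service(list_resource_arns(FakeTagging())).items():
        print(f"{service:12} {count}")
```

Pairing this with a Budget alert covers the two halves of the question: the inventory shows what exists, the budget shows when it starts costing money.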

Migrate data from AWS DocumentDB account to another Document DB account?

I have two different accounts in AWS and I need to move/copy the data from one DocumentDB in one account to the other account.
Does any of you know how to do this task? I am thinking about doing it programmatically but I am not sure if this is a good idea.
Thank you in advance for your help.
DocumentDB allows you to share a cluster snapshot with a different AWS account in the same region. You can find more information on it here:
https://docs.aws.amazon.com/documentdb/latest/developerguide/backup-restore.db-cluster-snapshot-share.html