From AWS Management Console, I have created AWS services like S3 bucket and Cloudwatch event. I have set triggers of it to AWS Lambda function from browser window itself.
Before 14-Jul-21, eventually, triggers are ineffective.
Please review below output screenshot of cloudwatch event. Invocation is failing. I believe root cause being implicit permission only.
AWS documentation screenshots about permissions are as below.
Please suggest next plan of action to approach a resolution.
Sincerely,
prakash
Related
I'm trying to trigger AWS Step Function whenever a new file is uploaded on S3 bucket. I'm using Cloudwatch rules to do this but I'm getting this warning
I tried to follow AWS documentation link "https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-cloudwatch-events-s3.html#tutorial-cloudwatch-events-s3-step-1" but state machine did not invoked.
Can anyone tell me what exactly I'm doing wrong?
EDIT
I created this trail and region is Ohio
I found the issue, we need to enable data events as well to get API calls for S3. It was not mentioned in above AWS Document.
I am trying to setup a Lambda function that scans for a lifecycle policy on every new S3 bucket that is created. If the function finds there is no lifecycle policy set, it will add a default policy I have defined in the function. The aim is to use the CloudWatch S3 createbucket event as the trigger.
I am able to run tests successfully, but when I create new S3 buckets, it is not placing a default lifecycle policy on the bucket as annotated in the function. I have added full admin-access to the Lambda function IAM Role hoping to mitigate any permission issues (as a test). But when I create new S3 buckets, the CloudWatch event is failing to trigger the function.
It seems like I am missing something small, any suggestions? Thank you!
The problem was that the CloudTrail API was not configured for logging. I had to use my root account to create a trail for S3. Once CloudTrail was configured, CloudWatch was able to send the logged S3 events to Lambda as a trigger.
I have a usecase where I want to put data into an S3 bucket, for it to read later, by another account. I only want the other account to be able to read the file in S3, and once they have read it, I will then delete the file myself.
I have been reading the S3 documentation, and cannot see they cover this usecase: of sending a notification when a file in an S3 bucket is read ?
Can anyone help, or suggest an alternative workflow ? I have been looking at AWS SNS and was wondering if that would be a better solution ?
You could use CloudTrail and CloudWatch Events to enable this workflow.
By default S3 API calls are not logged so you'd want to enable that following the instructions here.
Then enable a CloudWatch event rule for the Simple Storage Service where the "GetObject" operation occurs.
Have this event invoke a Lambda function that will remove the object.
More information available here.
I am trying to figure out a way to trigger a Lambda on the creation or update or a Role in AWS.
The use case is that when a Role is created, we need to update our Identity Server with the new or changed Role.
I'm looking at cloud trail, and having mixed results. I could schedule a lambda to run, but I'd prefer to make it more real time.
Any ideas?
Sounds like going CloudTrail's way is exactly what AWS suggested.
What issue you got into?
AWS CloudTrail saves logs to an S3 bucket (object-created event).
Amazon S3 detects the object-created event.
Amazon S3 publishes the s3:ObjectCreated:* event to AWS Lambda by
invoking the Lambda function, as specified in the bucket notification
configuration. Because the Lambda function's access permissions policy
includes permissions for Amazon S3 to invoke the function, Amazon S3
can invoke the function.
AWS Lambda executes the Lambda function by assuming the execution role
that you specified at the time you created the Lambda function.
The Lambda function reads the Amazon S3 event it receives as a
parameter, determines where the CloudTrail object is, reads the
CloudTrail object, and then it processes the log records in the
CloudTrail object.
You can Ensure a log metric filter and alarm exist for IAM policy changes and similar.
Alarm can put message to SNS for example.
Lambda can be triggered by that SNS message.
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Is it possible to use cloud trail to recieve custom logs like application logs, access logs, security logs?
And cloud trail keeps the logs for how long?
You might be thinking of CloudWatch Logs, which does capture, provide search, and groom custom logs from EC2 instances. The retention grooming rules are configurable.
No. CloudTrail is for AWS APIs activity only. It logs the activity for the last 7 days of API activity for supported services. The list only includes API activity for create, modify, and delete API calls. You can optionally save the logs in S3 buckets for historic API activity.
You could configure VPC flow logs, CloudTrail logs and AWS Config logs with CloudWatch. You can setup a S3 bucket with lifecycle policies enabled to retain logs forever. Refer this.