How can I enable AWS VPC Flow logs by default? - amazon-web-services

In the AWS account, if a new VPC is created, I need the VPC flow logs to get enabled (created) automatically. Is there a way to do it?

You can use EventBridge to automate the response to events. Currently, VPC is not integrated with EventBridge, so you could:
Monitor CloudTrail events, particularly the CreateVPC action as described in the AWS docs.
Add an AWS Lambda function (AWS docs reference) that triggers based on the event.
Modify your function to create the flow log using the SDK (Python example in the AWS docs).
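The three steps above, worked through as an added example (this is not code from the original answer or from AWS): an EventBridge rule with the pattern EVENT_PATTERN matches the CloudTrail CreateVpc record and invokes the handler, which calls CreateFlowLogs for the new VPC. The log group name, the IAM role ARN and the sample event are placeholders constructed for this example; the EC2 client is injectable so the logic can be exercised without AWS access. Note that CloudTrail records the API name as "CreateVpc", and the rule has to use that exact casing.

```python
"""Auto-create VPC Flow Logs for every new VPC (added example, placeholders throughout)."""
import os

# EventBridge rule pattern. CloudTrail records the API name as "CreateVpc"
# (that exact casing); an exact match on "CreateVPC" would never fire.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["CreateVpc"]},
}

# Placeholder values; in a deployment these come from the function's environment.
DEFAULT_LOG_GROUP = "/aws/vpc/flowlogs"
DEFAULT_ROLE_ARN = "arn:aws:iam::123456789012:role/vpc-flow-logs-placeholder"


def vpc_id_from_event(event):
    """Return the new VPC's ID from a CreateVpc event, or None if not applicable.

    CloudTrail also records failed calls (they carry an errorCode and no
    responseElements), so those are skipped instead of raising.
    """
    detail = event.get("detail") or {}
    if detail.get("eventName") != "CreateVpc" or "errorCode" in detail:
        return None
    return ((detail.get("responseElements") or {}).get("vpc") or {}).get("vpcId")


def flow_log_request(vpc_id, log_group, role_arn):
    """Parameters for EC2 CreateFlowLogs: all traffic for one VPC to CloudWatch Logs."""
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": "ALL",
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
    }


class RecordingEc2:
    """Stand-in for a boto3 EC2 client that records calls; used for dry runs and tests."""

    def __init__(self):
        self.calls = []

    def create_flow_logs(self, **params):
        self.calls.append(params)
        return {"FlowLogIds": ["fl-0example"], "Unsuccessful": []}


def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is injectable so the logic runs without AWS access."""
    vpc_id = vpc_id_from_event(event)
    if vpc_id is None:
        return {"status": "ignored"}
    if ec2 is None:
        import boto3  # imported lazily so the module loads where boto3 is absent
        ec2 = boto3.client("ec2")
    params = flow_log_request(
        vpc_id,
        os.environ.get("FLOW_LOG_GROUP", DEFAULT_LOG_GROUP),
        os.environ.get("FLOW_LOG_ROLE_ARN", DEFAULT_ROLE_ARN),
    )
    resp = ec2.create_flow_logs(**params)
    # CreateFlowLogs reports per-resource failures in Unsuccessful rather than raising.
    if resp.get("Unsuccessful"):
        return {"status": "failed", "vpc": vpc_id, "errors": resp["Unsuccessful"]}
    return {"status": "created", "vpc": vpc_id, "flow_logs": resp.get("FlowLogIds", [])}


# Constructed sample of the event EventBridge delivers for a CreateVpc call.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVpc",
        "requestParameters": {"cidrBlock": "10.42.0.0/16"},
        "responseElements": {"vpc": {"vpcId": "vpc-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=RecordingEc2()))
```

The function's execution role needs ec2:CreateFlowLogs plus iam:PassRole on the delivery role; the Unsuccessful check matters because CreateFlowLogs does not raise when the delivery role or log group is wrong.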

Related

How to capture AWS Lambda's own CRUD events?

Is there any way to capture AWS Lambda's own CRUD events like lambda create, lambda update, lambda delete?
I am trying to create an alert system to a Slack channel on every lambda update.
CloudTrail:
Lambda is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Lambda. CloudTrail captures API calls for Lambda as events. The calls captured include calls from the Lambda console and code calls to the Lambda API operations.
Additionally, many services (but not Lambda) send change events directly to EventBridge. EventBridge is notified when an RDS Instance is deleted, for instance. For finer-grained monitoring, consider the AWS Config service.
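Putting the CloudTrail route into practice, as an added example that is not part of the original answer: an EventBridge rule on the CloudTrail records for lambda.amazonaws.com invokes this handler, which classifies the call as create, update or delete and posts a message to a Slack incoming webhook. The webhook URL, function names and the sample event are placeholders constructed here. One caveat the code handles: CloudTrail records Lambda API names with an API-version suffix (for example UpdateFunctionCode20150331v2), so both the rule pattern and the classifier match on prefixes rather than exact names, and failed calls (errorCode present) are ignored.

```python
"""Classify Lambda create/update/delete calls from CloudTrail and post to Slack (added example)."""
import json
import os
import urllib.request

# Prefix -> action. CloudTrail appends an API-version suffix to these names.
ACTIONS = {
    "CreateFunction": "create",
    "UpdateFunctionCode": "update",
    "UpdateFunctionConfiguration": "update",
    "DeleteFunction": "delete",
}

# EventBridge rule pattern; prefix matching absorbs the version suffix.
EVENT_PATTERN = {
    "source": ["aws.lambda"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["lambda.amazonaws.com"],
        "eventName": [{"prefix": p} for p in ACTIONS],
    },
}


def classify(detail):
    """Return (action, function_name) for a mutating Lambda call, else (None, None).

    Read-only calls (GetFunction, ListFunctions) and failed calls (errorCode set)
    are ignored so the Slack channel only sees real changes.
    """
    if "errorCode" in detail:
        return None, None
    name = detail.get("eventName", "")
    for prefix, action in ACTIONS.items():
        if name.startswith(prefix):
            fn = (detail.get("requestParameters") or {}).get("functionName")
            return action, fn
    return None, None


def slack_payload(detail):
    """Build the Slack incoming-webhook body, or None when nothing should be sent."""
    action, fn = classify(detail)
    if action is None:
        return None
    who = (detail.get("userIdentity") or {}).get("arn", "unknown principal")
    return {
        "text": f"Lambda {action}: `{fn}` by {who} at {detail.get('eventTime')} "
                f"({detail.get('eventName')} from {detail.get('sourceIPAddress')})"
    }


def post_to_slack(payload, url):
    """Send the payload to a Slack incoming webhook (real network call)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event, context=None, post=post_to_slack):
    """Lambda entry point; `post` is injectable so it can run without network access."""
    payload = slack_payload(event.get("detail") or {})
    if payload is None:
        return {"status": "ignored"}
    # Placeholder URL; set SLACK_WEBHOOK_URL in the function's environment.
    url = os.environ.get("SLACK_WEBHOOK_URL", "https://hooks.slack.com/services/PLACEHOLDER")
    post(payload, url)
    return {"status": "sent", "text": payload["text"]}


# Constructed sample event for an UpdateFunctionCode call.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.lambda",
    "detail": {
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "eventTime": "2024-05-01T10:15:00Z",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deployer"},
        "requestParameters": {"functionName": "order-api"},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, post=lambda payload, url: print("would POST", payload, "to", url)))
```

Because the alerting function is itself a Lambda function, its own deployments will produce alerts; filter on requestParameters.functionName if that is unwanted.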

Creating AWS Lambda Triggers Programmatically

I have an AWS Lambda function that takes in and processes logs from CloudWatch Logs that are sent to specific log groups. The thing is, I may need to add more triggers as more log groups are created. The only way I have found to create a trigger for a specific log group is to use the AWS Lambda console and the AWS CloudFront console. Is it possible to create a trigger for an AWS Lambda function programmatically? For instance, in some Java code?
Yes, one of the common ways of triggering serverless functions is using endpoints. I believe you can expose an API endpoint from the function's console using an API Gateway, and call this endpoint URL from your Java code or whatever programmatic entity you wish.
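What the console does when you add a CloudWatch Logs trigger, reproduced from code as an added example (not code from the original answer): it grants logs.amazonaws.com permission to invoke the function and then creates a subscription filter on the log group pointing at the function. The example uses the boto3 CloudWatch Logs and Lambda client method names (add_permission, put_subscription_filter); the clients are passed in so the calls can be recorded offline, and the region, account ID, function and log-group names are placeholders. The same two API calls exist in the Java SDK.

```python
"""Create a CloudWatch Logs -> Lambda trigger programmatically (added example, placeholders)."""
import re


def log_group_arn(region, account_id, log_group):
    """SourceArn for the Lambda permission; the trailing ':*' is required."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"


def statement_id(log_group):
    """Lambda StatementId allows only [A-Za-z0-9_-]; derive a stable one from the log group."""
    return "logs-" + re.sub(r"[^A-Za-z0-9_-]", "-", log_group).strip("-")


def add_log_group_trigger(log_group, function_arn, region, account_id,
                          logs_client, lambda_client, filter_pattern=""):
    """Grant CloudWatch Logs permission to invoke the function, then subscribe the log group.

    The permission step is idempotent here: an existing statement with the same
    ID (ResourceConflictException) is left in place and the subscription proceeds.
    """
    try:
        lambda_client.add_permission(
            FunctionName=function_arn,
            StatementId=statement_id(log_group),
            Action="lambda:InvokeFunction",
            Principal="logs.amazonaws.com",
            SourceArn=log_group_arn(region, account_id, log_group),
        )
    except Exception as exc:  # boto3 exception classes are generated per client
        if type(exc).__name__ != "ResourceConflictException":
            raise
    # filterPattern "" forwards every event; a pattern such as '{ $.level = "ERROR" }' narrows it.
    logs_client.put_subscription_filter(
        logGroupName=log_group,
        filterName=f"to-{function_arn.rsplit(':', 1)[-1]}",
        filterPattern=filter_pattern,
        destinationArn=function_arn,
    )
    return statement_id(log_group)


class RecordingClient:
    """Records method calls instead of talking to AWS; stands in for either boto3 client."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record


if __name__ == "__main__":
    logs, lam = RecordingClient(), RecordingClient()
    add_log_group_trigger("/aws/app/api",
                          "arn:aws:lambda:us-east-1:123456789012:function:log-processor",
                          "us-east-1", "123456789012", logs, lam)
    for call in lam.calls + logs.calls:
        print(call)
```

With real clients (boto3.client("logs") and boto3.client("lambda")) the caller needs lambda:AddPermission and logs:PutSubscriptionFilter; a log group can have a limited number of subscription filters, so PutSubscriptionFilter fails once that limit is reached.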

How to Monitor/listen aws Services?

Suppose multiple AWS services are running (like EC2, S3) and if someone changes the configuration of these services, I want to know immediately and want to pull the updated configuration. So how can I listen to these services to pull the configuration immediately? I went through a couple of options like AWS SNS and all. But I don't want to implement this using any AWS services for this.
I am using a Spring Boot application. Any help is appreciated, thanks in advance.
The two services you should be interested in are:
AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
AWS Config:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
You can also configure Amazon CloudWatch Events rules that trigger when a particular API call is made (eg when a user changes some configuration). This could trigger a notification, a Lambda function, etc.
See:
Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail - Amazon CloudWatch Events
How to monitor AWS account activity with Cloudtrail, Cloudwatch Events and Serverless

Log AWS API Gateway Deployments

I need a way to log API gateway deployments (date/time, user, swagger diff etc.). Is there an event thats fired that i can attach a lambda to, or alternatively is this information already available on the dashboard somewhere?
As Krishna mentioned, CloudTrail can capture API events (both from the AWS console as well as the AWS APIs) for API Gateway, including the deployment of APIs. Since CloudTrail stores the events in S3, you can take advantage of S3 bucket notifications as a means to trigger your Lambda function.
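The S3-notification route described above, worked through as an added example (not code from the original answer): a bucket notification on the CloudTrail bucket invokes the handler for each delivered log file, which gunzips the file, reads its Records array and keeps the API Gateway CreateDeployment calls. The bucket and key names and the sample log file are constructed placeholders; the S3 client is injectable so the parser runs offline. CloudTrail gives you who deployed, when, from where and to which API/stage, but not the Swagger document, so a diff still needs the API definition fetched separately.

```python
"""Extract API Gateway deployments from CloudTrail log files delivered to S3 (added example)."""
import gzip
import io
import json
import urllib.parse


def deployments_from_log_bytes(gz_bytes):
    """Parse one gzipped CloudTrail log file and return its successful API Gateway deployments."""
    records = json.loads(gzip.decompress(gz_bytes)).get("Records", [])
    found = []
    for rec in records:
        if rec.get("eventSource") != "apigateway.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateDeployment" or "errorCode" in rec:
            continue  # other API Gateway calls, and deployments that failed
        params = rec.get("requestParameters") or {}
        found.append({
            "time": rec.get("eventTime"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "rest_api_id": params.get("restApiId"),
            "stage": params.get("stageName"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return found


def keys_from_s3_event(event):
    """Yield (bucket, key) for each object in an S3 notification; keys arrive URL-encoded."""
    for rec in event.get("Records", []):
        s3 = rec.get("s3") or {}
        yield s3["bucket"]["name"], urllib.parse.unquote_plus(s3["object"]["key"])


def handler(event, context=None, s3=None):
    """Lambda entry point; `s3` is injectable so the parser can run offline."""
    if s3 is None:
        import boto3  # imported lazily so the module loads where boto3 is absent
        s3 = boto3.client("s3")
    deployments = []
    for bucket, key in keys_from_s3_event(event):
        if "/CloudTrail-Digest/" in key:
            continue  # digest files are also .json.gz but hold no Records
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        deployments.extend(deployments_from_log_bytes(body))
    for d in deployments:
        print(json.dumps(d))  # lands in CloudWatch Logs; forward to SNS/Slack as needed
    return deployments


# Constructed sample: one CloudTrail log file with a deployment and an unrelated call.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T09:30:00Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "CreateDeployment",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/release"},
        "requestParameters": {"restApiId": "a1b2c3d4e5", "stageName": "prod"},
    },
    {
        "eventTime": "2024-05-01T09:31:00Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "GetRestApis",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/release"},
    },
]}).encode())


class FakeS3:
    """Serves SAMPLE_LOG for any key; stands in for a boto3 S3 client."""

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(SAMPLE_LOG)}


# Constructed S3 notification for a CloudTrail log file (placeholder bucket and key).
SAMPLE_S3_EVENT = {"Records": [{"s3": {
    "bucket": {"name": "my-cloudtrail-bucket"},
    "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
                      "123456789012_CloudTrail_us-east-1_20240501T0935Z_abc.json.gz"},
}}]}

if __name__ == "__main__":
    print(handler(SAMPLE_S3_EVENT, s3=FakeS3()))
```

CloudTrail delivers files a few minutes after the call, so this is near-real-time rather than immediate; an EventBridge rule on the same CloudTrail record is faster if that matters.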

AWS EC2 get notified when a tag changes

I want to call a Lambda function when my EC2 tag "Something" changes. Is it possible? If I cannot listen to changes to a specific tag, I could listen on EC2 config changes. How can I do that? I am not sure which option to select on CloudWatch Events...
UPDATE
I tried AWS Config, but it appears that it only monitors config changes when instance is started?
Yes, you can use Amazon CloudWatch Events with AWS CloudTrail to call a Lambda function, triggered off a CreateTags event. (Changing a tag is actually treated as creating a tag.)
Turn on AWS CloudTrail for your region (this involves pointing it to an Amazon S3 bucket for log storage)
Create an Amazon SNS topic
Create an AWS Lambda function with a trigger on the SNS topic
Create an Amazon CloudWatch Events rule:
Service Name: EC2
Event Type: AWS API Call via CloudTrail
Specific Operations: CreateTags
Add Target: Select your Lambda function
Your Lambda function will receive a notification when a tag is created/changed.
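The rule and function from the steps above, as an added example that is not part of the original answer, narrowed to the one tag the question asks about: the rule pattern matches CreateTags and DeleteTags calls whose tagSet contains the watched key (this relies on EventBridge matching a pattern against any element of an array, which the handler re-checks regardless), and the handler returns one entry per affected resource. The watched key, instance IDs and sample event are constructed placeholders. A tag edit is recorded as CreateTags with the new value, and the record does not carry the old value, so detecting an actual value change means comparing against whatever you last stored.

```python
"""Detect changes to one EC2 tag from CloudTrail CreateTags/DeleteTags events (added example)."""

WATCHED_KEY = "Something"  # placeholder tag key from the question

# EventBridge rule pattern (Service: EC2, Event Type: AWS API Call via CloudTrail).
# The nested requestParameters filter keeps the rule from firing for other tags.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateTags", "DeleteTags"],
        "requestParameters": {"tagSet": {"items": {"key": [WATCHED_KEY]}}},
    },
}


def tag_changes(detail, watched_key=WATCHED_KEY):
    """Return [(resource_id, action, value)] for every watched-key change in one event.

    Failed calls (errorCode present) are skipped. CreateTags on an existing key
    replaces its value, so "set" covers both creation and modification; DeleteTags
    items may carry no value, so "removed" entries have value None.
    """
    if "errorCode" in detail or detail.get("eventSource") != "ec2.amazonaws.com":
        return []
    action = {"CreateTags": "set", "DeleteTags": "removed"}.get(detail.get("eventName"))
    if action is None:
        return []
    params = detail.get("requestParameters") or {}
    resources = [r["resourceId"] for r in (params.get("resourcesSet") or {}).get("items", [])]
    tags = (params.get("tagSet") or {}).get("items", [])
    changes = []
    for tag in tags:
        if tag.get("key") != watched_key:
            continue
        for rid in resources:
            changes.append((rid, action, tag.get("value")))
    return changes


def handler(event, context=None):
    """Lambda entry point: log each change; replace the print with your own action."""
    changes = tag_changes(event.get("detail") or {})
    for rid, action, value in changes:
        print(f"{rid}: tag {WATCHED_KEY} {action} -> {value!r}")
    return {"changes": changes}


# Constructed sample: CreateTags applied to two instances, touching two keys.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateTags",
        "eventTime": "2024-05-01T12:00:00Z",
        "requestParameters": {
            "resourcesSet": {"items": [{"resourceId": "i-0aaa111bbb222ccc3"},
                                       {"resourceId": "i-0ddd444eee555fff6"}]},
            "tagSet": {"items": [{"key": "Something", "value": "blue"},
                                 {"key": "Owner", "value": "team-a"}]},
        },
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

CreateTags and DeleteTags apply to any EC2 resource (volumes, security groups, AMIs), not only instances, so filter on the resource ID prefix if you only care about instances.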