I'm attempting to set up a CloudWatch Event Rule to notify on any AWS IAM actions like DeleteUser or CreateUser. But when I tried to create an event pattern I couldn't find IAM in the service name list, even though when I searched the AWS documentation I couldn't find any mention of IAM not being supported by CloudWatch event rules. So I tried to create a custom event, but I didn't receive any email from SNS (my target), and yes, I made sure CloudWatch has permission to invoke SNS, as we already have other working events. Any idea why this is not working?
{
  "source": [
    "aws.iam"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "iam.amazonaws.com"
    ],
    "eventName": [
      "CreateUser",
      "DeleteUser"
    ]
  }
}
I figured it out: IAM emits CloudTrail events only in us-east-1 and I'm using a different region. It worked when I created the CloudWatch event in N. Virginia.
The source parameter needs to be "aws.cloudtrail" not "aws.iam".
IAM policy is a global service. It can only report in US-East-1 (N. Virginia).
I have the same exact config and the region is the same as well, but creating a new user still doesn't trigger the event, even though there is an event in CloudTrail as well as in the monitoring of the event rule created. I see that they say in the document that CloudTrail has to be enabled, but when I create a rule for security group modification, which is an EC2 event, it works fine, just not with the IAM one. Is there any permission that I am missing for AWS events to send logs to CloudTrail? If so, how did you resolve it?
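To see what the pattern from the question actually selects, here is an added Python example (not code from the thread or from AWS) that evaluates the exact-match subset of CloudWatch Events / EventBridge patterns against constructed CloudTrail-style events: a list at a leaf is an OR over alternatives, a nested object recurses, and a key missing from the event never matches. The events, account id and helper names (`matches`, `sample_event`, `matched_names`) are assumptions for the demo. Which `source` string the delivered IAM event carries is the open point in the thread; the evaluator only shows that a mismatch on any one key is enough to drop the event silently, which is why a CloudWatch Logs target on the rule is the quickest way to inspect the real envelope.

```python
# Added example: a minimal evaluator for the exact-match subset of CloudWatch Events /
# EventBridge patterns, run against constructed CloudTrail-style events. Not AWS code.

IAM_USER_PATTERN = {  # the pattern from the question, as a Python dict
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "DeleteUser"],
    },
}


def matches(pattern, event):
    """True if every pattern key exists in the event and each leaf value is one of
    the listed alternatives (a list means OR); nested dicts are matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sample_event(event_name, source="aws.iam", event_source="iam.amazonaws.com"):
    """Constructed event in the envelope shape CloudTrail-delivered events use
    (account id and event id are placeholders, not real values)."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "requestParameters": {"userName": "example-user"},
        },
    }


def matched_names(events, pattern=IAM_USER_PATTERN):
    """Event names of the events the pattern would have delivered to the target."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    stream = [sample_event("CreateUser"), sample_event("DeleteRole"),
              sample_event("DeleteUser", source="aws.cloudtrail")]
    print(matched_names(stream))  # only CreateUser passes: DeleteRole fails on
                                  # eventName, the last one fails on source
```

Running the script prints `['CreateUser']`; the two rejected events fail on different keys, which is the behaviour to keep in mind when a rule "sees" events in its monitoring metrics but the target never fires.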
I am not able to delete these subscriptions attached to the CloudWatch Logs groups.
These subscriptions were created by a CloudFormation stack via the Serverless Framework. However, when I finished testing and deployed to the template, there was a permission error during the cleanup. Hence, these subscriptions became dangling and I am not able to locate them.
Tried with the CLI, and there seems to be no relevant info regarding that.
$ aws logs describe-log-groups --log-group-name-prefix yyy
{
  "logGroups": [
    {
      "logGroupName": "yyy",
      "creationTime": 1555604143719,
      "retentionInDays": 1,
      "metricFilterCount": 0,
      "arn": "arn:aws:logs:us-east-1:xxx:log-group:yyy:*",
      "storedBytes": 167385869
    }
  ]
}
Select the Log Group using the radio button on the left of the Log Group name. Then click Actions, Remove Subscription Filter.
Via CLI is listed in AWS document => This link
Via Console UI -> This capture
As you created the subscription with a CloudFormation stack via Serverless, manually removing the subscription filter as jarmod suggested is not best practice.
What you should do is remove the cloudwatchLog event from the Lambda functions and deploy; it should remove the subscriptions.
I'm trying to create an Amazon CloudWatch rule which triggers whenever an object is uploaded into a bucket. I know that to do this I need to trigger on the PutObject event; however, as best I can tell, that requires enabling object-level logging on the bucket. I will be using a multitude of buckets and want to be able to automate that process, and because of how most of the system is set up, using boto3 seems to make the most sense. So how can I turn object-level logging on using boto3?
The only AWS official resource I've been able to find so far is: How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events?
This explains how to enable object-level logging through the GUI.
I've also looked through the boto3 library documentation
Both have ultimately not been helpful based on my understanding.
My chief goal is to enable object-level logging through boto3, if that's something that can be done.
You can configure an Amazon S3 Event so that, when a new object is created, it can:
Trigger an AWS Lambda function
Put a message in an Amazon SQS queue
Send a message to an Amazon SNS topic
See: Configuring Amazon S3 Event Notifications
You can use the put_event_selectors() function of the CloudTrail service.
import boto3

# put_event_selectors is a CloudTrail API, so the client must be 'cloudtrail', not 's3'
client = boto3.client('cloudtrail')
client.put_event_selectors(
    TrailName='TrailName',  # name of an existing trail
    EventSelectors=[
        {
            'ReadWriteType': 'All',
            'IncludeManagementEvents': True,
            'DataResources': [
                {
                    'Type': 'AWS::S3::Object',
                    # trailing '/' selects every object in the bucket
                    'Values': [
                        'arn:aws:s3:::your_bucket_name/',
                    ]
                },
            ]
        },
    ])
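Because the question is about automating this across many buckets, here is an added Python example (not code from the answer above or from AWS) that reads a trail's current selectors, merges the new bucket ARNs into the existing AWS::S3::Object data resource instead of replacing it, and writes the result back; put_event_selectors overwrites the whole selector list, so a naive call for bucket B silently removes logging for bucket A. The `_StubCloudTrail` class is a constructed stand-in for the boto3 CloudTrail client so the script runs offline; with a real client it issues get_event_selectors and put_event_selectors. The helper names are assumptions. Keep the documented CloudTrail limits in mind (five event selectors and 250 data resources per trail); a fleet larger than that needs a wildcard resource or advanced event selectors.

```python
# Added example: merge S3 object-level (data event) logging for several buckets into an
# existing CloudTrail trail's event selectors. Not the project's or AWS's own code.
import copy

S3_OBJECT = "AWS::S3::Object"


def bucket_arn(bucket):
    """Trailing slash means 'all objects in this bucket'."""
    return f"arn:aws:s3:::{bucket}/"


def merge_s3_selectors(existing_selectors, buckets):
    """Return a new EventSelectors list that also covers `buckets` as S3 object data events.

    If the trail already has a selector with an AWS::S3::Object resource, the new ARNs
    are appended to it; otherwise a fresh selector is added. The input is not mutated.
    """
    selectors = copy.deepcopy(existing_selectors) or []
    wanted = [bucket_arn(b) for b in buckets]
    for selector in selectors:
        for resource in selector.get("DataResources", []):
            if resource.get("Type") == S3_OBJECT:
                for arn in wanted:
                    if arn not in resource["Values"]:
                        resource["Values"].append(arn)
                return selectors
    selectors.append({
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT, "Values": wanted}],
    })
    return selectors


def enable_object_level_logging(trail_name, buckets, client=None):
    """Read the trail's selectors, merge, write back, and return what was written.

    `client` is injectable for testing; by default a real CloudTrail client is created.
    """
    if client is None:
        import boto3  # imported lazily so the pure helpers run without boto3 installed
        client = boto3.client("cloudtrail")
    current = client.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    merged = merge_s3_selectors(current, buckets)
    client.put_event_selectors(TrailName=trail_name, EventSelectors=merged)
    return merged


class _StubCloudTrail:
    """Constructed in-memory stand-in for boto3's CloudTrail client (demo/test only)."""

    def __init__(self, selectors=None):
        self.selectors = selectors or []

    def get_event_selectors(self, TrailName):
        return {"TrailName": TrailName, "EventSelectors": self.selectors}

    def put_event_selectors(self, TrailName, EventSelectors):
        self.selectors = EventSelectors
        return {"TrailName": TrailName, "EventSelectors": EventSelectors}


if __name__ == "__main__":
    stub = _StubCloudTrail()
    enable_object_level_logging("my-trail", ["bucket-a"], client=stub)
    enable_object_level_logging("my-trail", ["bucket-b"], client=stub)  # bucket-a kept
    print(stub.selectors[0]["DataResources"][0]["Values"])
```

After the two calls the stub holds both bucket ARNs in one data resource, which is the state you want a real trail to end up in when buckets are onboarded one at a time.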
I'm creating a log aggregator Lambda to send CloudWatch logs to a private log analysis service. Given the number of resources used by my employer, it was decided to create a subscription Lambda that handles log group subscription to the aggregator.
The solution works fine, but it requires manually searching for a resource's log group via the Amazon console and then invoking the subscription Lambda with it.
My question:
Is there a way to, given a resource ARN, find which log group is mapped to it? Since I'm using CloudFormation to create resources, it is easy to export a resource's ARN.
UPDATE
To present an example:
Let's say I have the following ARN:
arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/z3pihpr4gfbzhflthkyjjh6yvu
which is an AppSync GraphQL API.
What I want is a method (using the API or some automated solution) to get the CloudWatch log group of that resource.
You can try the describe-log-groups command. It is available on the cli, must also be there on the API.
To get the names of the log groups you can go with:
aws logs describe-log-groups --query 'logGroups[*].logGroupName' --log-group-name-prefix '/aws/appsync/[name-of-the-resource]'
Output will look like this:
[
  "/aws/appsync/[name-of-your-resource]"
]
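The answer above relies on knowing the log group prefix; this added Python example (not code from the answer or from AWS) makes that step explicit: it parses the ARN, maps the service to its conventional log group prefix, and walks describe_log_groups with nextToken pagination so a prefix that matches many groups is fully listed. The prefix table is an assumption limited to Lambda (`/aws/lambda/<function>`) and AppSync (`/aws/appsync/apis/<api-id>`); add other services as you confirm their conventions. `_StubLogs` is a constructed stand-in for the boto3 Logs client so the script runs offline, and the function, group and ARN names are made up for the demo.

```python
# Added example: from a resource ARN to its CloudWatch Logs group(s). Not AWS code.
from collections import namedtuple

Arn = namedtuple("Arn", "partition service region account resource")


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource (resource may contain ':')."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def log_group_prefix(arn):
    """Conventional log group name for the resource (assumed table, extend as needed)."""
    a = parse_arn(arn)
    if a.service == "lambda":          # resource looks like function:<name>[:<alias>]
        return f"/aws/lambda/{a.resource.split(':')[1]}"
    if a.service == "appsync":         # resource looks like apis/<api-id>
        return f"/aws/appsync/apis/{a.resource.split('/', 1)[1]}"
    raise KeyError(f"no log group convention known for service {a.service!r}")


def find_log_groups(arn, client=None):
    """Return every log group name starting with the resource's prefix, all pages."""
    prefix = log_group_prefix(arn)
    if client is None:
        import boto3  # lazy import so parsing helpers work without boto3 installed
        client = boto3.client("logs")
    names, kwargs = [], {"logGroupNamePrefix": prefix}
    while True:
        page = client.describe_log_groups(**kwargs)
        names.extend(g["logGroupName"] for g in page.get("logGroups", []))
        token = page.get("nextToken")
        if not token:
            return names
        kwargs["nextToken"] = token


class _StubLogs:
    """Constructed paginating stand-in for boto3's Logs client (demo/test only)."""

    def __init__(self, groups, page_size=1):
        self.groups, self.page_size = groups, page_size

    def describe_log_groups(self, logGroupNamePrefix, nextToken=None):
        matching = [g for g in self.groups if g.startswith(logGroupNamePrefix)]
        start = int(nextToken) if nextToken else 0
        chunk = matching[start:start + self.page_size]
        out = {"logGroups": [{"logGroupName": g} for g in chunk]}
        if start + self.page_size < len(matching):
            out["nextToken"] = str(start + self.page_size)
        return out


if __name__ == "__main__":
    stub = _StubLogs(["/aws/appsync/apis/abc123", "/aws/lambda/subscriber"])
    print(find_log_groups("arn:aws:appsync:eu-west-1:123456789012:apis/abc123", client=stub))
```

With a real client the same call performs the paginated describe-log-groups the answer shows, and the returned names are exactly what the subscription Lambda needs as input.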
Since AWS has made CodeCommit, CodeDeploy, ... available in other regions as well, I have decided to move some of those services from eu-west-1 to eu-central-1, closer to home.
In the existing setup, I have created a Lambda function which gets triggered when a commit is pushed to a CodeCommit repo and sends a nice notification about it to our Slack channel. It works, great.
But now, when I've tried to recreate the same functionality in eu-central-1 (Frankfurt), I got stuck.
I can't seem to create a trigger for CodeCommit to trigger a Lambda function. I've tried in some other regions and it works flawlessly.
I know that:
the rights, roles, policies and permissions are set up correctly
it works in other regions
the CodeCommit item is missing from the list of triggers when you create a Lambda function
If I try to create a trigger the other way around, starting from the CodeCommit side, I get an error:
AWS CodeCommit does not have access to the destination or the destination does not exist.
Any idea if triggering has been forgotten during the implementation of CodeCommit in eu-central-1, or are there any other tricks I can try to get this working?
Thank you!
I believe the issue is that your Lambda function may be missing a policy which allows CodeCommit to invoke your function. If your new lambda function does not specify CodeCommit as a principal, they will not be able to invoke your function.
Usually, the easiest way to have this policy is by setting up your trigger in the Lambda console. Unfortunately, because CodeCommit is newly launched in these regions, this quick setup is not yet available. However, you can still follow the manual setup steps outlined here: http://docs.aws.amazon.com/codecommit/latest/userguide/how-to-notify-lambda-cc.html#how-to-notify-lam-perm
TLDR:
Create a json file 'AllowAccessfromMyDemoRepo.json':
{
  "FunctionName": "MyCodeCommitFunction",
  "StatementId": "1",
  "Action": "lambda:InvokeFunction",
  "Principal": "codecommit.amazonaws.com",
  "SourceArn": "arn:aws:codecommit:eu-central-1:80398EXAMPLE:MyDemoRepo",
  "SourceAccount": "80398EXAMPLE"
}
Run Lambda add-permission api:
aws lambda add-permission --cli-input-json file://AllowAccessfromMyDemoRepo.json
It's simply not yet available in Frankfurt. Maybe give it a try in Ireland instead?
I am making a call to the AWS CloudWatch Events putRule and putTargets APIs through the AWS SDK to create a CloudWatch rule and attach a target to it. My target is a Lambda function; the rule gets created and the target gets attached to the rule, but when the rule triggers based on its schedule the target Lambda function does not trigger. So I looked further and found out that the event source under the Lambda function is not added, which makes it not trigger. If I create the rule and target through the AWS console the event source gets created and everything works, but not through the API.
You'll need to call the lambda add-permission after adding the target.
That is (via boto3 for me):
create the lambda
create the rule
create the targets
call lambda add-permission with the lambda arn
see boto3 documentation or the cli doc.
It is possible to add event sources via the AWS SDK. I faced the same issue; please see the code below as the solution using Java.
import com.amazonaws.regions.Regions;
import com.amazonaws.services.lambda.AWSLambdaAsyncClient;
import com.amazonaws.services.lambda.model.AddPermissionRequest;

String ruleArn = "arn:aws:events:us-east-1:123456789012:rule/your-rule"; // placeholder: ARN returned by putRule

AddPermissionRequest addPermissionRequest = new AddPermissionRequest();
addPermissionRequest.setStatementId("12345ff"); // any unique string would go
addPermissionRequest.withSourceArn(ruleArn);    // restricts the grant to this one rule
addPermissionRequest.setAction("lambda:InvokeFunction");
addPermissionRequest.setPrincipal("events.amazonaws.com");
addPermissionRequest.setFunctionName("name of your lambda function");
AWSLambdaAsyncClient lambdaClient = new AWSLambdaAsyncClient();
lambdaClient.withRegion(Regions.US_EAST_1); // region of your lambda's location
lambdaClient.addPermission(addPermissionRequest);
I had the same issue here, and I solved it by doing what #Anvita Shukla suggested.
This worked fine when I did:
create the lambda (this one I created in the web page)
And with the SDK:
create the rule object
create the target object
put request of the rule
put request of the target
get the response object of the rule request to retrieve the rule ARN
create the permission object (as #Anvita Shukla said) and set the rule ARN
add the permission via the lambda client object
In the AWS Lambda page I can see my lambdas with their associated trigger events. And in the AWS CloudWatch Events page I can see the created rules.
I wrote this in Java. If you want I can share the code.
I fixed it. You need to add a permission for the Lambda with SourceArn set to the CloudWatch rule, after putTargets. For example:
var AWS = require('aws-sdk');
var lambda = new AWS.Lambda({ region: 'ap-southeast-1' }); // same region as the function
var timestamp = Date.now(); // only used to make the StatementId unique

var lambdaPermission = {
  FunctionName: 'cloudwatch-trigger',
  StatementId: timestamp.toString(),
  Action: 'lambda:InvokeFunction',
  Principal: 'events.amazonaws.com',
  SourceArn: 'arn:aws:events:ap-southeast-1:XXXXXX:rule/schedule_auto_1' // ARN of the rule
};
lambda.addPermission(lambdaPermission, function(err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    console.log("Success", data);
    console.log("add permission done");
  }
});
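The CodeCommit answer earlier on the page and the answers in this thread describe the same mechanism: the console quietly adds a resource-based policy statement to the function, and the SDK path has to add it explicitly with AddPermission after the rule and target exist. This added Python example (not code from any of the answers or from AWS) builds that statement for either principal and runs the put_rule, put_targets, add_permission sequence in order, with SourceArn pinned to the rule so the grant cannot be used by any other rule in the account. `_StubEvents` and `_StubLambda` are constructed stand-ins for the boto3 `events` and `lambda` clients so the script runs offline; the region, account id, rule and function names are made up. Note that AddPermission rejects a StatementId that already exists on the function's policy, which is why the statement id defaults to a fresh random suffix.

```python
# Added example: rule -> target -> invoke permission, the order the console performs
# implicitly when you attach a Lambda to a CloudWatch Events rule. Not AWS code.
import uuid


def invoke_permission(function_name, principal, source_arn,
                      source_account=None, statement_id=None):
    """Keyword arguments for Lambda add_permission: one resource-policy statement.

    principal is the calling service (events.amazonaws.com, codecommit.amazonaws.com);
    source_arn restricts the grant to one rule or repository rather than the whole service.
    """
    params = {
        "FunctionName": function_name,
        "StatementId": statement_id or f"allow-{uuid.uuid4().hex[:12]}",
        "Action": "lambda:InvokeFunction",
        "Principal": principal,
        "SourceArn": source_arn,
    }
    if source_account:  # extra guard used in the CodeCommit example on this page
        params["SourceAccount"] = source_account
    return params


def schedule_lambda(events, lam, rule_name, schedule, function_arn):
    """put_rule -> put_targets -> add_permission; returns the rule ARN.

    `events` and `lam` are boto3 clients for 'events' and 'lambda' (or stubs).
    """
    rule_arn = events.put_rule(Name=rule_name, ScheduleExpression=schedule,
                               State="ENABLED")["RuleArn"]
    events.put_targets(Rule=rule_name,
                       Targets=[{"Id": "lambda-target", "Arn": function_arn}])
    function_name = function_arn.split(":")[6]  # arn:aws:lambda:region:acct:function:<name>
    lam.add_permission(**invoke_permission(function_name, "events.amazonaws.com", rule_arn))
    return rule_arn


class _StubEvents:
    """Constructed stand-in for the boto3 CloudWatch Events client (demo/test only)."""

    def __init__(self, region="ap-southeast-1", account="123456789012"):
        self.region, self.account, self.calls = region, account, []

    def put_rule(self, **kw):
        self.calls.append(("put_rule", kw))
        return {"RuleArn": f"arn:aws:events:{self.region}:{self.account}:rule/{kw['Name']}"}

    def put_targets(self, **kw):
        self.calls.append(("put_targets", kw))
        return {"FailedEntryCount": 0, "FailedEntries": []}


class _StubLambda:
    """Constructed stand-in for the boto3 Lambda client (demo/test only)."""

    def __init__(self):
        self.calls = []

    def add_permission(self, **kw):
        self.calls.append(("add_permission", kw))
        return {"Statement": "{}"}


if __name__ == "__main__":
    ev, lam = _StubEvents(), _StubLambda()
    arn = schedule_lambda(ev, lam, "schedule_auto_1", "rate(5 minutes)",
                          "arn:aws:lambda:ap-southeast-1:123456789012:function:cloudwatch-trigger")
    print(arn)
    print([name for name, _ in ev.calls + lam.calls])  # put_rule, put_targets, add_permission
```

Swapping the stubs for `boto3.client("events")` and `boto3.client("lambda")` gives the SDK-only flow the thread asks about; the Lambda console then shows the rule under the function's triggers, because that view is derived from the function's resource policy, not from the rule.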
As far as I understand this is currently not possible through the SDK, CloudWatch event sources can only be added to lambdas through the console as you said or using the CLI. If I'm wrong I would love to know what is possible, but the documentation here seems to agree.
http://docs.aws.amazon.com/lambda/latest/dg/with-scheduled-events.html