EventBridge/CloudTrail pass the below json string to my lambda function when the results get too long.
Is there anyway to view the responseElements like paginators or NextToken?
"responseElements":{
"omitted":true,
"originalSize":175918,
"reason":"responseElements too large"
}
I'm using the following EventBridge pattern
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["RunInstances"]
}
}
This is a limitation of CloudTrail, so at this time it's not be possible to pass that information from CloudTrail if it exceeds 100KB.
Potential work-around that may be useful to others with this message is to create an EventBridge rule to track EC2 instance state changes. So instead of monitoring the api call runinstances look for instances changing into the state running triggering from that as this should have a smaller response.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatch-Events-tutorial-CloudWatch-Logs.html
Related
Everytime an EC2 instance gets created, I want to run a script on that instance. I understand this could be done using the user_data parameter but some of these instances get created manually so people may forget to fill in that parameter sometimes. I want to rely on something automatic instead.
I figured to do it with EventBridge, catch an event that would indicate me that an instance has been created then trigger a lambda that would run the script. But when looking in the documentation I couldn't find any event that would relate to "EC2 created", see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/monitoring-instance-state-changes.html.
Any idea how to get this done?
Create an EventBridge rule with the following pattern to catch the event:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["RunInstances"]
}
}
and configure the target of the rule to be an AWS lambda function. Configure the lambda to parse the event and invoke an SSM run command against the instance.
In my case I have an EventBridge Rule with the following detail:
{
"detail-type": ["EC2 Instance State-change Notification"],
"detail": {
"state": ["running"]
},
"source": ["aws.ec2"]
}
And my target is a lambda function that runs an SSM document on that instance.
I was trying to get a notification, it doesn't matter how as though via email, sms, etc. The notification shouldn't be for state-changes only, which I have already done. Instead, I'd like to be notified when a EIP is disassociated, either network interface or volume is detached, or something bearing on affecting the Ec2 itself.
Is this possible?
I have been working with Amazon EventBridge rules, but I only get captured when is stopped, terminated or running.
I'd like to be notified when a EIP is disassociated, either network interface or volume is detached, or something bearing on affecting the Ec2 itself.
If you want to be notified of a specific event, such as when an EIP is disassociated, I would recommend you use EventBridge with a CloudTrail pattern (in this case, for the DisassociateAddress event).
If you want to be notified of any changes to the EC2 instance, I would recommend you use Config.
So, I figured it out as you said it #paolo. Basically, I have looked for the event on CloudTrail, and match it on Eventbridge; however, I had to do all the Event Patterns separately as follows to make them work.
For the detach network which is attach to the instance I want to monitor:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["DetachNetworkInterface"],
"requestParameters": {"attachmentId": ["eni-attach-0671ffxxx10bxxx46"]}
}
And for the instance status
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"RunInstances",
"StartInstances",
"StopInstances",
"TerminateInstances"
],
"requestParameters": {
"instancesSet": {
"items": {"instanceId": ["i-09513xxxd3xxxa04"]}
}
}
}
And so on for AIM roles, DetachVolumes, ModifyNetworkInterface, etc.
Although AWS considers using git webhooks to be antiquated practice, the documentation on aws codestar connections seems to be a bit scarce. I want to create a generic pipeline that can be triggered when a new repository is committed to for the first time (that it contains a folder of TF config). To do this, I need to be able to monitor when an aws codestar connection is used. I think that doing it this way will mean that I can build something that scales better.
But there doesn't appear to be a well documented way to monitor when 'anything' accesses a codestar connection:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html#awscodestarconnections-actions-as-permissions
In the image above, one can see that there is an action that happens that needs a permission to work, but that is not directly accessible. In cloud trail, I found an action with a payload like this:
"eventTime": "2021-07-06T11:22:46Z",
"eventSource": "codestar-connections.amazonaws.com",
"eventName": "UseConnection",
"awsRegion": "us-east-1",
"sourceIPAddress": "codepipeline.amazonaws.com",
"userAgent": "codepipeline.amazonaws.com",
"requestParameters": {
"connectionArn": "arn:aws:codestar-connections:*:connection/",
"referenceType": "COMMIT",
"reference": {
"FullRepositoryId": "GitHub-User/Github-Repo",
"Commit": "SHA"
}
},
I believe that this is enough for me to use for what I want. I could create an SNS notification with a Lambda listener when this event triggers, but that requires setting up infrastructure to monitor CloudTrail events.
But while I was researching this, I noticed that AWS event bridge appears to know about codestar connections:
Note, if I take this a bit further, I can get something that looks like this:
{
"source": [
"aws.codestar-connections"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"codestar-connections.amazonaws.com"
]
}
}
... but I see no sample events, as it appears that I should, if they were there. And I'm unable to find documentation describing how to make codestar connections log the the UseConnection event to cloudwatch.
If this can be used, instead, then I can use a more direct approach without needing to build the infrastructure to monitor the CloudTrail events.
Can this be done?
I have a Lambda function that I want to take action on a transit gateway when a new VPC is created, or when a VPC is updated. I've used CloudWatch Events for similar triggers in the past (such as when an EC2 instance was terminated) and was hoping to do something similar for this use case. What I've found is that VPC is not listed as one of the services available in Events, and the CloudTrail trail I have configured doesn't appear to be catching CreateVpc or DeleteVpc events, so I'm not sure that using the CloudTrail event pattern is possible either.
I was hoping to use an event similar to what's below, but have not had any luck -
{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["cloudtrail.amazonaws.com"],
"eventName": ["CreateVpc"]
}
}
Is it possible to catch a CreateVpc event for use as a Lambda trigger?
doesn't appear to be catching CreateVpc or DeleteVpc events
You have to double check your trail setup. CreateVpc and DeleteVpc are for sure captured by the CloudTrial.
However, it may be problem with your rule. The source should be aws.ec2:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["CreateVpc"]
}
}
I'm new to AWS and here is the task I'm trying to solve.
SQS queue is set up and from time to time new messages are coming to it. I want to set up Lambda and retrieve those messages and perform some business logic on the content of that messages.
Searching across AWS site and Internet in general I understood that SQS itself can't be a trigger for Lambda, hence I need to set up Cloud Watch that will trigger Lambda by schedule (every minute for example). Here is code example from aws github how to consume a message.
So far so good. Now, when creating Lambda itself, I need to specify the input type to implement RequestHandler interface:
public interface RequestHandler<I, O> {
O handleRequest(I var1, Context var2);
}
But if my Lambda is not expecting any input, it will go to SQS on its own and pull the messages does it make any sense to have input?
Can I leave it void or even use some other method signature at all (of course not implementing that interface in this case)?
Here your Lambda will get a reference to the cloudwatch trigger.
You might not be interested in that but there can be instances where the Lambda wants to know the trigger details even if the trigger is a cloudwatch alarm
The following is an example event:
{ "version": "0", "id": "53dc4d37-cffa-4f76-80c9-8b7d4a4d2eaa",
"detail-type": "Scheduled Event", "source": "aws.events", "account":
"123456789012", "time": "2015-10-08T16:53:06Z", "region": "us-east-1",
"resources": [
"arn:aws:events:us-east-1:123456789012:rule/my-scheduled-rule" ],
"detail": {} }