Configure CloudWatch Secrets Manager event to trigger another Lambda function - amazon-web-services

I have set up AWS Secrets Manager, which contains my Redshift credentials. I have enabled secret rotation on my secret. I have used the sample code given by AWS to set up a Lambda function that gets the credentials, and have subscribed an SNS topic to the Lambda, which works fine.
I would like to set up an AWS CloudWatch Events rule so that whenever the rotation of the secret has succeeded it triggers my Lambda function.
Upon reading the AWS documentation for monitoring my secrets: https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring.html#monitoring_cloudwatch
I have configured the CloudTrail log files to be delivered to CloudWatch Logs.
I have then set up a CloudWatch Events rule which has Secrets Manager as the service, Event Type: AWS API call events, and Specific Operations: **RotationSucceeded** - a mechanism that notifies you of a successful rotation event.
However, when the secret rotation successfully occurs, the CloudWatch event does not trigger the Lambda function I have set as the target.
What changes should I make so that the Lambda function is triggered every time the secret is successfully rotated in AWS Secrets Manager?

Posting the answer here:
Upon doing more research: in order to set up an AWS CloudWatch Events rule that triggers my Lambda function whenever rotation of the secret has succeeded, you will need to reference the RotateSecret API. In return, when the secret is rotated, this will trigger the Lambda function.
RotateSecret replaces RotationSucceeded in Specific Operations.
I have attached the document below for more information:
https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html
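An added example (not code from the question, the answer or AWS) showing what the accepted answer amounts to in practice: the event pattern a rule built on Specific Operation = RotateSecret carries, a small matcher that applies that pattern the way the rule engine does for plain values, and a Lambda target that pulls the secret identifier out of the delivered event. It also shows why the original rule stayed silent: RotateSecret is an API call (CloudTrail eventType AwsApiCall), whereas the rotation outcome entries Secrets Manager writes to CloudTrail, such as RotationSucceeded, are service events, so a rule on the "AWS API Call via CloudTrail" detail-type never matches them. Two caveats for anyone wiring this up: RotateSecret is recorded when rotation is requested, not when it finishes, so a handler that must act only on a completed rotation should confirm the new version first (DescribeSecret returns LastRotatedDate and the version-to-stage mapping); and the rule only fires if a CloudTrail trail is actually logging management events in that region. The CloudTrail record below is constructed for this example; its field names follow CloudTrail's record format, the values are placeholders.

```python
import json

# Rule pattern the console produces for Service = Secrets Manager,
# Event Type = AWS API Call via CloudTrail, Specific Operation = RotateSecret.
ROTATE_SECRET_PATTERN = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["RotateSecret"],
    },
}


def matches(pattern, event):
    """Apply an event pattern the way the rule engine does for plain values:
    every key in the pattern must be present in the event, a list is an OR of
    exact values, and a nested dict recurses. Event keys not named in the
    pattern are ignored. Content filters such as {"prefix": ...} are not
    handled here; this example only needs exact matching."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_cloudtrail_event(event_name, event_type="AwsApiCall", secret_id=None):
    """Constructed sample: the envelope EventBridge wraps around a CloudTrail
    record. Field names follow CloudTrail's record format; values are made up."""
    detail = {
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T02:00:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": event_name,
        "eventType": event_type,  # AwsApiCall for RotateSecret, AwsServiceEvent for RotationSucceeded
        "awsRegion": "us-east-1",
        "requestParameters": {"secretId": secret_id} if secret_id else None,
    }
    return {
        "version": "0",
        "source": "aws.secretsmanager",
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",
        "detail": detail,
    }


def lambda_handler(event, context=None):
    """Rule target: report which secret the RotateSecret call was made for, so a
    downstream step (for example re-reading the Redshift credentials) knows
    which secret to refresh. Anything else is ignored rather than acted on."""
    detail = event.get("detail") or {}
    if detail.get("eventName") != "RotateSecret":
        return {"handled": False, "reason": "not a RotateSecret call"}
    params = detail.get("requestParameters") or {}
    return {
        "handled": True,
        "secretId": params.get("secretId"),
        "eventTime": detail.get("eventTime"),
    }


if __name__ == "__main__":
    sample = make_cloudtrail_event(
        "RotateSecret",
        secret_id="arn:aws:secretsmanager:us-east-1:123456789012:secret:redshift-AbCdEf",
    )
    print(json.dumps(ROTATE_SECRET_PATTERN, indent=2))
    print(matches(ROTATE_SECRET_PATTERN, sample), lambda_handler(sample))
```

The same pattern can be pasted into the rule's "Event pattern" editor verbatim; the console form with Service/Event Type/Specific Operations generates exactly these four fields.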

Related

How to capture AWS Lambda's own CRUD events?

Is there any way to capture AWS Lambda's own CRUD events, like Lambda create, Lambda update and Lambda delete?
I am trying to create an alert system to a Slack channel on every Lambda update.
CloudTrail:
Lambda is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Lambda. CloudTrail captures API calls for Lambda as events. The calls captured include calls from the Lambda console and code calls to the Lambda API operations.
Additionally, many services (but not Lambda) send change events directly to EventBridge. EventBridge is notified when an RDS Instance is deleted, for instance. For finer-grained monitoring, consider the AWS Config service.
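An added example, not part of the answer above, of the Slack alert the question asks for built on the CloudTrail route the answer describes: an EventBridge pattern that selects Lambda create/update/delete calls, and a function that turns the delivered CloudTrail record into a Slack incoming-webhook message naming the function, the caller and whether the call failed. Event names are matched by prefix because Lambda records versioned names in CloudTrail (for example CreateFunction20150331); confirm the exact names against your own trail before relying on them. The webhook URL is assumed to arrive in a SLACK_WEBHOOK_URL environment variable, and the sample event is constructed.

```python
import json
import os
import urllib.request

# Prefixes of the Lambda control-plane calls worth alerting on.
WATCHED_PREFIXES = ("CreateFunction", "UpdateFunctionCode",
                    "UpdateFunctionConfiguration", "DeleteFunction")

# EventBridge rule pattern; {"prefix": ...} is EventBridge content filtering,
# so the versioned CloudTrail names match without listing each one.
LAMBDA_CRUD_PATTERN = {
    "source": ["aws.lambda"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["lambda.amazonaws.com"],
        "eventName": [{"prefix": p} for p in WATCHED_PREFIXES],
    },
}

# Constructed sample: a code update to one function by an IAM user.
SAMPLE_EVENT = {
    "source": "aws.lambda",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "awsRegion": "eu-west-1",
        "eventID": "3f6c2b1e-0000-4000-8000-000000000001",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"functionName": "billing-api"},
    },
}


def classify(event_name):
    """Map a CloudTrail eventName to the watched action prefix, or None."""
    for prefix in WATCHED_PREFIXES:
        if event_name.startswith(prefix):
            return prefix
    return None


def build_slack_message(event):
    """Return the Slack payload for a watched event, or None to ignore it."""
    detail = event.get("detail") or {}
    action = classify(detail.get("eventName", ""))
    if action is None:
        return None
    params = detail.get("requestParameters") or {}
    identity = detail.get("userIdentity") or {}
    fn = params.get("functionName", "<unknown>")
    actor = identity.get("arn", identity.get("type", "<unknown>"))
    text = (f"*{action}* on Lambda `{fn}` in {detail.get('awsRegion')} "
            f"by `{actor}` (eventID {detail.get('eventID')})")
    # Denied or failed attempts are at least as interesting as successful ones.
    if detail.get("errorCode"):
        text += f" FAILED: {detail['errorCode']}"
    return {"text": text}


def post_to_slack(payload, webhook_url=None):
    url = webhook_url or os.environ["SLACK_WEBHOOK_URL"]
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context=None):
    payload = build_slack_message(event)
    if payload is None:
        return {"posted": False}
    post_to_slack(payload)
    return {"posted": True}


if __name__ == "__main__":
    print(json.dumps(LAMBDA_CRUD_PATTERN, indent=2))
    print(build_slack_message(SAMPLE_EVENT))
```

Because the rule already filters on the prefixes, the function only sees the calls it cares about; the prefix check inside `classify` is a second line of defence in case someone later widens the rule.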

I want to trigger gitlab-ci pipeline, whenever there is an object put in AWS S3 bucket

I am looking for a way to trigger my GitLab CI pipeline whenever an object (with a specific name) is added to an S3 bucket.
I am new to AWS Lambda, can someone please help?
You can use S3 event notifications and deliver these events to other AWS services, including AWS Lambda or SQS queues.
Leveraging these event notifications, you could send the event directly to a Lambda function that subscribes to PutObject events, parses the event content structure to determine if an object of the specific name was created, and uses the create pipeline API to trigger pipelines on GitLab.
Architecture overview: (diagram not reproduced)
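An added example (not the answer's own code) of the Lambda function in that architecture: it walks the S3 notification records, keeps only created objects whose key matches a glob, and builds the request for GitLab's pipeline trigger endpoint (POST /api/v4/projects/:id/trigger/pipeline with a trigger token and ref). Two details that bite in practice are handled: S3 URL-encodes object keys in notifications (a space arrives as '+'), so keys are decoded before matching; and the trigger token is a credential, so it is read from the environment here and should really come from Secrets Manager or SSM Parameter Store rather than a plain environment variable. The GITLAB_URL, GITLAB_PROJECT_ID, GITLAB_TRIGGER_TOKEN, GITLAB_REF and KEY_PATTERN variables are assumptions of this example, and the S3 event is constructed.

```python
import fnmatch
import os
import urllib.parse
import urllib.request

# Constructed S3 notification with three records: a matching upload (note the
# '+' standing for a space in the URL-encoded key), a non-matching upload and
# a delete that must be ignored.
SAMPLE_S3_EVENT = {
    "Records": [
        {"eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "my-bucket"}, "object": {"key": "releases/app+1.2.tar.gz"}}},
        {"eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "my-bucket"}, "object": {"key": "logs/2024-05-01.txt"}}},
        {"eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": "my-bucket"}, "object": {"key": "releases/old.tar.gz"}}},
    ]
}


def matching_objects(s3_event, key_pattern):
    """Return (bucket, key) for every created object whose decoded key matches
    the glob `key_pattern`. Decode first: S3 URL-encodes keys in notifications,
    so names with spaces or special characters would otherwise never match."""
    found = []
    for record in s3_event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        if fnmatch.fnmatchcase(key, key_pattern):
            found.append((bucket, key))
    return found


def trigger_request(bucket, key, base_url, project_id, token, ref):
    """Build (url, form body) for GitLab's pipeline trigger endpoint; bucket
    and key are passed to the job as CI variables."""
    project = urllib.parse.quote(str(project_id), safe="")  # 'group/project' paths must be encoded
    url = f"{base_url.rstrip('/')}/api/v4/projects/{project}/trigger/pipeline"
    form = {
        "token": token,
        "ref": ref,
        "variables[S3_BUCKET]": bucket,
        "variables[S3_KEY]": key,
    }
    return url, urllib.parse.urlencode(form).encode()


def lambda_handler(event, context=None):
    cfg = {k: os.environ[k] for k in
           ("GITLAB_URL", "GITLAB_PROJECT_ID", "GITLAB_TRIGGER_TOKEN", "GITLAB_REF")}
    pattern = os.environ.get("KEY_PATTERN", "*")
    results = []
    for bucket, key in matching_objects(event, pattern):
        url, body = trigger_request(bucket, key, cfg["GITLAB_URL"], cfg["GITLAB_PROJECT_ID"],
                                    cfg["GITLAB_TRIGGER_TOKEN"], cfg["GITLAB_REF"])
        with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
            results.append({"key": key, "status": resp.status})
    return {"triggered": results}


if __name__ == "__main__":
    for bucket, key in matching_objects(SAMPLE_S3_EVENT, "releases/*.tar.gz"):
        url, body = trigger_request(bucket, key, "https://gitlab.example.com", 42, "<token>", "main")
        print(url, body)
```

If the bucket can receive bursts of uploads, put an SQS queue between S3 and the function (S3 -> SQS -> Lambda) so retries and throttling are handled by the queue rather than by re-delivery from S3.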

SecretsManager rule not triggering even though event exists

I can see that an event is being fired by the doppler user, but the rule is not getting triggered, for some reason I don't know how to debug.
Event fired: (screenshot not reproduced)
Rule pattern: (screenshot not reproduced)
I have this simple rule to catch updates to Secrets Manager. I can see secrets are being updated and the event being fired, so why would my rule not be fired? How could I debug this?
You are creating a rule with a detail-type of AWS API Call via CloudTrail. In order for these events to be picked up, you must create a CloudTrail trail:
From the AWS documentation:
To record events with a detail-type value of AWS API Call via CloudTrail, a CloudTrail trail with logging enabled is required.
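An added check, not part of the answer above, for the debugging question: given the results of CloudTrail's DescribeTrails, GetTrailStatus and GetEventSelectors calls, it reports for each trail why it would not feed "AWS API Call via CloudTrail" events to a rule in a given region. A trail qualifies only if it is logging, covers the region (multi-region, or its home region is the rule's region) and records management events including writes; a ReadOnly selector silently drops calls like PutSecretValue or RotateSecret while still looking like a working trail. The response dicts below are constructed in the shape of the boto3 responses; trails configured with advanced event selectors report through a different field and are not handled here.

```python
# Constructed responses in the shape returned by boto3's cloudtrail client:
# describe_trails()["trailList"], get_trail_status(Name=...) and
# get_event_selectors(TrailName=...)["EventSelectors"].
TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    {"Name": "stale-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
    {"Name": "readonly-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
]
STATUSES = {
    "org-trail": {"IsLogging": True},
    "stale-trail": {"IsLogging": False},
    "readonly-trail": {"IsLogging": True},
}
SELECTORS = {
    "org-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    "stale-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    "readonly-trail": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True}],
}


def diagnose(trails, statuses, selectors, region):
    """Return {trail name: [problems]} for a rule in `region`; an empty list
    means that trail will deliver write-type management events there."""
    report = {}
    for trail in trails:
        name = trail["Name"]
        problems = []
        if not (trail.get("IsMultiRegionTrail") or trail.get("HomeRegion") == region):
            problems.append(f"does not cover {region}")
        if not statuses.get(name, {}).get("IsLogging"):
            problems.append("logging is stopped")
        mgmt = [s for s in selectors.get(name, []) if s.get("IncludeManagementEvents")]
        if not mgmt:
            problems.append("management events are not recorded")
        elif not any(s.get("ReadWriteType", "All") in ("All", "WriteOnly") for s in mgmt):
            problems.append("ReadOnly selector: write calls such as RotateSecret or "
                            "PutSecretValue are not recorded")
        report[name] = problems
    return report


def trails_feeding(trails, statuses, selectors, region):
    """Names of the trails that will feed API-call events to rules in `region`."""
    return [name for name, problems in diagnose(trails, statuses, selectors, region).items()
            if not problems]


if __name__ == "__main__":
    # Pulling the real inputs looks like this (boto3 is only needed here):
    #   ct = boto3.client("cloudtrail")
    #   trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    #   statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    #   selectors = {t["Name"]: ct.get_event_selectors(TrailName=t["TrailARN"])["EventSelectors"] for t in trails}
    for name, problems in diagnose(TRAILS, STATUSES, SELECTORS, "eu-west-1").items():
        print(name, "OK" if not problems else "; ".join(problems))
```

If this reports no qualifying trail, no amount of editing the rule pattern will help; create or start a trail first, then re-test by making a harmless write call (for example tagging the secret) and watching the rule's Invocations metric.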

AWS:Lambda: Add SNS trigger programmatically

I need to add an 'SNS' based trigger to my Lambda function, but create-event-source-mapping — AWS CLI Command Reference says only DynamoDB, Kinesis, SQS.
The aws lambda create-event-source-mapping command for SNS, S3 etc. based triggers fails with --event-source-arn:
An error occurred (InvalidParameterValueException) when calling the CreateEventSourceMapping operation: Unrecognized event source, must be kinesis, dynamodb stream or sqs. Unsupported source arn
However these can be accomplished through AWS console.
Any thoughts?
To have SNS trigger a Lambda, the Lambda needs to subscribe to the SNS topic. You can refer to Tutorial: Using AWS Lambda with Amazon Simple Notification Service on getting a Lambda triggered when a message is published to an SNS topic.
In order to set an SNS trigger on a Lambda you have to do the following things:
1) create an SNS topic
2) create a Lambda function
3) create a Lambda event source
4) integrate all
You can use AWS CDK to do all this.
Creating an SNS topic:
https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_sns/Topic.html
Creating a Lambda function:
https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_lambda/Function.html
Use function_obj.add_event_source(SNS_obj) to integrate all.
The IAM permissions to invoke your function on an SNS event will automatically get handled, and you will see them under the Lambda permissions tab in the console.
*the CDK construct lib links provided are in Python but you can use a language of your choice
Do mark the answer right if it helps.
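An added example (not the answers' code, and not a CDK snippet) of the two API calls that the console's "Add trigger" and CDK's `add_event_source` make on your behalf, written with boto3 so it can be scripted like the CLI the question tried. There is no event source mapping for SNS: the function needs a resource-based policy statement allowing `sns.amazonaws.com` to invoke it, and the topic needs a subscription with `Protocol=lambda`. The permission is scoped with `SourceArn` to the one topic; without it any SNS topic in any account could invoke the function, the classic confused-deputy hole. The clients are passed in so the logic can be exercised without AWS access, and boto3 is imported only in the `__main__` block; the ARNs are placeholders.

```python
import hashlib


def statement_id_for(topic_arn):
    """Deterministic statement id so re-running the setup is idempotent
    (a StatementId may contain only letters, digits, hyphens and underscores)."""
    return "sns-invoke-" + hashlib.sha256(topic_arn.encode()).hexdigest()[:16]


def add_sns_trigger(lambda_client, sns_client, function_arn, topic_arn):
    """Wire topic -> function the way the console's 'Add trigger' does."""
    sid = statement_id_for(topic_arn)
    try:
        # 1. Resource-based policy on the function: only SNS, and only this
        #    topic, may invoke it.
        lambda_client.add_permission(
            FunctionName=function_arn,
            StatementId=sid,
            Action="lambda:InvokeFunction",
            Principal="sns.amazonaws.com",
            SourceArn=topic_arn,
        )
    except lambda_client.exceptions.ResourceConflictException:
        pass  # statement already present from an earlier run
    # 2. The subscription itself; Lambda endpoints need no confirmation step.
    sub = sns_client.subscribe(
        TopicArn=topic_arn,
        Protocol="lambda",
        Endpoint=function_arn,
        ReturnSubscriptionArn=True,
    )
    return {"statement_id": sid, "subscription_arn": sub["SubscriptionArn"]}


if __name__ == "__main__":
    import sys
    import boto3  # only needed when actually talking to AWS

    function_arn, topic_arn = sys.argv[1], sys.argv[2]
    print(add_sns_trigger(boto3.client("lambda"), boto3.client("sns"),
                          function_arn, topic_arn))
```

The equivalent CLI calls are `aws lambda add-permission` followed by `aws sns subscribe --protocol lambda`; `create-event-source-mapping` is only for the poll-based sources named in the error message.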

AWS EC2 get notified when a tag changes

I want to call a Lambda function when my EC2 tag "Something" changes. Is it possible? If I cannot listen to changes to a specific tag, I could listen to EC2 config changes. How can I do that? I am not sure which option to select in CloudWatch Events ...
UPDATE
I tried AWS Config, but it appears that it only monitors config changes when the instance is started?
Yes, you can use Amazon CloudWatch Events with AWS CloudTrail to call a Lambda function, triggered off a CreateTags event. (Changing a tag is actually treated as creating a tag.)
Turn on AWS CloudTrail for your region (this involves pointing it to an Amazon S3 bucket for log storage)
Create an Amazon SNS topic
Create an AWS Lambda function with a trigger on the SNS topic
Create an Amazon CloudWatch Events rule:
Service Name: EC2
Event Type: AWS API Call via CloudTrail
Specific Operations: CreateTags
Add Target: Select your Lambda function
Your Lambda function will receive a notification when a tag is created/changed.
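An added example, not the answer's own code, of the rule and function from the steps above narrowed to the one tag the question cares about. The pattern matches CreateTags (which, as the answer notes, is what a tag change is) and also DeleteTags so removals are seen, and it filters on the tag key inside the rule itself: EventBridge matches a pattern value against any element of an array, so `requestParameters.tagSet.items.key` selects only calls touching "Something". The function then extracts which instances were affected, ignoring failed calls (an `errorCode` means nothing actually changed) and non-instance resources, since CreateTags also tags volumes, AMIs and so on. The CloudTrail record shape for CreateTags (resourcesSet.items[] and tagSet.items[]) is assumed here and the sample event is constructed; if the rule delivers through an SNS topic as in the steps above, the record arrives JSON-encoded in `Records[0].Sns.Message`, which the handler unwraps.

```python
import json

WATCHED_TAG = "Something"

TAG_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateTags", "DeleteTags"],
        # Any element of tagSet.items may match, so this narrows to one key.
        "requestParameters": {"tagSet": {"items": {"key": [WATCHED_TAG]}}},
    },
}

# Constructed sample: one CreateTags call that set Something=prod on an
# instance and a volume in the same request.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateTags",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "resourcesSet": {"items": [{"resourceId": "i-0123456789abcdef0"},
                                       {"resourceId": "vol-0fedcba9876543210"}]},
            "tagSet": {"items": [{"key": "Something", "value": "prod"},
                                 {"key": "Name", "value": "web-1"}]},
        },
    },
}


def _items(params, section):
    return (params.get(section) or {}).get("items") or []


def tag_changes(event, tag_key=WATCHED_TAG, instances_only=True):
    """List {resource, action, value} entries for `tag_key` in one event.
    Returns [] for unrelated calls, for calls that failed (errorCode set) and
    when the key is not among the tags in the request."""
    detail = event.get("detail") or {}
    action = detail.get("eventName")
    if action not in ("CreateTags", "DeleteTags") or detail.get("errorCode"):
        return []
    params = detail.get("requestParameters") or {}
    values = [t.get("value") for t in _items(params, "tagSet") if t.get("key") == tag_key]
    if not values:
        return []
    value = None if action == "DeleteTags" else values[0]
    changes = []
    for res in _items(params, "resourcesSet"):
        rid = res.get("resourceId", "")
        if instances_only and not rid.startswith("i-"):
            continue  # CreateTags also covers volumes, ENIs, AMIs, ...
        changes.append({"resource": rid, "action": action, "value": value})
    return changes


def unwrap(event):
    """Accept the event either directly from the rule or via an SNS topic."""
    if "Records" in event and "Sns" in event["Records"][0]:
        return json.loads(event["Records"][0]["Sns"]["Message"])
    return event


def lambda_handler(event, context=None):
    event = unwrap(event)
    detail = event.get("detail") or {}
    changes = tag_changes(event)
    actor = (detail.get("userIdentity") or {}).get("arn")
    for c in changes:
        print(f"{c['action']} {WATCHED_TAG}={c['value']!r} on {c['resource']} by {actor}")
    return {"changes": changes, "actor": actor}


if __name__ == "__main__":
    print(json.dumps(TAG_CHANGE_PATTERN, indent=2))
    print(lambda_handler(SAMPLE_EVENT))
```

The value reported is the one in the request, not the previous one; if the old value matters, the function has to look it up (DescribeTags) before the change lands, or keep its own record of the last value it saw.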