Will AWS Backup Service restart my EC2 instances? - amazon-web-services

I am currently configuring my production instances to use AWS Backup Service rather than Lambda. However, I notice that AWS Backup Service does not have a "no reboot" option or anything mentioning that it will not reboot the EC2 instances.
Hence, will AWS Backup Service restart my EC2 instances during the backup (create AMI) process?

It will not reboot your instance. I checked that using an on-demand backup of my instance. Then in CloudTrail I verified that the CreateImage API call made by the backup is set with "noReboot": true:
From the CloudTrail event (part shown):
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxx:AWSBackup-AWSBackupDefaultServiceRole",
    "arn": "arn:aws:sts::xxxx:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"
  },
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateImage",
  "requestParameters": {
    "description": "This image is created by the AWS Backup service.",
    "noReboot": true
  }
}
```
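Added example (not from the answer above): the manual CloudTrail check the answer describes, automated over a constructed `LookupEvents` response so it can be run on every CreateImage call, not just one. The response shape (each record carries the full event as a JSON string in `CloudTrailEvent`) is that of `boto3.client("cloudtrail").lookup_events`; the account ids, instance ids and event ids are placeholders.

```python
import json

# Constructed sample in the shape returned by CloudTrail LookupEvents, e.g.
# boto3.client("cloudtrail").lookup_events(LookupAttributes=[{"AttributeKey": "EventName",
# "AttributeValue": "CreateImage"}]). Each record carries the full event as a JSON
# string in "CloudTrailEvent". Account ids, instance ids and event ids are placeholders.
SAMPLE_LOOKUP_RESPONSE = {"Events": [
    {"EventId": "evt-backup-1", "EventName": "CreateImage", "CloudTrailEvent": json.dumps({
        "eventName": "CreateImage",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"},
        "requestParameters": {"instanceId": "i-0aaaaaaaaaaaaaaaa", "noReboot": True}})},
    {"EventId": "evt-manual-1", "EventName": "CreateImage", "CloudTrailEvent": json.dumps({
        "eventName": "CreateImage",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"instanceId": "i-0aaaaaaaaaaaaaaaa", "noReboot": False}})},
    {"EventId": "evt-manual-2", "EventName": "CreateImage", "CloudTrailEvent": json.dumps({
        "eventName": "CreateImage",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"instanceId": "i-0cccccccccccccccc"}})},
]}


def rebooting_create_image_calls(lookup_response):
    """Return (event id, caller ARN, instance id) for every CreateImage call that may
    have rebooted the instance, i.e. whose request did not set noReboot to true."""
    findings = []
    for record in lookup_response.get("Events", []):
        event = json.loads(record["CloudTrailEvent"])
        if event.get("eventName") != "CreateImage":
            continue
        params = event.get("requestParameters") or {}
        # The EC2 API defaults noReboot to false, so an absent key also allows a reboot.
        if params.get("noReboot") is True:
            continue
        caller = (event.get("userIdentity") or {}).get("arn")
        findings.append((record["EventId"], caller, params.get("instanceId")))
    return findings


def backup_service_calls_all_no_reboot(lookup_response):
    """True when every CreateImage call made by the AWS Backup role set noReboot."""
    return not any(caller and "AWSBackupDefaultServiceRole" in caller
                   for _, caller, _ in rebooting_create_image_calls(lookup_response))
```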

Related

How to trigger a notification in AWS OpenSearch

I have created a Lambda which is triggered by an EventBridge rule that I created.
The purpose is for the Lambda to send a slack notification when an OpenSearch Service Upgrade is available.
I've tested the Lambda manually with a sample event and it works well, but I want to test it "for real" by getting a real OpenSearch instance to send a notification.
The OpenSearch domain I created is not sending notifications like I would expect it to.
I've created a new OpenSearch domain and used an old version of OpenSearch (1.0).
When I look at the OpenSearch domain I created in the AWS console, it shows the Version is OpenSearch 1.0 and there is an Upgrade Available (to 1.3).
However, this did not trigger a notification.
How do notifications get triggered? Would a notification only get triggered if a new Upgrade becomes available (e.g. 1.4) when my OpenSearch domain is already up and running?
Is there any way to force OpenSearch to trigger the notification?
I want OpenSearch to trigger a notification, which in turn is captured by EventBridge, and triggers my Lambda with an event like:
```json
{
  "version": "0",
  "id": "01234567-0123-0123-0123-012345678901",
  "detail-type": "Amazon OpenSearch Service Software Update Notification",
  "source": "aws.es",
  "account": "123456789012",
  "time": "2016-11-01T13:12:22Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:es:us-east-1:123456789012:domain/test-domain"
  ],
  "detail": {
    "event": "Service Software Update",
    "status": "Available",
    "severity": "Informational",
    "description": "Service software update [R20200330-p1] available."
  }
}
```

How can I be notified when the EC2 instance itself is modified

I was trying to get a notification; it doesn't matter how, whether via email, SMS, etc. The notification shouldn't be for state changes only, which I have already done. Instead, I'd like to be notified when an EIP is disassociated, when either a network interface or a volume is detached, or when anything else affecting the EC2 instance itself happens.
Is this possible?
I have been working with Amazon EventBridge rules, but the only events I capture are when the instance is stopped, terminated or running.
I'd like to be notified when an EIP is disassociated, when either a network interface or a volume is detached, or when anything else affecting the EC2 instance itself happens.
If you want to be notified of a specific event, such as when an EIP is disassociated, I would recommend you use EventBridge with a CloudTrail pattern (in this case, for the DisassociateAddress event).
If you want to be notified of any changes to the EC2 instance, I would recommend you use Config.
So, I figured it out as you said, #paolo. Basically, I looked for the event in CloudTrail and matched it in EventBridge; however, I had to define all the event patterns separately, as follows, to make them work.
For detaching the network interface that is attached to the instance I want to monitor:
```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["DetachNetworkInterface"],
    "requestParameters": {"attachmentId": ["eni-attach-0671ffxxx10bxxx46"]}
  }
}
```
And for the instance status:
```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": [
      "RunInstances",
      "StartInstances",
      "StopInstances",
      "TerminateInstances"
    ],
    "requestParameters": {
      "instancesSet": {
        "items": {"instanceId": ["i-09513xxxd3xxxa04"]}
      }
    }
  }
}
```
And so on for IAM roles, DetachVolumes, ModifyNetworkInterface, etc.
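Added example (not code from the answer above): a small matcher for the subset of EventBridge pattern syntax the two rules use, run offline against constructed CloudTrail-delivered events, so the rules can be tested before deployment. It also shows why the patterns had to stay separate: a single rule that lists both requestParameters keys never fires. The `cloudtrail_event` helper and the event shapes are assumptions about how CloudTrail populates `detail`; the placeholder ids are the ones posted.

```python
# Matcher for the subset of EventBridge pattern syntax the two rules use: a leaf is a
# list of allowed literal values, objects match key by key, and a JSON array in the
# event matches when any element matches. Content filters such as {"prefix": ...}
# or {"exists": ...} are deliberately not implemented.
def matches(pattern, event):
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        return isinstance(event, dict) and all(
            key in event and matches(value, event[key]) for key, value in pattern.items())
    if isinstance(pattern, list):
        return any(item in pattern for item in event) if isinstance(event, list) else event in pattern
    raise ValueError("pattern leaves must be lists of allowed values")


def cloudtrail_event(event_name, request_parameters):
    """Constructed EventBridge envelope for an EC2 API call delivered via CloudTrail."""
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
                       "requestParameters": request_parameters}}


ENVELOPE = {"source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"]}
# The two rules from the answer (placeholder ids as posted).
DETACH_ENI_RULE = dict(ENVELOPE, detail={
    "eventSource": ["ec2.amazonaws.com"], "eventName": ["DetachNetworkInterface"],
    "requestParameters": {"attachmentId": ["eni-attach-0671ffxxx10bxxx46"]}})
INSTANCE_STATE_RULE = dict(ENVELOPE, detail={
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["RunInstances", "StartInstances", "StopInstances", "TerminateInstances"],
    "requestParameters": {"instancesSet": {"items": {"instanceId": ["i-09513xxxd3xxxa04"]}}}})

# Constructed events; CloudTrail puts the instance inside the instancesSet.items array.
STOP_MONITORED = cloudtrail_event("StopInstances", {"instancesSet": {"items": [{"instanceId": "i-09513xxxd3xxxa04"}]}})
STOP_OTHER = cloudtrail_event("StopInstances", {"instancesSet": {"items": [{"instanceId": "i-0000000000000000"}]}})
DETACH_MONITORED = cloudtrail_event("DetachNetworkInterface", {"attachmentId": "eni-attach-0671ffxxx10bxxx46"})


def combined_rule_never_fires():
    """Why the rules had to stay separate: one rule listing both requestParameters keys
    requires both keys in the same event, and no single EC2 API call carries both."""
    combined = dict(ENVELOPE, detail={
        "eventSource": ["ec2.amazonaws.com"], "eventName": ["DetachNetworkInterface", "StopInstances"],
        "requestParameters": {"attachmentId": ["eni-attach-0671ffxxx10bxxx46"],
                              "instancesSet": {"items": {"instanceId": ["i-09513xxxd3xxxa04"]}}}})
    return not matches(combined, STOP_MONITORED) and not matches(combined, DETACH_MONITORED)
```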

AWS Automated DBSnapshot (System) in CloudTrail event

I'm looking at triggering a Lambda when a new automated DB snapshot is available in RDS (system ones instead of manual ones). However, after digging in CloudTrail, I don't see any events that look like the following (AWS sample):
```json
{
  "version": "0",
  "id": "844e2571-85d4-695f-b930-0153b71dcb42",
  "detail-type": "RDS DB Snapshot Event",
  "source": "aws.rds",
  "account": "123456789012",
  "time": "2018-10-06T12:26:13Z",
  "region": "us-east-1",
  "resources": ["arn:aws:rds:us-east-1:123456789012:db:mysql-instance-2018-10-06-12-24"],
  "detail": {
    "EventCategories": ["creation"],
    "SourceType": "SNAPSHOT",
    "SourceArn": "arn:aws:rds:us-east-1:123456789012:db:mysql-instance-2018-10-06-12-24",
    "Date": "2018-10-06T12:26:13.882Z",
    "SourceIdentifier": "rds:mysql-instance-2018-10-06-12-24",
    "Message": "Automated snapshot created"
  }
}
```
Thanks again if you know which AWS events I should look up for :)
Oli
CloudTrail won't give you such information. I would go with the flow highlighted below:
RDS (event notification) -> SNS -> Lambda
You need to have an SNS topic as the source of your Lambda, because RDS fans out its events to this service.
Check what the RDS documentation states:
Amazon RDS uses the Amazon Simple Notification Service (Amazon SNS) to provide notification when an Amazon RDS event occurs
Regarding the notification itself, I could see that the DB snapshot event below might be the one that you're looking for:
| Category | RDS event ID | Description |
|---|---|---|
| creation | RDS-EVENT-0091 | An automated DB snapshot is being created. |
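Added example (not code from the answer above) of the Lambda end of the RDS -> SNS -> Lambda flow: it unwraps the SNS records and keeps only messages carrying the event code from the table. The field names of the RDS message inside `Sns.Message` ("Event ID" holding a documentation URL that ends in the event code, "Source ID", "Event Message") are an assumption about the RDS notification payload and should be checked against a real message; the sample records are constructed.

```python
import json

# Event code from the table above. The SNS-delivered RDS message is assumed to be a JSON
# object with "Event ID" (a documentation URL ending in the event code), "Source ID" and
# "Event Message"; verify these field names against a real message before relying on them.
AUTOMATED_SNAPSHOT_EVENT = "RDS-EVENT-0091"

# Constructed Lambda invocation as delivered by SNS: one record per published message.
SAMPLE_LAMBDA_EVENT = {"Records": [
    {"EventSource": "aws:sns", "Sns": {"Message": json.dumps({
        "Event Source": "db-snapshot",
        "Event ID": "http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/USER_Events.html#RDS-EVENT-0091",
        "Source ID": "rds:mysql-instance-2018-10-06-12-24",
        "Event Message": "Automated snapshot created"})}},
    {"EventSource": "aws:sns", "Sns": {"Message": json.dumps({
        "Event Source": "db-instance",
        "Event ID": "http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/USER_Events.html#RDS-EVENT-0000",
        "Source ID": "mysql-instance",
        "Event Message": "constructed non-snapshot event"})}},
    # A non-JSON message (e.g. a subscription confirmation) must not crash the handler.
    {"EventSource": "aws:sns", "Sns": {"Message": "You have chosen to subscribe to the topic ..."}},
]}


def rds_event_code(message):
    """Extract the RDS-EVENT-nnnn code from the 'Event ID' URL fragment, or None."""
    event_id = message.get("Event ID", "")
    return event_id.rsplit("#", 1)[1] if "#RDS-EVENT-" in event_id else None


def automated_snapshot_sources(lambda_event):
    """Source IDs of every automated-snapshot event in an SNS-triggered invocation."""
    sources = []
    for record in lambda_event.get("Records", []):
        try:
            message = json.loads(record["Sns"]["Message"])
        except (KeyError, ValueError):
            continue  # not an RDS event notification
        if isinstance(message, dict) and rds_event_code(message) == AUTOMATED_SNAPSHOT_EVENT:
            sources.append(message.get("Source ID"))
    return sources


def handler(event, context=None):
    """Lambda entry point: returns the matching snapshot sources for a downstream step."""
    return {"automated_snapshots": automated_snapshot_sources(event)}
```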

Trigger Cloudwatch event on successful ebs volume attachment (OpenShift created volumes)

I have an OpenShift cluster running in AWS that dynamically creates volumes for projects. I need all my resources (EC2 instances, EBS Volumes, etc.) to have some required and enforced tags. However, volumes created by OpenShift/Kubernetes only come with a few default tags and I cannot, from the OpenShift side, add custom tags.
I would like volumes, when they are attached to an instance, to inherit the tags from the instance they are attached to. I already have a Lambda script which can do this, but the CloudWatch event for attachVolume only triggers when a volume FAILS to attach. Is there a way to have a CloudWatch event trigger when a volume successfully attaches to an instance?
My Useless CloudWatch Event:
```json
{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "EBS Volume Notification"
  ],
  "detail": {
    "event": [
      "attachVolume"
    ]
  }
}
```
This CloudWatch Event Rule will be triggered when an EBS AttachVolume occurs:
```json
{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AttachVolume"
    ]
  }
}
```
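Added example (not the questioner's Lambda or the answer's code): the tag-inheriting handler the question describes, wired to the CloudTrail-based rule above. Because CloudTrail records failed AttachVolume calls as well (marked with `errorCode`), the handler skips those, and it skips reserved `aws:`-prefixed tag keys. The EC2 client is injected so the logic runs offline against a constructed stand-in; the `FakeEC2` class, ids and tags are assumptions, and inside Lambda the real `boto3.client("ec2")` is used instead.

```python
# Tag-inheriting Lambda sketched in the question, driven by the CloudTrail-based rule in
# the answer. The EC2 client is injected so the logic runs offline; inside Lambda pass
# boto3.client("ec2"), whose describe_tags/create_tags calls have the shapes used here.
# All ids and tags below are constructed placeholders.
class FakeEC2:
    """Stand-in for the subset of boto3's EC2 client the handler uses."""
    def __init__(self, instance_tags):
        self.instance_tags = instance_tags  # {instance_id: {key: value}}
        self.created = []  # (resource_ids, tags) recorded by create_tags

    def describe_tags(self, Filters):
        ids = next(f["Values"] for f in Filters if f["Name"] == "resource-id")
        return {"Tags": [{"Key": k, "Value": v, "ResourceId": i, "ResourceType": "instance"}
                         for i in ids for k, v in self.instance_tags.get(i, {}).items()]}

    def create_tags(self, Resources, Tags):
        self.created.append((Resources, Tags))

def inherit_volume_tags(detail, ec2):
    """Copy the instance's tags onto the volume named in a successful AttachVolume call;
    returns the tags applied, or [] when nothing should be done."""
    if detail.get("eventName") != "AttachVolume":
        return []
    # CloudTrail also records failed calls, marked with errorCode; only act on successes.
    if "errorCode" in detail:
        return []
    params = detail.get("requestParameters") or {}
    volume_id, instance_id = params.get("volumeId"), params.get("instanceId")
    if not volume_id or not instance_id:
        return []
    tags = ec2.describe_tags(Filters=[{"Name": "resource-id", "Values": [instance_id]}])["Tags"]
    # "aws:"-prefixed keys are reserved and cannot be set by callers, so skip them.
    to_apply = [{"Key": t["Key"], "Value": t["Value"]} for t in tags if not t["Key"].startswith("aws:")]
    if to_apply:
        ec2.create_tags(Resources=[volume_id], Tags=to_apply)
    return to_apply

def handler(event, context=None, ec2=None):
    """Lambda entry point for the 'AWS API Call via CloudTrail' rule above."""
    if ec2 is None:
        import boto3  # only imported when running inside Lambda
        ec2 = boto3.client("ec2")
    return {"applied": inherit_volume_tags(event.get("detail") or {}, ec2)}

# Constructed AttachVolume records as CloudTrail delivers them in event["detail"].
SAMPLE_DETAIL = {"eventName": "AttachVolume", "eventSource": "ec2.amazonaws.com",
                 "requestParameters": {"volumeId": "vol-0aaaaaaaaaaaaaaaa",
                                       "instanceId": "i-0bbbbbbbbbbbbbbbb", "device": "/dev/xvdf"}}
FAILED_DETAIL = dict(SAMPLE_DETAIL, errorCode="Client.VolumeInUse")
```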

How to create AWS spot instance via AWS CLI

I am using the AWS CLI to create an AWS spot instance, but each time I get the error below.
"An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation."
Note: I am able to create a spot instance from the EC2 console (GUI) successfully.
Below is the AWS CLI command:
```shell
aws ec2 request-spot-instances --spot-price "0.003" --instance-count 1 --type "persistent" --launch-specification file://param.json --instance-interruption-behavior "stop" --profile ""
```
Contents of param.json:
```json
{
  "ImageId": "ami-0123456",
  "UserData": "file:://my_script.txt",
  "KeyName": "gistdev_default_rsa",
  "SecurityGroupIds": [ "sg-0123456" ],
  "InstanceType": "t2.medium",
  "Placement": {
    "AvailabilityZone": "us-west-2a"
  },
  "NetworkInterfaces": [
    {
      "DeviceIndex": 0,
      "SubnetId": "subnet-0123456",
      "Groups": [ "sg-0123456" ],
      "AssociatePublicIpAddress": true
    }
  ]
}
```
I have not specified "IamInstanceProfile" parameter in json file. Is this mandatory to have it?
~Ashish
Just because you can create spot instances using console (GUI) does not mean you can create them using CLI. What can go wrong?
Is API/SDK access enabled for the user?
How are the credentials supplied to the CLI? Using access/secret keys or using the metadata server (IAM profile)?
Are the credentials supplied to the CLI different from those of the IAM user using the console/GUI? (most likely reason)
Is the CLI getting credentials in some other way? See: Configuration Settings and Precedence
The IAM user is missing the AmazonEC2SpotFleetRole permission. Try again after attaching the AWS managed AmazonEC2SpotFleetRole policy to your IAM user.
It is not mandatory to add "IamInstanceProfile" to the JSON file when creating a spot instance. IamInstanceProfile is a role that can be assumed by the EC2 entity as a trusted entity.
When you create a new user, you have the option to grant them "Programmatic access" and/or "AWS Management Console access".
You need to be sure "Programmatic access" is enabled for users who need to use the CLI.