Using AWS CLI to enable encryption for SNS topic - amazon-web-services

Is there a way to use the AWS CLI to modify attributes of an SNS topic?
I'm trying to enable encryption for an SNS topic, but the documentation presented here
https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html
only specifies 2 methods:
Using the AWS Console
Using the Java AWS SDK

Here is what you are looking for:
https://docs.aws.amazon.com/cli/latest/reference/sns/set-topic-attributes.html
--attribute-name (string)
A map of attributes with their corresponding values.
The following attribute applies only to server-side-encryption :
KmsMasterKeyId - The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see Key Terms. For more examples, see KeyId in the AWS Key Management Service API Reference.

Use the set-topic-attributes command.
Example:
aws sns set-topic-attributes --topic-arn arn:aws:sns:us-west-2:123456789012:MyTopic --attribute-name KmsMasterKeyId --attribute-value arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
You can also use the key ID, the key ARN, or just the alias name for the attribute value.
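An added example (not part of the answer above) that wraps the same set-topic-attributes call in a script: it classifies the KmsMasterKeyId value (key ID, key ARN, alias name or alias ARN), rejects a key ARN whose region differs from the topic's region (SNS needs the key in the topic's region), applies the attribute, and then reads it back with get-topic-attributes, because set-topic-attributes prints nothing on success. The topic ARN, key references and the AWS variable are placeholders/assumptions; the CLI must be on PATH with sns:SetTopicAttributes and sns:GetTopicAttributes on the topic.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Enables SSE on an SNS topic
# with the AWS CLI and confirms the attribute stuck.
# Assumptions: AWS CLI on PATH with credentials for the topic; the ARNs used
# in the usage line are placeholders.

AWS="${AWS:-aws}"

# Field N (1-based) of a colon-separated ARN:
# arn:partition:service:region:account:resource
arn_field() {
    printf '%s' "$1" | cut -d: -f"$2"
}

# Classify the value accepted for KmsMasterKeyId:
# a bare key ID, a key ARN, an alias name, or an alias ARN.
classify_key_ref() {
    case "$1" in
        arn:*:kms:*:*:key/*)                      echo key-arn ;;
        arn:*:kms:*:*:alias/*)                    echo alias-arn ;;
        alias/*)                                  echo alias-name ;;
        ????????-????-????-????-????????????)     echo key-id ;;
        *)                                        echo invalid ;;
    esac
}

# Returns 0 when the key reference is usable with the topic, 1 otherwise.
# A KMS ARN carries a region; the topic's key must live in the topic's region,
# so a mismatch is rejected before any API call is made.
check_key_ref() {
    topic_arn="$1"; key_ref="$2"
    case "$(classify_key_ref "$key_ref")" in
        invalid) return 1 ;;
        key-arn|alias-arn)
            [ "$(arn_field "$key_ref" 4)" = "$(arn_field "$topic_arn" 4)" ] || return 1 ;;
    esac
    return 0
}

enable_sns_sse() {
    topic_arn="$1"; key_ref="$2"
    check_key_ref "$topic_arn" "$key_ref" || {
        echo "refusing: '$key_ref' is not a usable KMS reference for $topic_arn" >&2
        return 1
    }
    "$AWS" sns set-topic-attributes \
        --topic-arn "$topic_arn" \
        --attribute-name KmsMasterKeyId \
        --attribute-value "$key_ref" || return 1
    # Read it back: an empty or "None" value means the topic is still unencrypted.
    applied="$("$AWS" sns get-topic-attributes --topic-arn "$topic_arn" \
        --query 'Attributes.KmsMasterKeyId' --output text)"
    [ -n "$applied" ] && [ "$applied" != "None" ] || {
        echo "verification failed: KmsMasterKeyId is '$applied'" >&2; return 1; }
    echo "SSE enabled on $topic_arn with $applied"
}

# Usage (placeholder ARNs):
# enable_sns_sse arn:aws:sns:us-west-2:123456789012:MyTopic alias/MySnsKey
```

One caveat worth knowing before picking alias/aws/sns: the policy of that AWS managed key cannot be edited, so other AWS services that publish to the topic (CloudWatch alarms, S3 event notifications and the like) will fail to encrypt once SSE is on. For those sources use a customer managed key whose key policy grants the publishing service principal kms:GenerateDataKey* and kms:Decrypt.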

Related

CDK Reading From Vault

In Terraform, we can read the values from Vault (stored in AWS SSM as secure strings). However, with CDK we have to put them in SSM or Secrets Manager and read the value in CDK. Is there a way CDK can read from the Vault?
It should be possible using AWS Custom Resources. AWS CDK provides a way to create custom resources that respond to CloudFormation's CRUD events (https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html).
According to the AWS Custom Resource docs, "return values are defined by the custom resource provider, and are retrieved by calling Fn::GetAtt on the provider-defined attributes". So after creating a custom resource that returns your Hashicorp Vault key as an attribute, you can have another resource reference that value using Fn::GetAtt in CDK, and the value should not get publicly exposed in the CloudFormation template.
Another alternative could be to sync secret values between Hashicorp Vault and AWS SSM/SecretsManager.

AWS Crossaccount - Parameters Store / Secrets Manager access to parameters in AWS CDK

I'm wondering if something is possible at all, or I'm trying to build something that is not possible from the start.
Let's say within Account A there is an RDS DB Password, (can be any AWS resource ID or value) that I have stored in Secrets Manager or Parameter Store.
Now I want to use that value in AWS CDK in Account B, is this possible?
It is possible to retrieve the value based on ARN, see: https://bobbyhadz.com/blog/get-secrets-manager-values-aws-cdk#get-secrets-manager-value-by-arn---alternative but would this work cross-account?
You can attach a policy to your secret granting access to another AWS account. Check https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/
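An added example (not from the answer above) of doing that sharing from the CLI in Account A: it builds the resource policy that lets Account B read the secret, refuses to apply it while the secret is still encrypted with the AWS managed key aws/secretsmanager (the key policy of that key cannot be edited, so Account B could never decrypt; the secret has to use a customer managed key whose policy also grants Account B kms:Decrypt), and then calls put-resource-policy. Account IDs, the secret ARN and the AWS variable are placeholders/assumptions; the CLI must be on PATH with secretsmanager:DescribeSecret and secretsmanager:PutResourcePolicy on the secret.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Shares a Secrets Manager
# secret in this account with another account via a resource policy.
# Assumptions: AWS CLI on PATH with credentials in the owning account;
# account IDs and ARNs in the usage line are placeholders.

AWS="${AWS:-aws}"

# describe-secret omits KmsKeyId when the secret is encrypted with the AWS
# managed key aws/secretsmanager, so `--output text` prints "None" for it.
# Returns 0 when the value indicates the AWS managed key.
uses_aws_managed_key() {
    case "$1" in
        ""|None|*alias/aws/*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Resource policy allowing the other account's root (so its IAM policies
# decide which principals there may read) to fetch and describe the secret.
secret_share_policy() {
    secret_arn="$1"; account_id="$2"
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":["secretsmanager:GetSecretValue","secretsmanager:DescribeSecret"],"Resource":"%s"}]}' \
        "$account_id" "$secret_arn"
}

share_secret_with_account() {
    secret_arn="$1"; account_id="$2"
    kms_key="$("$AWS" secretsmanager describe-secret --secret-id "$secret_arn" \
        --query KmsKeyId --output text)" || return 1
    if uses_aws_managed_key "$kms_key"; then
        echo "refusing: $secret_arn uses the AWS managed key; cross-account reads need a customer managed key whose key policy grants $account_id kms:Decrypt" >&2
        return 1
    fi
    # --block-public-policy rejects a policy that would open the secret to everyone.
    "$AWS" secretsmanager put-resource-policy --secret-id "$secret_arn" \
        --resource-policy "$(secret_share_policy "$secret_arn" "$account_id")" \
        --block-public-policy
}

# Usage (placeholders):
# share_secret_with_account arn:aws:secretsmanager:us-east-1:111111111111:secret:db-pass-AbCdEf 222222222222
```

From Account B the secret is then read by its full ARN, and the role doing the read (the CDK deployment role or whatever runtime role resolves the value) still needs its own IAM allow for secretsmanager:GetSecretValue on that ARN and kms:Decrypt on the key; the resource policy alone is not enough.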

How to use aws provided kms Encryption Key for SQS in Terraform

I want to configure my SQS Terraform script to use an AWS-provided SSE key.
I know that you can do this with the following code:
resource "aws_sqs_queue" "terraform_queue" {
  name                              = "terraform-example-queue"
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}
But with this example I need to first create my own KMS key. In the AWS console it is possible to use a default one without creating one myself. How do I do this in Terraform, what do I have to type in kms_master_key_id?
The default key for any service is given by the alias alias/aws/$service. So when you refer to alias/aws/sqs you're using the default AWS managed KMS key for that service in that region.
This is briefly covered in the AWS user guide:
The alias name cannot begin with aws/. The aws/ prefix is reserved by Amazon Web Services to represent AWS managed CMKs in your account.

Find Cloudwatch log group for a given resource

I'm creating a logs aggregator lambda to send Cloudwatch logs to a private log analysis service. Given the number of resources used by my employer, it was decided to create a subscription lambda that handles log group subscription to the aggregator.
The solution works fine, but it requires manually searching for a resource's log group via the Amazon console and then invoking the subscription lambda with it.
My question:
Is there a way to, given a resource arn, find which log group is mapped to it? Since I'm using Cloudformation to create resources it is easy to export a resource's arn.
UPDATE
To present an example:
Let's say I have the following arn:
arn:aws:appsync:<REGION>:<ACCOUNTID>:apis/z3pihpr4gfbzhflthkyjjh6yvu
which is an Appsync GraphQL API.
What I want is a method (using the API or some automated solution) to get the CloudWatch log group of that resource.
You can try the describe-log-groups command. It is available in the CLI, so it must also be there in the API.
To get the names of the log groups you can go with:
aws logs describe-log-groups --query 'logGroups[*].logGroupName' --log-group-name-prefix '/aws/appsync/[name-of-the-resource]'
Output will look like this:
[
    "/aws/appsync/[name-of-your-resource]"
]
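An added example (not from the answer above) that automates the lookup end to end for the asker's case and generalizes it a little: it derives the log group prefix from the resource ARN for services whose naming convention is fixed (Lambda writes to /aws/lambda/<function-name>, AppSync to /aws/appsync/apis/<api-id>, CodeBuild to /aws/codebuild/<project-name>), confirms the group exists with describe-log-groups, and attaches the subscription filter to the aggregator. Any service not in the table is refused rather than guessed. The AWS variable, the aggregator Lambda ARN and the other ARNs are placeholders/assumptions; the CLI must be on PATH with logs:DescribeLogGroups and logs:PutSubscriptionFilter.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Maps a resource ARN to its
# CloudWatch log group and subscribes that group to an aggregator Lambda.
# Assumptions: AWS CLI on PATH with credentials; ARNs in the usage line
# are placeholders.

AWS="${AWS:-aws}"

# Map an ARN to the log group prefix its service writes to. Only services
# with a documented fixed convention are handled; anything else returns 1
# so the caller falls back to a manual lookup instead of guessing.
log_group_prefix_for_arn() {
    service="$(printf '%s' "$1" | cut -d: -f3)"
    resource="$(printf '%s' "$1" | cut -d: -f6-)"   # everything after the account id
    case "$service" in
        lambda)                                     # function:NAME[:VERSION|ALIAS]
            name="${resource#function:}"
            printf '/aws/lambda/%s\n' "${name%%:*}" ;;
        appsync)                                    # apis/API-ID
            printf '/aws/appsync/apis/%s\n' "${resource#apis/}" ;;
        codebuild)                                  # project/NAME
            printf '/aws/codebuild/%s\n' "${resource#project/}" ;;
        *)  return 1 ;;
    esac
}

# Print the log group names under the derived prefix (there may be several,
# tab-separated on one line because of --output text).
find_log_groups() {
    prefix="$(log_group_prefix_for_arn "$1")" || {
        echo "no known log group convention for $1" >&2; return 1; }
    "$AWS" logs describe-log-groups --log-group-name-prefix "$prefix" \
        --query 'logGroups[*].logGroupName' --output text
}

# Subscribe every matching log group to the aggregator Lambda.
# An empty filter pattern forwards all events.
subscribe_resource_logs() {
    resource_arn="$1"; aggregator_arn="$2"
    groups="$(find_log_groups "$resource_arn")" || return 1
    [ -n "$groups" ] && [ "$groups" != "None" ] || {
        echo "no log group yet for $resource_arn (nothing has been logged so far?)" >&2
        return 1; }
    for group in $groups; do
        "$AWS" logs put-subscription-filter --log-group-name "$group" \
            --filter-name aggregator --filter-pattern "" \
            --destination-arn "$aggregator_arn"
    done
}

# Usage (placeholder ARNs):
# subscribe_resource_logs \
#     arn:aws:appsync:us-east-1:123456789012:apis/z3pihpr4gfbzhflthkyjjh6yvu \
#     arn:aws:lambda:us-east-1:123456789012:function:log-aggregator
```

Two things trip this up in practice: a log group only exists once something has been written to it (a Lambda creates its group on first invocation, and an AppSync API only logs after logging is enabled on the API), and the destination Lambda must allow CloudWatch Logs to invoke it (a lambda add-permission grant for the logs.<region>.amazonaws.com principal) or put-subscription-filter is rejected.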

Alternative to updating SNS subscriptions using AWS CloudFormation

There's an AWS CloudFormation stack which defines an SNS topic and an SNS subscription. In another Ansible task, I want to update another subscription, but this isn't possible as SNS subscriptions can't be updated.
I'm using Ansible to run CloudFormation. What are the alternatives?
Club AWS CLI with Ansible and then execute plays which contain AWS CLI content?
Create a custom module in Ansible using boto? But this would be difficult, as I would have to store SNS ARNs and give those to the custom module.
Ansible v2.0 added support for an sns_topic module. You can provide a name or ARN of an existing SNS topic to converge. You also probably want to set purge_subscriptions to False so any existing subscriptions are not removed.
- name: Update SNS topic subscriptions
  sns_topic:
    name: "my-topic"
    purge_subscriptions: False
    subscriptions:
      - endpoint: "some-email@example.com"
        protocol: "email"
http://docs.ansible.com/ansible/sns_topic_module.html