AWS SES ConfigurationSet Delivery Option using AWS CLI - amazon-web-services

I'm struggling to fully understand the way configuration sets and their associated delivery options work.
I'm trying to ensure that each message sent via AWS SES will enforce TLS encryption rather than using the default opportunistic approach.
As per the official documentation I have created a new set using the AWS CLI:
aws ses put-configuration-set-delivery-options --configuration-set-name TlsEncryption --delivery-options TlsPolicy=Require
But I cannot seem to verify that this delivery option is actually attached to this configuration set.
When I run
aws ses describe-configuration-set --configuration-set-name=TlsEncryption
I only get
{
    "ConfigurationSet": {
        "Name": "TlsEncryption"
    }
}
therefore I'm unsure whether the delivery option has actually been set on it and will work with each call when using X-SES-CONFIGURATION-SET: TlsEncryption or not.
Could someone shine some light on it please?

It's buried in the AWS CLI enumerations.
aws ses describe-configuration-set --configuration-set-name tls-config-set --configuration-set-attribute-names deliveryOptions --region=eu-west-1
Note: the magic enum is deliveryOptions
{
    "ConfigurationSet": {
        "Name": "tls-config-set"
    },
    "DeliveryOptions": {
        "TlsPolicy": "Require"
    }
}

Related

Is it possible to auto enable AWS Config on addition of a new account to organisation?

AWS has auto-join/auto-enable recording of new resources and accounts in Security Hub, which I am happily using.
I wanted to enable the same kind of setting for AWS Config, which currently requires manual setup for all new accounts of my organisation. However, I failed to find anything similar to the aforementioned Security Hub feature in Config.
Am I missing it, or is it currently not available out of the box?
#Ido Van Orell I do not think there is a native feature in AWS Config, but what you can leverage for this is CloudFormation StackSets.
Create a CloudFormation template that enables AWS Config. Deploy it as a StackSet with automatic deployment enabled. This should ensure that when a new account joins your org AWS Config is enabled.
If you are using AWS Control Tower by any chance, you also get an event when an account is vended, which you can run automation off the back of.
{
    "detail-type": ["AWS Service Event via CloudTrail"],
    "source": ["aws.controltower"],
    "detail": {
        "eventName": ["CreateManagedAccount"],
        "serviceEventDetails": {
            "createManagedAccountStatus": { "state": ["SUCCEEDED"] }
        }
    }
}
Use AWS Config Aggregator's integration with AWS Organizations to get a single-pane-of-glass view across all accounts and regions of the org where Config is enabled. Refer to this.

Cloudwatch Event Rule not supporting IAM events

I'm attempting to set up a CloudWatch Event Rule to notify on any AWS IAM actions like DeleteUser or CreateUser. But when I tried to create an event pattern I couldn't find IAM in the service name list, even though when I searched the AWS documentation I can't find a mention of IAM not being supported by CloudWatch event rules. So I tried to create a custom event, but I didn't receive any email from SNS (my target), and yes, I made sure CloudWatch has permissions to invoke SNS as we already have other working events. Any idea why this is not working?
{
    "source": [
        "aws.iam"
    ],
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "iam.amazonaws.com"
        ],
        "eventName": [
            "CreateUser",
            "DeleteUser"
        ]
    }
}
I figured it out: IAM emits CloudTrail events only in us-east-1 and I'm using a different region. It worked when I created the CloudWatch event in N. Virginia.
The source parameter needs to be "aws.cloudtrail" not "aws.iam".
IAM policy is a global service. It can only report in us-east-1 (N. Virginia).
I have the same exact config and the region is the same as well, but creating a new user still doesn't trigger the event, as there is an event in CloudTrail as well as in the monitoring of the event rule created. I see that they say in the documentation that CloudTrail has to be enabled, but when I create a rule for security group modification, which is an EC2 event, it works fine, but not with the IAM one. Is there any permission that I am missing for AWS events to send logs to CloudTrail? If so, how did you guys resolve it?
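The matching semantics that both this question's IAM pattern and the Control Tower pattern in the AWS Config answer above rely on (pattern keys are AND-ed, list values are OR-ed, nested objects recurse, unmentioned event fields are ignored), as an added offline example that is not from either post. The sample events are constructed, and the matcher covers only the exact-value form these two patterns use, not EventBridge's prefix or anything-but filters:

```python
import copy

# Pattern from the question: IAM API calls recorded by CloudTrail.
IAM_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"],
               "eventName": ["CreateUser", "DeleteUser"]},
}
# Pattern from the Control Tower answer: an account was vended successfully.
CONTROL_TOWER_PATTERN = {
    "detail-type": ["AWS Service Event via CloudTrail"],
    "source": ["aws.controltower"],
    "detail": {"eventName": ["CreateManagedAccount"],
               "serviceEventDetails": {"createManagedAccountStatus": {"state": ["SUCCEEDED"]}}},
}

def matches(pattern, event):
    """Exact-match semantics of a CloudWatch Events / EventBridge pattern:
    every pattern key must exist in the event (AND), a list means 'any of
    these literal values' (OR), and a nested dict recurses.  Event fields
    the pattern does not mention are ignored.  Region is never part of the
    pattern: as the answers note, IAM's CloudTrail events are delivered in
    us-east-1, so the rule itself has to live there."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

# Constructed sample events shaped like CloudTrail deliveries (not real records).
CREATE_USER_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
               "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
}
LIST_USERS_EVENT = copy.deepcopy(CREATE_USER_EVENT)
LIST_USERS_EVENT["detail"]["eventName"] = "ListUsers"   # read-only call, not in the OR list
ACCOUNT_VENDED_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount",
               "serviceEventDetails": {"createManagedAccountStatus": {"state": "SUCCEEDED"}}},
}
```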

Are there tools to view SQS queue status with only API keys?

I am working on Amazon SES with SQS to receive the bounce list of the email. For security reasons, I am only given the information that is necessary to connect to the SES and SQS services (host name, API keys, etc.), so I am not able to use the AWS console to see the status of the queue. This is reasonable as I don't want to mess with many other services that are under the same account, especially when the services are not free. However, as the job is added to SQS by SES, I would need a way to see what's in SQS, so as to know if the bug is because the job is not inside SQS or simply because my code failed to retrieve the job.
So, are there tools with which I can view the SQS status when I don't have access to the AWS console?
Yes, you can use the AWS CLI (https://aws.amazon.com/cli/) to view basic information about the queue:
For example:
aws sqs get-queue-attributes --queue-url https://sqs.us-east-1.amazonaws.com/99999999/HBDService-BackgroundTaskQueue --attribute-names All
will show you this:
{
    "Attributes": {
        "LastModifiedTimestamp": "1522235654",
        "ApproximateNumberOfMessages": "7",
        "ReceiveMessageWaitTimeSeconds": "20",
        "CreatedTimestamp": "1522235629",
        "ApproximateNumberOfMessagesDelayed": "0",
        "QueueArn": "arn:aws:sqs:us-east-1:999999999:HBDService-BackgroundTaskQueue",
        "RedrivePolicy": "{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:999999999:HBDService-BackgroundTaskQueue-DLQ\",\"maxReceiveCount\":100}",
        "MaximumMessageSize": "262144",
        "DelaySeconds": "0",
        "ApproximateNumberOfMessagesNotVisible": "0",
        "MessageRetentionPeriod": "1209600",
        "VisibilityTimeout": "180"
    }
}

AWS IoT Thing can't trigger AWS Lambda function?

I set up my Lambda function according to the AWS guides by setting a trigger in the setup stage (the guide, except that the guide is using the IoT button and I'm using a rule).
It sets up the trigger rule in the AWS IoT console for me. The thing is set up with a certificate and an "iot:*" policy which gives it full IoT access.
The thing is continuously sending messages to the cloud under a certain topic. The messages can be received if I subscribe to it in the AWS IoT Test console.
My lambda function gets triggered if I publish something under that topic from the AWS IoT Test console.
But the function doesn't trigger from the continuous messages sent by the thing. It only triggers from the IoT Test console.
I didn't add any other policy under certificates for the thing in relation to this trigger. Do I have to do so? What should it be?
I tried changing my topic SQL to SELECT * FROM '*'
Try to change your SQL to SELECT * FROM '#'. With # you get every published topic. When you use *, then you don't get topics, e.g. sample/newTopic.
With this SQL statement the Lambda function gets invoked for every incoming message. When the AWS IoT Console shows the message and your Lambda function doesn't do anything, check whether Lambda wrote a log in CloudWatch.
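An added example, not from this answer, that implements the MQTT topic-filter matching behind a rule's FROM clause so the difference between '*' (a literal), '#' (all remaining levels) and '+' (exactly one level) can be checked offline; rule_topic_filter and topic_matches are hypothetical helpers, and the SQL strings are the ones from this thread:

```python
import re

def topic_matches(topic_filter, topic):
    """Return True if an MQTT topic filter (as written in an AWS IoT rule's
    FROM clause) selects `topic`.  Levels are split on '/'; '+' matches
    exactly one level; '#' must be the final level and matches the rest of
    the topic, including zero further levels; anything else, '*' included,
    is a literal and must match character for character."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            # '#' anywhere but the last position is an invalid filter: match nothing.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False          # filter is longer than the topic
        if f != "+" and f != t_levels[i]:
            return False          # literal level mismatch ('*' lands here)
    return len(f_levels) == len(t_levels)

def rule_topic_filter(sql):
    """Pull the quoted topic filter out of a rule SQL statement's FROM clause
    (AWS IoT SQL accepts single or double quotes; the keyword is case-insensitive)."""
    m = re.search(r"\bFROM\s+['\"]([^'\"]+)['\"]", sql, re.IGNORECASE)
    if not m:
        raise ValueError("no FROM clause with a quoted topic filter: %r" % sql)
    return m.group(1)

def rule_selects(sql, topic):
    """True if a message published on `topic` would reach the rule's actions."""
    return topic_matches(rule_topic_filter(sql), topic)
```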
If your AWS IoT Thing can't trigger your AWS Lambda function, you may have a JSON mapping issue and may also need to improve your SQL query. In my case, I used the following code to provide Lambda a clean input:
SELECT message.reported.* from "#"
With JSON mapping:
{
    "desired": {
        "light": "green",
        "Temperature": "55",
        "timestamp": 1526323886
    },
    "reported": {
        "light": "blue",
        "Temperature": "55",
        "timestamp": 1526323886
    },
    "delta": {
        "light": "green"
    }
}
Then you analyze the CloudWatch logs:
Then, check your AWS IoT Console for shadow updates (green below - "Atualizações de sombra") and also Publications (orange).
So, your solution will look like this:
For full details of an end-to-end implementation of AWS IoT using Lambda, please access:
IoT Project - CPU Temperature from Ubuntu to AWS IoT

How do I download my IoT certificate created via CloudFormation?

I'm using AWS CloudFormation to create an IoT Thing, Policy and Certificate. My stack creates successfully, however, I can't access the certificate file that CloudFormation creates.
Looking at the aws docs here the only output you can get from the certificate via CloudFormation is the ARN and the Certificate ID. However, there is no way to retrieve your certificate using the ARN or Certificate ID that I can see.
If you upload your certificate signing request (CSR) via the AWS IoT Console, it displays a download link that you can get your certificate file.
Unfortunately I need to use CloudFormation to create the IoT Certificate. However it looks like you can download the certificate after it's been created. Specifically it states:
Certificates can be retrieved at any time
I have been unsuccessfully scouring the docs and web interface to figure out how I can download my certificate "at any time". I'm relatively new to the whole world of certs and private keys so hopefully I missed something easy.
Does anyone know if it is possible to get your certificate from an IoT Certificate created by CloudFormation?
Certificates created using CloudFormation (via a CSR) can be retrieved in the following ways:
AWS IoT webpage
Just navigate to Security - Certificates, click on ... and select Download.
AWS CLI
As you mention, the CLI is also an option:
aws iot describe-certificate --certificate-id fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3
will return
{
    "certificateDescription": {
        "certificateArn": "arn:aws:iot:eu-central-1:xxxxxx",
        "status": "ACTIVE",
        "certificateId": "fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3",
        "lastModifiedDate": 1519840881.49,
        "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDsTCCApmg.....VsAzFQ==\n-----END CERTIFICATE-----\n",
        "transferData": {},
        "ownedBy": "123456789",
        "creationDate": 1519840820.888
    }
}
Amazon IoT SDK
The SDK can also be used to retrieve the certificate content (PEM format) as a String based on a certificate ID (which you can output via CloudFormation):
import com.amazonaws.services.iot.AWSIot;
import com.amazonaws.services.iot.AWSIotClientBuilder;
import com.amazonaws.services.iot.model.DescribeCertificateRequest;
import com.amazonaws.services.iot.model.DescribeCertificateResult;

// Client built from the default credential and region provider chain
AWSIot awsIot = AWSIotClientBuilder.defaultClient();
DescribeCertificateRequest describeCertificateRequest = new DescribeCertificateRequest();
describeCertificateRequest.setCertificateId("fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3");
DescribeCertificateResult describeCertificateResult = awsIot.describeCertificate(describeCertificateRequest);
// Only the PEM-encoded certificate body is returned; the private key is never served by this API
String certificatePem = describeCertificateResult.getCertificateDescription().getCertificatePem();
AFAIK it is not possible to output it as a variable within a CloudFormation template.
Ah I found a way using the AWS CLI. But there really needs to be a way to get it via CloudFormation :(
http://docs.aws.amazon.com/cli/latest/reference/iot/describe-certificate.html