Get information about the role that creates an AWS resource - amazon-web-services

I'm creating a Lambda function to tag resources with a specific tag depending on the role that creates the resource:
    # Tag the newly created instances according to the role that created them
    if role == 'dev':
        ec2.create_tags(Resources=instance_ids, Tags=[{'Key': 'environment', 'Value': 'dev'}])
    elif role == 'prod':
        ec2.create_tags(Resources=instance_ids, Tags=[{'Key': 'environment', 'Value': 'prod'}])
    # ...
My question:
How can I get information about the role that creates the resource?
Thanks in advance !!

AWS resources do not store "who" created the resource.
When an API call is sent to AWS to create a resource, AWS will check whether the provided credentials are permitted to create the resource (e.g. an Amazon EC2 instance). If they are permitted, then the resource is created and the resource is associated with an AWS account. No indication of who made the API request is stored on the resource.
However, you can use AWS CloudTrail to view an audit log of API calls, including the identity that made the API call. This identity might be associated with an IAM User or an IAM Role, or even the root credentials of the AWS account.
From Using AWS Lambda with Amazon CloudWatch Events - AWS Lambda:
Amazon CloudWatch events help you to respond to state changes in your AWS resources. When your resources change state, they automatically send events into an event stream. You can create rules that match selected events in the stream and route them to your AWS Lambda function to take action.
Thus, you can configure CloudWatch Events to trigger the Lambda function whenever a specific event happens (e.g. RunInstances). Full details of the event will be passed to the Lambda function, so it can determine who triggered that event.
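As an added example (not code from the question or the answer above): the Lambda handler that a CloudWatch Events / EventBridge rule on the RunInstances CloudTrail event would invoke. It pulls the creating identity out of the event's userIdentity block, decides the tag, and calls ec2:CreateTags. The role names "dev" and "prod", the tag key "environment" and the injected EC2 client are assumptions for illustration; the sample event is constructed in the shape EventBridge delivers for a CloudTrail-recorded call.

```python
"""
Added example: an EventBridge-triggered Lambda that reads the CloudTrail
RunInstances event it receives and tags the new instances with the role that
launched them. Illustrative code, not from the original post. Assumptions
(hypothetical): roles named "dev" and "prod", tag key "environment", and an
execution role allowed ec2:CreateTags on the new instances.
"""
import json

# Role name -> tag value. Launches by roles not listed here are left untagged.
ROLE_TO_ENV = {"dev": "dev", "prod": "prod"}   # assumed role names


def creating_principal(detail):
    """Return (kind, name) for the identity in a CloudTrail record.

    For an AssumedRole session the authoritative name is the role in
    sessionContext.sessionIssuer; the session name in the ARN is chosen by
    the caller, so it must never drive a decision.
    """
    ident = detail.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return "Role", issuer.get("userName")
    if kind == "IAMUser":
        return "IAMUser", ident.get("userName")
    if kind == "Root":
        return "Root", "root"
    return kind, None


def launched_instance_ids(detail):
    """Instance IDs from a RunInstances record's responseElements."""
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items if "instanceId" in i]


def plan_tags(event):
    """Decide which instances get which tag; returns (instance_ids, tags) or None."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    if detail.get("eventSource") != "ec2.amazonaws.com" or detail.get("eventName") != "RunInstances":
        return None
    if "errorCode" in detail:          # a denied/failed RunInstances created nothing
        return None
    kind, name = creating_principal(detail)
    if kind != "Role" or name not in ROLE_TO_ENV:
        return None
    ids = launched_instance_ids(detail)
    if not ids:
        return None
    return ids, [{"Key": "environment", "Value": ROLE_TO_ENV[name]}]


def handler(event, context=None, ec2=None):
    """Lambda entry point. `ec2` can be injected for testing; by default a
    boto3 client is created (boto3 is present in the Lambda runtime)."""
    plan = plan_tags(event)
    if plan is None:
        return {"tagged": []}
    ids, tags = plan
    if ec2 is None:
        import boto3            # imported lazily so the module loads without boto3
        ec2 = boto3.client("ec2", region_name=event.get("region"))
    ec2.create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids, "tags": tags}


# Constructed sample event: what EventBridge delivers for a CloudTrail-recorded
# RunInstances call made through the "dev" role.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/dev/alice-session",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "arn": "arn:aws:iam::123456789012:role/dev",
                    "userName": "dev",
                }
            },
        },
        "responseElements": {
            "instancesSet": {"items": [{"instanceId": "i-0abc123"}, {"instanceId": "i-0def456"}]}
        },
    },
}


class _RecordingEc2:
    """Stand-in for boto3's EC2 client used when running this file directly."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    fake = _RecordingEc2()
    print(json.dumps(handler(SAMPLE_EVENT, ec2=fake)))
```

Two practitioner notes: the function keys off sessionIssuer.userName rather than the session name in the ARN, because the session name is picked by whoever assumes the role, and it skips records carrying errorCode, since CloudTrail also records denied RunInstances calls that launched nothing.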

Related

How to know the IAM user who created a Lambda function

We have an AWS account with an IAM group; this group contains practically 6 users and most operations in the account are done by these 6 users.
There are 12 Lambda Functions that have been created in the account and there is a particular lambda function (created by one of the 6 users) that I am trying to know who created it (The Lambda function owner).
Please, is there a way to do this?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the resource.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Track AWS S3 bucket creation?

I'm working in an environment where anyone with the necessary access is allowed to create an S3 bucket; however, it's getting to a point where we have a lot of buckets and it is hard to keep track of who created the bucket. I know it is possible to tag the buckets with the owner name, but I am looking for a more automated solution.
Is it possible to invoke a lambda function every time a bucket is created? Or is it possible to track bucket creation with cloudtrail where system administrators would get an sns notification when an s3 bucket is created?
I know it is possible to configure s3 event notification inside a bucket to trigger lambda functions/cloudwatch metrics, but I need a trigger for the entire s3 application.
CloudTrail tracks all API actions occurring within an account. What you want to do is create a CloudWatch Events rule that triggers off the CreateBucket action, then have it invoke Lambda or trigger an SNS notification.
See: Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail
You can use EventBridge to get at these events, via CloudTrail. The example on here is of a CreateBucket request.

Detect Creation or Update of AWS Role, and trigger a lambda

I am trying to figure out a way to trigger a Lambda on the creation or update of a Role in AWS.
The use case is that when a Role is created, we need to update our Identity Server with the new or changed Role.
I'm looking at CloudTrail, and having mixed results. I could schedule a Lambda to run, but I'd prefer to make it more real time.
Any ideas?
Sounds like going CloudTrail's way is exactly what AWS suggested.
What issue did you run into?
AWS CloudTrail saves logs to an S3 bucket (object-created event).
Amazon S3 detects the object-created event.
Amazon S3 publishes the s3:ObjectCreated:* event to AWS Lambda by invoking the Lambda function, as specified in the bucket notification configuration. Because the Lambda function's access permissions policy includes permissions for Amazon S3 to invoke the function, Amazon S3 can invoke the function.
AWS Lambda executes the Lambda function by assuming the execution role that you specified at the time you created the Lambda function.
The Lambda function reads the Amazon S3 event it receives as a parameter, determines where the CloudTrail object is, reads the CloudTrail object, and then it processes the log records in the CloudTrail object.
You can apply Ensure a log metric filter and alarm exist for IAM policy changes and similar checks.
The alarm can put a message to SNS, for example.
Lambda can be triggered by that SNS message.
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.
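The two answers above (CreateBucket for S3, and CreateRole/UpdateRole for IAM) both come down to one EventBridge rule whose pattern selects CloudTrail-recorded API calls. The following is an added example, not code from either answer: it builds that event pattern, creates the rule with boto3's events.put_rule/put_targets, and includes a small offline matcher so the pattern can be checked against constructed sample events before deploying. The rule name, Lambda ARN and fake client are assumptions; granting EventBridge permission to invoke the function (lambda:AddPermission for events.amazonaws.com) and having a trail that records management events are prerequisites not shown here. One caveat a practitioner needs: IAM is a global service whose CloudTrail events surface in us-east-1, so the rule for the IAM calls has to be created in that region.

```python
"""
Added example (not code from the original answers): the EventBridge rule that
fires on CloudTrail-recorded CreateBucket, CreateRole and role-update calls, plus
a small matcher so the pattern can be checked offline against sample events.
Assumptions (hypothetical): rule name and target Lambda ARN below; the Lambda
resource policy allowing events.amazonaws.com to invoke it is granted separately.
IAM events are delivered in us-east-1, so create the IAM rule there.
"""
import json


def event_pattern():
    """EventBridge pattern for the management calls of interest."""
    return {
        "detail-type": ["AWS API Call via CloudTrail"],
        "source": ["aws.iam", "aws.s3"],
        "detail": {
            "eventSource": ["iam.amazonaws.com", "s3.amazonaws.com"],
            "eventName": ["CreateRole", "UpdateRole", "UpdateAssumeRolePolicy",
                          "AttachRolePolicy", "PutRolePolicy", "CreateBucket"],
        },
    }


def matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must be present in the
    event; a list means 'equals one of these'; a nested dict is matched
    recursively. Content filters such as {"prefix": ...} are not implemented."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def create_rule(events, rule_name, target_arn):
    """Create (or overwrite) the rule and point it at the Lambda. `events` is a
    boto3 'events' client or a stand-in; returns the rule ARN."""
    rule_arn = events.put_rule(
        Name=rule_name,
        EventPattern=json.dumps(event_pattern()),
        State="ENABLED",
    )["RuleArn"]
    events.put_targets(Rule=rule_name, Targets=[{"Id": "notify-lambda", "Arn": target_arn}])
    return rule_arn


def _ct_event(source, event_source, event_name, region="us-east-1"):
    """Constructed sample event in the shape EventBridge delivers from CloudTrail."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "region": region,
        "detail": {"eventSource": event_source, "eventName": event_name, "awsRegion": region},
    }


CREATE_ROLE = _ct_event("aws.iam", "iam.amazonaws.com", "CreateRole")
CREATE_BUCKET = _ct_event("aws.s3", "s3.amazonaws.com", "CreateBucket", "eu-west-1")
DESCRIBE_EC2 = _ct_event("aws.ec2", "ec2.amazonaws.com", "DescribeInstances")
LIST_ROLES = _ct_event("aws.iam", "iam.amazonaws.com", "ListRoles")


class _FakeEvents:
    """Records put_rule/put_targets calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def put_rule(self, **kw):
        self.calls.append(("put_rule", kw))
        return {"RuleArn": "arn:aws:events:us-east-1:123456789012:rule/" + kw["Name"]}

    def put_targets(self, **kw):
        self.calls.append(("put_targets", kw))
        return {"FailedEntryCount": 0}


if __name__ == "__main__":
    for ev in (CREATE_ROLE, CREATE_BUCKET, DESCRIBE_EC2, LIST_ROLES):
        print(ev["detail"]["eventName"], matches(event_pattern(), ev))
    print(create_rule(_FakeEvents(), "iam-and-s3-changes",
                      "arn:aws:lambda:us-east-1:123456789012:function:notify"))
```

The matcher implements only the exact-match subset of EventBridge semantics, which is all this pattern uses; it is there so the eventName list can be tuned and re-checked without round-tripping through AWS.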

Trigger for AWS creation of resources (tagging on resource creation)

I want to tag AWS resources like dynamodb tables or EC2 objects right at the time of creation.
I will be using id or name fields of the objects to tag the resources.
Is there any 'post-create' trigger available?
--
The current problem is that even if I run my script to tag AWS resources, I can't run it immediately after every resource creation, I end up seeing a lot of billing untagged.
You can do this through the AWS Service Catalog service, which has a capability for auto-tagging provisioned resources. AWS reference link: AutoTags are tags that identify the portfolio, product, and user that launched a product, and are automatically applied by AWS Service Catalog to provisioned resources.
You can configure a lambda function to write a tag based on the CloudTrail event that is generated whenever a resource is created.
To get Lambda to run against a CloudTrail event you need to set up your CloudTrail to write events to an S3 bucket, then trigger the Lambda on the object creation event in the bucket.
The lambda uses the bucket key in its context object to read the event and determine if a tag needs to be applied.
Check the AWS Documentation for further detail about triggering Lambda from CloudTrail.
Also GorillaStack has published an example on Github of using lambda to auto-tag newly created resources. You could use this as a basis for your solution.

How to Track AWS Resource created by an IAM user and store record in database?

I have created some IAM users to my AWS account with permission to launch instances.
Now I want to track and store their instance launch activity like time and instance ID in my MySQL or any other database.
Is there any way to achieve this, any suggestion will be appreciated.
All activities of an IAM user can be monitored using AWS CloudTrail. CloudTrail logs all the events.
The CloudTrail log is stored to an S3 bucket. You can use the storage trigger option in AWS Lambda functions to watch for a particular log.
In this case, the log for new EC2 instance creation.
In the Lambda function you need to add the code that takes that log information and stores it into a MySQL database that you have set up.
Refer to this post https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Also you can try creating a CloudWatch Events rule for EC2 instance creation, and it can trigger an AWS Lambda function which will do the data insert into the DB.
Here is a sample of a CloudWatch-based scheduler. You have to set up a specific trigger as per your need though.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
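The S3-triggered path described in this answer (and in the earlier "write events to an S3 bucket, then trigger the Lambda on the object creation event" answer) is spelled out below as an added example; it is not code from either answer. The handler receives the s3:ObjectCreated:* notification, fetches the gzipped CloudTrail file, keeps the successful RunInstances records, and writes one row per launched instance with a parameterised INSERT. The table name launches, its columns, the PyMySQL-style DB-API connection and the stand-in S3 client are assumptions; the log file and S3 event are constructed samples.

```python
"""
Added example, not from the original answers: a Lambda triggered by the S3
object-created notification on the CloudTrail bucket. It reads the gzipped log
file, keeps successful RunInstances records and writes one row per launched
instance to MySQL. Assumptions (hypothetical): a table
  launches(event_time, principal_type, principal_arn, region, instance_id)
and a DB-API connection (PyMySQL-style cursors) supplied by the caller.
"""
import gzip
import io
import json
from urllib.parse import unquote_plus


def parse_cloudtrail_file(gz_bytes):
    """Decompress one CloudTrail delivery file and return its records.
    Digest files landing in the same bucket carry no 'Records' and yield []."""
    doc = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    return doc.get("Records", [])


def launch_rows(records):
    """Rows for successful RunInstances calls, one per instance launched.
    userIdentity.arn is stored as-is; for a role session it has the form
    arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>."""
    rows = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") != "RunInstances":
            continue
        if "errorCode" in r:   # denied/failed call: nothing was launched
            continue
        ident = r.get("userIdentity", {})
        items = r.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            rows.append((r.get("eventTime"), ident.get("type"), ident.get("arn"),
                         r.get("awsRegion"), item.get("instanceId")))
    return rows


def insert_rows(conn, rows):
    """Parameterised insert (placeholders, never string formatting): the session
    name inside a role ARN is caller-chosen, so it must not reach SQL as text."""
    if not rows:
        return 0
    sql = ("INSERT INTO launches "
           "(event_time, principal_type, principal_arn, region, instance_id) "
           "VALUES (%s, %s, %s, %s, %s)")
    with conn.cursor() as cur:
        cur.executemany(sql, rows)
    conn.commit()
    return len(rows)


def handler(event, context=None, s3=None, conn=None):
    """Lambda entry point for the s3:ObjectCreated:* notification."""
    if s3 is None:
        import boto3                       # present in the Lambda runtime
        s3 = boto3.client("s3")
    total = 0
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])   # S3 URL-encodes keys in events
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        total += insert_rows(conn, launch_rows(parse_cloudtrail_file(body)))
    return {"inserted": total}


# Constructed sample: a CloudTrail delivery file with one successful launch of
# two instances, one denied launch, and an unrelated describe call.
SAMPLE_KEY = "AWSLogs/123456789012/CloudTrail/eu-west-1/2020/01/01/123456789012_CloudTrail_eu-west-1_20200101T1000Z_abc.json.gz"
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2020-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1"}, {"instanceId": "i-0b2"}]}}},
    {"eventTime": "2020-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2020-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]}).encode())
SAMPLE_S3_EVENT = {"Records": [{"s3": {"bucket": {"name": "trail-bucket"}, "object": {"key": SAMPLE_KEY}}}]}


class _FakeS3:
    """Serves constructed objects in place of boto3's S3 client."""
    def __init__(self, objects):
        self.objects = objects

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}


class _FakeConn:
    """Records executemany calls; stands in for a DB-API connection/cursor."""
    def __init__(self):
        self.executed, self.committed = [], False

    def cursor(self):
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def executemany(self, sql, rows):
        self.executed.append((sql, list(rows)))

    def commit(self):
        self.committed = True


if __name__ == "__main__":
    conn = _FakeConn()
    print(handler(SAMPLE_S3_EVENT, s3=_FakeS3({("trail-bucket", SAMPLE_KEY): SAMPLE_LOG}), conn=conn))
    print(conn.executed)
```

Note that the function's execution role needs only s3:GetObject on the trail bucket (plus KMS decrypt if the trail is encrypted) and the database credentials; it should not hold ec2 permissions of its own.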
You should use AWS CloudTrail:
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail.