I researched a lot but i'm not convinced or sure if it's possible or not, Your help would be really appreciated.
I want to learn if cross Region resource access is possible using resource based policy if yes then how in this case.
USE CASE:
Same Account Different Regions
AWS SES is in Account A and Region us-east-1
AWS Lambda Function is in Account A Region eu-central-1
I Want to accomplish AWS SES trigger AWS Lambda (Same Account Different Regions)
If this is not possible then your workaround would be appreciated, but understanding this is the main purpose here.
It doesn't look like you can trigger cross region lambda from SES
The Amazon SNS topic you choose must be in the same AWS region as the Amazon SES endpoint you use to receive email.
See
Lambda Action - Amazon Simple Email Service - AWS Documentation
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-action-lambda.html
As a workaround, consider using SQS based Subscribtions, to subscribe an Amazon SQS queue to an Amazon SNS topic in your target region.
See https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-subscribe-queue-sns-topic.html
Related
We have Mobile PlatformApplication arns in AWS account-1, and we can publish PNs to endpoint arns with our java-service in the same account.
But when trying to publish PNs with our java-service in different AWS accounts, we get com.amazonaws.services.sns.model.AuthorizationErrorException.
There seems no option to provide a resource-based policy for these SNS PlatformApplication. How can we solve this?
Thanks in Advance!
Today, you cannot do cross-account publishes directly to endpoints.
However, you can create an IAM role under the account with the endpoints that the other account is able to assume. Once the role has been assumed, the second account would be able to publish to the endpoint as usual.
can anyone help with the format to create an scp policy in json format to restrict the creation of any unencrypted sns topics? Thank you
I don't think this is possible because Actions, resources, and condition keys for Amazon SNS - Service Authorization Reference only lists Tags as the available Conditions for the CreateTopic command.
I have created AWS Config for SNS topic not encrypted with AWS KMS. Both SNS and AWS config are in the same region.
I have created 2 sample SNS topics but I can see only one in AWS Config.
AWS config Image:
SNS topics created:
Can anyone explain why the 2nd topic is not showing in AWS Config even though neither is encrypted with KMS?
Regards,
I would recommend checking it with CLI, because sometimes AWS UI works wonders and it just does not show it in the UI, but it is actually there. Either use boto3 for that or CLoudShell. For CloudShell here is the documentation and for boto3 it is here.
Scenario:
We have a S3 bucket in Region 1 (e.g. Oregon)
We have a Lambda function in Region 2 (e.g. Frankfurt)
We have configured S3 to send event notification whenever object is added to the bucket
Problem:
We need to invoke the Lambda which is in Region 2 using the S3 event notification which is generated in Region 1.
We are aware that cross account S3 event configuration with Lambda is allowed. But how to implement cross Region event and lambda invocation!
What we are thinking:
We thought of using SNS in between S3 and Lambda, but not sure if there is any other alternative available or is this the only way. Any help is appreciated.
As you say, the most straightforward approach is use SNS in the middle:
Region1 S3 notification has a Region1 SNS Topic Destination
Region2 Lambda has a cross-region subscription to the Region1 SNS Topic
S3 cannot send notifications directly cross-region.
You could also have S3 replicate the created items to Region2, at which point Region2 S3 can directly notify the Region2 Lambda, which may work if the items are small and latency not a big problem.
How do I find out what IAM user created certain metrics and alarms?
I tried CLI commands: describe-alarms and list-metrics and they don't seem to provide this information nor when looking at the configuration for the alarms and metrics in the AWS console.
While users call APIs to create resources in AWS, those resources are associated with the AWS Account rather than a user. As long as a user has permission to create resources in the account, the resources will be created/viewed/deleted.
However, you can use AWS CloudTrail to retrieve information about the API calls themselves:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.