AWS VPC Deleted/Pending alert - amazon-web-services

I'm struggling to find any information on whether it is possible to set up an alert whenever a VPC Peering connection was deleted or a new one is pending acceptance. Is it possible to set up such an alert? How/where should I look? AWS documentation is a nightmare to me and finding anything is even worse.

That is totally possible using AWS Config with SNS.
Read more about AWS Config here
A tutorial on how to Implement AWS Config with SNS

Related

AWS Config not showing full list of non-compliant resources

I have created AWS Config for SNS topic not encrypted with AWS KMS. Both SNS and AWS config are in the same region.
I have created 2 sample SNS topics but I can see only one in AWS Config.
AWS config Image:
SNS topics created:
Can anyone explain why the 2nd topic is not showing in AWS Config even though neither is encrypted with KMS?
Regards,
I would recommend checking it with the CLI, because sometimes the AWS UI works wonders and it just does not show it in the UI, but it is actually there. Either use boto3 for that or CloudShell. For CloudShell here is the documentation and for boto3 it is here.

Confused about filebeat AWS support

We are deploying multi-region (and possibly multi-cloud in the future).
Our ElasticSearch endpoint must thus be public.
I know I can add an IP-based policy on the AWS Elastic Search to essentially whitelist all endpoints which should be allowed to write their logs to the AWS ES service.
Looking for a "saner" alternative, I came across:
https://discuss.elastic.co/t/how-to-connect-beats-to-aws-elasticsearch-with-authentication/83465
and especially
https://forums.aws.amazon.com/thread.jspa?threadID=294252
the latter specifically saying:
"Filebeat doesn't support IAM authentication so using it with this AWS Elasticsearch service typically doesn't work."
However, I found this:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-aws.html#aws-credentials-options
which is the filebeat aws module, which seems to suggest that it actually may support it.
Couldn't find any official documentation nor blog which confirms that I could use filebeat on remote machines to send (authenticated? signed?) logs to a public AWS ElasticSearch endpoint, allowing me to keep the policy open without having to put a whitelist (or maybe I need both).

AWS MSK User/Password Authentication/Authorization

I want to be able to authenticate/authorize clients to produce/consume messages on certain topics. They would be part of our VPN (incl. AWS). As I understand the available documentation, the only option to do this is to issue client certificates and set up ACLs based on the clients' DNs? Unfortunately I was not able to use my private CA (that I've created on my Linux laptop) to create client certs. So the following questions arise:
1. Is it correct that I need to set up an AWS hosted CA (ACM PCA)? That would result in almost twice the setup costs incl. the minimum broker configs.
2. I could proxy the outer world into the MSK cluster via something like "kafka rest proxy" from Confluent - correct?
3. Am I missing something? Is there an easier way built into AWS?
Please enlighten me :)
Thanks in advance
marcel
1. Yes, I believe that's correct. To do client authentication over TLS, you need to provide the ARN of your private CA that's set up with AWS PCM at the time the cluster is created - and you have to use the aws command-line tool (aws kafka create-cluster ...) to create the cluster. The UI (last time I looked) didn't have anywhere to specify that ARN.
2. I don't know - we bit the bullet and set up a private CA with ACM.
3. Nope. We're hoping that eventually AWS will integrate IAM so you can authenticate as an IAM user instead of a client certificate, but that's not where it stands today. Today, it's client certificate only for authentication.
Support for Username and Password Security looks like what you want? I think it's new..
There's AWS Cognito which you might want to try https://aws.amazon.com/cognito/

AWS config questions on recording and notification

I have just started with AWS Config. I had set up AWS Config with EC2 instance as the resource and I am receiving notifications for any changes that are happening with AWS EC2 in my region.
a) My first question is whether I can record only for any specific VPC-related EC2 or only specific EC2?
Since I have quite a few VPCs and EC2 instances in my account region, I am getting a lot of change notifications.
b) Whether AWS is recording all the changes that happened in the EC2 instances in my region even though I turn off the recorder and I am getting a notification once I turn on the recorder with different settings, i.e. I change the resources to ec2::EIP?
You can choose to record all resource types supported by AWS Config or specific resource types such as EC2::Instance, EC2::NetworkInterface, IAM::User etc. AWS Config does not offer a capability to only record resources that are associated with a particular VPC. For example, if you choose to record EC2::Instance, AWS Config will start recording configuration changes to all EC2 instances in your AWS account.
If you choose to record only selective resource types, AWS Config will send you notifications when resources of the specified types get created, modified or deleted. For other resources that are not specified in the recorder, AWS Config only sends notifications when they are created or deleted.
If you are using an email client to receive notifications, you can use email filters to select the notifications of your interest. Alternatively, you can write a lambda function that subscribes to your SNS topic to filter notifications.
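A Lambda filter of the kind suggested above, written to answer the first question on this page as well (VPC peering connection deleted or pending acceptance). This is an added example, not code from any of the posters; the sample event is constructed, and the `status.code` field inside `configuration` is an assumption modeled on the EC2 describe output for peering connections.

```python
import json

WATCHED_TYPE = "AWS::EC2::VPCPeeringConnection"

def classify(message):
    """Return an alert string for one AWS Config notification, or None to drop it."""
    if not isinstance(message, dict) or \
            message.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    item = message.get("configurationItem") or {}
    if item.get("resourceType") != WATCHED_TYPE:
        return None
    rid = item.get("resourceId", "unknown")
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return f"{rid}: peering connection deleted"
    # Assumption: 'configuration' mirrors the EC2 describe output (status.code).
    # Deleted items may carry no configuration at all, hence the guards.
    code = ((item.get("configuration") or {}).get("status") or {}).get("code")
    if code == "pending-acceptance":
        return f"{rid}: peering connection pending acceptance"
    return None

def handler(event, context=None):
    """Lambda entry point for the SNS subscription; returns the alerts it kept."""
    alerts = []
    for record in event.get("Records", []):
        try:
            message = json.loads(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            continue  # not a JSON notification; ignore it
        alert = classify(message)
        if alert:
            alerts.append(alert)  # in a deployment, forward these to an alert channel
    return alerts

def _sns(item):  # wrap a constructed configuration item the way SNS delivers it
    body = {"messageType": "ConfigurationItemChangeNotification", "configurationItem": item}
    return {"Sns": {"Message": json.dumps(body)}}

# Constructed sample event (resource IDs are made up), not captured from a real account.
SAMPLE_EVENT = {"Records": [
    _sns({"resourceType": WATCHED_TYPE, "resourceId": "pcx-0example1",
          "configurationItemStatus": "ResourceDeleted", "configuration": None}),
    _sns({"resourceType": WATCHED_TYPE, "resourceId": "pcx-0example2",
          "configurationItemStatus": "ResourceDiscovered",
          "configuration": {"status": {"code": "pending-acceptance"}}}),
    _sns({"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example3",
          "configurationItemStatus": "OK", "configuration": {}}),
    {"Sns": {"Message": "plain-text message that is not JSON"}},
]}
```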

Is there a way to know who made a change in my AWS account?

I have set up event subscriptions for every action in RDS so I can be notified each time there is a change in the RDS infrastructure.
However, when the email arrives there is no info on which AWS user made the change, so that I could talk directly with him.
Is there such an option in AWS?
CloudTrail should have the required features you are looking for -
https://aws.amazon.com/cloudtrail/
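What the attribution looks like once CloudTrail is recording, as an added example that is not part of the original answer: each CloudTrail record carries a `userIdentity` element, and the function below reduces mutating RDS calls to who made them. The records are constructed samples using documentation account IDs and IP ranges.

```python
def actor(record):
    """Best-effort name of the principal behind one CloudTrail record."""
    ident = record.get("userIdentity") or {}
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident.get("userName", "unknown-user")
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        # The ARN ends in assumed-role/<role>/<session-name>; the session name is
        # what usually tells one person from another on a shared role.
        session = ident.get("arn", "").rsplit("/", 1)[-1] or "unknown-session"
        return f"{issuer.get('userName', 'unknown-role')}/{session}"
    return ident.get("invokedBy") or ident.get("arn") or "unknown"

def rds_changes(records):
    """(time, API call, actor, source IP) for each mutating RDS call."""
    rows = []
    for r in records:
        # Skip other services and read-only calls such as Describe*.
        if r.get("eventSource") != "rds.amazonaws.com" or r.get("readOnly"):
            continue
        rows.append((r.get("eventTime"), r.get("eventName"),
                     actor(r), r.get("sourceIPAddress")))
    return rows

# Constructed CloudTrail records, trimmed to the fields used here.
ALICE = {"type": "IAMUser", "userName": "alice",
         "arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE},
    {"eventTime": "2024-01-01T11:30:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSnapshot", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/dba-role/bob",
                      "sessionContext": {"sessionIssuer": {"userName": "dba-role"}}}},
    {"eventTime": "2024-01-01T11:31:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "readOnly": True,
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE},
]
```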