As described in the documentation, when creating an RDS event subscription you can select any number of event categories, each of which produces specific event messages.
Then you can choose to send the notification to an e-mail address, to SMS or, as in my case, to an SNS topic that triggers a Lambda execution.
How do I access the RDS event ID (e.g. RDS-EVENT-0006) from the Lambda event parameter?
Add a trigger event like this CloudFormation example:
DbRestoredEventRule:
  Type: AWS::Events::Rule
  Properties:
    Name: "xyz-db-restored"
    Description: "xyz restored"
    EventPattern:
      source:
        - "aws.rds"
      detail-type:
        - "RDS DB Instance Event"
      detail:
        EventCategories:
          - "availability"
        Message:
          - 'DB instance restarted'
    Targets:
      - Arn:
          Fn::GetAtt:
            - "MigrationDataFunction"
            - "Arn"
        Id: "TargetFunctionV1"
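The question asks where the event ID lives in the Lambda event; the answer above switches the delivery path to an EventBridge rule. The following is an added example (not code from the question, the answer, or AWS) of a handler that pulls the RDS event code out of either delivery path. The two event shapes are constructed samples based on my understanding of the formats: an SNS notification carries the RDS fields as a JSON string in `Sns.Message`, with `Event ID` holding a documentation URL whose fragment is the code, while an EventBridge `RDS DB Instance Event` carries the code directly in `detail.EventID`. Verify both against a real delivery before relying on them. Dispatching on the event code rather than on the free-text `Message` is the less brittle check.

```python
import json
from urllib.parse import urlparse

# Constructed sample: an RDS event delivered through an SNS subscription.
# The SNS "Message" body is itself a JSON document; the "Event ID" field
# carries a documentation URL whose fragment is the event code.
SNS_WRAPPED_EVENT = {
    "Records": [
        {
            "EventSource": "aws:sns",
            "Sns": {
                "Subject": "RDS Notification Message",
                "Message": json.dumps({
                    "Event Source": "db-instance",
                    "Event Time": "2021-01-01 00:00:00.000",
                    "Identifier Link": "https://console.aws.amazon.com/rds/home?region=eu-west-1#dbinstance:id=example-db",
                    "Source ID": "example-db",
                    "Event ID": "http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/USER_Events.html#RDS-EVENT-0006",
                    "Event Message": "DB instance restarted",
                }),
            },
        }
    ]
}

# Constructed sample: the same event delivered by an EventBridge rule.
EVENTBRIDGE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "RDS DB Instance Event",
    "source": "aws.rds",
    "account": "123456789012",
    "region": "eu-west-1",
    "detail": {
        "EventCategories": ["availability"],
        "SourceType": "DB_INSTANCE",
        "SourceIdentifier": "example-db",
        "Message": "DB instance restarted",
        "EventID": "RDS-EVENT-0006",
    },
}


def rds_event_ids(event):
    """Return the RDS event codes (e.g. 'RDS-EVENT-0006') found in a Lambda
    event, whichever of the two delivery paths produced it."""
    ids = []
    if "Records" in event:  # SNS delivery: one record per notification
        for record in event["Records"]:
            if record.get("EventSource") != "aws:sns":
                continue
            try:
                body = json.loads(record["Sns"]["Message"])
            except (KeyError, ValueError):
                continue  # not an RDS notification; ignore it
            link = body.get("Event ID", "")
            # The code is the URL fragment; fall back to the raw value in
            # case a future format carries the bare code.
            code = urlparse(link).fragment or link
            if code.startswith("RDS-EVENT-"):
                ids.append(code)
    elif event.get("source") == "aws.rds":  # EventBridge delivery
        code = event.get("detail", {}).get("EventID", "")
        if code.startswith("RDS-EVENT-"):
            ids.append(code)
    return ids


def handler(event, context):
    """Lambda entry point: branch on the event code, not on the message text."""
    ids = rds_event_ids(event)
    for code in ids:
        if code == "RDS-EVENT-0006":
            print("DB instance restarted; running post-restart checks")
        else:
            print(f"ignoring {code}")
    return {"handled": ids}
```

`rds_event_ids` returns a list because one SNS delivery can carry several records; events that are neither SNS notifications nor `aws.rds` EventBridge events yield an empty list rather than an exception, so a mis-wired trigger fails closed.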
I want to trigger a Lambda whenever a new EC2 instance is registered in SSM's Fleet Manager (meaning the instance can be connected to using SSM), however I can't find what pattern to use in EventBridge.
Within EventBridge, I tried using the following pattern I found in the docs (so far it looks like the closest thing to my goal):
{
  "source": ["aws.ssm"],
  "detail-type": ["Inventory Resource State Change"]
}
However, when I create a new EC2 instance and wait for its SSM agent to become active, it still doesn't trigger the above pattern.
Any idea how to catch this kind of event?
I think you have to go through the CloudTrail API call.
Please find below a CloudFormation template I used in the past that was working. Please note that it only provides the SSM resources; you need to add your own SQS queue as well (see SQS.ARN). I've used the association with the tag registration set to enabled, so that if you have a Lambda function connected, you can set it to false; then if the instance connects again, it won't go through the same process again.
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  SSM Registration event
# Description of the resources to be created.
Resources:
  RegistrationDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Content:
        schemaVersion: "2.2"
        description: >
          An Automation Document ran by registered instances that gathers their software inventory
          and automatically updates their AWS SSM Agent to the latest version.
        mainSteps:
          - name: GatherSoftware
            action: aws:softwareInventory
          - name: Sleep
            action: aws:runShellScript
            inputs:
              runCommand:
                - sleep 20 || true
          - name: UpdateAgent
            action: aws:updateSsmAgent
            inputs:
              agentName: amazon-ssm-agent
              source: https://s3.{Region}.amazonaws.com/amazon-ssm-{Region}/ssm-agent-manifest.json
              allowDowngrade: "false"
  RegistrationDocumentAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: !Sub registration-association-${AWS::StackName}
      Name: !Ref RegistrationDocument
      Targets:
        - Key: tag:registration
          Values:
            - enabled
  RegistrationEventRule:
    Type: AWS::Events::Rule
    Properties:
      Description: >
        Events Rule that monitors registration of AWS SSM instances
        and logs them to an SQS queue.
      EventPattern:
        source:
          - aws.ssm
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventName:
            - UpdateInstanceAssociationStatus
          requestParameters:
            associationId:
              - !Ref RegistrationDocumentAssociation
            executionResult:
              status:
                - Success
      State: ENABLED
      Targets:
        - Arn: SQS.ARN
          Id: SqsRegistrationSubscription
          SqsParameters:
            MessageGroupId: registration.events
I need to trigger a Lambda when a specific object is registered in DynamoDB.
For example:
If I create a User with a POST /my-website/user and I store this User in DynamoDB, I want to trigger
my Lambda.
I don't want to trigger the Lambda if the registered object is
different from the User.
For the management of my stack, I use Serverless (with a serverless.yml file) and CloudFormation syntax.
With the Serverless documentation, I can't figure out how I can trigger my Lambda only when a specific entry is registered in DynamoDB ( https://www.serverless.com/framework/docs/providers/aws/events/streams ).
Thanks in advance,
EDIT:
Thank you for your answers :)
It works:
statement:
  handler: lambda/statement.php
  layers:
    - arn:aws:lambda:#{AWS::Region}:<account_id>:layer:php-73:1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:ListStreams
        - dynamodb:GetItem
  events:
    - stream:
        type: dynamodb
        arn: arn:aws:dynamodb:eu-west-3:<account_id>:table/dev-project/stream/2020-11-18T22:34:01.579
        maximumRetryAttempts: 1
        batchSize: 1
        filterPatterns:
          - eventName: [INSERT]
            dynamodb:
              NewImage:
                __partitionKey:
                  S: [myPk]
You have to set up stream filters. The process is explained in:
NEW: DynamoDB Streams Filtering in Serverless Framework
You attach the DynamoDB stream event to the Lambda in your serverless file, in the function's "events" section. https://carova.io/snippets/serverless-aws-dynamodb-stream-to-lamba-function
If you're creating the DynamoDB table using Serverless, you could output the table's StreamArn as a stack variable.
https://carova.io/snippets/serverless-aws-cloudformation-output-stack-variables
If they're in the same file, you don't need the Outputs section; you can just set the "events" section of the Lambda and reference
arn: { Fn::GetAtt: [DynamoTable, StreamArn] }
in the arn field of the specific event.
Stream Filters worked (thank you). Here's the final configuration:
statement:
  handler: lambda/statement.php
  layers:
    - arn:aws:lambda:#{AWS::Region}:<account_id>:layer:php-73:1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:ListStreams
        - dynamodb:GetItem
  events:
    - stream:
        type: dynamodb
        arn: arn:aws:dynamodb:eu-west-3:<account_id>:table/dev-project/stream/2020-11-18T22:34:01.579
        maximumRetryAttempts: 1
        batchSize: 1
        filterPatterns:
          - eventName: [INSERT]
            dynamodb:
              NewImage:
                __partitionKey:
                  S: [myPk]
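Three of the threads above turn on the same pattern syntax: the SSM question's `Inventory Resource State Change` pattern, the answer's CloudTrail `UpdateInstanceAssociationStatus` rule, and the `filterPatterns` on the DynamoDB stream (Lambda event-source filtering uses the EventBridge pattern language). The following is an added example, not AWS's implementation and not code from any of the posts: a small Python matcher for the subset of that language used on this page (exact values given as lists, nested objects, and the `prefix` and `exists` content filters), run against constructed sample events. It shows why the inventory pattern never fires for the CloudTrail event (the `detail-type` differs) and why the stream filter passes only `INSERT` records whose `__partitionKey` is `myPk`. The sample event bodies are constructed and simplified; the field layout of a real CloudTrail or stream record may carry more keys.

```python
# EventBridge-style pattern matching (added illustration, not AWS code).
# Covers: exact alternatives given as lists, nested objects, and the
# {"prefix": ...} and {"exists": ...} content filters. Other filters in the
# real vocabulary (anything-but, numeric, ...) are deliberately omitted.


def _leaf_matches(alternatives, value, present):
    """A leaf pattern is a list of alternatives; one of them must match.
    An event value that is itself a list matches if any element does."""
    candidates = value if isinstance(value, list) else [value]
    for alt in alternatives:
        if isinstance(alt, dict):  # content filter, e.g. {"prefix": "Update"}
            (op, arg), = alt.items()
            if op == "exists":
                if bool(arg) == present:
                    return True
            elif op == "prefix":
                if present and any(isinstance(c, str) and c.startswith(arg) for c in candidates):
                    return True
            else:
                raise ValueError(f"filter {op!r} is not implemented in this example")
        elif present and alt in candidates:  # exact match
            return True
    return False


def matches(pattern, event):
    """True when every key in the pattern is satisfied by the event.
    Keys the pattern does not mention are unconstrained."""
    for key, rule in pattern.items():
        present = isinstance(event, dict) and key in event
        value = event[key] if present else None
        if isinstance(rule, dict):  # nested object: recurse
            if not (present and matches(rule, value)):
                return False
        elif isinstance(rule, list):  # leaf: list of alternatives
            if not _leaf_matches(rule, value, present):
                return False
        else:
            raise ValueError("pattern values must be lists or nested objects")
    return True


# --- constructed sample events (simplified) -----------------------------------
RDS_EVENT = {
    "source": "aws.rds", "detail-type": "RDS DB Instance Event",
    "detail": {"EventCategories": ["availability"], "EventID": "RDS-EVENT-0006",
               "Message": "DB instance restarted", "SourceIdentifier": "example-db"},
}
SSM_API_CALL = {  # what CloudTrail emits for the association status update
    "source": "aws.ssm", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceAssociationStatus",
               "requestParameters": {"associationId": "assoc-example", "instanceId": "i-0example",
                                     "executionResult": {"status": "Success"}}},
}
DDB_INSERT = {  # one record from a DynamoDB stream batch
    "eventName": "INSERT",
    "dynamodb": {"NewImage": {"__partitionKey": {"S": "myPk"}, "name": {"S": "alice"}}},
}

# --- patterns taken from the threads above -------------------------------------
RDS_RULE = {"source": ["aws.rds"], "detail-type": ["RDS DB Instance Event"],
            "detail": {"EventCategories": ["availability"], "Message": ["DB instance restarted"]}}
SSM_INVENTORY_RULE = {"source": ["aws.ssm"], "detail-type": ["Inventory Resource State Change"]}
SSM_REGISTRATION_RULE = {"source": ["aws.ssm"], "detail-type": ["AWS API Call via CloudTrail"],
                         "detail": {"eventName": ["UpdateInstanceAssociationStatus"],
                                    "requestParameters": {"associationId": ["assoc-example"],
                                                          "executionResult": {"status": ["Success"]}}}}
DDB_FILTER = {"eventName": ["INSERT"], "dynamodb": {"NewImage": {"__partitionKey": {"S": ["myPk"]}}}}
# Only successful calls: CloudTrail adds errorCode when the call failed.
ONLY_SUCCESSFUL_CALLS = {"detail": {"eventName": [{"prefix": "UpdateInstance"}],
                                    "errorCode": [{"exists": False}]}}

if __name__ == "__main__":
    for name, pattern, event in [("rds rule", RDS_RULE, RDS_EVENT),
                                 ("ssm inventory pattern", SSM_INVENTORY_RULE, SSM_API_CALL),
                                 ("ssm registration rule", SSM_REGISTRATION_RULE, SSM_API_CALL),
                                 ("dynamodb filter", DDB_FILTER, DDB_INSERT),
                                 ("successful calls only", ONLY_SUCCESSFUL_CALLS, SSM_API_CALL)]:
        print(f"{name:24s} -> {matches(pattern, event)}")
```

The `exists: false` clause is the one worth remembering from a detection standpoint: CloudTrail API-call events for failed requests carry an `errorCode`, so a rule that should act only on successful calls can say so explicitly rather than relying on a downstream check.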
I'm working on how to use the default AWS EventBridge event bus, then use a resource-based policy which will use CloudTrail to pull an API call. EventBridge then invokes an SNS topic from another account.
I have the CF template and I was wondering whether anyone had any pointers or similar experience?
Resources:
  # Selects the default EventBridge Event Bus
  # (the default bus already exists in every account and region; this resource is only needed for a custom bus)
  DefaultEventBus:
    Type: AWS::Events::EventBus
    Properties:
      # EventSourceName: String
      Name: "default" # Name of the Event Bus
  # The EventBridge Event Resource Based Policy
  EventBridgeResourcedBasedPolicy:
    Type: AWS::Events::EventBusPolicy # EventBridge Event bus resource based policy
    Properties:
      EventBusName: "default" # Bus the policy is attached to
      StatementId: "Assume-API-Call-TEST" # Name of the Policy ID for clarity
      Statement:
        Effect: "Allow" # Allow access to the following below
        Principal: "*" # Allow all events (scoped to the organisation by the Condition)
        Action: "events:PutEvents" # Required to add custom events that can be matched to rules (IAM action syntax is service:Action)
        Resource: "arn:aws:events:eu-west-2:XXXXXXX:event-bus/default" # ARN of the eventbus which this policy will attach to
        Condition:
          StringEquals:
            "aws:PrincipalOrgID": "o-XXXXX" # Allows the entire organisation access to the eventbridge event bus
  AssumeApiCallRule:
    Type: AWS::Events::Rule
    Properties:
      Description: EventRule-API-ASSUME-RULE-TEST # The event bus rule which will be used to watch for events from a single event bus, in this instance the "default" event bus
      EventBusName: "default" # Eventbridge event bus name; must be the bus the policy above covers
      EventPattern: # Defining the EventPattern; keys are lower-case and every value is a list
        source:
          - aws.sts # CloudTrail API-call events use aws.<service> as the source; AssumeRoleWithSAML is an STS call
        detail-type:
          - AWS API Call via CloudTrail # Event type is captured within Cloudtrail
        detail:
          eventSource:
            - sts.amazonaws.com # Service that received the AssumeRoleWithSAML call so we can filter on it
          eventName:
            - AssumeRoleWithSAML # Using the Assume Role for testing, in prod needs to be changed to sso-directory:CreateUser
        account:
          - !Sub '${AWS::AccountId}' # Using the account ID of the account to which this CF is deployed, testing will be the InfrastructureStaging account
      State: ENABLED # Whether the rule is ENABLED or DISABLED
      Targets:
        # Action: 'sns:Publish' # publish permission is granted on the SNS topic's own policy, not here
        - Arn: "arn:aws:sns:eu-west-2:XXXXX:CentralTestAlerting" # ARN of the SNS topic within the Support account (a literal string; !Ref only takes logical IDs)
          Id: "CentralTestAlerting" # Target ID
# Separate fragment: queue policy statement granting the rule permission to write to its dead-letter queue
Sid: "Dead-letter queue permissions"
Effect: "Allow"
Principal:
  Service: "events.amazonaws.com"
Action: "sqs:SendMessage"
Resource: "arn:aws:sqs:us-west-2:XXXXX:MyEventDLQ"
Condition:
  ArnEquals:
    aws:SourceArn: "arn:aws:events:us-west-2:XXXXX:rule/MyTestRule"
I want to send a unique id to my CloudWatch event.
The image below shows the request id. This unique id has to be changed.
Below is the serverless.yml code for my Lambda function.
I tried to add an input (InputTransformers) but it didn't do much.
What can I do here?
functions:
  stream-function:
    handler: src/stream-handler/stream.handler
    memorySize: 1024 # in MB, also control CPU throughput
    timeout: 31 # in seconds, match with downstream to avoid concurrent request
    events:
      - stream:
          type: kinesis
          arn:
            Fn::GetAtt: [HagoStream, Arn]
          batchSize: 1
          parallelizationFactor: 2
          Id: "my cloud watch rule name"
          InputTransformer: {
            InputTemplate: '{"uniqueId": "96c80428-14fe-c8d0-f6e3-639384992391"}',
            InputPathsMap: {
              id: '$.uniqueId'
            }
          }
          maximumRetryAttempts: 2
          destinations:
            onFailure:
              arn:
                Fn::GetAtt: [HagoFailedQueue, Arn]
              type: sqs
    environment:
      DLQ_URL:
        Ref: HagoDlqQueue
This is the AWS-assigned unique ID for your Lambda function invocation. You can't change it.
RequestId – The unique request ID for the invocation.
Instead, in your function code, you can generate some extra ID that you output to CloudWatch Logs alongside your other data.
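What the answer suggests, as an added example (my code, not the asker's stream handler or anything from AWS): a Kinesis stream handler that keeps Lambda's immutable `aws_request_id` and logs it next to an ID of its own on every record, as one JSON line per record so that both fields are queryable in CloudWatch Logs Insights. The record field name `correlationId` is a hypothetical convention for propagating an ID that arrived with the message; records without one get a fresh UUID. The event, the context object and the sequence numbers are constructed samples.

```python
import base64
import json
import logging
import sys
import uuid

# Lambda forwards stdout to CloudWatch Logs; one JSON object per line keeps
# the entries parseable by Logs Insights.
logger = logging.getLogger("stream-handler")
logger.setLevel(logging.INFO)
if not logger.handlers:
    logger.addHandler(logging.StreamHandler(sys.stdout))


def correlation_id_for(payload):
    """Reuse an ID carried in the record (hypothetical field 'correlationId');
    otherwise mint a UUID4 so every record still has one."""
    cid = payload.get("correlationId") if isinstance(payload, dict) else None
    return cid if isinstance(cid, str) and cid else str(uuid.uuid4())


def process_record(record, aws_request_id):
    """Decode one Kinesis record and emit the structured log entry that ties
    our own ID to the invocation's aws_request_id. Returns the entry."""
    raw = base64.b64decode(record["kinesis"]["data"])
    try:
        payload = json.loads(raw)
    except ValueError:
        payload = {"raw": raw.decode("utf-8", "replace")}  # keep non-JSON data visible
    entry = {
        "aws_request_id": aws_request_id,               # assigned by Lambda, cannot be changed
        "correlation_id": correlation_id_for(payload),  # ours, chosen per record
        "sequence_number": record["kinesis"]["sequenceNumber"],
        "partition_key": record["kinesis"]["partitionKey"],
        "event_type": payload.get("type") if isinstance(payload, dict) else None,
    }
    logger.info(json.dumps(entry))
    return entry


def handler(event, context):
    """Lambda entry point for the Kinesis event-source mapping."""
    entries = [process_record(r, context.aws_request_id) for r in event.get("Records", [])]
    return {"processed": len(entries),
            "correlation_ids": [e["correlation_id"] for e in entries]}


# --- constructed sample input and a stand-in for the Lambda context ----------
def _b64(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()


SAMPLE_EVENT = {
    "Records": [
        {"kinesis": {"partitionKey": "user-1",
                     "sequenceNumber": "49590338271490256608559692538361571095921575989136588898",
                     "data": _b64({"type": "user.created", "correlationId": "order-7f3c"})}},
        {"kinesis": {"partitionKey": "user-2",
                     "sequenceNumber": "49590338271490256608559692538361571095921575989136588899",
                     "data": _b64({"type": "user.updated"})}},
    ]
}


class FakeContext:
    """Only the attribute this handler reads from the real context object."""
    aws_request_id = "11111111-2222-3333-4444-555555555555"


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, FakeContext()))
```

Because the ID travels inside the record payload rather than in the trigger configuration, it survives retries and the `onFailure` SQS destination unchanged, which is what makes it usable to correlate a failed record with the log lines from each attempt.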
Trigger a message when the filter criteria match, in a YAML file.
This code triggers a message to the SQS queue, and the message shows as available, but at the endpoint the message is not delivered to the user's email id.
policies:
  - name: high-risk-groups
    resource: security-group
    description: |
      Remove any rule from a security group that allows open ports ingress
      and notify the user who added the violating rule.
    filters:
      - type: ingress
        Cidr:
          value_type: cidr
          op: eq
          value: "0.0.0.0/0"
    mode:
      role: arn:aws:iam::91*******:role/rolename
      schedule: 'cron(30/10 10 * * ? *)'
      type: periodic
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "Open Security Group Rule Created-[ {{ account }} - {{ region }}]"
        violation_desc: |
          "Security Group(s) Which Had Rules Open To The World:"
        action_desc: |
          "Actions taken"
          "Actions Taken: The Violating Security Group Rule Needs to be Removed As It
          Violates Our Company's Cloud Policy. Please Refer To The Cloud FAQ."
        to:
          - user#gmail.com
        transport:
          type: sqs
          queue: https://sqs.region-id.amazonaws.com/91*******/queuename
          region: eu-west-1
The message is passed to the queue but it is not delivered to the user's mail. Can we trigger mails with SQS rather than using SES/SNS?
I didn't find anything in the official documentation for this, but my theory is that you can't mix the to field with the sqs transport type.
actions is a list, so you should probably have two actions: one with the email address and the sns transport type (as in the example in the documentation), and another using just the sqs transport type.