Identify who created a particular AWS resource - amazon-web-services

We have been using multiple AWS services for the last few years. Now we have many AWS resources which were created but don't have a created-by tag. We would like to tag each of our resources (which support tagging) with a created-by tag specifying the name/email of the user who created it. Is it possible to do this through any API (Boto3) or the Console? As per my research it seems impossible, but I would like to confirm with the community whether there is any way to do it.

There is no out-of-the-box solution, but you can create a custom solution using CloudWatch Events and Lambda. I implemented a similar solution, only for EC2 resources, last year.
Create event rules for the resources you want to tag. For example, the following event rule calls the target Lambda function whenever an instance, volume, snapshot or AMI is created.
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "CreateVolume",
      "RunInstances",
      "CreateImage",
      "CreateSnapshot"
    ]
  }
}
The target Lambda function parses the event data. You need to extract all resource IDs and the principal data and make an API call to tag the resources. The following example uses the Boto3 EC2 API; resource_ids, username and principal are variables extracted from the event.
import boto3
ec2 = boto3.client('ec2')
ec2.create_tags(Resources=resource_ids, Tags=[{'Key': 'Owner', 'Value': username}, {'Key': 'PrincipalId', 'Value': principal}])
You can extend this solution to tag other resources too.
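The following is an added example, not the answerer's own code: a complete Lambda handler for the rule above that pulls the created resource IDs and the creating identity out of the CloudTrail record and applies the two tags. The CloudTrail field shapes it relies on (responseElements.instancesSet.items for RunInstances, volumeId/snapshotId/imageId for the other three, and the userIdentity block) and the sample event are my assumptions, constructed for the example; records for failed calls carry an errorCode and are skipped so nothing is tagged that was never created.

```python
"""Added example, not the answer's own code: a Lambda handler for the rule
above that tags new EC2 resources with the identity that created them.
Assumptions (mine): the CloudTrail responseElements/userIdentity shapes
below for RunInstances, CreateVolume, CreateSnapshot and CreateImage, and
that EventBridge delivers the record in the "detail" field."""


def extract_resource_ids(detail):
    """IDs created by one CloudTrail record; [] for failed calls (errorCode)."""
    if detail.get("errorCode"):
        return []
    resp = detail.get("responseElements") or {}
    name = detail.get("eventName")
    if name == "RunInstances":
        items = (resp.get("instancesSet") or {}).get("items") or []
        return [i["instanceId"] for i in items if "instanceId" in i]
    single = {"CreateVolume": "volumeId", "CreateSnapshot": "snapshotId",
              "CreateImage": "imageId"}.get(name)
    if single and single in resp:
        return [resp[single]]
    return []


def extract_principal(detail):
    """(owner, principalId) from userIdentity. IAM users carry userName;
    assumed roles only an ARN of the form
    arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>, where the
    session name is usually the person or workload worth recording."""
    ident = detail.get("userIdentity") or {}
    pid = ident.get("principalId", "unknown")
    kind = ident.get("type")
    if kind == "IAMUser" and ident.get("userName"):
        return ident["userName"], pid
    if kind == "AssumedRole":
        parts = ident.get("arn", "").split("/")
        if len(parts) >= 3:
            return f"{parts[1]}/{parts[2]}", pid
    if kind == "Root":
        return "root", pid
    return ident.get("arn", "unknown"), pid


def tag_from_event(event, ec2=None):
    """Tag everything the record created; returns what was tagged."""
    detail = event.get("detail") or {}
    resource_ids = extract_resource_ids(detail)
    if not resource_ids:
        return {"resources": [], "owner": None}
    owner, principal = extract_principal(detail)
    if ec2 is None:
        import boto3  # lazy so the module loads without boto3 installed
        ec2 = boto3.client("ec2", region_name=event.get("region"))
    ec2.create_tags(Resources=resource_ids,
                    Tags=[{"Key": "Owner", "Value": owner},
                          {"Key": "PrincipalId", "Value": principal}])
    return {"resources": resource_ids, "owner": owner}


def lambda_handler(event, context):
    return tag_from_event(event)


# Constructed sample (not a real record): an assumed-role session
# launching two instances.
SAMPLE_RUN_INSTANCES = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "region": "us-east-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {
            "type": "AssumedRole", "principalId": "AROAEXAMPLEID:alice",
            "arn": "arn:aws:sts::123456789012:assumed-role/Developers/alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaa"}, {"instanceId": "i-0bbb"}]}},
    },
}


class _RecordingEc2:
    """Stand-in for the boto3 EC2 client so the example runs offline."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    fake = _RecordingEc2()
    print(tag_from_event(SAMPLE_RUN_INSTANCES, ec2=fake))
    print(fake.calls)
```

The Lambda's execution role needs ec2:CreateTags, and nothing else from this rule; recording RoleName/SessionName rather than the bare role name matters because with SSO or shared roles the role alone does not identify a person.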

Related

AWS EventBridge Pattern not capturing all events from SecretManager

I have the following pattern in EventBridge:
{
  "source": [
    "aws.secretsmanager"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "secretsmanager.amazonaws.com"
    ],
    "eventName": [
      "CreateSecret",
      "UpdateSecret",
      "DeleteSecret",
      "PutSecretValue",
      "GetSecretValue",
      "ListSecrets",
      "RotationFailed",
      "RotationSucceeded",
      "DescribeSecret"
    ]
  }
}
It is pointing to a Lambda that prints the event to CloudWatch. It works just fine, but when I try to capture events like:
  "ListSecrets",
  "RotationFailed",
  "RotationSucceeded",
  "DescribeSecret"
they never get captured by the event filter I created. Other actions like Update/Create/Delete work just fine.
Are there any steps I am missing to get those?
Documentation Reference: https://docs.amazonaws.cn/en_us/secretsmanager/latest/userguide/retrieve-ct-entries.html
Thanks
All events that are delivered via CloudTrail have AWS API Call via CloudTrail as the value for detail-type. Events from API actions that start with the keywords List, Get, or Describe are not processed by EventBridge, with the exception of events from the following STS actions: GetFederationToken and GetSessionToken. Data events (for example, for Amazon S3 object level events, DynamoDB, and AWS Lambda) must have trails configured to receive those events. Learn more.
Warning from AWS at EventBridge page about Secrets Manager
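As an added example (not from the question or the answer), the check below reproduces the behaviour the answer describes so a rule can be tested offline before deploying it: match_pattern() implements the subset of EventBridge pattern semantics the posted pattern uses (a list means "any of these exact values", nested objects recurse, every key in the pattern must be present), and delivered_to_eventbridge() applies the quoted documentation rule that management events named List*, Get* or Describe* are not delivered, except STS GetFederationToken and GetSessionToken. The sample events are constructed minimal envelopes, not real records, and the function makes no claim about RotationFailed/RotationSucceeded, which the quoted rule does not cover.

```python
"""Added example (mine, not the page's code): offline check of an
EventBridge rule for "AWS API Call via CloudTrail" events.
Assumption: sample events are constructed minimal envelopes."""

SECRETS_PATTERN = {  # the pattern from the question
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["CreateSecret", "UpdateSecret", "DeleteSecret",
                      "PutSecretValue", "GetSecretValue", "ListSecrets",
                      "RotationFailed", "RotationSucceeded", "DescribeSecret"],
    },
}

# Rule quoted from the AWS docs in the answer above.
READ_ONLY_PREFIXES = ("List", "Get", "Describe")
STS_EXCEPTIONS = {("sts.amazonaws.com", "GetFederationToken"),
                  ("sts.amazonaws.com", "GetSessionToken")}


def match_pattern(pattern, event):
    """True if event satisfies pattern (exact-value lists and nesting only;
    EventBridge's prefix/numeric/exists matchers are not implemented)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not match_pattern(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}: {expected!r}")
    return True


def delivered_to_eventbridge(event):
    """False for the read-only management events EventBridge does not deliver."""
    detail = event.get("detail") or {}
    source, name = detail.get("eventSource", ""), detail.get("eventName", "")
    if (source, name) in STS_EXCEPTIONS:
        return True
    return not name.startswith(READ_ONLY_PREFIXES)


def would_trigger(pattern, event):
    """Would a rule with this pattern fire its target for this event?"""
    return delivered_to_eventbridge(event) and match_pattern(pattern, event)


def cloudtrail_event(source, event_source, name):
    """Constructed minimal CloudTrail-via-EventBridge envelope."""
    return {"source": source,
            "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": event_source, "eventName": name}}


if __name__ == "__main__":
    for name in ["CreateSecret", "GetSecretValue", "ListSecrets", "DescribeSecret"]:
        ev = cloudtrail_event("aws.secretsmanager", "secretsmanager.amazonaws.com", name)
        print(f"{name:16} matches pattern: {match_pattern(SECRETS_PATTERN, ev)!s:5} "
              f"delivered: {delivered_to_eventbridge(ev)}")
```

Note that GetSecretValue, which the questioner lists as working, also falls under the Get* rule; the matcher reports it as matching the pattern but not delivered, which is the distinction the quoted documentation draws.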

Can 'codestar connections used' trigger aws event bridge?

Although AWS considers using git webhooks to be an antiquated practice, the documentation on AWS CodeStar connections seems to be a bit scarce. I want to create a generic pipeline that can be triggered when a new repository is committed to for the first time (that contains a folder of TF config). To do this, I need to be able to monitor when an AWS CodeStar connection is used. I think that doing it this way will mean that I can build something that scales better.
But there doesn't appear to be a well documented way to monitor when 'anything' accesses a CodeStar connection:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html#awscodestarconnections-actions-as-permissions
In the image above, one can see that there is an action that happens that needs a permission to work, but that is not directly accessible. In CloudTrail, I found an event with a payload like this:
  "eventTime": "2021-07-06T11:22:46Z",
  "eventSource": "codestar-connections.amazonaws.com",
  "eventName": "UseConnection",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "codepipeline.amazonaws.com",
  "userAgent": "codepipeline.amazonaws.com",
  "requestParameters": {
    "connectionArn": "arn:aws:codestar-connections:*:connection/",
    "referenceType": "COMMIT",
    "reference": {
      "FullRepositoryId": "GitHub-User/Github-Repo",
      "Commit": "SHA"
    }
  },
I believe that this is enough for me to use for what I want. I could create an SNS notification with a Lambda listener when this event fires, but that requires setting up infrastructure to monitor CloudTrail events.
But while I was researching this, I noticed that AWS EventBridge appears to know about CodeStar connections:
Note, if I take this a bit further, I can get something that looks like this:
{
  "source": [
    "aws.codestar-connections"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "codestar-connections.amazonaws.com"
    ]
  }
}
... but I see no sample events, as it appears I should if they were there. And I'm unable to find documentation describing how to make CodeStar connections log the UseConnection event to CloudWatch.
If this can be used, instead, then I can use a more direct approach without needing to build the infrastructure to monitor the CloudTrail events.
Can this be done?

Trigger AWS Lambda function based on ELB Events

I need to trigger a Lambda function based on ELB events.
I need to create the CloudWatch event rule for ELB creation, deletion, registering instances and deregistering instances. Based on this, my Lambda function should get triggered and call the appropriate functions based on the events I receive.
Can anyone help me accomplish this?
The only CloudWatch Events supported by ELB are AWS API Call via CloudTrail. For this to work, however, you have to create a CloudTrail trail for the region you are interested in, i.e. where your ALB is located.
Having the CloudTrail trail enabled, you can then create a CloudWatch rule to catch ELB API events (e.g. for ALB they are listed here). For instance, the rule for CreateLoadBalancer and DeleteLoadBalancer would be:
{
  "source": [
    "aws.elasticloadbalancing"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "elasticloadbalancing.amazonaws.com"
    ],
    "eventName": [
      "CreateLoadBalancer",
      "DeleteLoadBalancer"
    ]
  }
}

Is it possible to get or generate event for AMI availability (without polling)?

I'm doing a large number of AMI copies to different regions, and calling describe image from the image waiter at the end of copying to make sure the copy succeeded; the large number of describe image calls are being heavily rate limited. I know there are EC2 instance state change events; I wonder if it is possible to generate an AMI available/ready event. If yes, I can use the event to trigger a message to my SQS queue, from which I can get the notification and avoid making the describe image calls.
My search so far does not find any AMI events. In case I missed something, does anyone know if it is possible to generate AMI available/ready events? Thanks.
I'm answering my own question.
AMI ready events can be generated in CloudWatch:
rules->create new rule
Service name: EC2
Event Type: EBS Snapshot Notification
Specific event(s): copySnapshot
Specific result(s): succeeded
Hope this helps someone with similar need.
{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "CreateImage"
    ]
  }
}
This will capture the AMI create event if CloudTrail is enabled.
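As an added example, not code from either answer above, the block below writes out the event pattern that the console steps in the self-answer produce (source aws.ec2, detail-type "EBS Snapshot Notification", detail.event copySnapshot, detail.result succeeded) and a Lambda body that turns such an event into an SQS message, which is the SQS hand-off the question asks for. It also handles the failure mode a polling-free design must not lose: a copy whose result is failed is reported with its cause rather than dropped. The detail field names (event, result, cause, snapshot_id, source), the queue URL and the sample event are my assumptions, constructed for the example.

```python
"""Added example (mine, not the answers' code): EBS Snapshot Notification
pattern and a handler that forwards successful copies to SQS.
Assumptions: detail field names below, placeholder queue URL,
constructed sample event."""
import json

# Pattern the console steps above produce, as a dict.
COPY_SNAPSHOT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EBS Snapshot Notification"],
    "detail": {"event": ["copySnapshot"], "result": ["succeeded"]},
}

QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/ami-ready"  # placeholder


def snapshot_id_from_arn(arn):
    """'arn:aws:ec2::us-west-2:snapshot/snap-0123' -> 'snap-0123'."""
    return arn.rsplit("/", 1)[-1]


def summarise_snapshot_event(event):
    """Reduce the notification to what a consumer needs: a dict with kind
    'copied' or 'failed', or None for events this handler ignores
    (other detail-types, createSnapshot, shareSnapshot, ...)."""
    if event.get("detail-type") != "EBS Snapshot Notification":
        return None
    d = event.get("detail") or {}
    if d.get("event") != "copySnapshot":
        return None
    base = {
        "snapshot_id": snapshot_id_from_arn(d.get("snapshot_id", "")),
        "source_snapshot_id": snapshot_id_from_arn(d.get("source", "")),
        "region": event.get("region"),
    }
    if d.get("result") == "succeeded":
        return {"kind": "copied", **base}
    return {"kind": "failed", "cause": d.get("cause", ""), **base}


def handle(event, sqs=None):
    """Lambda body: enqueue a 'copied' message; return the summary."""
    summary = summarise_snapshot_event(event)
    if summary is None:
        return None
    if summary["kind"] == "copied":
        if sqs is None:
            import boto3  # lazy so the module loads without boto3 installed
            sqs = boto3.client("sqs")
        sqs.send_message(QueueUrl=QUEUE_URL, MessageBody=json.dumps(summary))
    return summary


def lambda_handler(event, context):
    return handle(event)


# Constructed sample event (not a real record).
SAMPLE_COPY_OK = {
    "detail-type": "EBS Snapshot Notification",
    "source": "aws.ec2",
    "region": "us-west-2",
    "detail": {
        "event": "copySnapshot",
        "result": "succeeded",
        "cause": "",
        "snapshot_id": "arn:aws:ec2::us-west-2:snapshot/snap-0123",
        "source": "arn:aws:ec2::eu-west-1:snapshot/snap-7654",
    },
}


class _RecordingSqs:
    """Stand-in for the boto3 SQS client so the example runs offline."""
    def __init__(self):
        self.messages = []

    def send_message(self, **kwargs):
        self.messages.append(kwargs)
        return {"MessageId": "constructed"}


if __name__ == "__main__":
    q = _RecordingSqs()
    print(handle(SAMPLE_COPY_OK, sqs=q), q.messages)
```

With the pattern exactly as the self-answer configures it (result succeeded only), the Lambda never sees failed copies; add "failed" to the result list if the failure branch is wanted, and give the execution role sqs:SendMessage on the one queue.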

How to create a custom event trigger to invoke a lambda whenever a new bucket is created?

I have a Lambda function in Python that I want to invoke whenever a new S3 bucket is created. I want to create a custom event trigger to invoke it. What would be the best way to go about implementing this?
You can create a CloudWatch rule (see below) that triggers when a bucket is created or deleted and launches a Lambda as its target.
In CloudWatch, create rule > choose
Service Name: Simple Storage Service (S3)
Event type: Bucket Level Operations
and select Specific Operations, specifying CreateBucket (and DeleteBucket, if you need it).
This will produce "custom" code similar to the below.
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "source": [
    "aws.s3"
  ],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com"
    ],
    "eventName": [
      "CreateBucket",
      "DeleteBucket"
    ]
  }
}
I could answer here, but have a look at this: How to Execute Lambda Functions on S3 Event Triggers
Hello. You can monitor new bucket creation from the AWS Config or AWS CloudTrail services and call a Lambda function for such an event.