How to trigger mail from AWS Lambda using a YAML file - amazon-web-services

Trigger a message when the filter criteria match, in a YAML file.
This code is sending the message to the SQS queue, and the message shows as available, but at the endpoint the message is not delivered to the user's email ID.
policies:
  - name: high-risk-groups
    resource: security-group
    description: |
      Remove any rule from a security group that allows open ports ingress
      and notify the user who added the violating rule.
    filters:
      - type: ingress
        Cidr:
          value_type: cidr
          op: eq
          value: "0.0.0.0/0"
    mode:
      role: arn:aws:iam::91*******:role/rolename
      schedule: 'cron(30/10 10 * * ? *)'
      type: periodic
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "Open Security Group Rule Created-[ {{ account }} - {{ region }}]"
        violation_desc: |
          "Security Group(s) Which Had Rules Open To The World:"
        action_desc: |
          "Actions taken"
          "Actions Taken: The Violating Security Group Rule Needs to be Removed As It
          Violates Our Company's Cloud Policy. Please Refer To The Cloud FAQ."
        to:
          - user#gmail.com
        transport:
          type: sqs
          queue: https://sqs.region-id.amazonaws.com/91*******/queuename
          region: eu-west-1
The message is passing to the queue but it is not delivered to the user's mail. Can we trigger mails with SQS rather than using SES/SNS?

I didn't find anything in the official documentation for this, but my theory is that you can't mix the to field with the sqs transport type.
actions is a list, so you should probably have two actions: one with the email address and the sns transport type (as in the example in the documentation), and another using just the sqs transport type.

Related

Catch event when an SSM-agent becomes active

I want to trigger a lambda whenever a new EC2 instance is registered in SSM's Fleet Manager (meaning the instance can be connected to using SSM); however, I can't find what pattern to use in EventBridge.
Within EventBridge, I tried using the following pattern I found in the docs (so far it looks like the closest thing to my goal):
{
  "source": ["aws.ssm"],
  "detail-type": ["Inventory Resource State Change"]
}
However, when I create a new EC2 instance and wait for its SSM agent to become active, it still doesn't trigger the above pattern.
Any idea how to catch this kind of event?
I think you have to go through the CloudTrail API call.
Please find below a CloudFormation template I used in the past that was working. Please note that it just provides the SSM resources; you need to add your own SQS queue as well (see SQS.ARN). I've used the association with the tag registration set to enabled, so that if you have a lambda function connected, you can set it to false, and if the instance connects again, it won't go through the same process again.
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  SSM Registration event
# Description of the resources to be created.
Resources:
  RegistrationDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Content:
        schemaVersion: "2.2"
        description: >
          An Automation Document ran by registered instances that gathers their software inventory
          and automatically updates their AWS SSM Agent to the latest version.
        mainSteps:
          - name: GatherSoftware
            action: aws:softwareInventory
          - name: Sleep
            action: aws:runShellScript
            inputs:
              runCommand:
                - sleep 20 || true
          - name: UpdateAgent
            action: aws:updateSsmAgent
            inputs:
              agentName: amazon-ssm-agent
              source: https://s3.{Region}.amazonaws.com/amazon-ssm-{Region}/ssm-agent-manifest.json
              allowDowngrade: "false"
  RegistrationDocumentAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: !Sub registration-association-${AWS::StackName}
      Name: !Ref RegistrationDocument
      Targets:
        - Key: tag:registration
          Values:
            - enabled
  RegistrationEventRule:
    Type: AWS::Events::Rule
    Properties:
      Description: >
        Events Rule that monitors registration of AWS SSM instances
        and logs them to an SQS queue.
      EventPattern:
        source:
          - aws.ssm
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventName:
            - UpdateInstanceAssociationStatus
          requestParameters:
            associationId:
              - !Ref RegistrationDocumentAssociation
          executionResult:
            status:
              - Success
      State: ENABLED
      Targets:
        - Arn: SQS.ARN
          Id: SqsRegistrationSubscription
          SqsParameters:
            MessageGroupId: registration.events

AWS EventBridge to SNS Topic

I'm working on how to use the default AWS EventBridge event bus, then use a resource-based policy which will use CloudTrail to pull an API call. EventBridge then invokes an SNS topic from another account.
I have the CF template and I was wondering whether anyone had any pointers or similar experience?
Resources:
  # Selects the default EventBridge Event Bus. The logical ID "DefaultEventBus" is a
  # placeholder (it was missing in the posted template). The default bus already exists
  # in every account and region, so it does not need to be created.
  DefaultEventBus:
    Type: AWS::Events::EventBus
    Properties:
      #EventSourceName: String
      Name: "default" #Name of the Event Bus
  #The EventBridge Event Resource Based Policy
  EventBridgeResourcedBasedPolicy:
    Type: AWS::Events::EventBusPolicy #EventBridge Event bus resource based policy
    Properties:
      StatementId: "Assume-API-Call-TEST" #Name of the Policy ID for clarity
      Statement:
        Effect: "Allow" #Allow access to the following below
        Principal: "*" #Allow all events
        Action: "events:PutEvents" #Required to add custom events that can be matched to rules (IAM actions are written "service:Action", not with a dot)
        Resource: "arn:aws:events:eu-west-2:XXXXXXX:event-bus/default" #ARN of the eventbus which this policy will attach to
        Condition:
          StringEquals:
            "aws:PrincipalOrgID": "o-XXXXX" #Allows the entire organisation access to the eventbridge event bus
  # The logical ID "AssumeApiCallRule" is a placeholder (it was missing in the posted template).
  AssumeApiCallRule:
    Type: AWS::Events::Rule
    Properties:
      Description: EventRule-API-ASSUME-RULE-TEST #The event bus rule which will be used to watch for events from a single event bus, in this instance would be in the "default" event bus
      EventBusName: "default" #Eventbridge event bus name: the bus the events arrive on (the posted template had the policy's StatementId here)
      EventPattern: #Defining the EventPattern. Pattern keys are lower-case and every value is a list.
        source:
          - aws.sts #The service that made the call; CloudTrail-sourced events use "aws.<service>", not aws.cloudtrail
        detail-type:
          - AWS API Call via CloudTrail #Event type is captured within Cloudtrail
        detail:
          eventSource:
            - sts.amazonaws.com #The service whose API was called, so we can filter on AssumeRoleWithSAML
          eventName:
            - AssumeRoleWithSAML #Using the Assume Role for testing, in prod needs to be changed to sso-directory:CreateUser
        account:
          - !Sub '${AWS::AccountId}' #Using the account ID of the account to which this CF is deployed, testing will be the InfrastructureStaging account
      State: ENABLED #Whether the rule is ENABLED or DISABLED
      Targets:
        #Action: 'sns:Publish' #attribute action to publish to SNS
        - Arn: "arn:aws:sns:eu-west-2:XXXXX:CentralTestAlerting" #ARN of the SNS topic within the Support account (a literal ARN, not a !Ref)
          Id: "CentralTestAlerting" #Target ID
  # The dead-letter queue statement was posted without a parent resource; it belongs in a
  # queue policy such as this one. Logical ID and queue URL are placeholders.
  MyEventDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs.us-west-2.amazonaws.com/XXXXX/MyEventDLQ"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "Dead-letter queue permissions"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sqs:SendMessage"
            Resource: "arn:aws:sqs:us-west-2:XXXXX:MyEventDLQ"
            Condition:
              ArnEquals:
                aws:SourceArn: "arn:aws:events:us-west-2:XXXXX:rule/MyTestRule"

How to add a redrive policy (dead-letter queue / DLQ) to a SNS subscription, with Ansible and AWS

In an Ansible script I have:
- name: Subscribe lambda to SNS topic example1
  sns_topic:
    name: "example1-{{env_name}}"
    purge_subscriptions: no
    subscriptions:
      - endpoint: "arn:aws:lambda:{{ aws.region }}:{{ aws.account }}:function:{{repo_name}}-{{env_name}}"
        protocol: "lambda"
It works, and the result is that my lambda is subscribed to my SNS topic.
Now I would like to add a DLQ to this subscription.
I already have an SQS queue and I want to use it as my DLQ.
So I rewrote my code like this:
- name: Subscribe lambda to SNS topic example1
  sns_topic:
    name: "example1-{{env_name}}"
    purge_subscriptions: no
    subscriptions:
      - endpoint: "arn:aws:lambda:{{ aws.region }}:{{ aws.account }}:function:{{repo_name}}-{{env_name}}"
        protocol: "lambda"
        redrive_policy:
          dead_letter_target_arn: "arn:aws:{{ aws.region }}:{{ aws.account }}:dlq-for-example1"
This does not work, and I didn't find anything in Ansible or by googling...
What am I doing wrong?
Looks like you are missing sqs between arn:aws: and {{ aws.region }} on the last line.
          dead_letter_target_arn: "arn:aws:sqs:{{ aws.region }}:{{ aws.account }}:dlq-for-example1"
The problem is that the Subscription property that is embedded in the SNS topic only has two properties: Endpoint and Protocol (see Subscription Property).
For more advanced settings, like RedrivePolicy, you need to use the stand-alone AWS::SNS::Subscription resource (see Subscription Resource).
Since AWS::SNS::Subscription is stand-alone, you must include the TopicArn that the subscription is bound to. Also note that the RedrivePolicy is in JSON format.
Here's a simple example of the CloudFormation syntax from Redrive Syntax:
{
  "Resources": {
    "mySubscription": {
      "Type": "AWS::SNS::Subscription",
      "Properties": {
        "Protocol": "sqs",
        "Endpoint": "arn:aws:sqs:us-east-2:123456789012:MyEndpoint",
        "TopicArn": "arn:aws:sns:us-east-2:123456789012:MyTopic",
        "RedrivePolicy": {
          "deadLetterTargetArn":
            "arn:aws:sqs:us-east-2:123456789012:MyDeadLetterQueue"
        }
      }
    }
  }
}
But I don't know how Ansible makes these translations.

Access Event ID in a AWS RDS Event subscription

As described in the documentation, when creating an RDS event subscription you can select any number of event categories that will produce specific event messages.
Then you can choose to send a notification to an email, an SMS or, which is my case, to an SNS topic that triggers a Lambda execution.
How do I access the RDS event ID (e.g. RDS-EVENT-0006) from the Lambda event parameter?
Add a trigger event like this CloudFormation example:
DbRestoredEventRule:
  Type: AWS::Events::Rule
  Properties:
    Name: "xyz-db-restored"
    Description: "xyz restored"
    EventPattern:
      source:
        - "aws.rds"
      detail-type:
        - "RDS DB Instance Event"
      detail:
        EventCategories:
          - "availability"
        Message:
          - 'DB instance restarted'
    Targets:
      - Arn:
          Fn::GetAtt:
            - "MigrationDataFunction"
            - "Arn"
        Id: "TargetFunctionV1"
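As an added example, not from the question or the answer above: a Lambda handler that extracts the RDS event code from both delivery paths this thread mentions. It assumes the SNS notification JSON carries an "Event ID" field holding the RDS docs URL with the code as its fragment, and that the EventBridge event's detail.EventID holds the bare code; both sample events are constructed.

```python
import json
import re
from urllib.parse import urlparse

# RDS event codes have the form RDS-EVENT-0006 (the code quoted in the question).
EVENT_CODE = re.compile(r"RDS-EVENT-\d{4}")

# Constructed sample of what the Lambda receives when the RDS event subscription
# publishes to SNS: the notification JSON sits in Records[].Sns.Message and its
# field names ("Event ID" etc.) are assumed from the RDS notification format.
SAMPLE_SNS_EVENT = {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps({
    "Event Source": "db-instance",
    "Source ID": "mydb",
    "Event ID": "http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/"
                "USER_Events.html#RDS-EVENT-0006",
    "Event Message": "DB instance restarted",
})}}]}

# Constructed sample of the EventBridge "RDS DB Instance Event" matched by the
# answer's rule; detail.EventID is assumed to carry the bare code.
SAMPLE_EVENTBRIDGE_EVENT = {
    "source": "aws.rds",
    "detail-type": "RDS DB Instance Event",
    "detail": {"EventCategories": ["availability"], "SourceIdentifier": "mydb",
               "Message": "DB instance restarted", "EventID": "RDS-EVENT-0006"},
}

def rds_event_codes(event):
    """Return the RDS-EVENT-nnnn codes in a Lambda event (SNS or EventBridge)."""
    codes = []
    for record in event.get("Records", []):  # SNS path: "Event ID" is a docs URL
        if record.get("EventSource") != "aws:sns":
            continue
        body = json.loads(record["Sns"]["Message"])
        event_id = str(body.get("Event ID", ""))
        match = EVENT_CODE.search(urlparse(event_id).fragment or event_id)  # code is the URL fragment
        if match:
            codes.append(match.group(0))
    # EventBridge path: detail.EventID holds the code itself
    match = EVENT_CODE.search(str(event.get("detail", {}).get("EventID", "")))
    if match:
        codes.append(match.group(0))
    return codes

def handler(event, context=None):
    """Lambda entry point: log the codes as JSON for CloudWatch and return them."""
    result = {"rds_event_codes": rds_event_codes(event)}
    print(json.dumps(result))
    return result
```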

When I trigger a Cloud Custodian policy with the SNS service, the SNS mail message is delivered in an unreadable format

When I trigger a custodian policy with the SNS service, the message is delivered in an unreadable format.
default.html from c7n-mailer
policies:
  - name: policyname-groups
    resource: security-group
    description: |
      Remove any rule from a security group that allows open ports ingress
      and notify the user who added the violating rule.
    filters:
      - type: ingress
        Cidr:
          value_type: cidr
          op: eq
          value: "0.0.0.0/0"
    mode:
      role: arn:aws:iam::92*****:role/Custodian
      schedule: 'cron(00/10 14 * * ? *)'
      type: periodic
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: " Created-[custodian {{ account }} - {{ region }}]"
        violation_desc: |
          " Which Had Rules Open To The World:"
        action_desc: |
          "taken"
          "Taken: The Violating Security Group Rule Needs to be Removed As It
          Violates Our Company's Cloud Policy. Please Refer To The Cloud FAQ."
        to:
          - mailid#domain.com
        transport:
          type: sns
          region: regionname
          topic: topicname
c7n-mailer is used to actually deliver, look up addresses, and format messages for delivery.
https://cloudcustodian.io/docs/tools/c7n-mailer.html