Error creating RDS event subscription - amazon-web-services

I am trying to create an Event Subscription for RDS via the AWS CLI.
I have successfully created an SNS topic and can confirm it in the AWS Console.
I am also able to create an Event Subscription via the AWS Console, but not through the AWS CLI.
The command that I am running:
aws rds create-event-subscription --subscription-name rds-replica-events-subscription --sns-topic-arn arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms --enabled
The error message:
An error occurred (SNSInvalidTopic) when calling the CreateEventSubscription operation: Failed to create Subscription because of Topic arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms ARN Name Invalid.

Fixed. I had to add region.
aws rds create-event-subscription --region us-east-2 --subscription-name rds-replica-events-subscription --sns-topic-arn arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms --enabled

Related

Cannot list nor describe MSK topic's configuration with AWS CLI

Is it possible to use the AWS CLI tool to list the Kafka MSK topics and describe the configuration of them?
The AWS documentation defines the topic's arn as this: arn:aws:kafka:region:account-id:topic/cluster-name/cluster-uuid/topic-name
I tried to execute the following command (some parts of the ID are replaced with X and the topic name with Y):
aws --profile dev --region eu-central-1 kafka describe-configuration --arn 'arn:aws:kafka:eu-central-1:XXXXXXXXXXX:topic/sre-dev-central-km-msk/0c4e35a9-XXXX-4d32-XXXX-76aa15890225-8/YYYYYYY'
But I get the following error:
An error occurred (BadRequestException) when calling the DescribeConfiguration operation: One or more of the parameters are not valid.
You are using the topic ARN, but you should be using the ARN of the MSK configuration:
The Amazon Resource Name (ARN) that uniquely identifies an MSK configuration and all of its revisions.
You can use list-configurations to find ARN of configurations.

submitting a curl command from an ec2 instance does not send credentials of the attached security profile

I have an EC2 instance with an instance profile attached to it. This instance profile has permissions to publish messages to an SNS topic. When I remote into the EC2 instance and issue a command like
aws sns publish --topic-arn topic_arn --message hello
This works.
Now I'm trying to do the same with a simple curl command, and this is what I use after remoting into the EC2 instance:
curl "https://sns.us-west-2.amazonaws.com/?Message=hello&Action=Publish&TargetArn=topic_arn"
I get the following error:
<Code>MissingAuthenticationToken</Code>
<Message>Request is missing Authentication Token</Message>
I was hoping that curl would attach the instance profile details when sending the request (like when using the AWS CLI), but it does not seem to do so. Does anyone know how I can overcome this?
When you do:
curl "https://sns.us-west-2.amazonaws.com/?Message=hello&Action=Publish&TargetArn=topic_arn"
you are directly making a request to the SNS endpoint, which means that you have to sign your request with AWS credentials from your instance profile. If you don't want to use the AWS CLI or any AWS SDK for accessing SNS, you have to program the entire signature procedure yourself as described in the docs.
That's why, when you are using AWS CLI
aws sns publish --topic-arn topic_arn --message hello
everything works, because the AWS CLI makes a signed request to the SNS endpoint on your behalf.
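The signing procedure the answer refers to (Signature Version 4), as an added example that is not part of the original answer. On an instance, the access key, secret key and session token would come from the instance metadata service; here they are parameters, and the function name `sign_sns_publish` and all sample values are constructed for illustration.

```python
import datetime
import hashlib
import hmac
import urllib.parse


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_sns_publish(access_key, secret_key, session_token, region,
                     topic_arn, message, now=None):
    """Return (url, headers, body) for a SigV4-signed SNS Publish POST."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date, host = amz_date[:8], f"sns.{region}.amazonaws.com"
    body = urllib.parse.urlencode({"Action": "Publish", "Version": "2010-03-31",
                                   "TopicArn": topic_arn, "Message": message})
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    if session_token:
        # Instance-profile credentials are temporary: the session token
        # travels with the request and is included in the signed headers.
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed = ";".join(names)
    # 1. Canonical request: method, path, (empty) query, headers, payload hash.
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{n}:{headers[n]}\n" for n in names),
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    # 2. String to sign, bound to date, region and service.
    scope = f"{date}/{region}/sns/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # 3. Derive the signing key from the secret key, then sign.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "sns", "aws4_request"):
        key = _hmac(key, part)
    signature = _hmac(key, to_sign).hex()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return f"https://{host}/", headers, body


if __name__ == "__main__":
    # Constructed placeholder credentials and topic ARN, not real values.
    url, hdrs, data = sign_sns_publish(
        "AKIDEXAMPLE", "EXAMPLE-SECRET", "EXAMPLE-TOKEN", "us-west-2",
        "arn:aws:sns:us-west-2:123456789012:example-topic", "hello")
    print("curl", url, "--data", repr(data), *[f"-H '{k}: {v}'" for k, v in hdrs.items()])
```

The secret key never leaves the host: only the derived signature is sent, and it is valid only for this date, region, service and exact request body.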

AWS - SNS notification for backup vault events - cross-account

I'm facing a problem regarding SNS notification.
I would like to prepare a backup policy for an Organization where I have a backup policy on the master account and an SNS topic also. I'm using Terraform to prepare a stack in CloudFormation to create a backup vault for each selected account, but when I want to set up the notification I receive the following error:
aws backup put-backup-vault-notifications \
--backup-vault-name test_backup_vault \
--sns-topic-arn arn:aws:sns:eu-central-1:XXXXX:cross-account-backup-topic \
--backup-vault-events RESTORE_JOB_STARTED RESTORE_JOB_COMPLETED RECOVERY_POINT_MODIFIED
An error occurred (InvalidParameterValueException) when calling the PutBackupVaultNotifications
operation: Provided SNS topic belongs to another account
I saw there is an option to grant permission cross-account: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html
How can I achieve this?

Error on attaching a policy to aws cognito pool

I am getting the following error when I try to attach an IoT policy to an AWS Cognito pool. I am trying to attach the policy from the CLI. Can someone help me get rid of the following error?
An error occurred (InvalidRequestException) when calling the AttachPrincipalPolicy operation: Invalid principal type
I am getting this error after running the following command.
aws iot attach-principal-policy --policy-name 'myPolicy' --principal 'us-east-2_XXXXX' --region 'us-east-2'
Is there any way to attach the policy from the AWS GUI?
Thanks
I think the error is that you are passing the Pool Id; however, in that field you must pass the Identity Pool Id.
Identity Pool Id example:
foo#bar:~$ aws iot attach-principal-policy --policy-name 'real-time-weather-iot-policy' --principal 'us-west-2:<identity_pool_id>' --region us-west-2

Temporarily allow EC2 instance access to AWS CLI

I am deploying an EC2 instance using CloudFormation and I need to publish information about the created instance to an HTTP endpoint. I plan on doing this using SNS. However, I do not want the instance to have permanent access to publish to the endpoint or be able to use the AWS CLI.
Is there a way to deploy the instance with permission to publish to a specified SNS topic and then rescind permission immediately afterwards?
Use IAM (IAM and Amazon SNS Policies Together) to create an SNS role which has just enough privileges to publish to a specified SNS topic.
Launch the instance and specify your role as the instance's IAM profile.
After publishing, remove the SNS privileges from the role using the IAM dashboard or from the instance (make sure the role has privileges to rescind the permission).