I set up my Lambda function according to the AWS guides by setting a trigger in the setup stage. (the guide except that the guide is using IoT button and I'm using a rule)
It sets up the trigger rule in the AWS IoT console for me. The thing is setup with a certificate and an "iot:*" policy which gives it full IoT access.
The thing is continuously sending messages to the cloud under a certain topic. The messages can be received if I subscribe to it in the AWS IoT Test console.
My lambda function gets triggered if I publish something under that topic from the AWS IoT Test console.
But the function doesn't trigger from the continuous messages sent by the thing. It only triggers from the IoT Test console.
I didn't add any other policy under certificates for the thing in relation to this trigger. Do I have to do so? What should it be?
I tried changing my topic SQL to SELECT * FROM '*'
Try to change your SQL to SELECT * FROM '#'. With # you get every published topic. When you use *, then you don't get topics e.g. sample/newTopic.
With this SQL statement the Lambdas Function gets invoked for every incoming message. When the AWS IoT Console shows the message and your Lambda Function doesn't do anything, try to look if Lambda did a log in CloudWatch.
If your AWS IoT Thing can't trigger AWS Lambda function, you may have a JSON mapping issue and also to improve your SQL query. In my case, I used the following code to provide Lambda a clean input:
SELECT message.reported.* from "#"
With JSON mapping:
{
"desired": {
"light": "green",
"Temperature": "55",
"timestamp": 1526323886
},
"reported": {
"light": "blue",
"Temperature": "55",
"timestamp": 1526323886
},
"delta": {
"light": "green"
}
}
Then you analyze CloudWatch logs:
Then, check your AWS IoT Console for shadow updates (green below - "Atualizações de sombra") and also Publications (orange)
So, your solution will look like this:
For full details of an end-to-end implementation of AWS IoT using Lambda, please access:
IoT Project - CPU Temperature from Ubuntu to AWS IoT
Related
I'm attempting to set up a Cloudwatch Event Rule to notify on any AWS IAM actions like DeleteUser or CreateUser. But when I tried to create an event pattern I couldn't find IAM in the service Name list even though when I searched in the AWS documentation i cant's find a mention of IAM not being supported by Cloudwatch event rules. So I tried to create a custom event but i didn't receive any email from SNS (my target), and yes I made sure cloudwatch has permissions to invoke SNS as we already have other working events, any idea on why this is not working ?
{
"source":[
"aws.iam"
],
"detail-type":[
"AWS API Call via CloudTrail"
],
"detail":{
"eventSource":[
"iam.amazonaws.com"
],
"eventName":[
"CreateUser",
"DeleteUser"
]
}
}
I figure it out, IAM emits cloudtrail events only in us-eas-1 and I'm using a different region, it worked when I created the Cloudwatch event in N. Virgenia
The source parameter needs to be "aws.cloudtrail" not "aws.iam".
IAM policy is a global service. It can only report in US-East-1(N.Virginia).
I have same exact config and the region is same as well but creating a new user still don't trigger the event as there is event in clouldtrail as well as in the monitoring of the event rule created. I see that they say in document that cloudtrail has to be enabled but when I create a rule for security group modification which is ec2 events then it is working fine but not with iam one. Is there any permission that I am missing for aws events to send logs to clould trail , if so how did you guys resolved it.
I'm struggling to fully understand the way configuration sets and their associated delivery options work.
I'm trying to ensure that each message sent via AWS SES will enforce tls encryption rather than using the default opportunistic approach.
As per official documentation I have created a new set using AWS cli:
aws ses put-configuration-set-delivery-options --configuration-set-name TlsEncryption --delivery-options TlsPolicy=Require
But I cannot seem to be able to verify that this delivery option is actually attached to this configuration set.
When I run
aws ses describe-configuration-set --configuration-set-name=TlsEncryption
I only get
{
"ConfigurationSet": {
"Name": "TlsEncryption"
}
}
therefore I'm unsure whether the delivery option has been actually set on it and will work with each call when using X-SES-CONFIGURATION-SET: TlsEncryption or not.
Could someone shine some light on it please?
It's buried in the AWS CLI enumerations.
aws ses describe-configuration-set --configuration-set-name tls-config-set --configuration-set-attribute-names deliveryOptions --region=eu-west-1
Note, the magic enum is deliveryOptions
{
"ConfigurationSet": {
"Name": "tls-config-set"
},
"DeliveryOptions": {
"TlsPolicy": "Require"
}
}
I am not able to delete these subscriptions attached to the CloudWatch Logs Groups.
These subscriptions are created by CloudFormation stack via Serverless Framework. However, when I finished testing and deployed to the template, there was a permission error during the cleanup. Hence, these subscriptions became dangled and I am not able to locate it.
Tried with CLI and seems no relevant info regarding that.
$ aws logs describe-log-groups --log-group-name-prefix yyy
{
"logGroups": [
{
"logGroupName": "yyy",
"creationTime": 1555604143719,
"retentionInDays": 1,
"metricFilterCount": 0,
"arn": "arn:aws:logs:us-east-1:xxx:log-group:yyy:*",
"storedBytes": 167385869
}
]
}
Select the Log Group using the radio button on the left of the Log Group name. Then click Actions, Remove Subscription Filter.
Via CLI is listed in AWS document => This link
Via Console UI -> This capture
As you created the subscription with cloudformation stack via serverless, manually removing the subscription filter as jarmod is not a best practice.
What you should do is remove the cloudwatchLog event from the lambda functions and deploy, it should remove the subscriptions.
I have lambda which is triggered by cloudwatch event when VPN tunnels are down or up. I searched online but can't find a way to trigger this cloudwatch event.
I see an option for test event but what can I enter in here for it to trigger an event that tunnel is up or down?
You can look into CloudWatchEventsandEventPatterns
Events in Amazon CloudWatch Events are represented as JSON objects.
For more information about JSON objects, see RFC 7159. The following
is an example event:
{
"version": "0",
"id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
"detail-type": "EC2 Instance State-change Notification",
"source": "aws.ec2",
"account": "111122223333",
"time": "2017-12-22T18:43:48Z",
"region": "us-west-1",
"resources": [
"arn:aws:ec2:us-west-1:123456789012:instance/ i-1234567890abcdef0"
],
"detail": {
"instance-id": " i-1234567890abcdef0",
"state": "terminated"
}
}
Also log based on event, you can pick your required event from AWS CW EventTypes
I believe in your scenario, you don't need to pass any input data as you must have built the logic to test the VPN tunnels connectivity within the Lamda. You can remove that JSON from the test event and then run the test.
If you need to pass in some information as part of the input event then follow the approach mentioned by #Adiii.
EDIT
The question is more clear through the comment which says
But question is how will I trigger the lambda? Lets say I want to
trigger it when tunnel is down? How will let lambda know tunnel is in
down state? – NoviceMe
This can be achieved by setting up a rule in Cloudwatch to schedule the lambda trigger at a periodic interval. More details here:
Tutorial: Schedule AWS Lambda Functions Using CloudWatch Events
Lambda does not have an invocation trigger right now that can monitor a VPN tunnel, so the only workaround is to poll the status through lamda.
I am working on Amazon SES with SQS to receive the bounce list of the email. For security reason, I am only given the information that necessary to connect to the SES and SQS service (host name, API keys, etc), so I am not able to use the AWS console to see the status of the queue. This is reasonable as I don't want to mess with many other services that are under the same account - especially when the services are not free. However, as the job is added to SQS by SES, I would need a way to see what's in SQS, so as to know if the bug is because the job is not inside SQS or simply because my code failed to retrieve the job.
So, are there tools that I can view the SQS status when I don't have access to AWS console?
Yes, you can use the AWS CLI (https://aws.amazon.com/cli/) to view basic information about the queue:
For example:
aws sqs get-queue-attributes --queue-url https://sqs.us-east-1.amazonaws.com/99999999/HBDService-BackgroundTaskQueue --attribute-names All
will show you this:
{
"Attributes": {
"LastModifiedTimestamp": "1522235654",
"ApproximateNumberOfMessages": "7",
"ReceiveMessageWaitTimeSeconds": "20",
"CreatedTimestamp": "1522235629",
"ApproximateNumberOfMessagesDelayed": "0",
"QueueArn": "arn:aws:sqs:us-east-1:999999999:HBDService-BackgroundTaskQueue",
"RedrivePolicy": "{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:999999999:HBDService-BackgroundTaskQueue-DLQ\",\"maxReceiveCount\":100}",
"MaximumMessageSize": "262144",
"DelaySeconds": "0",
"ApproximateNumberOfMessagesNotVisible": "0",
"MessageRetentionPeriod": "1209600",
"VisibilityTimeout": "180"
}
}