I would like to send out alerts and create logs any time an instance is created within an AWS account. The instances in the account are mostly static and are rarely changed, so an alert should go off when an unauthorized change is made.
How can I create a CloudWatch alarm that can do this?
I can think of 2 options:
Option 1 - You write code
Enable CloudTrail
Have S3 trigger a Lambda function for PutObject (gets triggered whenever CloudTrail delivers events)
Write a Lambda function that reads the passed S3 object, looks for the RunInstances event and sends a mail including the instance name, instance ID, who launched the instance, etc., using AWS SES
You pay for CloudTrail+S3 only (SES cost is negligible)
Option 2 - Let AWS do everything
Enable CloudTrail
Have CloudTrail logs delivered to CloudWatch
Add an alarm in CloudWatch to send you an alert using SNS when CloudWatch detects RunInstances
You pay for CloudTrail+S3+CloudWatch
More info: Sending Events to CloudWatch Logs
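The following is an added example, not code from the answer above: it implements the reading-and-filtering step of Option 1 and also carries, as a constant, the metric filter pattern you would attach to the log group in Option 2. CloudTrail stores each delivery in S3 as a gzip-compressed JSON document with a top-level "Records" list, so the handler decompresses the object, keeps successful RunInstances calls, and builds one alert line per launch. The S3 read and the SES send are injected as plain callables (`get_object`, `send`) so the logic runs offline; the CloudTrail records and the S3 event are constructed samples.

```python
import gzip
import io
import json
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote_plus

# Option 2 equivalent: CloudWatch Logs metric filter pattern for the same records.
METRIC_FILTER_PATTERN = '{ ($.eventSource = "ec2.amazonaws.com") && ($.eventName = "RunInstances") }'

# Constructed sample of a CloudTrail delivery document: one read-only call that
# must be ignored and one RunInstances call that must produce an alert.
SAMPLE_TRAIL_RECORDS = {
    "Records": [
        {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "reader"}},
        {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.11",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "requestParameters": {"tagSpecificationSet": {"items": [
             {"resourceType": "instance", "tags": [{"key": "Name", "value": "web-1"}]}]}},
         "responseElements": {"instancesSet": {"items": [
             {"instanceId": "i-0123456789abcdef0", "instanceType": "t3.micro"}]}}},
    ]
}


def gzip_json(doc: Dict) -> bytes:
    """Serialise a document the way CloudTrail stores it in S3 (gzip-compressed JSON)."""
    return gzip.compress(json.dumps(doc).encode("utf-8"))


def parse_trail_object(body: bytes) -> List[Dict]:
    """Decompress one CloudTrail delivery object and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        return json.load(gz).get("Records", [])


def actor_of(record: Dict) -> str:
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type") or "unknown"


def name_tag_of(record: Dict) -> Optional[str]:
    """Name tag requested at launch time, if RunInstances carried tag specifications."""
    params = record.get("requestParameters") or {}
    for spec in (params.get("tagSpecificationSet") or {}).get("items", []):
        if spec.get("resourceType") != "instance":
            continue
        for tag in spec.get("tags", []):
            if tag.get("key") == "Name":
                return tag.get("value")
    return None


def launches_in(records: List[Dict]) -> List[Dict]:
    """Reduce a Records list to one summary per successful RunInstances call."""
    launches = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if rec.get("errorCode"):
            continue  # denied or failed launches carry no responseElements
        items = ((rec.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        launches.append({
            "time": rec.get("eventTime"), "region": rec.get("awsRegion"),
            "actor": actor_of(rec), "source_ip": rec.get("sourceIPAddress"),
            "name": name_tag_of(rec),
            "instance_ids": [i.get("instanceId") for i in items],
        })
    return launches


def format_alert(launch: Dict) -> str:
    return ("EC2 instance launched: ids={instance_ids} name={name} by={actor} "
            "from={source_ip} region={region} at={time}").format(**launch)


def handler(event: Dict, context=None,
            get_object: Callable[[str, str], bytes] = None,
            send: Callable[[str, str], None] = None) -> List[str]:
    """Entry point for the S3 PutObject trigger. get_object(bucket, key) -> bytes and
    send(subject, body) are injected; a deployment wraps s3.get_object and ses.send_email."""
    alerts = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 events URL-encode the key
        for launch in launches_in(parse_trail_object(get_object(bucket, key))):
            message = format_alert(launch)
            send("EC2 launch detected", message)
            alerts.append(message)
    return alerts


if __name__ == "__main__":
    sample = gzip_json(SAMPLE_TRAIL_RECORDS)
    s3_event = {"Records": [{"s3": {"bucket": {"name": "trail-bucket"},
                                    "object": {"key": "trail/sample.json.gz"}}}]}
    print(handler(s3_event, get_object=lambda b, k: sample, send=lambda s, m: None))
```

The `errorCode` check matters for the "unauthorized change" goal: a launch that IAM denied still shows up as a RunInstances record, and you may well want a separate, louder alert for those rather than silently skipping them as this example does.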
Could anyone please help me with the Lambda code? Whenever AWS EC2 instances get stopped, we need to get email notifications with SNS. In the email we need the instance name. I am able to get the instance ID but not the instance name.
AWS CloudTrail allows you to identify and track EC2 instance lifecycle API calls (launch, start, stop, terminate). See How do I use AWS CloudTrail to track API calls to my Amazon EC2 instances?
And you can trigger a Lambda function to run arbitrary code when CloudTrail logs certain events. See Triggering a Lambda function with AWS CloudTrail events.
You can also create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and triggers a Lambda via CloudWatch Events.
You can create a rule in Amazon CloudWatch Events that:
Triggers when an instance enters the Stopped state
Sends a message to an Amazon SNS Topic
Like this:
If you want to modify the message that is being sent, then configure the Rule to trigger an AWS Lambda function instead. Your function should:
Extract the instance information (eg InstanceId) from the event parameter
Call describe-instances to obtain the Name of the instance (presumably the Tag with a Key of Name)
Publish a message to the Amazon SNS Topic
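An added example of the three steps the answer lists (not the answer's own code): the rule's event pattern as a constant, a lookup of the Name tag from a describe-instances response, and the SNS subject/body composition. The `describe` and `publish` callables are injected so the code runs offline; in a deployment they would wrap `ec2.describe_instances(InstanceIds=[...])` and `sns.publish(...)`. The state-change event and the describe-instances response are constructed samples.

```python
import json
from typing import Callable, Dict, Optional

# Event pattern for the CloudWatch Events / EventBridge rule: fire only on "stopped".
RULE_EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["stopped"]},
}

# Constructed sample of the event the rule hands to the function.
SAMPLE_STATE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2024-01-01T10:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"},
}

# Constructed sample of an ec2.describe_instances response for that instance.
SAMPLE_DESCRIBE_RESPONSE = {
    "Reservations": [{"Instances": [{
        "InstanceId": "i-0123456789abcdef0",
        "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "Name", "Value": "db-primary"}],
    }]}]
}


def name_tag(describe_response: Dict, instance_id: str) -> Optional[str]:
    """Pull the Name tag for instance_id out of a describe_instances response."""
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") != instance_id:
                continue
            for tag in inst.get("Tags", []):
                if tag.get("Key") == "Name":
                    return tag.get("Value")
    return None


def build_message(event: Dict, describe: Callable[[str], Dict]) -> Dict[str, str]:
    """Compose the SNS subject and body; describe(instance_id) wraps ec2.describe_instances."""
    instance_id = event["detail"]["instance-id"]
    state = event["detail"]["state"]
    name = name_tag(describe(instance_id), instance_id) or "(no Name tag)"
    body = {"instance_id": instance_id, "name": name, "state": state,
            "region": event.get("region"), "account": event.get("account"),
            "time": event.get("time")}
    # SNS subjects are limited to 100 characters; this one stays well under.
    return {"subject": f"EC2 instance {name} ({instance_id}) is {state}",
            "body": json.dumps(body, indent=2)}


def handler(event: Dict, context=None,
            describe: Callable[[str], Dict] = None,
            publish: Callable[[str, str], None] = None) -> Dict[str, str]:
    """Lambda entry point. In a deployment pass
    describe=lambda i: ec2.describe_instances(InstanceIds=[i]) and
    publish=lambda s, b: sns.publish(TopicArn=TOPIC_ARN, Subject=s, Message=b)."""
    message = build_message(event, describe)
    publish(message["subject"], message["body"])
    return message


if __name__ == "__main__":
    print(handler(SAMPLE_STATE_EVENT,
                  describe=lambda i: SAMPLE_DESCRIBE_RESPONSE,
                  publish=lambda s, b: None)["subject"])
```

The function's execution role needs only `ec2:DescribeInstances` and `sns:Publish` on the one topic; nothing here requires write access to EC2.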
I want to create CloudWatch Rule that would be triggered upon creation of Log Event. For that reason as an event pattern I selected CloudWatch Logs service but when I try to generate some Cloud Watch logs the rule is not getting triggered. I can not find any example of using aws.logs as a source for an event and hence my question if I'm doing something wrong.
This is because the only events for logs available are AWS API Call via CloudTrail. CloudWatch Logs does not generate CloudWatch events on receiving new log entries.
For the Logs API call events to work, you need to set up a CloudTrail trail.
However, if you want to trigger your lambda function based on log entries, I can recommend using subscription filters for lambda:
You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as a Amazon Kinesis stream, Amazon Kinesis Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems.
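An added example (not from the answer above) of the Lambda side of a subscription filter. CloudWatch Logs delivers the batch under `event["awslogs"]["data"]` as base64-encoded, gzip-compressed JSON, and it also sends a `CONTROL_MESSAGE` to verify delivery, which must be ignored. `encode_payload` reproduces that envelope so the sample runs offline; the log events are constructed.

```python
import base64
import gzip
import json
from typing import Dict, List

# Constructed sample of the document CloudWatch Logs sends (before compression/encoding).
SAMPLE_DATA_MESSAGE = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/aws/lambda/orders",
    "logStream": "2024/01/01/[$LATEST]abcdef",
    "subscriptionFilters": ["forward-errors"],
    "logEvents": [
        {"id": "1", "timestamp": 1704103200000, "message": "INFO order 42 accepted"},
        {"id": "2", "timestamp": 1704103201000, "message": "ERROR payment gateway timeout"},
    ],
}

# Constructed control message of the kind the service sends to check delivery.
SAMPLE_CONTROL_MESSAGE = {"messageType": "CONTROL_MESSAGE", "owner": "CloudwatchLogs",
                          "logGroup": "", "logStream": "", "subscriptionFilters": [],
                          "logEvents": []}


def encode_payload(doc: Dict) -> Dict:
    """Wrap a document the way the service does: gzip, then base64, under awslogs.data."""
    raw = gzip.compress(json.dumps(doc).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(raw).decode("ascii")}}


def decode_payload(event: Dict) -> Dict:
    """Reverse of encode_payload, applied to the real Lambda event."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def extract_events(event: Dict) -> List[Dict]:
    """Flatten a delivery into per-line records; control messages yield nothing."""
    doc = decode_payload(event)
    if doc.get("messageType") != "DATA_MESSAGE":
        return []
    return [
        {"log_group": doc["logGroup"], "log_stream": doc["logStream"],
         "timestamp_ms": e["timestamp"], "message": e["message"]}
        for e in doc.get("logEvents", [])
    ]


def matching(event: Dict, needle: str = "ERROR") -> List[Dict]:
    """Lines whose message contains needle. The subscription filter pattern already
    narrows what is delivered; this is a second check inside the function."""
    return [e for e in extract_events(event) if needle in e["message"]]


def handler(event: Dict, context=None) -> Dict[str, int]:
    """Lambda entry point: report how many lines arrived and how many matched."""
    lines = extract_events(event)
    hits = [e for e in lines if "ERROR" in e["message"]]
    for hit in hits:
        print(f"{hit['log_group']} {hit['log_stream']}: {hit['message']}")
    return {"received": len(lines), "matched": len(hits)}


if __name__ == "__main__":
    print(handler(encode_payload(SAMPLE_DATA_MESSAGE)))
    print(handler(encode_payload(SAMPLE_CONTROL_MESSAGE)))
```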
Hi, I came to know that I can enable an AWS CloudWatch alarm for an AWS EC2 Spot instance if there is an interruption notice for termination; here are more details:
Now CloudWatch users can set up a rule that automatically sends the EC2 Spot two-minute warning to an SNS topic to get a push notification.
I have no clue how to set up an SNS topic to get the interruption notice for termination.
Create an SNS topic and subscribe to this topic to get notifications.
Create a CloudWatch Event Rule to trigger an action whenever a spot instance is terminated.
Configure your event as shown in the screenshot below.
Select SNS Topic as the target and enter the ARN of the topic you created.
I am using CloudWatch to trigger AWS Lambda. To create this trigger, I first have to create a rule, then add a target, and then add a permission policy to that Lambda function. The problem is that there is a policy length limit (20k) for each Lambda function, and each CloudWatch trigger increases the policy length. So if there are around 60 CloudWatch rules, my Lambda can still handle all of those events as the size is still less than 20k, but if the rules increase beyond that I get the http://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html "policy length exceeded" exception error.
I know I can delete the policy by using the removePermission method, but that is not efficient, because if there are around 100 rules present in CloudWatch which are triggering my Lambda function, then my Lambda function can't handle that much policy length.
This is how I solved it.
Cloudwatch Alerts --> SNS --> Lambda
No subscription, no permissions configuration needed. You can create multiple different SNS notifications if you want to isolate different teams based on your alerts.
Steps:
Create SNS with a topic
Send Cloudwatch Alerts to SNS
Subscribe Lambda to that SNS Topic
Receive Alerts to Lambda!
Hope it helps.
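An added example (not the answer's code) of what the Lambda on the receiving end of that fan-in looks like. An SNS delivery arrives as `Records[].Sns`, and when the publisher is a CloudWatch alarm the `Message` field is a JSON string with `AlarmName`, `NewStateValue`, `Trigger` and so on. The handler unwraps that and routes on the topic ARN, which is how one function can serve several teams' topics without any per-rule permission. The alarm payload, the SNS event and the topic-to-team table are constructed samples.

```python
import json
from typing import Dict, List

# Constructed sample of the JSON CloudWatch puts in the SNS Message on a state change.
SAMPLE_ALARM_MESSAGE = {
    "AlarmName": "orders-5xx-rate",
    "AlarmDescription": "5xx responses on the orders API",
    "NewStateValue": "ALARM",
    "OldStateValue": "OK",
    "NewStateReason": "Threshold Crossed: 1 datapoint [12.0] was greater than the threshold (5.0).",
    "StateChangeTime": "2024-01-01T10:00:00.000+0000",
    "Region": "US East (N. Virginia)",
    "Trigger": {"MetricName": "5XXError", "Namespace": "AWS/ApiGateway", "Threshold": 5.0},
}

# Constructed sample of the Lambda event for one SNS delivery.
SAMPLE_SNS_EVENT = {
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts-platform",
            "Subject": 'ALARM: "orders-5xx-rate" in US East (N. Virginia)',
            "Message": json.dumps(SAMPLE_ALARM_MESSAGE),
        },
    }]
}

# One topic per audience (constructed ARNs). Routing on the topic ARN means adding
# a team adds a topic, not another entry in the function's resource policy.
TEAM_BY_TOPIC = {
    "arn:aws:sns:us-east-1:123456789012:alerts-platform": "platform",
    "arn:aws:sns:us-east-1:123456789012:alerts-payments": "payments",
}


def parse_alarm_records(event: Dict) -> List[Dict]:
    """Return one summary per CloudWatch alarm notification in the SNS delivery."""
    alarms = []
    for rec in event.get("Records", []):
        if rec.get("EventSource") != "aws:sns":
            continue
        sns = rec.get("Sns", {})
        try:
            body = json.loads(sns.get("Message", ""))
        except json.JSONDecodeError:
            continue  # a plain-text message published by hand is not an alarm
        if not isinstance(body, dict) or "AlarmName" not in body:
            continue
        trigger = body.get("Trigger") or {}
        alarms.append({
            "team": TEAM_BY_TOPIC.get(sns.get("TopicArn"), "unrouted"),
            "alarm": body["AlarmName"],
            "state": body.get("NewStateValue"),
            "previous_state": body.get("OldStateValue"),
            "reason": body.get("NewStateReason"),
            "metric": trigger.get("MetricName"),
            "namespace": trigger.get("Namespace"),
        })
    return alarms


def handler(event: Dict, context=None) -> List[Dict]:
    """Lambda entry point: log each alarm together with the team it routes to."""
    alarms = parse_alarm_records(event)
    for a in alarms:
        print(f"[{a['team']}] {a['alarm']} {a['previous_state']} -> {a['state']}: {a['reason']}")
    return alarms


if __name__ == "__main__":
    print(handler(SAMPLE_SNS_EVENT))
```

One thing the original answer glosses over: SNS still needs the Lambda resource-policy statement that allows the topic to invoke the function, but it is one statement per topic rather than one per rule, which is why the limit stops being a problem.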
Is it possible to create a CloudWatch alarm that triggers when my EC2 instance is accessed from a remote location (using SSH login with key pairs, for example)?
There is no in-built capability to perform an action when users login to an Amazon EC2 instance. You would have to write a script that activates when users login, checks the situation and then triggers a notification.
Amazon CloudWatch alarms trigger when a metric exceeds a pre-determined value. Therefore, you would need to do the following:
Have your custom script detect the situation and then publish a custom metric to CloudWatch
Create an Alarm in CloudWatch that triggers when the metric exceeds your desired value (for example, when it is greater than zero)
Configure your alarm to respond as desired (eg send a notification via SNS)
If you just wish to receive a notification when the user logs in, you could bypass CloudWatch and just have your script publish a message to the SNS (Simple Notification Service) topic directly. It would have the same result.
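An added example (not the answer's code) of the custom-metric route described above: a script parses sshd's "Accepted ..." lines, counts successful logins, and builds the exact keyword arguments for `put_metric_data`; a second function builds the `put_metric_alarm` arguments for an alarm that fires when the metric is greater than zero. The publisher is injected as a callable so the code runs offline; in a deployment it would be `boto3.client("cloudwatch").put_metric_data`. The log lines, instance ID and topic ARN are constructed.

```python
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample of sshd lines as they appear in auth.log / journald.
SAMPLE_AUTH_LINES = [
    "Jan  1 10:00:01 ip-10-0-0-5 sshd[1234]: Accepted publickey for ubuntu from 203.0.113.5 port 51234 ssh2: RSA SHA256:abc",
    "Jan  1 10:00:02 ip-10-0-0-5 sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "Jan  1 10:00:03 ip-10-0-0-5 sshd[1236]: Accepted publickey for deploy from 203.0.113.6 port 51235 ssh2: ED25519 SHA256:def",
]

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

NAMESPACE = "Custom/SSH"   # custom namespaces must not start with "AWS/"
METRIC = "Logins"


def successful_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Parse only successful authentications; failed attempts are a separate signal."""
    logins = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            logins.append(m.groupdict())
    return logins


def metric_payload(instance_id: str, count: int, when: datetime = None) -> Dict:
    """Keyword arguments for cloudwatch.put_metric_data(**payload): one datapoint per run."""
    return {
        "Namespace": NAMESPACE,
        "MetricData": [{
            "MetricName": METRIC,
            "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
            "Timestamp": when or datetime.now(timezone.utc),
            "Value": float(count),
            "Unit": "Count",
        }],
    }


def alarm_definition(instance_id: str, topic_arn: str) -> Dict:
    """Keyword arguments for cloudwatch.put_metric_alarm(**definition):
    fire when the Sum of Logins over one minute is greater than zero."""
    return {
        "AlarmName": f"ssh-login-{instance_id}",
        "Namespace": NAMESPACE,
        "MetricName": METRIC,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0.0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # no logins is the normal state, not a fault
        "AlarmActions": [topic_arn],
    }


def report(lines: List[str], instance_id: str, put_metric: Callable[..., None]) -> int:
    """Count successful logins in lines and publish the count; returns the count.
    Publishing nothing when the count is zero keeps the alarm in OK via notBreaching."""
    logins = successful_logins(lines)
    if logins:
        put_metric(**metric_payload(instance_id, len(logins)))
    return len(logins)


if __name__ == "__main__":
    n = report(SAMPLE_AUTH_LINES, "i-0123456789abcdef0", lambda **kw: print(kw))
    print(f"{n} successful logins")
    print(alarm_definition("i-0123456789abcdef0", "arn:aws:sns:us-east-1:123456789012:ssh-alerts"))
```

Run the script periodically (cron, or a systemd timer) over the lines written since the last run; the instance role needs only `cloudwatch:PutMetricData`. For the SNS-direct variant the answer mentions, replace `put_metric` with a callable that formats the `user`/`ip` fields from `successful_logins` into a message and calls `sns.publish`.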