I am trying to add a notification action in CloudWatch through Service Catalog. I created a new SNS topic and referred to that topic in the CloudWatch actions section, and it failed. Also, whenever I create a CloudWatch action through Service Catalog, it asks me to enable IAM to take the action, even though I manually created an alarm to stop an EC2 instance.
Is there any way to set an alarm for AWS users that have been inactive for, e.g., 60 days? I mean I need an alarm to be created which will send a notification if an AWS user account has been inactive for a period of time.
From GenerateServiceLastAccessedDetails - AWS Identity and Access Management:
GenerateServiceLastAccessedDetails() Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours.
From GetServiceLastAccessedDetails - AWS Identity and Access Management:
GetServiceLastAccessedDetails() Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.
So, take a look at those commands (available via the AWS CLI or AWS SDK) and find the latest date among all the services that the user has accessed.
See also: Identify unused IAM roles and remove them confidently with the last used timestamp | AWS Security Blog
Yes and no. There is no plain Alarm that can do that. AWS CloudWatch Alarms can only alarm based on CloudWatch Metrics, and IAM Users do not send any metrics there.
You could write a Lambda function, have it iterate through IAM Users and get their last active date. Then add an Event Rule which runs this Lambda regularly, such as once per day. If Users are inactive, you could send a message to an SNS Topic, or, if you wanted more adjustable alarms, send some metrics to CloudWatch Metrics in a custom namespace and then create a CloudWatch Alarm to alert on those metrics.
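The scheduled Lambda described in the answer above, as an added example that is not code from the thread. It determines each user's last activity from `PasswordLastUsed` (console) and `GetAccessKeyLastUsed` (API keys) rather than from the `GenerateServiceLastAccessedDetails` report quoted earlier, because those two fields are enough to answer "has this user done anything in N days"; a user created within the window counts as active so that brand-new accounts do not trip the alarm. The custom namespace `Custom/IAM`, the metric name, the `TOPIC_ARN` environment variable and the sample users are all assumptions. The role running it needs `iam:ListUsers`, `iam:ListAccessKeys`, `iam:GetAccessKeyLastUsed`, `cloudwatch:PutMetricData` and, if the topic is set, `sns:Publish`.

```python
"""Find IAM users with no activity for N days and publish the count as a metric.

Added example; not from the original thread. boto3 is only needed inside AWS,
so the decision logic is kept separate and runnable offline.
"""
import os
from datetime import datetime, timedelta, timezone

try:
    import boto3
except ImportError:  # offline: only lambda_handler/collect_users need it
    boto3 = None

INACTIVE_DAYS = 60
NAMESPACE = "Custom/IAM"        # assumed custom namespace for the alarm
METRIC = "InactiveUserCount"    # assumed metric name


def last_activity(user):
    """Latest of console password use and any access-key use.

    Falls back to the creation date, so a user who has never signed in is
    'inactive' only once the account itself is older than the window.
    `user` mirrors the IAM API shapes: UserName, CreateDate, PasswordLastUsed,
    AccessKeys=[{AccessKeyId, LastUsedDate}].
    """
    stamps = [user["CreateDate"]]
    if user.get("PasswordLastUsed"):
        stamps.append(user["PasswordLastUsed"])
    for key in user.get("AccessKeys", []):
        if key.get("LastUsedDate"):
            stamps.append(key["LastUsedDate"])
    return max(stamps)


def find_inactive(users, now, days=INACTIVE_DAYS):
    """Sorted user names whose last activity is older than `days`."""
    cutoff = now - timedelta(days=days)
    return sorted(u["UserName"] for u in users if last_activity(u) < cutoff)


def collect_users(iam):
    """Pull every user plus access-key last-used data from the IAM API."""
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            keys = []
            for k in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])
                # LastUsedDate is absent for a key that was never used
                keys.append({"AccessKeyId": k["AccessKeyId"],
                             "LastUsedDate": used["AccessKeyLastUsed"].get("LastUsedDate")})
            users.append({"UserName": u["UserName"], "CreateDate": u["CreateDate"],
                          "PasswordLastUsed": u.get("PasswordLastUsed"),
                          "AccessKeys": keys})
    return users


def lambda_handler(event, context):
    """Entry point for the daily Event Rule."""
    inactive = find_inactive(collect_users(boto3.client("iam")),
                             datetime.now(timezone.utc))
    boto3.client("cloudwatch").put_metric_data(
        Namespace=NAMESPACE,
        MetricData=[{"MetricName": METRIC, "Value": len(inactive), "Unit": "Count"}])
    topic = os.environ.get("TOPIC_ARN")  # assumed variable; optional
    if inactive and topic:
        boto3.client("sns").publish(TopicArn=topic, Subject="Inactive IAM users",
                                    Message="\n".join(inactive))
    return {"inactive": inactive}


# Constructed sample data for running offline; not from any real account.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=3), "AccessKeys": []},
    {"UserName": "bob", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=90),
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE1", "LastUsedDate": NOW - timedelta(days=10)}]},
    {"UserName": "carol", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": None,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE2", "LastUsedDate": NOW - timedelta(days=120)}]},
    {"UserName": "dave", "CreateDate": NOW - timedelta(days=30),
     "PasswordLastUsed": None, "AccessKeys": []},
]

if __name__ == "__main__":
    print(find_inactive(SAMPLE_USERS, NOW))
```

With the metric in place, a CloudWatch Alarm on `Custom/IAM InactiveUserCount` with threshold `> 0` gives the adjustable alarm the answer mentions; the SNS message carries the names. Note that the metric is only as fresh as the schedule, and `PasswordLastUsed` itself can lag by a few hours.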
I want to tag AWS resources like DynamoDB tables or EC2 objects right at the time of creation.
I will be using the id or name fields of the objects to tag the resources.
Is there any 'post-create' trigger available?
--
The current problem is that even if I run my script to tag AWS resources, I can't run it immediately after every resource creation, so I end up seeing a lot of untagged billing.
You can do this through the AWS Service Catalog service. This has the capability of auto-tagging provisioned resources. AWS reference link. AutoTags are tags that identify the portfolio, product, and user that launched a product, and are automatically applied by AWS Service Catalog to provisioned resources.
You can configure a Lambda function to write a tag based on the CloudTrail event that is generated whenever a resource is created.
To get Lambda to run against a CloudTrail event you need to set up your CloudTrail to write events to an S3 bucket, then trigger the Lambda on the object-creation event in the bucket.
The Lambda uses the bucket key in its context object to read the event and determine if a tag needs to be applied.
Check the AWS Documentation for further detail about triggering Lambda from CloudTrail.
Also, GorillaStack has published an example on GitHub of using Lambda to auto-tag newly created resources. You could use this as a basis for your solution.
I have a master account with multiple sub-accounts in AWS. I want to get a notification whenever a new sub-account is created. How can I implement this, please?
You can create a trail in CloudTrail, forward the logs to CloudWatch Logs and create an alarm for the "CreateAccount" event. More details and sample filters are here:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_monitoring.html
http://docs.amazonaws.cn/en_us/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
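The metric filter and alarm from the answer above, as an added example that is not code from the thread or from the linked AWS pages. `filter_pattern()` renders the CloudWatch Logs JSON filter syntax from a small term table, and `local_match()` evaluates the same predicate offline so the terms can be checked against sample records before anything is deployed. The log group name, topic ARN, metric namespace and alarm name are assumptions. One caveat worth knowing: `CreateAccount` is the request; Organizations logs a separate `CreateAccountResult` event when the asynchronous creation finishes, so a second filter on that name tells you whether the account actually came into existence.

```python
"""Metric filter + alarm on Organizations CreateAccount in CloudWatch Logs.

Added example, not from the thread. Assumes the trail already delivers to the
log group in LOG_GROUP and that the SNS topic in TOPIC_ARN exists.
"""
import json

try:
    import boto3
except ImportError:  # only install() needs it
    boto3 = None

LOG_GROUP = "CloudTrail/DefaultLogGroup"                          # assumed
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:new-accounts"     # assumed

# Top-level fields a CloudTrail record must match (all must hold).
TERMS = {"eventSource": "organizations.amazonaws.com",
         "eventName": "CreateAccount"}


def filter_pattern(terms=TERMS):
    """Render the JSON filter-pattern syntax CloudWatch Logs expects."""
    clauses = ['($.%s = "%s")' % (k, v) for k, v in terms.items()]
    return "{ " + " && ".join(clauses) + " }"


def local_match(log_line, terms=TERMS):
    """Evaluate the same predicate offline against one raw log line.

    Covers only top-level equality, which is all this filter uses. JSON
    patterns in CloudWatch Logs never match a line that is not valid JSON.
    """
    try:
        rec = json.loads(log_line)
    except ValueError:
        return False
    return all(rec.get(k) == v for k, v in terms.items())


def install(log_group=LOG_GROUP, topic_arn=TOPIC_ARN):
    """Create the metric filter and the alarm that notifies the topic."""
    boto3.client("logs").put_metric_filter(
        logGroupName=log_group,
        filterName="OrgCreateAccount",
        filterPattern=filter_pattern(),
        metricTransformations=[{"metricName": "CreateAccountCount",
                                "metricNamespace": "CloudTrailMetrics",
                                "metricValue": "1"}])
    boto3.client("cloudwatch").put_metric_alarm(
        AlarmName="OrgCreateAccount",
        Namespace="CloudTrailMetrics", MetricName="CreateAccountCount",
        Statistic="Sum", Period=300, EvaluationPeriods=1, Threshold=1,
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        # No events in a period is the normal state, not an alarm condition.
        TreatMissingData="notBreaching",
        AlarmActions=[topic_arn])


# Constructed sample lines, not real trail records.
SAMPLE_LINES = [
    json.dumps({"eventSource": "organizations.amazonaws.com",
                "eventName": "CreateAccount", "userIdentity": {"userName": "admin"}}),
    json.dumps({"eventSource": "organizations.amazonaws.com",
                "eventName": "DescribeOrganization"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateAccountAlias"}),
    "not json at all",
]

if __name__ == "__main__":
    print(filter_pattern())
    print([local_match(line) for line in SAMPLE_LINES])
```

Because Organizations API calls are only logged in the management account's trail, the filter has to be installed there; member-account trails never see `CreateAccount`.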
I have created some IAM users in my AWS account with permission to launch instances.
Now I want to track and store their instance launch activity, like time and instance ID, in MySQL or any other database.
Is there any way to achieve this? Any suggestion will be appreciated.
All activities of an IAM user can be monitored using AWS CloudTrail. CloudTrail logs all the events.
The CloudTrail log is stored in an S3 bucket. You can use the storage trigger option in AWS Lambda functions to watch for a particular log.
In this case, the log for new EC2 instance creation.
In the Lambda function you need to add the code that takes that log information and stores it in a MySQL database that you have set up.
Refer to this post: https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Also, you can try creating a CloudWatch event for EC2 instance creation, and it can trigger an AWS Lambda function which will do the data insert into the DB.
Here is a sample of a CloudWatch-based scheduler. You have to set up a specific trigger as per your need, though.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You should use AWS CloudTrail:
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail.
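Both the auto-tagging answer earlier on this page (Lambda triggered by CloudTrail log delivery to S3) and the answer above about recording EC2 launches rest on the same mechanism: fetch the gzipped CloudTrail file named in the S3 notification, pick out successful `RunInstances` records, and act on the instance ids. The following is an added example that does both, written for this page; it is not code from the thread, from the linked AWS pages, or from the GorillaStack project. Assumptions: the trail delivers to the bucket whose `ObjectCreated` event invokes the function, the role may call `s3:GetObject` and `ec2:CreateTags`, the tag keys `CreatedBy`/`CreatedAt` are a convention chosen here, and sqlite3 stands in for MySQL so the module runs offline (with `pymysql` the SQL is the same apart from `%s` placeholders). The sample log is constructed.

```python
"""S3-triggered Lambda: tag newly launched EC2 instances and record the launch.

Added example for this thread, not the thread's own code. sqlite3 is used in
place of MySQL so the logic can be exercised without a database server.
"""
import gzip
import io
import json
import sqlite3
from urllib.parse import unquote_plus

try:
    import boto3
except ImportError:  # offline; only lambda_handler needs it
    boto3 = None

SCHEMA = ("CREATE TABLE IF NOT EXISTS launches ("
          "instance_id TEXT, principal TEXT, event_time TEXT, region TEXT)")


def parse_log_bytes(body):
    """CloudTrail delivers gzip-compressed JSON; return the parsed document."""
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        return json.load(gz)


def extract_launches(trail_json):
    """One launch record per instance from successful RunInstances calls.

    A record carrying `errorCode` (e.g. Client.UnauthorizedOperation) launched
    nothing and has no responseElements to read instance ids from.
    """
    rows = []
    for rec in trail_json.get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "RunInstances" or rec.get("errorCode"):
            continue
        ident = rec.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("arn", "unknown")
        items = (rec.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        for item in items:
            rows.append({"instance_id": item["instanceId"], "principal": principal,
                         "event_time": rec["eventTime"], "region": rec["awsRegion"]})
    return rows


def tags_for(row):
    """Tags applied at launch; the key names are an assumed convention."""
    return [{"Key": "CreatedBy", "Value": row["principal"]},
            {"Key": "CreatedAt", "Value": row["event_time"]}]


def open_db():
    """In-memory sqlite for the example; replace with pymysql.connect(...)."""
    return sqlite3.connect(":memory:")


def store(conn, rows):
    """Insert the rows and return how many were written."""
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO launches VALUES (?, ?, ?, ?)",
                     [(r["instance_id"], r["principal"], r["event_time"], r["region"])
                      for r in rows])
    conn.commit()
    return len(rows)


def count_launches(conn):
    return conn.execute("SELECT COUNT(*) FROM launches").fetchone()[0]


def lambda_handler(event, context):
    """S3 ObjectCreated notification -> fetch log -> tag + store."""
    s3 = boto3.client("s3")
    conn = open_db()
    written = 0
    for r in event["Records"]:
        bucket = r["s3"]["bucket"]["name"]
        key = unquote_plus(r["s3"]["object"]["key"])  # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        rows = extract_launches(parse_log_bytes(body))
        for row in rows:
            # Tag in the instance's own region, which need not be the Lambda's.
            boto3.client("ec2", region_name=row["region"]).create_tags(
                Resources=[row["instance_id"]], Tags=tags_for(row))
        written += store(conn, rows)
    return {"launches": written}


# Constructed sample log for offline use; not a real trail file.
SAMPLE_LOG = {"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "eventTime": "2024-03-01T10:00:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0123456789abcdef0"}, {"instanceId": "i-0fedcba9876543210"}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "eventTime": "2024-03-01T10:05:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation", "responseElements": None},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventTime": "2024-03-01T10:06:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]}
SAMPLE_BODY = gzip.compress(json.dumps(SAMPLE_LOG).encode())

if __name__ == "__main__":
    print(extract_launches(parse_log_bytes(SAMPLE_BODY)))
```

CloudTrail delivers files to S3 every few minutes, so tags land minutes after launch rather than at creation; the CloudWatch Events route mentioned in the answer is faster because the rule matches the API call as CloudTrail records it, but the record shape (`detail.responseElements.instancesSet.items`) and the handling are the same as `extract_launches` above.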
I have just started with AWS Config. I set up AWS Config with EC2 instances as the resource, and I am receiving notifications for any changes that are happening to EC2 in my region.
a) My first question is whether I can record only the EC2 instances related to a specific VPC, or only specific EC2 instances?
Since I have quite a few VPCs and EC2 instances in my account region, I am getting a lot of change notifications.
b) Whether AWS is recording all the changes that happened to the EC2 instances in my region even though I turned off the recorder, and I am getting a notification once I turn on the recorder with different settings, i.e., I change the resources to EC2::EIP?
You can choose to record all resource types supported by AWS Config or specific resource types such as EC2::Instance, EC2::NetworkInterface, IAM::User etc. AWS Config does not offer a capability to only record resources that are associated with a particular VPC. For example, if you choose to record EC2::Instance, AWS Config will start recording configuration changes to all EC2 instances in your AWS account.
If you choose to record only selected resource types, AWS Config will send you notifications when resources of the specified types get created, modified or deleted. For other resources that are not specified in the recorder, AWS Config only sends notifications when they are created or deleted.
If you are using an email client to receive notifications, you can use email filters to select the notifications of your interest. Alternatively, you can write a Lambda function that subscribes to your SNS topic to filter notifications.
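The filtering Lambda suggested in the answer above, as an added example that is not code from the thread. Since the recorder itself cannot be scoped to a VPC, the function reads the `vpcId` that an `AWS::EC2::Instance` configuration item carries and forwards only changes in the VPCs you care about; a deleted instance no longer has a configuration block, so deletions of a watched type are kept rather than silently dropped. The VPC ids, the `FORWARD_TOPIC_ARN` environment variable and the sample notifications are assumptions; the field names (`messageType`, `configurationItem.resourceType`, `configurationItem.configuration.vpcId`, `configurationItemStatus`) follow the Config notification format.

```python
"""Lambda subscribed to the AWS Config SNS topic; forwards only EC2 instance
changes in chosen VPCs to a second topic.

Added example, not from the thread.
"""
import json
import os

try:
    import boto3
except ImportError:  # only lambda_handler needs it
    boto3 = None

WATCHED_VPCS = {"vpc-0aaaaaaaaaaaaaaaa", "vpc-0bbbbbbbbbbbbbbbb"}  # assumed ids
WATCHED_TYPES = {"AWS::EC2::Instance"}


def wanted(message, vpcs=WATCHED_VPCS, types=WATCHED_TYPES):
    """Return (keep, reason) for one parsed Config notification."""
    if message.get("messageType") != "ConfigurationItemChangeNotification":
        return False, "not a change notification: %s" % message.get("messageType")
    ci = message.get("configurationItem") or {}
    rtype = ci.get("resourceType")
    if rtype not in types:
        return False, "ignored type %s" % rtype
    status = ci.get("configurationItemStatus")
    vpc = (ci.get("configuration") or {}).get("vpcId")
    if vpc is None:
        # No configuration to inspect: keep deletions so a removed instance is
        # never missed, drop anything else we cannot place in a VPC.
        keep = status == "ResourceDeleted"
        return keep, "%s %s (no configuration, status %s)" % (rtype, ci.get("resourceId"), status)
    if vpc not in vpcs:
        return False, "%s in unwatched %s" % (ci.get("resourceId"), vpc)
    return True, "%s %s in %s (%s)" % (rtype, ci.get("resourceId"), vpc, status)


def filter_messages(raw_messages, **kw):
    """Apply wanted() to raw SNS message bodies; return the kept reasons."""
    kept = []
    for raw in raw_messages:
        keep, reason = wanted(json.loads(raw), **kw)
        if keep:
            kept.append(reason)
    return kept


def lambda_handler(event, context):
    bodies = [r["Sns"]["Message"] for r in event["Records"]]
    kept = filter_messages(bodies)
    topic = os.environ.get("FORWARD_TOPIC_ARN")  # assumed variable
    if kept and topic:
        boto3.client("sns").publish(TopicArn=topic,
                                    Subject="AWS Config: watched EC2 change",
                                    Message="\n".join(kept))
    return {"received": len(bodies), "forwarded": len(kept)}


# Constructed sample notifications, cut down to the fields used above.
SAMPLE_MESSAGES = [
    json.dumps({"messageType": "ConfigurationItemChangeNotification",
                "configurationItem": {"resourceType": "AWS::EC2::Instance",
                                      "resourceId": "i-0123456789abcdef0",
                                      "configurationItemStatus": "OK",
                                      "configuration": {"vpcId": "vpc-0aaaaaaaaaaaaaaaa"}}}),
    json.dumps({"messageType": "ConfigurationItemChangeNotification",
                "configurationItem": {"resourceType": "AWS::EC2::Instance",
                                      "resourceId": "i-0fedcba9876543210",
                                      "configurationItemStatus": "OK",
                                      "configuration": {"vpcId": "vpc-0cccccccccccccccc"}}}),
    json.dumps({"messageType": "ConfigurationItemChangeNotification",
                "configurationItem": {"resourceType": "AWS::EC2::EIP",
                                      "resourceId": "eipalloc-0123",
                                      "configurationItemStatus": "ResourceDiscovered",
                                      "configuration": {}}}),
    json.dumps({"messageType": "ConfigurationItemChangeNotification",
                "configurationItem": {"resourceType": "AWS::EC2::Instance",
                                      "resourceId": "i-0deadbeefdeadbeef",
                                      "configurationItemStatus": "ResourceDeleted",
                                      "configuration": None}}),
    json.dumps({"messageType": "ConfigurationSnapshotDeliveryCompleted"}),
]

if __name__ == "__main__":
    print(filter_messages(SAMPLE_MESSAGES))
```

Subscribe the function to the existing Config topic and point `FORWARD_TOPIC_ARN` at a topic with your email subscription; the original topic keeps receiving everything, so the recorder history is unaffected by the filter.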