AWS config questions on recording and notification - amazon-web-services

I have just started with AWS Config. I had set up AWS Config with EC2 instances as the resource type, and I am receiving notifications for any changes that happen to EC2 in my region.
a) My first question: can I record only the EC2 instances related to a specific VPC, or only specific EC2 instances?
Since I have quite a few VPCs and EC2 instances in my account's region, I am getting a lot of change notifications.
b) Is AWS recording all the changes that happened to the EC2 instances in my region even though I turned off the recorder? I am getting notifications once I turn on the recorder with different settings, i.e. when I change the resources to EC2::EIP.

You can choose to record all resource types supported by AWS Config or specific resource types such as EC2::Instance, EC2::NetworkInterface, IAM::User etc. AWS Config does not offer a capability to only record resources that are associated with a particular VPC. For example, if you choose to record EC2::Instance, AWS Config will start recording configuration changes to all EC2 instances in your AWS account.
If you choose to record only selective resource types, AWS Config will send you notifications when resources of the specified types get created, modified or deleted. For other resources that are not specified in the recorder, AWS Config only sends notifications when they are created or deleted.
If you are using an email client to receive notifications, you can use email filters to select the notifications of interest to you. Alternatively, you can write a Lambda function that subscribes to your SNS topic to filter notifications.
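One way to do that filtering, as an added example that is not part of the answer above: a Lambda handler subscribed to the Config SNS topic that keeps only change notifications for EC2 resources inside an allowlisted set of VPCs. The VPC ids and the sample notification are constructed; the notification fields relied on are messageType, configurationItem.configuration.vpcId and configurationItem.relationships.

```python
"""Lambda subscribed to the AWS Config SNS topic: forward only changes inside chosen VPCs."""
import json

# Constructed allowlist: only EC2 resources living in these VPCs are of interest.
VPCS_OF_INTEREST = {"vpc-0aaa111122223333a"}

def vpc_of(item):
    """VPC id of a configuration item: configuration.vpcId, else the related AWS::EC2::VPC."""
    vpc_id = (item.get("configuration") or {}).get("vpcId")
    if vpc_id:
        return vpc_id
    for rel in item.get("relationships", []):
        if rel.get("resourceType") == "AWS::EC2::VPC":
            return rel.get("resourceId")
    return None

def select_change(notification, vpcs=VPCS_OF_INTEREST):
    """Return the changed configuration item if its VPC is allowlisted, otherwise None."""
    # Other messageTypes (snapshot/history delivery, compliance changes) carry no configurationItem.
    if notification.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    item = notification.get("configurationItem", {})
    return item if vpc_of(item) in vpcs else None

def handler(event, context=None):
    """SNS -> Lambda: each record's Sns.Message is the Config notification as a JSON string."""
    selected = []
    for record in event.get("Records", []):
        item = select_change(json.loads(record["Sns"]["Message"]))
        if item:
            selected.append((item["resourceType"], item["resourceId"], item.get("configurationItemStatus")))
    # A real deployment would publish `selected` to a second SNS topic that people subscribe to.
    return selected

def config_message(resource_id, vpc_id, status="OK"):
    """Build a constructed ConfigurationItemChangeNotification for an EC2 instance in `vpc_id`."""
    return json.dumps({"messageType": "ConfigurationItemChangeNotification",
                       "configurationItem": {"resourceType": "AWS::EC2::Instance", "resourceId": resource_id,
                                             "configurationItemStatus": status,
                                             "configuration": {"vpcId": vpc_id},
                                             "relationships": [{"resourceType": "AWS::EC2::VPC",
                                                                "resourceId": vpc_id}]}})

# Constructed SNS event: one instance in the allowlisted VPC, one in another VPC.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": config_message("i-0123456789abcdef0", "vpc-0aaa111122223333a")}},
                            {"Sns": {"Message": config_message("i-0fedcba9876543210", "vpc-0bbb444455556666b",
                                                               "ResourceDeleted")}}]}
```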

Related

Are AWS services and EventBridge automatically integrated without the need for Roles or Resource based policies?

The default event bus receives events from AWS services. Under normal circumstances, for one AWS service to talk to another AWS service, either Roles or Resource based policy comes into play. However, for publishing events to an event bus (which is part of AWS EventBridge, a separate service), an EC2 instance does not seem to need a policy added to a role attached to it (allowing it to publish instance state change events to event bus).
Is the configuration for AWS services to publish events to AWS EventBridge handled automatically by AWS behind the hood without needing Roles or Resource based policies?
EC2 instance does not seem to need a policy added to a role attached to it
Your EC2 instance does not publish its state information to EB. It is done by the EC2 service itself in the backend. Thus you do not need to add any instance role for that, because the EC2 instance does not take part in this process.
In contrast, if you want your application running on the EC2 instance to publish events onto an EB bus, then an instance role will be required.
I can't comment on whether the behavior is the same for all possible services in AWS, but I would think that most operate in the same way as the EC2 service.

Get information about the role that creates an AWS resource

I'm creating a Lambda function to tag resources with a specific tag depending on the role that creates the resource:
import boto3

ec2 = boto3.client('ec2')

# 'role' and 'instance_ids' are supplied by the caller
if role == 'dev':
    ec2.create_tags(Resources=instance_ids, Tags=[{'Key': 'environnement', 'Value': 'dev'}])
elif role == 'prod':
    ec2.create_tags(Resources=instance_ids, Tags=[{'Key': 'environnement', 'Value': 'prod'}])
# .....
My question:
How can I get information about the role that creates the resource?
Thanks in advance!!
AWS resources do not store "who" created the resource.
When an API call is sent to AWS to create a resource, AWS will check whether the provided credentials are permitted to create the resource (eg an Amazon EC2 instance). If they are permitted, then the resource is created and the resource is associated with an AWS account. No indication of who made the API request is stored on the resource.
However, you can use AWS CloudTrail to view an audit log of API calls, including the identity that made the API call. This identity might be associated with an IAM User or an IAM Role, or even the root credentials of the AWS account.
From Using AWS Lambda with Amazon CloudWatch Events - AWS Lambda:
Amazon CloudWatch events help you to respond to state changes in your AWS resources. When your resources change state, they automatically send events into an event stream. You can create rules that match selected events in the stream and route them to your AWS Lambda function to take action.
Thus, you can configure CloudWatch Events to trigger the Lambda function whenever a specific event happens (eg RunInstances). Full details of the event will be passed to the Lambda function, so it can determine who triggered that event.
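As an added example (not from the answer above), this is the shape such a Lambda function can take: it reads the CloudTrail RunInstances event that CloudWatch Events delivers, derives the IAM role name from userIdentity.sessionContext.sessionIssuer, and tags the launched instances accordingly. The role-to-environment mapping and the sample event are constructed.

```python
"""Tag EC2 instances by the IAM role that launched them, from the CloudTrail event CloudWatch Events delivers."""

# Constructed mapping from launching role name to the tag value to apply.
ROLE_TO_ENV = {"dev-deployer": "dev", "prod-deployer": "prod"}

def creator_role(user_identity):
    """Role name behind the call (sessionIssuer.userName), or None for IAM users and root."""
    if user_identity.get("type") == "AssumedRole":
        issuer = (user_identity.get("sessionContext") or {}).get("sessionIssuer", {})
        return issuer.get("userName")  # the role's name, not the session name in the ARN
    return None

def launched_instance_ids(detail):
    """RunInstances reports the new ids under responseElements.instancesSet.items."""
    items = (detail.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items]

def plan_tags(detail, role_to_env=ROLE_TO_ENV):
    """Work out the create_tags arguments for one CloudTrail event detail, or None to skip it."""
    if detail.get("eventName") != "RunInstances" or detail.get("errorCode"):
        return None  # not a launch, or a launch that failed (errorCode is set)
    env = role_to_env.get(creator_role(detail.get("userIdentity", {})))
    ids = launched_instance_ids(detail)
    if env is None or not ids:
        return None  # unknown principal: leave the instances untagged rather than guess
    return {"Resources": ids, "Tags": [{"Key": "environnement", "Value": env}]}

def handler(event, context=None, ec2=None):
    """Lambda entry point for a rule on 'AWS API Call via CloudTrail' / RunInstances."""
    args = plan_tags(event.get("detail", {}))
    if args:
        if ec2 is None:
            import boto3  # imported lazily so plan_tags can be exercised without AWS credentials
            ec2 = boto3.client("ec2")
        ec2.create_tags(**args)
    return args

# Constructed event in the shape CloudWatch Events uses for CloudTrail API calls.
SAMPLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventName": "RunInstances",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/dev-deployer/ci-session",
                     "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "dev-deployer"}}},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}}}
```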

How to track AWS resources created by an IAM user and store a record in a database?

I have created some IAM users in my AWS account with permission to launch instances.
Now I want to track and store their instance launch activity, like the time and instance ID, in MySQL or any other database.
Is there any way to achieve this? Any suggestion will be appreciated.
All activities of an IAM user can be monitored using AWS CloudTrail. CloudTrail logs all the events.
The CloudTrail log is stored in an S3 bucket. You can use the storage trigger option in AWS Lambda functions to watch for a particular log,
in this case the log for new EC2 instance creation.
In the Lambda function you need to add the code that takes that log information and stores it in a MySQL database that you have set up.
Refer to this post: https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Also you can try creating a CloudWatch rule for EC2 instance creation, and it can trigger an AWS Lambda function which will do the data insert into the DB.
Here is a sample of a CloudWatch based scheduler. You have to set up a specific trigger as per your need, though.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You should use AWS CloudTrail:
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail.
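An added example (not code from either answer) of the S3-triggered variant described above: it decompresses a CloudTrail log file as delivered to the bucket, picks out successful RunInstances records, and writes one row per launched instance. sqlite3 stands in for MySQL so the example runs offline; the log file contents are constructed.

```python
"""Store EC2 launch records from a CloudTrail log file (as delivered to S3) in a database."""
import gzip
import json
import sqlite3  # stand-in for MySQL; the DDL/INSERT below are plain SQL a MySQL driver also accepts

DDL = "CREATE TABLE IF NOT EXISTS ec2_launches (event_time TEXT, principal TEXT, instance_id TEXT)"
INSERT = "INSERT INTO ec2_launches (event_time, principal, instance_id) VALUES (?, ?, ?)"

def launch_rows(log_gz, event_name="RunInstances"):
    """(eventTime, principal ARN, instanceId) for each instance in each successful `event_name` record."""
    log = json.loads(gzip.decompress(log_gz))  # a delivered log file is gzipped {"Records": [...]}
    for rec in log["Records"]:
        if rec.get("eventName") != event_name or rec.get("errorCode"):
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        items = (rec.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        for inst in items:
            yield (rec["eventTime"], who, inst["instanceId"])

def store(log_gz, conn=None):
    """Insert every launch row; returns the number of rows written."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    rows = list(launch_rows(log_gz))
    conn.executemany(INSERT, rows)
    conn.commit()
    return len(rows)

def handler(event, context=None, conn=None):
    """S3-trigger entry point: each record names the bucket and key of a newly delivered log file."""
    import boto3  # imported here so the parsing above runs without AWS credentials
    s3 = boto3.client("s3")
    if conn is None:
        conn = sqlite3.connect("/tmp/launches.db")  # replace with a MySQL connection in practice
    return sum(store(s3.get_object(Bucket=r["s3"]["bucket"]["name"],
                                   Key=r["s3"]["object"]["key"])["Body"].read(), conn)
               for r in event["Records"])

# Constructed log file: one launch of two instances by an IAM user, plus an unrelated read call.
SAMPLE_LOG_GZ = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:15:42Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"},
                                                     {"instanceId": "i-0fedcba9876543210"}]}}},
    {"eventTime": "2019-05-01T10:20:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": None}]}).encode())
```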

How to check who stopped an EC2 instance?

Is there a way (for example in the CLI) to check which user stopped an instance?
There is some data in the console:
State transition reason: User initiated (2017-07:24 10:15:42 GMT)
State transition reason message: Client.UserInitiatedShutdown: User initiated shutdown
Amazon CloudTrail can be used to create an audit trail of most API requests made to AWS. It records the time, IP address, user and request details.
However, you will need to configure CloudTrail before it captures this information because you will need to specify an Amazon S3 bucket where it can store the data. Therefore, you won't be able to see who stopped your instance this time, but if you configure CloudTrail you'll be able to do it in future.

Retrieve resources associated to an AWS account

Does the AWS Java SDK have an API that could help me retrieve a list of resources (VPC, DynamoDB, volumes, EC2, etc.) for a given AWS account number?
I have gone through the AWS Java SDK docs at a high level, but everything is related to one specific AWS client for a given resource.
I would like to have an abstract AWS client that could provide me just a couple of attributes of the AWS resources associated with an AWS account.
Any help is appreciated. Thanks!!
All AWS API calls are related to specific services. For example, you can request a list of Amazon VPCs, a list of Amazon DynamoDB tables, a list of Amazon EBS volumes -- but each would require a different API call.
Another option would be to use AWS Config:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
AWS Config can deliver a Configuration Snapshot into an Amazon S3 bucket at regular intervals (eg daily). This snapshot (example) is a JSON file that contains information about VPCs, Amazon EC2 instances and related resources.
However, the configuration snapshot only contains information related to a limited number of services, such as EC2, VPC, Amazon Redshift, Amazon RDS and Amazon S3. (See Supported AWS Resource Types)
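To show what a snapshot gives you across services, here is an added example (not from the answer above) that reads a delivered snapshot file and builds a per-type inventory plus the relationships between items. The sample snapshot is constructed; the field names used are fileVersion, configurationItems, resourceType, resourceId, awsRegion, tags and relationships.

```python
"""Build an account inventory from an AWS Config configuration snapshot file."""
import gzip
import json
from collections import defaultdict

def load_snapshot(raw):
    """Snapshots delivered to S3 are gzip-compressed JSON; plain JSON bytes are accepted too."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic number
        raw = gzip.decompress(raw)
    return json.loads(raw)

def containing_vpc(item):
    """VPC a configuration item is related to, if any (VPCs themselves relate to none)."""
    return next((r["resourceId"] for r in item.get("relationships", [])
                 if r.get("resourceType") == "AWS::EC2::VPC"), None)

def inventory(snapshot):
    """resourceType -> [(resourceId, awsRegion, containing VPC or None, tags)] for every item."""
    by_type = defaultdict(list)
    for item in snapshot.get("configurationItems", []):
        by_type[item["resourceType"]].append(
            (item["resourceId"], item.get("awsRegion"), containing_vpc(item), item.get("tags", {})))
    return dict(by_type)

def related(snapshot, resource_id):
    """Ids of all items whose relationships mention `resource_id` (e.g. everything inside a VPC)."""
    return sorted(item["resourceId"] for item in snapshot.get("configurationItems", [])
                  if any(r.get("resourceId") == resource_id for r in item.get("relationships", [])))

# Constructed snapshot in the delivered layout: a VPC, an instance in it, and the instance's volume.
SAMPLE_SNAPSHOT = {"fileVersion": "1.0", "configSnapshotId": "example-snapshot-id", "configurationItems": [
    {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0aaa111122223333a", "awsRegion": "eu-west-1",
     "tags": {"Name": "main"}, "relationships": []},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0", "awsRegion": "eu-west-1",
     "tags": {"environnement": "dev"},
     "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0aaa111122223333a"},
                       {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0"}]},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0", "awsRegion": "eu-west-1",
     "tags": {}, "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0"}]}]}
SAMPLE_SNAPSHOT_GZ = gzip.compress(json.dumps(SAMPLE_SNAPSHOT).encode())  # as it would sit in S3
```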