CloudWatch Alarm actions with multiple SNS topics using CloudFormation - amazon-web-services

Hi, I'm using the resource below in CloudFormation:
{
  "Parameters": {
    "SNSTopic1": {
      "Default": "<prodteamarn>",
      "Description": "ProdteamSNStopic",
      "Type": "String"
    },
    "SNSTopic2": {
      "Default": "<featureteanarn>",
      "Description": "featureteamSNStopic",
      "Type": "String"
    }
  },
  "Resources": {
    "SpilloverCountAlarm": {
      "Properties": {
        "AlarmActions": [
          {
            "Ref": "SNSTopic1"
          },
          {
            "Ref": "SNSTopic2"
          }
        ],
        "AlarmDescription": "Spillover is Too Large",
        "ComparisonOperator": "GreaterThanThreshold",
        "Dimensions": [
          {
            "Name": "LoadBalancerName",
            "Value": {
              "Ref": "xyz"
            }
          }
        ],
        "EvaluationPeriods": "2",
        "MetricName": "SpilloverCount",
        "Namespace": "AWS/ELB",
        "Period": "100",
        "Statistic": "Sum",
        "Threshold": "3"
      },
      "Type": "AWS::CloudWatch::Alarm"
    }
  }
}
So the question is: can I use multiple SNS topics in AlarmActions? I need to send notifications to both the prod and feature teams, as they have different ARNs for their SNS topics.

Yes, according to the CloudFormation documentation for Alarm, the property AlarmActions is a List of actions to be performed. This means you should be able to notify multiple SNS Topics without issue.
You can verify this by looking at the AWS Console UI for setting up an Alarm. The Actions section is also a list that allows multiple actions to be configured.
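As an added example (not code from the question or the answer): a small pre-deployment lint in Python that resolves each Ref in AlarmActions against the template's Parameters and confirms every entry is an SNS topic ARN, so a mistyped parameter name is caught before the stack is created. The embedded template, ARNs and account id are constructed placeholders, and the SNS-only rule is a policy choice of this lint, not a CloudFormation restriction.

```python
import json
import re

# Constructed template, not the poster's file: the alarm from the question with its two
# SNS topic parameters, with made-up ARNs in place of the <...> placeholders.
TEMPLATE = json.loads("""
{
  "Parameters": {
    "SNSTopic1": {"Type": "String", "Default": "arn:aws:sns:us-east-1:111111111111:prod-team"},
    "SNSTopic2": {"Type": "String", "Default": "arn:aws:sns:us-east-1:111111111111:feature-team"}
  },
  "Resources": {
    "SpilloverCountAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {"AlarmActions": [{"Ref": "SNSTopic1"}, {"Ref": "SNSTopic2"}]}
    }
  }
}
""")

# SNS topic ARN shape: arn:partition:sns:region:account:topic-name (names may end in .fifo).
SNS_ARN = re.compile(r"^arn:aws[\w-]*:sns:[a-z0-9-]+:\d{12}:[\w.-]+$")

def resolve_ref(value, params):
    """Resolve {"Ref": name} to that parameter's Default; literals pass through.
    A Ref to an undeclared parameter resolves to None, which the lint reports."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return params.get(value["Ref"], {}).get("Default")
    return value

def alarm_actions(template):
    """Return ({alarm logical id: [resolved action ARNs]}, [problem strings]).
    Policy enforced (this lint's choice, not a CloudFormation rule): every alarm
    action must resolve to an SNS topic ARN, so a mistyped Ref is caught pre-deploy."""
    params = template.get("Parameters", {})
    resolved, problems = {}, []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudWatch::Alarm":
            continue
        actions = res.get("Properties", {}).get("AlarmActions", [])
        if not isinstance(actions, list):  # the schema defines AlarmActions as a List
            problems.append(f"{logical_id}: AlarmActions must be a list")
            continue
        arns = [resolve_ref(a, params) for a in actions]
        for action, arn in zip(actions, arns):
            if not (isinstance(arn, str) and SNS_ARN.match(arn)):
                problems.append(f"{logical_id}: {action!r} does not resolve to an SNS topic ARN")
        resolved[logical_id] = arns
    return resolved, problems
```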

Related

AWS EventBridge Pattern not capturing all events from Secrets Manager

I have the following pattern in event bridge:
{
  "source": [
    "aws.secretsmanager"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "secretsmanager.amazonaws.com"
    ],
    "eventName": [
      "CreateSecret",
      "UpdateSecret",
      "DeleteSecret",
      "PutSecretValue",
      "GetSecretValue",
      "ListSecrets",
      "RotationFailed",
      "RotationSucceeded",
      "DescribeSecret"
    ]
  }
}
It points to a Lambda that prints the event to CloudWatch. It works just fine, but when I try to capture events like:
"ListSecrets",
"RotationFailed",
"RotationSucceeded",
"DescribeSecret"
they never get captured by the event filter I created. Other actions like Update/Create/Delete work just fine.
Are there any steps I am missing to get those?
Documentation Reference: https://docs.amazonaws.cn/en_us/secretsmanager/latest/userguide/retrieve-ct-entries.html
Thanks
All events that are delivered via CloudTrail have AWS API Call via CloudTrail as the value for detail-type. Events from API actions that start with the keywords List, Get, or Describe are not processed by EventBridge, with the exception of events from the following STS actions: GetFederationToken and GetSessionToken. Data events (for example, for Amazon S3 object level events, DynamoDB, and AWS Lambda) must have trails configured to receive those events. Learn more.
Warning from AWS at EventBridge page about Secrets Manager

Moving specific Logs from AWS Cloudtrail to S3

I want to send a CloudTrail log (specifically when a Secrets Manager key rotates) to an S3 bucket. We already have the logs in CloudTrail; is there an easy way to configure CloudTrail to send these logs to S3 as soon as it happens? I was thinking of setting up a Lambda function that runs on a CRON schedule to do this for me, but would there be an easier way?
If you want to get specific events from CT in real time as they happen, then you should set up a CloudWatch Events rule for them:
Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail
The rule could be:
{
  "source": [
    "aws.secretsmanager"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "secretsmanager.amazonaws.com"
    ],
    "eventName": [
      "RotateSecret"
    ]
  }
}
With a target of a Firehose delivery stream set for the S3 bucket of your choice.
There is a slightly easier way, although not necessarily cost-effective (depends on your case), and you won't avoid using Lambda. Instead of setting up a cron, you can enable CloudWatch export for your trail, from where you can set a Lambda subscription filter. This way you can export to S3 exactly the events you want (you don't have to code the filters into the function) as soon as they come. But you have to pay extra for the CloudWatch Logs, so it's not a good option if you have a large trail.

How to configure AWS CloudWatch Events for the AssumeRole event (in order to trigger SNS notifications)

I am trying to configure a CloudWatch Event Rule (to trigger an SNS notification) for whenever someone assumes a particular role:
{
  "detail": {
    "eventName": [
      "AssumeRole"
    ],
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "requestParameters": {
      "roleArn": [
        "arn:aws:iam::0000:role/the_role_name"
      ]
    }
  },
  "detail-type": [
    "AWS API Call via CloudTrail"
  ]
}
Where 0000 is the account id and the_role_name is the role I want to alert on.
This is failing to trigger any notification; however, when I search in CloudTrail Insights for the events:
filter eventName = 'AssumeRole'
| filter requestParameters.roleArn =~ 'the_role_name'
| sort #timestamp desc
| display #timestamp, requestParameters.roleSessionName, eventName, requestParameters.roleArn, userAgent, sourceIPAddress
I DO get results that SHOULD have triggered the rule:
requestParameters.roleSessionName eventName requestParameters.roleArn
my_username AssumeRole arn:aws:iam::0000:role/the_role_name
...
For the sake of trying to dumb things down and catch a broader set of events, I also tried the following rule (which would catch all AssumeRole events to any role):
{
  "detail": {
    "eventName": [
      "AssumeRole"
    ]
  },
  "detail-type": [
    "AWS API Call via CloudTrail"
  ]
}
This rule is also failing to trigger.
Does anyone have ideas on how to configure Cloudwatch Event Rules to trigger on AssumeRole events?
I read through this related question (which is trying to achieve something similar), but it did not have a solution: AWS CloudWatch Events trigger SNS on STS role assuming for cross account
First of all, make sure whether the event is invoked or not by checking the monitoring metrics for the rule. It is possible that it is triggered but fails to invoke the target. In this case, you should check your IAM policies.
If it is not triggered, there could be issues with trail delivery to CloudWatch Logs. Make sure that you created a trail in the same region which delivers events to CloudWatch Logs.
I have the following rule in the us-east-1 region, which works fine:
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "sts.amazonaws.com"
    ],
    "eventName": [
      "AssumeRole"
    ]
  },
  "source": [
    "aws.sts"
  ]
}
According to an AWS Support agent I was speaking with yesterday, and as also indicated by the linked documents, EventBridge Rules (formerly CloudWatch Event Rules) unfortunately do not support STS events.
What's perplexing about this, and might lead you down a wrong path as it did me, is that the sts test-event-pattern API will in fact validate your event against a valid pattern and give no indication that it's an unsupported service.
Hopefully AWS adds STS event support in the future.
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html
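Added example serving both the Secrets Manager question above and this AssumeRole thread (not code from any of the posts): a local matcher for the subset of EventBridge pattern syntax these rules use, plus the documented List/Get/Describe exclusion quoted in the Secrets Manager answer, so a rule can be sanity-checked before deployment. It also makes the caveat from the last answer concrete: a local match, like the test-event-pattern API, says nothing about whether the service's events are delivered at all. The event helper, the trimmed patterns and the role ARN are constructed from the threads' own values.

```python
# Subset of EventBridge pattern semantics: a pattern is a nested dict whose leaves are lists
# of allowed literal values. An event matches when every pattern key exists in the event and
# the event's value is one of the listed values (nested dicts recurse). Content filters such
# as {"prefix": ...} are not implemented here.
def matches_pattern(pattern, event):
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

# Documented behaviour quoted in the Secrets Manager answer: CloudTrail-sourced API calls whose
# name starts with List, Get or Describe are not processed by EventBridge, except two STS calls.
CLOUDTRAIL_EXEMPT = {("sts.amazonaws.com", "GetFederationToken"), ("sts.amazonaws.com", "GetSessionToken")}

def delivered_via_cloudtrail(detail):
    source, name = detail.get("eventSource", ""), detail.get("eventName", "")
    return (source, name) in CLOUDTRAIL_EXEMPT or not name.startswith(("List", "Get", "Describe"))

def rule_would_fire(pattern, event):
    """Local pre-check: the pattern matches AND the event is one EventBridge actually delivers.
    A True here is necessary, not sufficient: the AssumeRole thread reports STS events were not
    delivered at all, and a local match (like the test-event-pattern API) cannot detect that."""
    if not matches_pattern(pattern, event):
        return False
    if event.get("detail-type") == "AWS API Call via CloudTrail":
        return delivered_via_cloudtrail(event.get("detail", {}))
    return True

def cloudtrail_event(source, event_source, event_name, **extra):
    """Constructed CloudTrail-shaped EventBridge event, not one captured from AWS."""
    detail = {"eventSource": event_source, "eventName": event_name, **extra}
    return {"source": source, "detail-type": "AWS API Call via CloudTrail", "detail": detail}

# The two patterns from the threads, trimmed to a few event names.
SECRETS_PATTERN = {"source": ["aws.secretsmanager"], "detail-type": ["AWS API Call via CloudTrail"],
                   "detail": {"eventSource": ["secretsmanager.amazonaws.com"],
                              "eventName": ["CreateSecret", "GetSecretValue", "DescribeSecret"]}}
ASSUME_ROLE_PATTERN = {"detail-type": ["AWS API Call via CloudTrail"],
                       "detail": {"eventSource": ["sts.amazonaws.com"], "eventName": ["AssumeRole"],
                                  "requestParameters": {"roleArn": ["arn:aws:iam::0000:role/the_role_name"]}}}
```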

AWS CodePipeline Notifications

I am trying to add some notifications to my Pipeline in AWS.
I have a build stage where I use AWS CodeBuild and I want to receive an email whenever the build fails.
I have followed the tutorial that Amazon offers, and it works fine to notify me about the failure, but I can't seem to find how to add the logs to the email.
I have created the following CloudWatch Event Rule, which monitors the execution of the entire Pipeline.
{
  "source": [
    "aws.codepipeline"
  ],
  "detail-type": [
    "CodePipeline Pipeline Execution State Change"
  ],
  "detail": {
    "state": [
      "FAILED",
      "SUCCEEDED",
      "CANCELED"
    ],
    "pipeline": [
      "Pipeline_Trial"
    ]
  }
}
Can anyone help me figure out how to add the logs to this rule?
The event from CodePipeline does not contain the CodeBuild logs so you can't pass this through to your email without something in the middle.
A solution could be to have your CloudWatch event target a Lambda function which looks up the logs via the CodeBuild / CloudWatch logs API. It can then generate the email including the logs and send the notification via SNS.

AWS Beanstalk - SNS notification to Lambda when new environment gets created

I use a CF Template to create Beanstalk environments. I would like to trigger Lambda code via SNS when an environment gets created, so I can use the Lambda to trigger a Jenkins job with integration tests for the new environment.
Is there a way to send an SNS message after an env gets successfully created in Beanstalk? I already defined a topic the lambda code is subscribed to.
The Beanstalk API allows you to define a notification endpoint.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.managing.sns.html
But what is this for if I can only specify an email address and I have to confirm subscription? How can I use it to trigger an SNS message automatically?
{
  "OptionName": "Notification Endpoint",
  "Namespace": "aws:elasticbeanstalk:sns:topics",
  "Value": "no-reply@example.com"
},
{
  "OptionName": "Notification Protocol",
  "Namespace": "aws:elasticbeanstalk:sns:topics",
  "Value": "email"
},
A workaround I found is a bit hacky. I create an EC2 instance at the end of the stack creation process and run some AWS commands to send an SNS notification via UserData shell. Is this the only way?
I'm answering my own question. I managed to figure out how to use SNS to trigger Lambda code after a new Beanstalk env gets created.
I created an SNS topic service-configurator and added its ARN and name to the template.
{
  "OptionName": "Notification Topic ARN",
  "Namespace": "aws:elasticbeanstalk:sns:topics",
  "Value": "arn:aws:sns:us-east-1:273218181234:service-configurator"
},
{
  "OptionName": "Notification Topic Name",
  "Namespace": "aws:elasticbeanstalk:sns:topics",
  "Value": "service-configurator"
}
Next, I set the sns topic to be an event source for my lambda code.
Now, Lambda gets triggered every time something happens to an environment (instances added/removed, env created, etc.).
While Configuring Notifications with Elastic Beanstalk does not provide a specific example for sending Amazon SNS notifications, email is simply the default for the respective AWS Elastic Beanstalk option setting, and you can also create subscriptions for most/all other protocols; see option aws:elasticbeanstalk:sns:topics:
Valid Values: http https email email-json sqs
Obviously AWS Lambda is not referenced there yet, but it is just another SNS protocol, so I would assume/hope that the table has simply not been updated yet and something like the following should just work accordingly (I haven't tried it myself yet though):
{
  "OptionName": "Notification Endpoint",
  "Namespace": "aws:elasticbeanstalk:sns:topics",
  "Value": "<Your Lambda function ARN>"
},
{
  "OptionName": "Notification Protocol",
  "Namespace": "aws:elasticbeanstalk:sns:topics",
  "Value": "lambda"
},