AWS - Lambda with AWS CloudTrail
We can enable CloudTrail in our AWS account to get logs of API calls and related events history in our account. CloudTrail records all of the API access events as objects in our Amazon S3 bucket that we specify at the time we enable CloudTrail.
Because CloudTrail provides a record of our AWS API calls, we can use this data to gain visibility into user activity and to troubleshoot operational and security incidents.
We can take advantage of Amazon S3's bucket notification feature and direct Amazon S3 to publish object-created events to AWS Lambda.
Whenever CloudTrail writes logs to our S3 bucket, Amazon S3 can then invoke our Lambda function by passing the Amazon S3 object-created event as a parameter. The S3 event provides information, including the bucket name and key name of the log object that CloudTrail created.
Our Lambda function code can read the log object and process the access records logged by CloudTrail.
For example, we might write Lambda function code to notify us if a specific API call was made in our account. In our sample, we enable CloudTrail so it can write access logs to the S3 bucket we configured. As for Lambda, S3 is the event source: it publishes events (such as the object-created event) to AWS Lambda and invokes our Lambda function.
When S3 invokes our Lambda function, it passes an S3 event identifying, among other things, the bucket name and key name of the object that CloudTrail created. The Lambda function can read the log object, and it knows the API calls that were reported in the log.
Each object CloudTrail creates in our S3 bucket is a JSON object, with one or more event records. Each record, among other things, provides eventSource and eventName.
We need to turn on AWS CloudTrail for our AWS account to maintain records (logs) of the AWS API calls made on our account.
Note that the trail is turned on only in the region where it was created!
Pic credit : Using AWS Lambda with AWS CloudTrail
The steps in the diagram can be summarized as follows:
- AWS CloudTrail saves logs to an S3 bucket (object-created event).
- Amazon S3 detects the object-created event.
- Amazon S3 publishes the s3:ObjectCreated:* event to AWS Lambda by invoking the Lambda function, as specified in the bucket notification configuration. Because the Lambda function's access permissions policy includes permissions for Amazon S3 to invoke the function, Amazon S3 can invoke the function.
- AWS Lambda executes the Lambda function by assuming the execution role that we specified at the time we created the Lambda function.
- The Lambda function reads the Amazon S3 event it receives as a parameter, determines where the CloudTrail object is, reads the CloudTrail object, and then it processes the log records in the CloudTrail object.
- If the log includes a record with specific eventType and eventSource values, it publishes the event to our Amazon SNS topic. In Tutorial: Using AWS Lambda with AWS CloudTrail, we subscribe to the SNS topic using the email protocol, so we get email notifications.
Policy attached to the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream20141101",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:526262051452:log-group:CloudTrail/DefaultLogGroup:log-stream:526262051452_CloudTrail_us-east-1*"
      ]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents20141101",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:526262051452:log-group:CloudTrail/DefaultLogGroup:log-stream:526262051452_CloudTrail_us-east-1*"
      ]
    }
  ]
}
A sample CloudTrail log object (the record shown reports a CreateTopic call against SNS):
{
  "Records": [
    ...
    {
      "eventVersion": "1.04",
      "userIdentity": {
        "type": "Root",
        "principalId": "526262051452",
        "arn": "arn:aws:iam::526262051452:root",
        "accountId": "526262051452",
        "accessKeyId": "....",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2017-06-05T04:06:42Z"
          }
        }
      },
      "eventTime": "2017-06-05T05:18:56Z",
      "eventSource": "sns.amazonaws.com",
      "eventName": "CreateTopic",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "107.203.254.106",
      "userAgent": "AWSCloudTrail, aws-internal/3",
      "requestParameters": null,
      "responseElements": null,
      "requestID": "a1e71724-016c-58bf-8cb0-468aed6ce321",
      "eventID": "5a1e05f5-c5ca-424a-b837-959e25d6aea7",
      "eventType": "AwsApiCall",
      "recipientAccountId": "526262051452"
    },
    ...
  ]
}
The Lambda function notifies us by email if an API call to create an Amazon SNS topic is reported in the log. That is, when our Lambda function parses the log, it looks for records with the following fields:
"eventSource":"sns.amazonaws.com", "eventName":"ListTopics"
eventName = "CreateTopic"
If found, it publishes the event to our Amazon SNS topic.
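The following is an added Python example of the Lambda function described above; it is not the page's or the AWS tutorial's code. It assumes the SNS topic ARN is supplied in an SNS_TOPIC_ARN environment variable, that CloudTrail log objects are gzip-compressed JSON (which they are), and that the S3 event carries URL-encoded keys (which it does, so the key is decoded before GetObject). The parsing is kept in pure functions so it can be exercised offline on a constructed log.

```python
import gzip
import io
import json
import os
import urllib.parse

# (eventSource, eventName) pairs that trigger a notification, as on the page.
WATCHED = {("sns.amazonaws.com", "CreateTopic")}


def objects_from_s3_event(event):
    """Return (bucket, key) for every object record in an S3 notification.
    S3 URL-encodes the key in the event, so decode it before calling GetObject."""
    found = []
    for rec in event.get("Records", []):
        s3 = rec.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        key = urllib.parse.unquote_plus(s3.get("object", {}).get("key", ""))
        if bucket and key:
            found.append((bucket, key))
    return found


def matching_records(log_bytes):
    """Parse one CloudTrail log object (gzip-compressed JSON) and return the
    records whose (eventSource, eventName) pair is in WATCHED."""
    with gzip.GzipFile(fileobj=io.BytesIO(log_bytes)) as gz:
        log = json.load(gz)
    return [r for r in log.get("Records", [])
            if (r.get("eventSource"), r.get("eventName")) in WATCHED]


def lambda_handler(event, context):
    """Entry point invoked by S3; boto3 is imported here so the pure
    functions above stay importable without it."""
    import boto3  # assumption: available in the Lambda runtime
    s3, sns = boto3.client("s3"), boto3.client("sns")
    topic_arn = os.environ["SNS_TOPIC_ARN"]  # assumption: set on the function
    matched = 0
    for bucket, key in objects_from_s3_event(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        for rec in matching_records(body):
            sns.publish(TopicArn=topic_arn, Subject="CloudTrail alert",
                        Message=json.dumps(rec, indent=2))
            matched += 1
    return {"matched": matched}


# Constructed sample data: one CreateTopic and one ListTopics record, plus an
# S3 event whose key contains a '+' to show the decoding step.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic", "eventID": "constructed-1"},
    {"eventSource": "sns.amazonaws.com", "eventName": "ListTopics", "eventID": "constructed-2"},
]}).encode())
SAMPLE_S3_EVENT = {"Records": [{"s3": {"bucket": {"name": "my-trail-bucket"},
    "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2017/06/05/log+file.json.gz"}}}]}
```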