Why is AWS charging for KMS when calling Lambda? - aws-lambda

With each Lambda invoke, either via the AWS API or API Gateway HTTP, KMS usage is increasing while I haven't added any key management with KMS. Is this an indirect cost by AWS on Lambda usage, or is there an option to disable KMS on Lambda invoke?

Each AWS account has a default KMS managed key to encrypt/decrypt the data store and connections.
There should be a section asking whether you want to encrypt/protect your data when you create Lambda/EC2/DBs; if you click yes, then the default key will be used.
That's how you get charged. You can ask their customer service, and they may refund unnecessary calls.

Related

Lambda can't decrypt image

I am working in a multi-AWS-account context.
I have Lambdas in accounts A, B, C and an ECR in account D. The Lambdas pull images from account D.
There is a customer-managed KMS key that is used by the ECR in account D.
The KMS key policy allows the role used by the Lambdas to do KMS operations.
The Lambda roles in accounts A, B, C allow use of KMS.
When I try to run my Lambdas I get the following response:
Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings.
KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Here is my KMS key policy strategy
And following, here is my role used by the Lambda:
And finally my ECR using the key
I have followed these docs from AWS: https://aws.amazon.com/fr/premiumsupport/knowledge-center/lambda-kmsaccessdeniedexception-errors/
but the error messages discussed in this link are slightly different.

Can't copy AWS RDS DB snapshot because of key not existing or no access? (Administrator account)

I have administrator access to my AWS account and I'm trying to copy a DB snapshot that has encryption on it. I'm specifying the key ID but it's still giving me the following error:
/opt/homebrew/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.124.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The target KMS key [<my_key_id>] does not exist, is not enabled or you do not have permissions to access it. (Aws::RDS::Errors::KMSKeyNotAccessibleFault)
The only thing that has changed from the time it worked to the time it no longer works is me enabling encryption on the database, so now its snapshots are encrypted. As a result, I've added the kms_key_id parameter to my copy_db_snapshot method.
Here's how I'm doing this with the aws-sdk-rds gem:
require 'aws-sdk-rds'

# The RDS client is created in the region the copy is written to;
# target_db_region is a hypothetical variable holding that region name.
client = Aws::RDS::Client.new(region: target_db_region)

client.copy_db_snapshot({
  source_db_snapshot_identifier: source_db_arn,
  target_db_snapshot_identifier: target_db_snapshot_identifier,
  source_region: source_db_region,
  kms_key_id: '<my_key_id>' # key used to encrypt the new snapshot copy
})
I don't quite fully understand this error message. The key definitely exists (I've tried just the key ID and the full ARN), and I definitely have permission. I'm using a key generated by AWS so not sure if this helps.
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/Client.html#copy_db_snapshot-instance_method
If you copy an encrypted snapshot to a different Amazon Web Services Region, then you must specify an Amazon Web Services KMS key identifier for the destination Amazon Web Services Region. KMS keys are specific to the Amazon Web Services Region that they are created in, and you can't use KMS keys from one Amazon Web Services Region in another Amazon Web Services Region.
You need to specify the KMS key id of a KMS key in the destination region. This is because the kms_key_id parameter is actually supposed to be the ID of the KMS Key used to encrypt the new snapshot copy, not your original snapshot.
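The region check the answer above describes, as an added example (not code from the question or from the aws-sdk-rds gem): it builds the copy_db_snapshot parameters and refuses a kms_key_id whose ARN names a region other than the destination, which is exactly the mismatch behind KMSKeyNotAccessibleFault. All ARNs and IDs are constructed placeholders; a bare key ID carries no region, so it is checked for shape only.

```ruby
# Added example: validate that the KMS key used for a cross-region snapshot
# copy lives in the destination region before calling copy_db_snapshot.
ARN_RE = %r{\Aarn:aws[\w-]*:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]{36}\z}
KEY_ID_RE = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/

class KeyRegionMismatch < StandardError; end

# Region embedded in a KMS key ARN, or nil for a bare key ID (which RDS
# resolves in the destination region of the copy).
def kms_key_region(key)
  m = ARN_RE.match(key)
  return m[1] if m
  return nil if KEY_ID_RE.match?(key)
  raise ArgumentError, "not a KMS key ARN or key ID: #{key.inspect}"
end

# Returns the hash to pass to Aws::RDS::Client#copy_db_snapshot, or raises
# KeyRegionMismatch when the key is pinned to another region.
def build_copy_params(source_arn:, target_id:, source_region:, dest_region:, kms_key_id:)
  key_region = kms_key_region(kms_key_id)
  if key_region && key_region != dest_region
    raise KeyRegionMismatch,
          "kms_key_id is in #{key_region}; copy_db_snapshot needs a key in #{dest_region}"
  end
  {
    source_db_snapshot_identifier: source_arn,
    target_db_snapshot_identifier: target_id,
    source_region: source_region,
    kms_key_id: kms_key_id
  }
end

# Usage with constructed values; the client itself is created in the destination region:
#   client = Aws::RDS::Client.new(region: 'eu-west-1')
#   client.copy_db_snapshot(build_copy_params(
#     source_arn: 'arn:aws:rds:us-east-1:123456789012:snapshot:rds:mydb-2024-01-01',
#     target_id: 'mydb-copy', source_region: 'us-east-1', dest_region: 'eu-west-1',
#     kms_key_id: 'arn:aws:kms:eu-west-1:123456789012:key/12345678-1234-1234-1234-123456789012'))
```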

Call from Lambda to get secret from Secrets Manager is very slow

Recently I've started to use Secrets Manager to read credentials from Lambda, and I noticed that reading a secret from SM takes several seconds. Introducing a VPC interface endpoint as described here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html#vpc-endpoint didn't help; I see the same response time.
In CloudTrail I see that the created VPC endpoint is used to call Secrets Manager.
Did anyone have a similar issue?

What permissions does my Lambda function need to retrieve secrets from AWS Secrets Manager?

What permissions does my Lambda function need to be able to retrieve secrets from AWS Secrets Manager and change them as well?
You need the secretsmanager:GetSecretValue policy to retrieve secrets and the secretsmanager:UpdateSecret policy to update secrets.
Note that if you are using a customer-managed AWS KMS key for encryption you will also need some KMS permissions:
kms:Decrypt for retrieving the secret.
kms:Decrypt and kms:GenerateDataKey for updating the secret.
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html
If you are using the Lambda functions provided by AWS, then (as described in the docs) you will need: DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage and GetRandomPassword. If you are using a Custom KMS Key (CMK) you will also need Decrypt and GenerateDataKey permissions for that CMK (both in the Lambda policy and in the KMS key policy).
If you are seeing Task timed out errors, it is likely your Lambda can not access either the secrets manager endpoint (try using a VPC endpoint), or the Lambda can not connect to the DB (check security group settings).
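The permission set the two answers above list, as an added example that is not from either answer: it generates the least-privilege IAM policy for the Lambda role, adding secretsmanager:UpdateSecret and kms:GenerateDataKey only when writes are needed, and the KMS statement only when a customer-managed key (CMK) is in use. It goes one step beyond the answers by scoping the KMS grant with the kms:ViaService condition so the CMK can only be used through Secrets Manager; the ARNs are constructed placeholders.

```ruby
require 'json'

# Added example: build the Lambda role policy for Secrets Manager access.
# read-only  -> GetSecretValue (+ kms:Decrypt for a CMK)
# read/write -> + UpdateSecret (+ kms:GenerateDataKey for a CMK)
def secrets_policy(secret_arn:, write: false, cmk_arn: nil)
  sm_actions = ['secretsmanager:GetSecretValue']
  sm_actions << 'secretsmanager:UpdateSecret' if write
  statements = [{
    'Sid' => 'SecretsManagerAccess',
    'Effect' => 'Allow',
    'Action' => sm_actions,
    'Resource' => secret_arn # one secret, never "*"
  }]
  if cmk_arn
    kms_actions = ['kms:Decrypt']
    kms_actions << 'kms:GenerateDataKey' if write
    statements << {
      'Sid' => 'SecretsManagerCmk',
      'Effect' => 'Allow',
      'Action' => kms_actions,
      'Resource' => cmk_arn,
      # Only usable via Secrets Manager in the key's region, not for direct KMS calls.
      'Condition' => { 'StringEquals' => {
        'kms:ViaService' => "secretsmanager.#{region_of(cmk_arn)}.amazonaws.com"
      } }
    }
  end
  { 'Version' => '2012-10-17', 'Statement' => statements }
end

# Region field of an ARN (arn:partition:service:region:account:resource).
def region_of(arn)
  arn.split(':')[3]
end

# Policy document as JSON, ready to attach to the Lambda execution role.
def secrets_policy_json(**opts)
  JSON.pretty_generate(secrets_policy(**opts))
end
```

The same CMK actions must also be allowed for the Lambda role in the key policy itself, as the second answer notes.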

Can I make a call to AWS Cognito via a Lambda through the API gateway?

My current stack is like this:
User creates an account via AWS Cognito
A post confirmation lambda is triggered which then adds further user details to a database
My database uses the sub id generated by cognito as the userId so they are the same. I also copy the email address as the Username in my database. My intention is to use Cognito for Authentication and my own database for the functionality of my app.
However, if the user wishes to update their email address I need to amend this in both Cognito and my database. My first attempt made a call to Cognito in my Lambda using admin_update_user_attributes, but I soon realised it was blocked from making external calls to the internet, so I created a NAT gateway, which worked, but it simply costs way too much!
My second idea was to go through Cognito, having my front end make the call and then have Cognito trigger a Lambda to update my database, but I don't think this is possible.
Is there a configuration or something I'm missing to be able to access AWS Cognito via a Lambda through the API Gateway, as they are both AWS services?
I don't want to make two separate calls via my frontend as this creates a risk of one being completed but not the other.
Thanks
A NAT gateway will be needed if you have your Lambda function in a VPC as there are no Cognito VPC endpoints at this time.
List of currently supported AWS services with endpoints.
If you are using a DB like DynamoDB, the Lambda function does not need to be in a VPC, so you could achieve the use case you mentioned above.
Another option could be to do the Cognito update asynchronously, so your Lambda could potentially use VPC endpoints to put a message in SQS and then have a Lambda poller (outside the VPC) poll the messages and update Cognito. Or achieve a similar use case by making use of private API Gateways.
These are just potential ideas which I have not done myself.