What are the default IAM permissions for a Lambda ARN? - aws-lambda

Assuming you create a Lambda ARN and Publish it, what are the default IAM permissions for that Lambda ARN?
i.e. can anyone go ahead and use it if they have the ARN?

When you create a lambda, you have to assign an IAM role to it. There are no predefined roles, although there are some predefined policies that you can assign to a role. As a minimum you would want to allow it to write logs to CloudWatch. If you wanted the lambda to access an S3 bucket, that policy would need to be assigned to the role.
The role you assign to a Lambda only defines what that Lambda can do, not what can invoke it. You can assign triggers for other AWS services to invoke the Lambda, but you can't, say, set a policy in the lambda role or trigger that would allow anything to invoke it.
If you wanted to invoke the lambda directly (e.g. through an SDK), you would need an IAM role that had permission to invoke that lambda.
The ARN (Amazon Resource Name) is just a naming convention that AWS uses to find something.
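The two sides of the answer above (what the function may do versus who may call it) map onto two different policy documents. The following is an added example, not code from the original answer: it parses a constructed sample Lambda ARN, derives a logs policy for the execution role scoped to that function's own log group, and builds the identity policy a caller needs to invoke it. The account id and function name are placeholders.

```python
"""Added example (not from the original answer): build least-privilege IAM policy
documents for a published Lambda from its ARN.

SAMPLE_FUNCTION_ARN is a constructed sample; the account id and function name are placeholders.
"""
import json
from typing import Dict, List

SAMPLE_FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-processor"


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its fields: arn:partition:service:region:account:resource.
    The resource part may itself contain colons (function:name:alias), so split
    at most five times and keep the remainder intact."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def function_name(arn: str) -> str:
    """Extract the function name from 'function:<name>' or 'function:<name>:<qualifier>'."""
    fields = parse_arn(arn)
    if fields["service"] != "lambda" or not fields["resource"].startswith("function:"):
        raise ValueError("not a Lambda function ARN")
    return fields["resource"].split(":")[1]


def execution_role_logs_policy(arn: str) -> dict:
    """Policy for the function's execution role: what the function CAN DO.
    Scoped to this function's own CloudWatch log group rather than logs:* on '*'."""
    f = parse_arn(arn)
    log_group = (f"arn:{f['partition']}:logs:{f['region']}:{f['account']}"
                 f":log-group:/aws/lambda/{function_name(arn)}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": log_group},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{log_group}:*"},
        ],
    }


def invoke_policy(arn: str) -> dict:
    """Identity policy for a caller (user or role): who CAN INVOKE the function.
    Knowing the ARN grants nothing by itself; this must be attached to the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": arn}],
    }


def wildcard_resources(policy: dict) -> List[str]:
    """List the actions a policy grants on Resource '*', so over-broad grants stand out."""
    broad: List[str] = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "*" in resources:
            broad.extend(actions)
    return broad


if __name__ == "__main__":
    print(json.dumps(execution_role_logs_policy(SAMPLE_FUNCTION_ARN), indent=2))
    print(json.dumps(invoke_policy(SAMPLE_FUNCTION_ARN), indent=2))
```

`wildcard_resources` is the check worth running on any policy you attach: the two documents above return an empty list, while a policy granting `lambda:InvokeFunction` on `*` would let a caller invoke every function in the account.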

Related

How to update a Security Group deployed by Terraform and with a lambda function?

We have to update a Security Group dynamically through a Lambda function; the IPs to be allowed are extracted from the CloudWatch events.
This Security Group and the owner are deployed by Terraform into a VPC, within a lot of components and with a lot of updates.
These components, including the Security Group, are under the control of Terraform, meaning it could be redeployed if Terraform identifies some differences from the source. Then the differences made dynamically by the Lambda are lost.
How can we control / avoid this behavior, please?

How to secure the AWS access key in serverless

I am writing a serverless application which is connected to DynamoDB.
Currently I am reading the access key ID and security access key from a json file.
I am going to use Jenkins for CI and need a way to secure these keys.
What I am going to do is setting the keys as environmental variables and read them in the application. But the problem is I don't know how to set the environmental variables every time a lambda function is started.
I have read there's a way to configure this in serverless.yml file, but don't know how.
How to achieve this?
Don't use environment variables. Use the IAM role that is attached to your lambda function. AWS Lambda assumes the role on your behalf and sets the credentials as environment variables when your function runs. You don't even need to read these variables yourself. All of the AWS SDKs will read these environment variables automatically.
There's a good guide on serverless security, which, among other topics, covers this one as well. It's similar to the OWASP top 10:
In general, the best practice would be to use the AWS Secrets Manager, together with SSM parameter store.
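What the answer above describes looks like this in a handler. This is an added example, not the asker's code and not part of the Serverless framework: no key file is read, the SDK picks up the execution role's credentials from the variables Lambda sets, and the application secret comes from SSM Parameter Store with a short cache so warm containers do not hit SSM every invocation. The parameter name and table name are constructed placeholders, and the boto3 clients are injectable so the logic can be exercised against fakes.

```python
"""Added example (not the asker's code or the Serverless framework's): a handler that
never reads AWS keys from a file. Credentials come from the execution role via the
environment Lambda sets; application secrets come from SSM Parameter Store.
The parameter name and table name below are constructed placeholders."""
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Lambda injects these from the execution role; the AWS SDKs read them on their own.
ROLE_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Process-wide cache so a warm container does not call SSM on every invocation.
_secret_cache: Dict[str, Tuple[str, float]] = {}
SECRET_TTL_SECONDS = 300


def role_credentials_present(env: Optional[Dict[str, str]] = None) -> bool:
    """True when all three role-credential variables exist (useful for diagnostics only;
    application code should never read or log their values)."""
    env = dict(os.environ) if env is None else env
    return all(env.get(v) for v in ROLE_CREDENTIAL_VARS)


def get_parameter(name: str, ssm_client, now: Callable[[], float] = time.time) -> str:
    """Fetch a SecureString parameter (decrypted server-side; the role needs kms:Decrypt
    on the parameter's key) and cache it for SECRET_TTL_SECONDS.
    `ssm_client` is boto3.client('ssm') in production; a fake is injected in tests."""
    cached = _secret_cache.get(name)
    if cached and now() - cached[1] < SECRET_TTL_SECONDS:
        return cached[0]
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    value = resp["Parameter"]["Value"]
    _secret_cache[name] = (value, now())
    return value


def handler(event, context, ssm_client=None, dynamodb_resource=None):
    """Lambda entry point. boto3 is imported lazily so the module loads without it in tests.
    Nothing here passes credentials: the SDK resolves them from the role environment."""
    if ssm_client is None or dynamodb_resource is None:
        import boto3
        ssm_client = ssm_client or boto3.client("ssm")
        dynamodb_resource = dynamodb_resource or boto3.resource("dynamodb")
    api_key = get_parameter("/orders/third-party-api-key", ssm_client)  # placeholder parameter name
    table = dynamodb_resource.Table(os.environ.get("TABLE_NAME", "orders"))  # placeholder table name
    table.put_item(Item={"pk": event["id"], "source": "lambda"})
    return {
        "statusCode": 200,
        "secret_loaded": bool(api_key),
        "role_creds": role_credentials_present(),
    }
```

The permissions the role needs (for example `dynamodb:PutItem` on the one table ARN and `ssm:GetParameter` on the one parameter ARN) are declared in `serverless.yml` under the provider's IAM role statements rather than handed to the code; the Serverless framework then creates the execution role and attaches it to the function.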

How do I make EC2 instances under the AWS account root user visible to IAM users?

I have a small group of people using AWS services.
When we first started, I mistakenly created EC2 instances under the root account, instead of creating them as an individual IAM user.
Now none of the IAM users can see those EC2 instances in the EC2 management portion of the AWS web console. The only way to see them is to log in as the AWS root account user.
Is there any way to make these EC2 instances visible to the IAM users?
AWS has documentation describing how to make instances visible to other accounts, but the same instructions don't seem to apply to this scenario.
The default policy for an IAM user is to deny all services on AWS. So you have to provide appropriate permissions for the IAM user. Generate a policy using this website or assign AWS managed policies to the user.
You can get the information about attaching a policy to an IAM user in the documentation.
You can create a read-only group for EC2 instances by following these steps:
Create a new group which will have all read-only users for EC2
Select and attach the predefined policy AmazonEC2ReadOnlyAccess from the list when creating the new group
Put all the IAM users to this newly created group
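The three steps above as boto3 IAM calls, as an added example that is not part of the original answer. The group and user names are constructed placeholders; the policy ARN is the AWS managed `AmazonEC2ReadOnlyAccess` policy. The IAM client is passed in so the function can be run against a fake, and a re-run on an existing group is tolerated.

```python
"""Added example, not from the answer above: create a read-only EC2 group, attach the
AWS managed AmazonEC2ReadOnlyAccess policy, and add users to it. Group and user names
are constructed placeholders."""
from typing import Iterable, List

EC2_READONLY_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"


def create_ec2_readonly_group(iam, group_name: str, user_names: Iterable[str]) -> List[str]:
    """Create the group, attach the managed read-only policy, add each user.
    `iam` is boto3.client('iam') in production. Returns the ordered list of changes
    made so the caller (or a test) can audit exactly what was touched."""
    actions: List[str] = []
    try:
        iam.create_group(GroupName=group_name)
        actions.append(f"create_group:{group_name}")
    except iam.exceptions.EntityAlreadyExistsException:
        actions.append(f"group_exists:{group_name}")  # idempotent re-run
    # Attaching an already-attached managed policy is a no-op on the AWS side.
    iam.attach_group_policy(GroupName=group_name, PolicyArn=EC2_READONLY_POLICY_ARN)
    actions.append(f"attach_group_policy:{EC2_READONLY_POLICY_ARN}")
    for user in user_names:
        iam.add_user_to_group(GroupName=group_name, UserName=user)
        actions.append(f"add_user_to_group:{user}")
    return actions


if __name__ == "__main__":
    import boto3
    print(create_ec2_readonly_group(boto3.client("iam"), "ec2-readonly", ["alice", "bob"]))
```

Because the instances belong to the account rather than to the root identity that created them, read-only permission on EC2 is all the users need to see them; no ownership transfer is involved.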

Cloudformation stack where a route53 record is assigned to a single instance in an autoscale group

I wish to create the following using Cloudformation:
An autoscale group with a single spot instance, with an assigned route53 record which will always be directed to the instance, even if the instance is replaced.
I know how to do this with the Ruby API (not cloudformation).
How can I define this using CloudFormation?
You have two options:
Option #1: Update R53 in your spot instance, after it boots:
In your Cloudformation template create an IAM role with permissions to update the appropriate R53 record
Assign that role to your spot instance
When your spot instance initializes have it update R53 directly via the REST APIs. I usually do this by setting a shell script in the UserData and have cloudinit run it on boot.
To update via Ruby you'll need the access id, access key and security token. Since you assigned an IAM role to the instance these are available via the Metadata API. Most libraries automatically pull out these values so you might not even need to do it manually. Boto and the Node.js SDK do it automatically.
Option #2: Use an ELB
In your CloudFormation create an ELB
In your CloudFormation create an R53 alias record that points at the ELB's DNS name
If cost is a factor, an ELB may be a little expensive to just add an extra layer of indirection.
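The boot-time update in Option #1, written out as an added example that is not the answerer's script: the instance reads its public IP from the metadata service using IMDSv2 (token first, then the metadata path), UPSERTs the A record so that both first boot and a replacement instance converge on the same name, and the instance role is limited to changing that one record in that one zone. The hosted zone id, record name and sample IP are constructed placeholders.

```python
"""Added example (not from the answer): what the boot-time script in Option #1 does.
Fetches the instance's public IPv4 from IMDSv2 and UPSERTs a Route 53 A record.
Hosted zone id, record name and the sample IP are constructed placeholders."""
import urllib.request

IMDS = "http://169.254.169.254"


def public_ipv4_from_imds(timeout: float = 2.0) -> str:
    """IMDSv2: obtain a session token with a PUT, then read metadata with the token header.
    Token-only access blocks the classic SSRF-style credential theft IMDSv1 allowed."""
    token_req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(token_req, timeout=timeout) as r:
        token = r.read().decode()
    ip_req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/public-ipv4",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(ip_req, timeout=timeout) as r:
        return r.read().decode().strip()


def upsert_change_batch(record_name: str, ip: str, ttl: int = 60) -> dict:
    """ChangeBatch for route53.change_resource_record_sets. UPSERT creates or replaces,
    so a replacement spot instance simply overwrites the previous instance's IP."""
    fqdn = record_name if record_name.endswith(".") else record_name + "."
    return {
        "Comment": "set by instance on boot",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }


def instance_role_policy(hosted_zone_id: str, record_name: str) -> dict:
    """Least-privilege statement for the instance role: UPSERT of one A record in one zone.
    The route53:ChangeResourceRecordSets* condition keys narrow it below zone level."""
    fqdn = record_name if record_name.endswith(".") else record_name + "."
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [fqdn.rstrip(".")],
                    "route53:ChangeResourceRecordSetsRecordTypes": ["A"],
                    "route53:ChangeResourceRecordSetsActions": ["UPSERT"],
                }
            },
        }],
    }


if __name__ == "__main__":
    import boto3  # credentials come from the instance role via IMDS, nothing to configure
    ip = public_ipv4_from_imds()
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId="Z0000000000000EXAMPLE",  # placeholder
        ChangeBatch=upsert_change_batch("worker.example.com", ip))
```

The condition keys in `instance_role_policy` are the Route 53 resource-record-set condition keys; if your policy tooling does not yet know them, the zone-level `Resource` alone still confines the instance to one hosted zone.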

Provision AWS Account Programmatically?

I am trying to see if anyone knows if it is possible to provision an AWS account straight from code? I have looked at the SDK and API reference but I am not seeing anything. It would be something similar to the way http://qwiklab.com/ provisions a new account for a user for training purposes.
Creating a new AWS account requires voice verification. AWS actually calls you to confirm. What you can do is create AWS IAM users and allocate very specific permissions within your Amazon VPC for these users. For example you can say users in group "A" can only launch AMIs tagged as "development" and only in a specific subnet. You can be somewhat granular in the permissions you allocate to IAM users/groups. Here is a list of actions you can specify for EC2 resources:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Here is some general guidance on setting up control within your VPC:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
The examples there can potentially serve as a good starting point for what you are trying to accomplish.
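The group "A" example from the answer above, as an added policy that is not from the original post: `ec2:RunInstances` is allowed on images only when they carry `Environment=development`, on exactly one subnet, and on the remaining resource types the call touches. Region, account id and subnet id are constructed placeholders. The two check functions are a deliberately narrow evaluator for just this policy shape, not a general IAM simulator.

```python
"""Added example (not from the answer): an identity policy for group "A" that allows
ec2:RunInstances only with AMIs tagged Environment=development and only in one subnet,
plus two narrow checks for that policy shape. Region, account and subnet id are
constructed placeholders."""
import json
from typing import Dict, List


def run_instances_policy(region: str, account: str, subnet_id: str,
                         tag_key: str = "Environment", tag_value: str = "development") -> dict:
    base = f"arn:aws:ec2:{region}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the AMI must carry the tag; image ARNs have no account field
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": f"{base}::image/*",
                "Condition": {"StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}},
            },
            {   # only this subnet is allowed; any other subnet ARN is implicitly denied
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": f"{base}:{account}:subnet/{subnet_id}",
            },
            {   # the other resource types RunInstances needs, unrestricted
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"{base}:{account}:instance/*",
                    f"{base}:{account}:volume/*",
                    f"{base}:{account}:network-interface/*",
                    f"{base}:{account}:security-group/*",
                    f"{base}:{account}:key-pair/*",
                ],
            },
        ],
    }


def _resources(stmt: dict) -> List[str]:
    r = stmt["Resource"]
    return r if isinstance(r, list) else [r]


def image_allowed(policy: dict, image_tags: Dict[str, str]) -> bool:
    """True if some image statement allows RunInstances for an AMI with these tags.
    Only StringEquals on ec2:ResourceTag/<key> is understood (the shape built above)."""
    for stmt in policy["Statement"]:
        if not any("::image/" in r for r in _resources(stmt)):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        tag_conds = {k.split("/", 1)[1]: v for k, v in cond.items() if k.startswith("ec2:ResourceTag/")}
        if all(image_tags.get(k) == v for k, v in tag_conds.items()):
            return True
    return False


def subnet_allowed(policy: dict, subnet_arn: str) -> bool:
    """True if the subnet ARN is named explicitly or covered by a subnet/* wildcard."""
    for stmt in policy["Statement"]:
        res = _resources(stmt)
        if subnet_arn in res or any(r.endswith(":subnet/*") for r in res):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(run_instances_policy("us-east-1", "123456789012", "subnet-0abc1234"), indent=2))
```

A launch request is evaluated against every resource it references, so a user in this group who picks a production-tagged AMI or a different subnet fails authorization on that resource even though the instance, volume and network-interface statements would pass.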