How to launch EC2 instance using AWS cloudformation - amazon-ec2

I've submitted my AMI to the AWS Marketplace but it has been rejected saying I need to convert my manual instructions into a CloudFormation template. My manual instructions for the users currently state that:
- User must create a new Role
- Assign AWSS3FullAccess to this role
- Launch the AMI with WebSecurityGroup (port 80 and 443)
I have not used CloudFormation before so I would like to ask a couple of questions
Is it possible to create a CloudFormation template such that it would: 1) create a new role 2) assign a policy to this role 3) Create an EC2 Instance with the AMI (amiID would be specified) with this role and WebSecurityGroup.
I've created the following template that creates a new role and assigns it full S3 access.
But I'm not sure how to do the rest. How can I launch an EC2 instance with this new role and specify my AMI id?
AWSTemplateFormatVersion: '2010-09-09'
Description: Sample
Resources:
  MyAmiRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
      Path: "/"

Within your Amazon CloudFormation template, you would define the following resources:
- IAM::Role (as you have already done)
- IAM::InstanceProfile (which allows a Role to be assumed by an Amazon EC2 instance)
- EC2::SecurityGroup
- AWS::EC2::Instance, which would refer to the InstanceProfile, your AMI and the Security Group
For some examples, see:
IAM Role with Embedded Policy and Instance Profiles
Associating an existing IAM role with AWS::EC2::Instance in CloudFormation
AWS CloudFormation Resource Types Reference
The last link typically provides examples with each resource type, so it's a matter of copying the examples and then customizing for your use-case.
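A complete template covering all three steps, added here as an example and not code from either the question or the answer: the role from the question is kept unchanged, wrapped in an instance profile (EC2 attaches profiles, not roles), and launched together with a security group that admits only ports 80 and 443. The AmiId parameter name and the t3.micro instance type are assumptions; the security group and instance are created in the account's default VPC.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AmiId:
    Type: AWS::EC2::Image::Id   # the Marketplace AMI to launch (assumed parameter name)
Resources:
  MyAmiRole:                    # the role from the question, unchanged
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
      Path: "/"
  MyAmiInstanceProfile:         # an instance attaches a profile; the profile wraps the role
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref MyAmiRole
  WebSecurityGroup:             # inbound 80 and 443 only; default VPC because no VpcId is given
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow inbound HTTP and HTTPS
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro    # assumption; use whatever the AMI requires
      IamInstanceProfile: !Ref MyAmiInstanceProfile   # Ref on a profile returns its name
      SecurityGroupIds:
        - !GetAtt WebSecurityGroup.GroupId
```

AmazonS3FullAccess is what the question's manual instructions require; if the AMI only needs one bucket, an inline policy on MyAmiRole scoped to that bucket keeps the instance's blast radius smaller.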

Related

Is it possible to deploy API Gateway and Lambda in two regions with Serverless?

I'm using serverless to deploy my Lambda APIs through API Gateway on AWS, but one thing that seems to be missing is the ability to deploy the Lambda API and the API Gateway into different regions. Right now, if I pass the region to the serverless deploy command, it deploys both in that region, regardless of the fact that in the serverless.yml file I specified a different region for the Lambda. So let's say you have this file:
service: My-Awesome-API
provider:
  name: aws
  region: eu-west-1
  runtime: nodejs12.x
  memorySize: 384
functions:
  graphql:
    handler: src/index.handler
    name: My-Awesome-GraphQL-API
    events:
      - http:
          path: graphql
          method: POST
          cors: true
      - http:
          path: graphql
          method: GET
          cors: true
and you deploy the API with this command serverless deploy --region=eu-central-1.
The Lambda function will be deployed in eu-central-1 rather than in eu-west-1.
Since this can be useful, and it can be done within API Gateway, is there a way to specify this behaviour with the serverless framework too?
The region in the provider settings is just the default. By using the --region argument you overwrite that default, so the behaviour is expected.
Serverless is based on CloudFormation in the background and CloudFormation stacks are region-specific so there's no way in vanilla CloudFormation to deploy resources in a single stack across multiple regions.
(You can do that with custom resources though, but I would recommend against that practice except from a few edge cases.)

How do I make EC2 instances under the AWS account root user visible to IAM users?

I have a small group of people using AWS services.
When we first started, I mistakenly created EC2 instances under the root account, instead of creating them as an individual IAM user.
Now none of the IAM users can see those EC2 instances in the EC2 management portion of the AWS web console. The only way to see them is to log in as the AWS root account user.
Is there any way to make these EC2 instances visible to the IAM users?
AWS has documentation describing how to make instances visible to other accounts, but the same instructions don't seem to apply to this scenario.
The default policy for an IAM user is to deny all services on AWS. So you have to provide appropriate permissions for the IAM user. Generate a policy using this website or assign AWS managed policies to the user.
You can get the information about attaching a policy to an IAM user in the documentation.
You can create a read-only group for EC2 instances by following these steps:
Create a new group which will have all read-only users for EC2
Select and attach the predefined policy AmazonEC2ReadOnlyAccess from the list when creating the new group
Put all the IAM users to this newly created group
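The same three steps as a CloudFormation template, added here as an example and not part of the answer; the group name and the two user names are placeholders for IAM users that already exist. Note that EC2 visibility is decided by permissions, not by who created the instance, so a group with AmazonEC2ReadOnlyAccess sees every instance in the account, including those created under root.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Ec2ReadOnlyGroup:                     # step 1: the group for read-only EC2 users
    Type: AWS::IAM::Group
    Properties:
      GroupName: ec2-read-only          # assumed name
      ManagedPolicyArns:                # step 2: attach the AWS managed policy
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
  Ec2ReadOnlyMembers:                   # step 3: put the existing users into the group
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref Ec2ReadOnlyGroup
      Users:                            # placeholder user names; must already exist
        - alice
        - bob
```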

Add Full DynamoDB Access for Lambda in SAM template for AWS Serverless Repository

I want to give full DynamoDB access to a Lambda in the AWS Serverless Application Repository, but the policy templates they provide do not include these permissions.
You can get an example here
The key part is:
PutFunction:
  Type: AWS::Serverless::Function
  Properties:
    Policies: AmazonDynamoDBFullAccess

Granting CloudWatch access to a lambda function deployed using the Serverless framework

My problem
I am writing a Lambda function using the Serverless framework.
The function is invoked by an HTTP request.
It parses the request parameters, fetches some logs from a CloudWatch group and stream according to the parameters and replies with a summary of the logs.
I would like to grant CloudWatch read access to the Lambda function using the serverless configuration file.
Code
The function definition (serverless.yml) is pretty basic:
service: adam-test-sls
provider:
  name: aws
  runtime: nodejs6.10
  region: eu-central-1
functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
What have I tried
Searching the serverless framework forums
Google-fu
AWS CloudFormation documentation (The serverless framework creates CloudFormation files from its YAML configuration)
My question
How do I grant read (and/or write) permissions that will enable this Lambda function to access specific CloudWatch logs?
Serverless allows you to define a default IAM role for all functions (which should have CloudWatch access by default)
Also by default, your Lambda functions have permission to create and write to CloudWatch logs.
You can also fine-tune the IAM role for all functions, or even provide fine-grained permissions for each function using the role attribute.
The reference is here
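One way to grant only the read access the function needs, added here as an example and not the questioner's or the answerer's configuration: the questioner's serverless.yml with an iamRoleStatements block under provider, which Serverless merges into the role it generates for all functions (the per-function role attribute the answer mentions is the other option). The actions are limited to reading log streams and events, and the resource is limited to one log group whose name is an assumption.

```yaml
service: adam-test-sls
provider:
  name: aws
  runtime: nodejs6.10
  region: eu-central-1
  iamRoleStatements:                 # merged into the generated role for every function
    - Effect: Allow
      Action:                        # read only; no logs:PutLogEvents, no logs:Delete*
        - logs:DescribeLogStreams
        - logs:GetLogEvents
        - logs:FilterLogEvents
      Resource:
        - Fn::Join:                  # arn:aws:logs:<region>:<account>:log-group:<name>:*
            - ""
            - - "arn:aws:logs:"
              - Ref: AWS::Region
              - ":"
              - Ref: AWS::AccountId
              - ":log-group:/aws/lambda/some-other-service-prod-worker:*"   # assumed group name
functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
```

The default permission to create and write the function's own log group is still present, because the statements are added to the generated role rather than replacing it.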

Provision AWS Account Programmatically?

I am trying to see if anyone knows if it is possible to provision an AWS account straight from code? I have looked at the SDK and API reference but I am not seeing anything. It would be something similar to the way http://qwiklab.com/ provisions a new account for a user for training purposes.
Creating a new AWS account requires voice verification. AWS actually calls you to confirm. What you can do is create AWS IAM users and allocate very specific permissions within your Amazon VPC for these users. For example, you can say users in group "A" can only launch AMIs tagged as "development" and only in a specific subnet. You can be somewhat granular in the permissions you allocate to IAM users/groups. Here is a list of actions you can specify for EC2 resources:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Here is some general guidance on setting up control within your VPC:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
The examples there can potentially serve as a good starting point for what you are trying to accomplish.
