Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

IoT core error actions

0

Hi, How can I go about testing IoT core error action rules to send error messages to an S3 bucket with SSE-KMS? FYI, my action rule in this use case sends telemetry data to another encrypted bucket by way of a Lambda. Thanks Gary

Themen
SpeicherInternet der Dinge (IoT)Sicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceAWS IoT CoreAWS-Schlüsselverwaltungsservice
Sprache
English
gary
gefragt vor einem Jahr390 Aufrufe
2 Antworten
2
Akzeptierte Antwort

Hi there,

Adding onto the response above, here's another example with a sample lambda function IoT rule and error action, however I would also like to point out the SSE-KMS permission requirement. Since the S3 bucket is configured with SSE-KMS you may need the IoT IAM Role seen in "roleArn" section below, to have the correct KMS key policy permissions to write to the S3 bucket, you can find the steps to add these here [1][2][3].

{
    "sql": "expression",
    "ruleDisabled": false,
    "awsIotSqlVersion": "2016-03-23",
    "actions": [{
        "lambda": {
            "functionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-lambda-function"
        }
    }],
    "errorAction": {
        "s3": {
            "roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
            "bucketName": "message-processing-errors",
            "key": "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
        }
    }
}

Please find the resources below for more information :

profile pictureAWS
SUPPORT-TECHNIKER
Panashe
beantwortet vor einem Jahr
  • gary
    vor einem Jahr

    Hi Panashe, thanks. I'll check how i can assign permissions or grants to IoT to write to the bucket.

1

Hi - I am assuming that you referring to this https://docs.aws.amazon.com/iot/latest/developerguide/rule-error-handling.html. Yes the error action can write data to an Amazon S3 bucket. For example see errorAction

{
    "sql" : "SELECT * FROM ..."
    "actions" : [{ 
        "dynamoDB" : {
            "table" : "PoorlyConfiguredTable",
            "hashKeyField" : "AConstantString",
            "hashKeyValue" : "AHashKey"}}
    ],
    "errorAction" : { 
        "s3" : {
            "roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
            "bucketName" : "message-processing-errors",
            "key" : "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
        }
    }
}

If you want to test, you can do like this change the permission of the role which invokes the lambda function so that that error fails.

profile pictureAWS
EXPERTE
AWS-User-Nitin
beantwortet vor einem Jahr
  • gary
    vor einem Jahr

    Hi Nitin, I am, but I'm sending to a SSE-KMS bucket and I see @Panashe has added some more detail on how to achieve this. Thanks for the role permissions suggestion............ah, I see the roleArn statement in you example thanks

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt