AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

IoT core error actions

0

Hi, How can I go about testing IoT core error action rules to send error messages to an S3 bucket with SSE-KMS? FYI, my action rule in this use case sends telemetry data to another encrypted bucket by way of a Lambda. Thanks Gary

トピック
ストレージモノのインターネット (IoT)セキュリティ、アイデンティティ、コンプライアンス
タグ
Amazon Simple Storage Service (S3)AWS IoT CoreAWS Key Management Service
言語
English
gary
質問済み 1年前390ビュー
2回答
2
承認された回答

Hi there,

Adding onto the response above, here's another example with a sample lambda function IoT rule and error action, however I would also like to point out the SSE-KMS permission requirement. Since the S3 bucket is configured with SSE-KMS you may need the IoT IAM Role seen in "roleArn" section below, to have the correct KMS key policy permissions to write to the S3 bucket, you can find the steps to add these here [1][2][3].

{
    "sql": "expression",
    "ruleDisabled": false,
    "awsIotSqlVersion": "2016-03-23",
    "actions": [{
        "lambda": {
            "functionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-lambda-function"
        }
    }],
    "errorAction": {
        "s3": {
            "roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
            "bucketName": "message-processing-errors",
            "key": "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
        }
    }
}

Please find the resources below for more information :

profile pictureAWS
サポートエンジニア
Panashe
回答済み 1年前
  • gary
    1年前

    Hi Panashe, thanks. I'll check how i can assign permissions or grants to IoT to write to the bucket.

1

Hi - I am assuming that you referring to this https://docs.aws.amazon.com/iot/latest/developerguide/rule-error-handling.html. Yes the error action can write data to an Amazon S3 bucket. For example see errorAction

{
    "sql" : "SELECT * FROM ..."
    "actions" : [{ 
        "dynamoDB" : {
            "table" : "PoorlyConfiguredTable",
            "hashKeyField" : "AConstantString",
            "hashKeyValue" : "AHashKey"}}
    ],
    "errorAction" : { 
        "s3" : {
            "roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
            "bucketName" : "message-processing-errors",
            "key" : "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
        }
    }
}

If you want to test, you can do like this change the permission of the role which invokes the lambda function so that that error fails.

profile pictureAWS
エキスパート
AWS-User-Nitin
回答済み 1年前
  • gary
    1年前

    Hi Nitin, I am, but I'm sending to a SSE-KMS bucket and I see @Panashe has added some more detail on how to achieve this. Thanks for the role permissions suggestion............ah, I see the roleArn statement in you example thanks

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ