AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

IoT core error actions

0

Hi, How can I go about testing IoT core error action rules to send error messages to an S3 bucket with SSE-KMS? FYI, my action rule in this use case sends telemetry data to another encrypted bucket by way of a Lambda. Thanks Gary

주제
스토리지사물 인터넷(IoT)보안, 신원 및 규정 준수
태그
아마존 심플 스토리지 서비스AWS IoT CoreAWS 키 관리 서비스
언어
English
gary
질문됨 일 년 전390회 조회
2개 답변
2
수락된 답변

Hi there,

Adding onto the response above, here's another example with a sample lambda function IoT rule and error action, however I would also like to point out the SSE-KMS permission requirement. Since the S3 bucket is configured with SSE-KMS you may need the IoT IAM Role seen in "roleArn" section below, to have the correct KMS key policy permissions to write to the S3 bucket, you can find the steps to add these here [1][2][3].

{
    "sql": "expression",
    "ruleDisabled": false,
    "awsIotSqlVersion": "2016-03-23",
    "actions": [{
        "lambda": {
            "functionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-lambda-function"
        }
    }],
    "errorAction": {
        "s3": {
            "roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
            "bucketName": "message-processing-errors",
            "key": "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
        }
    }
}

Please find the resources below for more information :

profile pictureAWS
지원 엔지니어
Panashe
답변함 일 년 전
  • gary
    일 년 전

    Hi Panashe, thanks. I'll check how i can assign permissions or grants to IoT to write to the bucket.

1

Hi - I am assuming that you referring to this https://docs.aws.amazon.com/iot/latest/developerguide/rule-error-handling.html. Yes the error action can write data to an Amazon S3 bucket. For example see errorAction

{
    "sql" : "SELECT * FROM ..."
    "actions" : [{ 
        "dynamoDB" : {
            "table" : "PoorlyConfiguredTable",
            "hashKeyField" : "AConstantString",
            "hashKeyValue" : "AHashKey"}}
    ],
    "errorAction" : { 
        "s3" : {
            "roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
            "bucketName" : "message-processing-errors",
            "key" : "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
        }
    }
}

If you want to test, you can do like this change the permission of the role which invokes the lambda function so that that error fails.

profile pictureAWS
전문가
AWS-User-Nitin
답변함 일 년 전
  • gary
    일 년 전

    Hi Nitin, I am, but I'm sending to a SSE-KMS bucket and I see @Panashe has added some more detail on how to achieve this. Thanks for the role permissions suggestion............ah, I see the roleArn statement in you example thanks

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠