To trigger lambda function cross accounts


Hi AWS, I have to implement a Lambda function or set of functions across multiple AWS accounts that are part of an AWS Organization managed using Control Tower. What would be the best approach to provisioning the infrastructure for this, one that not only saves cost but also reduces time and makes administration easy? I also need to know the implementation steps.

Please assist

3 Answers

Hi Arjun, in the question, infrastructure and Control Tower are mentioned. The exact use case is not clear. Generally speaking, customization of account setup and infrastructure across various accounts in an AWS Organization is achieved using CFCT:

https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/

At the basic level, CloudFormation StackSets could be used with some DevOps pipeline that packages the AWS Lambda function.

If governance, auditing and versioning needs arise, the solution can use Service Catalog with advanced features:

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-service-catalog-products-in-multiple-aws-accounts-and-aws-regions.html

There is also a Terraform version:

https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html

AWS
EXPERT
Ram-K
answered 24 days ago
  • Hi AWS-User-7407181, I am running a Lambda function which generates an IAM report, i.e. a list of roles, users, user groups, the policies attached to the roles and users, and which users are part of which user groups. The output of the Lambda function is stored in an S3 bucket. Now I need to run this Lambda function across 20 accounts, and I want to aggregate the output of the Lambda function running in all the accounts into one common S3 bucket, and I want to trigger this Lambda function in an automated fashion using a service like Amazon EventBridge to avoid manual effort. I need to know how I can provision the infrastructure for this using CloudFormation StackSets.

  • The previous answer still holds. All you need is to create a CloudFormation template for the AWS Lambda function with an EventBridge rule and deploy it as a StackSet targeting the 20 accounts. The Lambda role should have permission to upload the file to the common S3 bucket, and the necessary S3 bucket policies are also needed.


For the use case you described in the comment, you don't need a separate copy of the Lambda function deployed in each target account. You can have your Lambda centrally in one AWS account and region, and in the target accounts you would only deploy an IAM role that the central Lambda function is permitted to assume.

You could then schedule as many invocations of the Lambda function as you'd like in the central account, with each invocation assuming the role you deployed in the specified target account, doing its work, and using the original Lambda execution role (instead of the role in the target account your function explicitly assumed) to save the output in the central S3 bucket. This way, the multiple target accounts also don't have to be granted access to the central output bucket, nor do they need a local copy of the Lambda function's code.

Instead of scheduling multiple invocations, a more sophisticated solution would be to use Step Functions to orchestrate invoking the central Lambda function for each account. Step Functions makes it easy and neat to handle errors and retries, and it has built-in features that allow you to parallelise the Lambda invocations without having to write code to implement the parallelisation.

EXPERT
Leo K
answered 23 days ago
  • Hi Leo K, can you provide me with a working solution for the same?
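A sketch of the central-account approach Leo K describes, added here as an example and not code from this thread or from AWS: a Lambda that assumes a read-only role in each target account, collects the IAM inventory, and writes the combined report to the central bucket with its own execution role. The bucket name, role name and account IDs are assumptions; each target account's role must trust the central Lambda's execution role and needs only IAM list permissions.

```python
import json
from datetime import datetime, timezone

CENTRAL_BUCKET = "example-central-iam-reports"    # assumption: bucket in the central account
TARGET_ROLE_NAME = "CentralIamReportReadRole"     # assumption: read-only role deployed per account
TARGET_ACCOUNTS = ["111111111111", "222222222222"]  # constructed sample account IDs

def assume_target_role(sts, account_id, role_name):
    """Return temporary credentials for the read-only role in one target account."""
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="central-iam-report",
        DurationSeconds=900,  # shortest allowed; the report only needs a few minutes
    )
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

def collect_iam_inventory(iam):
    """List roles, users and each user's group memberships with read-only IAM calls."""
    roles = [r["RoleName"] for page in iam.get_paginator("list_roles").paginate()
             for r in page["Roles"]]
    users = {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            groups = iam.list_groups_for_user(UserName=u["UserName"])["Groups"]
            users[u["UserName"]] = [g["GroupName"] for g in groups]
    return {"roles": roles, "users": users}

def build_report(sts, session_factory, accounts, role_name):
    """Assume the role in every account; one failing account must not abort the rest."""
    report = {}
    for account in accounts:
        try:
            creds = assume_target_role(sts, account, role_name)
            report[account] = collect_iam_inventory(session_factory(**creds).client("iam"))
        except Exception as exc:  # e.g. AccessDenied because the StackSet has not reached this account
            report[account] = {"error": str(exc)}
    return report

def handler(event, context):
    """Lambda entry point: the S3 write uses the execution role, not an assumed target role."""
    import boto3  # imported here so the collection logic above can be tested without it
    session = boto3.Session()
    report = build_report(session.client("sts"), boto3.Session, TARGET_ACCOUNTS, TARGET_ROLE_NAME)
    key = f"iam-report/{datetime.now(timezone.utc):%Y-%m-%dT%H%M%SZ}.json"
    session.client("s3").put_object(Bucket=CENTRAL_BUCKET, Key=key,
                                    Body=json.dumps(report, indent=2).encode())
    return {"bucket": CENTRAL_BUCKET, "key": key, "accounts": len(report)}
```

Deploy the target role once per account with a StackSet as the earlier answer suggests; the central function's execution role then needs only `sts:AssumeRole` on that role ARN pattern and `s3:PutObject` on the central bucket.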


Hello,

AWS CloudFormation StackSets might be the solution. You can now define an AWS resource configuration in a CloudFormation template and then roll it out across multiple AWS accounts and/or Regions with AWS Organizations. There are no costs associated with using AWS CloudFormation StackSets. Providing a few links here which might be useful.

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html
  2. https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/
  3. https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/
answered 24 days ago
