How do I invoke a cross-account AWS lambda from a CloudWatch alarm?

I want to configure an alarm action to trigger a cross-account Lambda function when the alarm is in the 'alarm' state. I have added an alarm action for the alarm in account A, and I have also created the resource policy for the function in account B using the AWS CLI as suggested in this doc https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions. Here is the resource-based policy of the Lambda in account B:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AlarmAction",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.alarms.cloudwatch.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-1:account_b:function:alarmActionLambda",
          "Condition": {
            "StringEquals": {
              "AWS:SourceAccount": "account_a"
            },
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:cloudwatch:us-east-1:account_a:alarm:canary alarm"
            }
          }
        }
      ]
    }

The alarm history shows that the Lambda action was successfully executed. But I don't see any invocation of the Lambda in account B. The Lambda monitoring metrics show 0 errors, 0 throttles, and async events received but dropped. I have confirmed that the Lambda in account B works if I test it directly or invoke the Lambda from the same account as the alarm.

1 Answer
To invoke a cross-account AWS Lambda function from a CloudWatch alarm, you need to ensure that both the alarm configuration and the Lambda function's permissions are set up correctly. Based on the information you've provided, it seems you've taken the right steps, but there might be a few areas to double-check:

  1. Alarm Configuration: Ensure that the alarm in Account A is correctly configured to invoke the Lambda function in Account B. The alarm action should specify the full ARN of the Lambda function in Account B.

  2. Lambda Function Permissions: The resource-based policy you've attached to the Lambda function in Account B looks correct. It allows the CloudWatch Alarms service to invoke the function and includes the necessary conditions for the source account and alarm ARN.

  3. CloudWatch Logs: Check the CloudWatch Logs for the Lambda function in Account B. Even if the function isn't being invoked, there might be some error logs that could provide more information.

  4. IAM Roles: Ensure that the IAM role associated with the CloudWatch alarm in Account A has the necessary permissions to invoke Lambda functions across accounts.

  5. Lambda Function Configuration: Verify that the Lambda function in Account B is configured to accept invocations from other AWS accounts.

  6. AWS CLI or SDK: You can use the AWS CLI or SDK to manually invoke the Lambda function from Account A to Account B to test if the cross-account invocation works outside of the CloudWatch alarm context.

  7. CloudTrail: Check AWS CloudTrail logs in both accounts for any failed API calls or permission issues related to the Lambda invocation.

  8. Lambda Versions and Aliases: If you're using specific versions or aliases of the Lambda function, make sure the ARN in the alarm action matches the intended version or alias.

  9. Region Consistency: Confirm that both the CloudWatch alarm and the Lambda function are in the same AWS region (us-east-1 in your case).

  10. Account IDs: Double-check that the account IDs used in the resource policy and alarm configuration are correct.

If you've verified all these points and the issue persists, you may want to contact AWS Support for further assistance, as they can provide more detailed troubleshooting based on your specific account configuration.

answered a year ago
reviewed a year ago
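
Added worked example (not code from the question, the answer, or AWS): an offline model of the permission check that decides whether a CloudWatch alarm action may invoke a function in another account. When the alarm fires, Lambda evaluates the function's resource-based policy for the service principal lambda.alarms.cloudwatch.amazonaws.com with aws:SourceAccount set to the alarm's account and aws:SourceArn set to the alarm's ARN; the SourceAccount/SourceArn conditions are what stop an alarm in any other account from driving the function (the confused-deputy case). The evaluator below reproduces the StringEquals and ArnLike operators so you can check the policy, the alarm ARN and the alarm action's function ARN for the mismatches the answer lists (region, account ID, alias or version suffix) before touching the accounts. Account IDs and ARNs are constructed placeholders; the evaluation logic is the example's own model, not an AWS library.

```python
"""Offline model of a Lambda resource-policy check for a CloudWatch alarm action.
Added example with constructed placeholder accounts; not the original post's code."""
import re

ALARM_SERVICE_PRINCIPAL = "lambda.alarms.cloudwatch.amazonaws.com"
INVOKE_ACTION = "lambda:invokefunction"  # IAM action names compare case-insensitively


def _glob_match(pattern, value):
    """Policy-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern, value):
    """IAM ArnLike: the six colon-separated ARN components are matched one by one,
    so a wildcard in the region component cannot spill over into the account."""
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == 6 and len(v) == 6 and all(_glob_match(pc, vc) for pc, vc in zip(p, v))


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_matches(condition, ctx):
    """Evaluate a Condition block against the request context. Condition keys are
    case-insensitive (AWS:SourceArn == aws:SourceArn); a key that is absent from
    the context fails the condition, which is what blocks a confused deputy."""
    lower_ctx = {k.lower(): v for k, v in ctx.items()}
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = lower_ctx.get(key.lower())
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(wanted)
            elif operator == "ArnLike":
                ok = any(arn_like(w, actual) for w in _as_list(wanted))
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def evaluate(policy, alarm_arn, function_arn):
    """Return (allowed, findings) for the alarm at alarm_arn invoking function_arn.
    The context mirrors what CloudWatch Alarms presents to Lambda on invocation."""
    ctx = {"aws:SourceAccount": alarm_arn.split(":")[4], "aws:SourceArn": alarm_arn}
    allowed, findings = False, []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        if ALARM_SERVICE_PRINCIPAL not in _as_list(stmt.get("Principal", {}).get("Service", [])):
            continue
        if not any(_glob_match(a.lower(), INVOKE_ACTION) for a in _as_list(stmt["Action"])):
            continue
        # The alarm action must name the function exactly as the policy's Resource
        # covers it: an alias/version suffix or another region fails to match.
        if not any(_glob_match(r, function_arn) for r in _as_list(stmt["Resource"])):
            findings.append(f"{sid}: Resource does not cover {function_arn}")
            continue
        condition = stmt.get("Condition", {})
        if not condition:
            findings.append(f"{sid}: no SourceAccount/SourceArn condition; any account's alarm may invoke")
        if condition_matches(condition, ctx):
            allowed = True
        else:
            findings.append(f"{sid}: Condition rejects {alarm_arn}")
    return allowed, findings


# Constructed sample data mirroring the question: alarm in account A, function in account B.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ALARM_ARN = f"arn:aws:cloudwatch:us-east-1:{ACCOUNT_A}:alarm:canary alarm"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_B}:function:alarmActionLambda"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AlarmAction",
        "Effect": "Allow",
        "Principal": {"Service": ALARM_SERVICE_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": ACCOUNT_A},
            "ArnLike": {"AWS:SourceArn": ALARM_ARN},
        },
    }],
}

if __name__ == "__main__":
    cases = {
        "matching alarm": (ALARM_ARN, FUNCTION_ARN),
        "alarm in another region": (ALARM_ARN.replace("us-east-1", "us-west-2"), FUNCTION_ARN),
        "alarm in another account": (ALARM_ARN.replace(ACCOUNT_A, "333333333333"), FUNCTION_ARN),
        "alarm action targets an alias the policy omits": (ALARM_ARN, FUNCTION_ARN + ":prod"),
    }
    for name, (alarm, function) in cases.items():
        print(name, "->", evaluate(POLICY, alarm, function))
```

Run it with the real values substituted from `aws lambda get-policy` (account B) and `aws cloudwatch describe-alarms` (account A): `evaluate` returning `(False, [...])` tells you which of the region, account or Resource checks the invocation is failing, while an `(True, [...])` with a "no SourceAccount/SourceArn condition" finding means the policy would let the alarm through but is wider than it should be.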