0
votes

In our "standard" AWS account, I have a system that does something like this:

CloudWatch Rule (Scheduled Event) -> Lambda function (accesses DynamoDB table, makes computations, writes metrics) -> CloudWatch Alarm (consume metrics, etc.)

However, in our separate CN account, we need to do a similar thing, but in CN, there's no Lambda...

Is there any way we can do something similar to what was done above using the systems available to CN? For example, is it possible to create a rule and have it trigger a Lambda function in our "standard/nonCN" AWS account that accesses the other account's DynamoDB table?

2
Because of how AWS China is structured/managed, I'm going to say 'no' to having it trigger an external Lambda via the event, because AWS-China essentially operates independently from Amazon. However, one possible alternative is to have the event generate an SNS message, and have the SNS topic hit an HTTP endpoint (probably a service you have running on some EC2 instance in the China region). Then you have that thing do the necessary DynamoDB read/computation and generate the alarm. - 逆さま

2 Answers

1
votes

I ultimately accomplished this by having the Lambda and the CloudWatch alarm live in the non-CN account, and then having the Lambda access the DynamoDB table across accounts and across regions.

This actually ended up working, though it did involve me using user credentials instead of a role like I would have been able to had it not been CN.

If anyone is interested in more details on this solution, feel free to comment and I can add more.
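
The setup this answer describes, as an added example that is not the answerer's code: a Lambda in the non-CN account reads the CN account's IAM user keys from Secrets Manager, counts items in the CN table, and publishes a metric for the alarm. The secret name, table name, metric namespace, the `cn-north-1` region and the item-count computation are all assumptions.

```python
import json

CN_REGION = "cn-north-1"          # assumption: region of the CN table
SECRET_ID = "cn/dynamodb-reader"  # hypothetical Secrets Manager secret name
TABLE = "example-table"           # hypothetical table name
NAMESPACE = "Example/CNTable"     # hypothetical metric namespace


def cn_session_kwargs(secret_string):
    """Turn the stored secret JSON into boto3.Session arguments for the CN account."""
    secret = json.loads(secret_string)
    missing = {"access_key_id", "secret_access_key"} - set(secret)
    if missing:
        # Fail closed: never fall back to the Lambda's own (non-CN) credentials.
        raise ValueError(f"secret is missing fields: {sorted(missing)}")
    return {
        "aws_access_key_id": secret["access_key_id"],
        "aws_secret_access_key": secret["secret_access_key"],
        "region_name": CN_REGION,
    }


def build_metric(item_count):
    """MetricData payload for CloudWatch PutMetricData."""
    return [{"MetricName": "ItemCount", "Value": float(item_count), "Unit": "Count"}]


def handler(event, context):
    import boto3  # supplied by the Lambda runtime; lazy so the helpers test offline

    # The keys live in Secrets Manager in the Lambda's own account, not in code
    # or environment variables; the execution role needs GetSecretValue on it.
    secret = boto3.client("secretsmanager").get_secret_value(SecretId=SECRET_ID)
    cn = boto3.Session(**cn_session_kwargs(secret["SecretString"]))
    table = cn.resource("dynamodb").Table(TABLE)

    # Paginated count of the CN table (stand-in for the real computation).
    count, scan_args = 0, {"Select": "COUNT"}
    while True:
        page = table.scan(**scan_args)
        count += page["Count"]
        if "LastEvaluatedKey" not in page:
            break
        scan_args["ExclusiveStartKey"] = page["LastEvaluatedKey"]

    # Metric goes to CloudWatch in the non-CN account, where the alarm lives.
    boto3.client("cloudwatch").put_metric_data(
        Namespace=NAMESPACE, MetricData=build_metric(count))
    return {"item_count": count}
```

IAM roles cannot be assumed across the `aws` and `aws-cn` partitions, which is why long-lived user keys appear here. Scope that CN user to read-only access on the one table and rotate its keys.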

0
votes

You can mix and match AWS resources between regions. When you do your code, you need to make sure you have the regions correctly configured to those resources.

With respect to the trigger, have the trigger wherever you have your Lambda. That will ease your process.

Hope it helps.