Skip to main content

Lambda Function Setup Guide for IAM Event Notifications in Slack

 

Overview

This document provides a step-by-step guide to creating a Lambda function that sends notifications to Slack when:

  • A new IAM user is created.
  • A permission (policy) is attached to an IAM user.

  • Lambda Function Setup Guide for IAM Event Notifications in Slack

Prerequisites

  1. AWS Account with necessary permissions to create and configure Lambda, IAM, CloudTrail, and CloudWatch Logs.
  2. Slack workspace with permissions to create a new app and generate an incoming webhook URL.

Architecture

 IAM event -> CloudTrail -> CloudWatch Logs -> Lambda Function -> Slack

[Good Read: Step-by-Step Guide to Cloud Migration With DevOps ]

Step 1: Setup CloudTrail

  1. Go to CloudTrail Console:
  • Navigate to the AWS Management Console.
  • Go to the CloudTrail service.

2. Create or Configure a Trail:

  • Create a new trail or use an existing one.
  • Ensure that the trail is configured to log management events.
  • Enable the trail to send logs to CloudWatch Logs.

Step 2: Setup CloudWatch Logs

  1. Create Log Group:
  • Navigate to CloudWatch in the AWS Management Console.
  • Create a new log group or use an existing one to receive CloudTrail logs

Step 3: Create Lambda Function

  1. Create a Lambda Function:
  • Go to the AWS Lambda Console.
  • Create a new Lambda function with a suitable name, runtime (Python 3.8+), and role with the necessary permissions.

2. Add the Following Code:

import json

import os

import base64

import gzip

import urllib3

webhook_url = os.environ.get('WEBHOOK_URL')

def send_slack_message(message):

    http = urllib3.PoolManager()

    payload = {

        "blocks": message

    }

    encoded_payload = json.dumps(payload).encode('utf-8')

    response = http.request(

        'POST',

        webhook_url,

        body=encoded_payload,

        headers={'Content-Type': 'application/json'},

    )

    return response.status

def create_slack_message(event_detail):

    event_name = event_detail['eventName']

    actor_name = event_detail['userIdentity']['userName']

    if event_name == 'CreateUser':

        user_name = event_detail['requestParameters']['userName']

        title = "New IAM User Created"

        message = f"A new IAM user `{user_name}` has been created by `{actor_name}`."

        color = "#36a64f"

    elif event_name in ['AttachUserPolicy', 'PutUserPolicy']:

        user_name = event_detail['requestParameters']['userName']

        policy_name = event_detail['requestParameters']['policyArn']

        title = "Policy Attached to IAM User"

        message = f"Policy `{policy_name}` has been attached to user `{user_name}` by `{actor_name}`."

        color = "#FFA500"

    slack_message = [

        {

            "type": "section",

            "text": {

                "type": "mrkdwn",

                "text": f":rotating_light: *{title}* :rotating_light:"

            }

        },

        {

            "type": "section",

            "fields": [

                {

                    "type": "mrkdwn",

                    "text": f"*Event Name:*\n{event_name}"

                },

                {

                    "type": "mrkdwn",

                    "text": f"*User Name:*\n{user_name}"

                },

                {

                    "type": "mrkdwn",

                    "text": f"*Performed By:*\n{actor_name}"

                }

            ]

        },

        {

            "type": "section",

            "text": {

                "type": "mrkdwn",

                "text": message

            }

        },

        {

            "type": "divider"

        }

    ]

    return slack_message

def parse_event(event):

    if 'awslogs' in event:

        log_data = event['awslogs']['data']

        compressed_payload = base64.b64decode(log_data)

        uncompressed_payload = gzip.decompress(compressed_payload)

        log_events = json.loads(uncompressed_payload)['logEvents']

        for log_event in log_events:

            message = log_event['message']

            log_entry = json.loads(message)

            if log_entry['eventName'] in ['CreateUser', 'AttachUserPolicy', 'PutUserPolicy']:

                slack_message = create_slack_message(log_entry)

                send_slack_message(slack_message)

def lambda_handler(event, context):

    try:

        parse_event(event)

    except Exception as e:

        print(f"Error parsing event: {e}")

    return {

        'statusCode': 200,

        'body': json.dumps('Notification sent!')

    }

# Example test event

if __name__ == "__main__":

    test_event = {

        'awslogs': {

            'data': base64.b64encode(gzip.compress(json.dumps({

                'logEvents': [

                    {

                        'message': json.dumps({

                            'eventName': 'CreateUser',

                            'requestParameters': {

                                'userName': 'NewTestUser'

                            },

                            'userIdentity': {

                                'userName': 'AdminUser',

                            }

                        })

                    }

                ]

            }).encode())).decode()

        }

    }

    lambda_handler(test_event, None)

Set Environment variable

  • Set the WEBHOOK_URL environment variable to the Slack webhook URL you created.

Step 4: Configure CloudWatch Logs Filter Pattern

  1. Create Metric Filter:
  • Go to the CloudWatch Console.
  • Select the log group that receives CloudTrail logs.
  • Create a new metric filter with the following pattern:
  • { ($.eventName = “CreateUser”) || ($.eventName = “AttachUserPolicy”) || ($.eventName = “PutUserPolicy”) }
  • Provide a name for the filter and configure it.

Step 5: Add CloudWatch Logs Trigger to Lambda

  1. Add Trigger:
  • Go to the Lambda Console.
  • Select your Lambda function.
  • In the “Function overview” section, click “Add trigger”.
  • Select “CloudWatch Logs” as the trigger type.
  • Choose the log group that contains the CloudTrail logs.
  • Specify the filter pattern created earlier.
  • Click “Add”.

Step 6: Test the Setup

  1. Generate Test Events:
  • Create a new IAM user or attach a policy to an existing user to generate test events.

2. Verify Slack Notifications:

  • Check your Slack channel to ensure notifications are being received as expected.

You can check more info about: Lambda Function Setup Guide for IAM Event Notifications in Slack.

Location: Dubai - United Arab Emirates

Comments

Post a Comment

Popular posts from this blog

How to Turn CloudWatch Logs into Real-Time Alerts Using Metric Filters

Why Alarms Matter in Cloud Infrastructure   In any modern cloud-based architecture , monitoring and alerting play a critical role in maintaining reliability, performance, and security.   It's not enough to just have logs—you need a way to act on those logs when something goes wrong. That's where CloudWatch alarms come in.   Imagine a situation where your application starts throwing 5xx errors, and you don't know until a customer reports it. By the time you act, you've already lost trust.   Alarms prevent this reactive chaos by enabling proactive monitoring—you get notified the moment an issue surfaces, allowing you to respond before users even notice.   Without proper alarms:   You might miss spikes in 4xx/5xx errors.   You're always proactive instead of reactive .   Your team lacks visibility into critical system behavior.   Diagnosing issues becomes more difficult due to a lack of early signals.   Due to all the reasons Above, th...
Post a Comment
Read more

Comparison between Mydumper, mysqldump, xtrabackup

Backing up databases is crucial for ensuring data integrity, disaster recovery preparedness, and business continuity. In MySQL environments, several tools are available, each with its strengths and optimal use cases. Understanding the differences between these tools helps you choose the right one based on your specific needs. Use Cases for Database Backup : Disaster Recovery : In the event of data loss due to hardware failure, human error, or malicious attacks, having a backup allows you to restore your database to a previous state.  Database Migration : When moving data between servers or upgrading MySQL versions, backups ensure that data can be safely transferred or rolled back if necessary.  Testing and Development : Backups are essential for creating realistic testing environments or restoring development databases to a known state.  Compliance and Auditing : Many industries require regular backups as part of compliance regulations to ensure data retention and integri...
Post a Comment
Read more

How to Perform Penetration Testing on IoT Devices: Tools & Techniques for Business Security

The Internet of Things (IoT) has transformed our homes and workplaces but at what cost?   With billions of connected devices, hackers have more entry points than ever. IoT penetration testing is your best defense, uncovering vulnerabilities before cybercriminals do. But where do you start? Discover the top tools, techniques, and expert strategies to safeguard your IoT ecosystem. Don’t wait for a breach, stay one step ahead.   Read on to fortify your devices now!  Why IoT Penetration Testing is Critical  IoT devices often lack robust security by design. Many run on outdated firmware, use default credentials, or have unsecured communication channels. A single vulnerable device can expose an entire network.  Real-world examples of IoT vulnerabilities:   Mirai Botnet (2016) : Exploited default credentials in IP cameras and DVRs, launching massive DDoS attacks. Stuxnet (2010): Targeted industrial IoT systems, causing physical damage to nuclear centrifu...
Post a Comment
Read more