Security in the public cloud is very important. In particular, when you have multiple IAM users and each of them can modify security groups, it is important to monitor those events and alert on them. When we talk about ChatOps, Slack is the first preference of most corporates. In this article, we will discuss how to monitor AWS Security Group modifications and alert on them in Slack. We will also touch on storing the logs in a database for security audits.
Plan of Action.
Before getting our hands dirty, let's discuss how we are going to approach this solution. First, we are going to create a CloudWatch Events rule whose source type is "AWS API Call via CloudTrail". Then, we are going to create a Lambda function and set it as the CloudWatch Events target. Finally, the Lambda function is going to post messages to Slack using the Incoming Webhook API. Refer to the below diagram.
As part of this, we are going to discuss how to create the services one by one below.
Create Lambda Function
Firstly, we will create the Lambda function, which we will later point the CloudWatch Events target at. To create it, simply follow the below steps.
The code itself is explained in full later in this article.
Create CloudWatch event
Secondly, we will create a CloudWatch Events rule that matches the AWS API calls recorded by CloudTrail and feeds the matching events to the Lambda target. To create it, simply follow the below steps.
Create Slack Channel Webhook.
Before getting into the Slack webhook creation, let's see how the Incoming Webhook works. Slack messages are posted to a Slack channel by sending a JSON payload to the webhook URL with an HTTP POST. Follow the below procedure to create the Incoming Webhook.
Lambda Code Explanation.
Now, let's walk through the Lambda Python code block by block.
```python
import json
import urllib3

# Incoming webhook URL. Keep this in an environment variable or Secrets
# Manager rather than in the source; anyone holding it can post to the channel.
slack_webHook_URL = "<Your Slack Incoming Webhook>"


def lambda_handler(event, context):
    # The CloudTrail record delivered by CloudWatch Events sits under 'detail'
    detail = event['detail']
    userIdentity = detail['userIdentity']
    # IAM users carry 'userName'; assumed roles do not, so fall back to the ARN
    userName = str(userIdentity.get('userName', userIdentity.get('arn', 'unknown')))
    awsRegion = str(detail['awsRegion'])
    groupId = str(detail['requestParameters']['groupId'])
    eventName = str(detail['eventName'])
    eventTime = str(detail['eventTime'])

    # Deep link to the security group in the EC2 console, as a Slack <url|label> link
    security_group_URL = ("https://" + awsRegion + ".console.aws.amazon.com/ec2/v2/home?region="
                          + awsRegion + "#SecurityGroup:group-id=" + groupId)
    security_group_URL_text = "<" + security_group_URL + "|" + groupId + ">"

    data = {"text": "*Security Group Modification Alert!*\n"
                    "*UserName*: " + userName + "\n"
                    "*Security Group ID*: " + security_group_URL_text + "\n"
                    "*Event Name*: " + eventName + "\n"
                    "*Event Time*: " + eventTime + "\n"
                    "*Region*: " + awsRegion}

    # POST the JSON payload to the Slack Incoming Webhook
    http = urllib3.PoolManager()
    req = http.request("POST", slack_webHook_URL,
                       body=json.dumps(data),
                       headers={"Content-Type": "application/json"})
    return {"status": req.status}
```
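To tie the CloudWatch Events rule and the Lambda code together, here is an added, self-contained example that is not part of the original article. It shows the event pattern the rule needs for security group rule changes, a small matcher that reproduces how CloudWatch Events compares an incoming CloudTrail record against that pattern, and a handler that extends the article's Slack message with a summary of the rules that were authorised or revoked, flagging ranges open to the whole internet. The nested `ipPermissions` / `items` shape of `requestParameters` and the sample event are constructed assumptions; the `post` argument is a hypothetical injection point so the logic can be exercised without a webhook.

```python
import json
import os

# Event pattern for the CloudWatch Events rule. Only the Authorize/Revoke calls
# are listed because they carry requestParameters.groupId, which the alert needs;
# CreateSecurityGroup and DeleteSecurityGroup use different request fields.
SECURITY_GROUP_EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"],
    },
}


def matches_pattern(event, pattern):
    """Subset of CloudWatch Events matching: every key in the pattern must exist in
    the event, a nested dict recurses, and a list of strings means 'one of these'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def summarise_rules(request_parameters):
    """Flatten the (assumed) CloudTrail ipPermissions structure into readable
    lines, flagging any rule that is open to the whole internet."""
    lines = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol", "-1")
        ports = "all" if proto == "-1" else "%s-%s" % (perm.get("fromPort"), perm.get("toPort"))
        ranges = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in ranges:
            flag = " :warning: open to the world" if cidr in ("0.0.0.0/0", "::/0") else ""
            lines.append("%s %s from %s%s" % (proto, ports, cidr, flag))
    return lines


def build_alert(event):
    """Build the Slack payload: the article's fields plus the rule summary."""
    detail = event["detail"]
    identity = detail["userIdentity"]
    user = identity.get("userName") or identity.get("arn", "unknown")  # roles have no userName
    region = detail["awsRegion"]
    group_id = detail["requestParameters"]["groupId"]
    url = ("https://%s.console.aws.amazon.com/ec2/v2/home?region=%s#SecurityGroup:group-id=%s"
           % (region, region, group_id))
    rules = summarise_rules(detail["requestParameters"]) or ["(no rule details in request)"]
    text = ("*Security Group Modification Alert!*\n*User*: %s\n*Security Group ID*: <%s|%s>\n"
            "*Event Name*: %s\n*Event Time*: %s\n*Region*: %s\n*Rules*:\n- %s"
            % (user, url, group_id, detail["eventName"], detail["eventTime"], region, "\n- ".join(rules)))
    return {"text": text}


def post_to_slack(payload, webhook_url):
    import urllib3  # bundled in the Lambda Python runtime
    http = urllib3.PoolManager()
    return http.request("POST", webhook_url, body=json.dumps(payload),
                        headers={"Content-Type": "application/json"}).status


def lambda_handler(event, context, post=post_to_slack):
    """Lambda entry point; 'post' is injectable (hypothetical) for offline testing."""
    if not matches_pattern(event, SECURITY_GROUP_EVENT_PATTERN):
        return {"skipped": event.get("detail", {}).get("eventName")}
    webhook = os.environ.get("SLACK_WEBHOOK_URL", "<Your Slack Incoming Webhook>")
    return {"status": post(build_alert(event), webhook)}


# Constructed sample event: an assumed role opens SSH to the whole internet
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2020-01-01T00:00:00Z",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
}

if __name__ == "__main__":
    print(build_alert(SAMPLE_EVENT)["text"])
```

The same pattern dictionary can be passed as the `EventPattern` of the rule when you create it, and the matcher lets you check a captured CloudTrail record against it locally before deploying. Including the rule details in the message matters for triage: "AuthorizeSecurityGroupIngress" alone does not tell the on-call engineer whether a team opened a port to a known CIDR or to the whole internet.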
That's all. Now go and change any inbound or outbound rule of a security group, and you will see the modification notification in your Slack channel as shown in the below image.
NOTE: Because CloudTrail records every API call, this rule watches modification events on all security groups in the entire AWS account. We can restrict the security groups being monitored by using tags and the Python Boto library. We will discuss how to restrict monitoring to specific security groups in our next article.
Conclusion
In this article, we have discussed how to monitor AWS Security Group modifications and alert on them in Slack. Hope this article gives you enough of an idea of how to configure a CloudWatch Events rule and make use of a Lambda target. We haven't discussed much about how to filter the sources and work with AWS services using the Python Boto library; we will cover that in an upcoming article. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.
Experienced DevSecOps Practitioner, Tech Blogger, Expertise in Designing Solutions in Public and Private Cloud. Opensource Community Contributor.
I read your post and I enjoyed it. I think that everyone would enjoy reading this blog and I believe it’s important to share this blog with the public.
I’m so happy to read this blog thank you for sharing sir
nice explanation thank you for sharing