Problem: CloudTrail's signal-to-noise ratio is too low for a human to keep up with. This Lambda's goal is to pick out actionable events and alert on or log them.
Event in Slack
CloudWatch Search terms
fields @timestamp, @message
| sort @timestamp desc
| filter msg == "Event"
Example Event
{
"account_id": "123456789012",
"event_id": "ec20d295-2332-4871-9a0c-0f3193119eb6",
"event_name": "PutUserPolicy",
"event_source": "iam.amazonaws.com",
"event_time": "2021-05-14T19:03:40Z",
"level": "info",
"msg": "Event",
"principal": "AIDA123456789EXAMPLE:john.doe@example.com",
"time": "2021-05-14T19:18:19Z",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"user_name": "john.doe@example.com"
}
The following environment variables are supported:
SLACK_NAME
- (Optional) Specifies the name of the default account events are from.
SLACK_CHANNEL
- (Optional) Specifies the Slack channel to publish events to.
SLACK_WEBHOOK
- (Optional) Specifies the webhook URL to send events to; if not set, only logs will be emitted.
SLACK_NAME_${AWS_ACCOUNT_NUMBER}
- (Optional) Specifies the name used for events from that specific account.
Note: You can use Slack emoji in SLACK_NAME and SLACK_NAME_* by using the standard :maple_leaf: designation.
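As an added example (not the project's own code), here is one way the pieces described above could fit together in Python: a noise filter, the SLACK_NAME_<account> / SLACK_NAME lookup, and the mapping from a raw CloudTrail record onto the flat "Event" log line. The read-only filter rule, the principalId:userName join and the Slack one-liner are assumptions; the page does not state the Lambda's actual rules, and the CloudTrail record is constructed.

```python
"""Shape raw CloudTrail records into the flat "Event" log line shown above."""
import os
from datetime import datetime, timezone

# Assumed noise rule: drop calls CloudTrail flags as readOnly, plus these read-only verbs.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup", "Head")

def is_actionable(record: dict) -> bool:
    """Keep mutating API calls; drop read-only ones (assumption, not the Lambda's real rule)."""
    if record.get("readOnly") is True:
        return False
    return not record.get("eventName", "").startswith(READ_ONLY_PREFIXES)

def account_label(account_id: str, env=os.environ) -> str:
    """Prefer SLACK_NAME_<account id>, then SLACK_NAME, else fall back to the raw account id."""
    return env.get(f"SLACK_NAME_{account_id}") or env.get("SLACK_NAME") or account_id

def to_event(record: dict, now=None) -> dict:
    """Map a CloudTrail record onto the field names used in the example event."""
    now = now or datetime.now(timezone.utc)
    ident = record.get("userIdentity", {})
    user = ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]
    return {
        "account_id": record.get("recipientAccountId"),
        "event_id": record.get("eventID"),
        "event_name": record.get("eventName"),
        "event_source": record.get("eventSource"),
        "event_time": record.get("eventTime"),
        "level": "info",
        "msg": "Event",
        # Assumed join of principalId and user name to match the example's "principal".
        "principal": f"{ident.get('principalId')}:{user}",
        "time": now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "user_agent": record.get("userAgent"),
        "user_name": user,
    }

def slack_text(event: dict, env=os.environ) -> str:
    """One-line Slack summary; the account name may carry an emoji such as :maple_leaf:."""
    return (f"{account_label(event['account_id'], env)}: {event['event_name']} "
            f"on {event['event_source']} by {event['user_name']}")

# Constructed CloudTrail record mirroring the example event (not real data).
SAMPLE_RECORD = {
    "userIdentity": {"type": "IAMUser", "principalId": "AIDA123456789EXAMPLE",
                     "userName": "john.doe@example.com"},
    "eventTime": "2021-05-14T19:03:40Z", "eventSource": "iam.amazonaws.com",
    "eventName": "PutUserPolicy", "userAgent": "Mozilla/5.0", "readOnly": False,
    "eventID": "ec20d295-2332-4871-9a0c-0f3193119eb6", "recipientAccountId": "123456789012",
}
```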