Sending AWS Events to a Slack Channel

Sending AWS Events to a Slack Channel

ยท

3 min read

Play this article

Introduction

As part of my role, I am responsible for ensuring that our business adheres to the AWS Well-Architected Framework. During a recent review, I discovered that we were not meeting one of the framework's requirements.

You must have monitoring and alerting in place to identify when S3 buckets become public. Bucket permissions that grant Upload/Delete access to everyone create potential security vulnerabilities by allowing anyone to add, modify, or remove items in a bucket.

Why Slack?

If enabled, AWS Cloud Trail will log any API calls for S3 that invoke public access:

eventName": ["DeleteBucketPolicy", "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPublicAccessBlock", "PutBucketPublicAccessBlock"]

One could argue that's the answer, events logged, a requirement met ๐Ÿ‘‹.

However let's be honest, who sits and watches CloudTrail logs? Not me!

I decided early on to leverage SNS to achieve alerting, then given my hatred of emails, Slack was my obvious preference for receiving them.

Screenshot 2022-02-09 at 20.32.10.png


Deploying:

To create the solution, I divided it into four main components:

  1. Easy setup across multiple regions

  2. EventBridge to capture alerts

  3. SNS to send alerts

  4. Chatbot to deliver alerts to Slack

Since the S3 bucket location, EventBridge Rules, and SNS Topics are specific to regions, we needed to pre-deploy each service in all six regions we operate in. While manually creating an EventBridge rule and SNS topic for each region is not a difficult administrative task, I decided to utilize CloudFormation to automate the deployment and integration of these services.

To ensure seamless integration of these services, I separated each service into its own CloudFormation template. This approach allowed us to deploy the SNS topic first before providing its Amazon Resource Name (ARN) to our EventBridge rule.

CloudFormation Parent Stack

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  TemplateURL:
    Description: URL of nested stack template
    Type: String

Resources:

    SNSTopicStack:
      Type: AWS::CloudFormation::Stack
      Properties:
        TemplateURL: !Ref TemplateURL
        TimeoutInMinutes: 5

    EventsRule:
        Type: "AWS::Events::Rule"
        Properties:
            Name: "S3PublicAccess"
            EventPattern: |
                {
                  "source": ["aws.s3"],
                  "detail-type": ["AWS API Call via CloudTrail"],
                  "detail": {
                    "eventSource": ["s3.amazonaws.com"],
                    "eventName": ["DeleteBucketPolicy", "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPublicAccessBlock", "PutBucketPublicAccessBlock"]
                  }
                }
            State: "ENABLED"
            Targets: 
              - 
                Arn: !GetAtt SNSTopicStack.Outputs.SNSTopicARN
                Id: Slackbot

            EventBusName: "default"

    Chatbot:
      Type: AWS::Chatbot::SlackChannelConfiguration
      Properties:
        SNSTopicArns: !GetAtt SNSTopicStack.Outputs.SNSTopicARN

SNS Topic Child Stack

AWSTemplateFormatVersion: "2010-09-09"

Resources:
    SNSTopic:
        Type: "AWS::SNS::Topic"
        Properties:
            DisplayName: "SlackBot"
            TopicName: "SlackBot"

Outputs:
  SNSTopicARN:
    Value: !Ref SNSTopic
    Description: ARN for SNS Topic

AWS Chatbot

AWS Chatbot is an interactive agent that makes it easy to monitor, operate, and troubleshoot your AWS workloads in your chat channels. With AWS Chatbot, you can receive alerts, run commands to retrieve diagnostic information, configure AWS resources, and initiate workflows.

Installing and configuring AWS Chatbot in Slack is pretty straightforward, simply install the Slack app and follow the prompts

You can install it from here > slack.com/apps/A6L22LZNH-aws-chatbot?tab=mo..

Chatbot will live in one region of your choice and receive SNS topic updates from all regions you provision.


Success!

If everything deployed correctly you should start receiving notifications in your chosen Slack channel when an S3 public access is changed ๐Ÿ˜

Screenshot 2022-02-09 at 21.02.38.png

ย