How to monitor AWS account activity with CloudTrail, CloudWatch Events and Serverless

Hi folks, I have been assigned a project for which I am supposed to be working with CloudTrail and CloudWatch.

Scenario: Use CloudWatch to watch for changes in SSM and send notifications to slack channel. And then use CloudWatch Events via CloudTrail to monitor for actions to create DynamoDB and send notifications.

Can somebody help me with this? Thanks in advance!
Oct 1 in AWS by Hannah


Hey @Hannah,

This project will require you to have the Serverless Framework installed and an AWS account configured.

Set up CloudTrail:

Choose "Create trail" and configure a trail for "write-only" management events.

Have your trail write to a CloudWatch Logs log group so you can subscribe to notifications.

Set up an incoming webhook app in Slack to receive the notifications.

Example of an SSM Parameter Store change event:

{
  "version": "0",
  "id": "6a7e4feb-b491-4cf7-a9f1-bf3703497718",
  "detail-type": "Parameter Store Change",
  "source": "aws.ssm",
  "account": "123456789012",
  "time": "2017-05-22T16:43:48Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:ssm:us-east-1:123456789012:parameter/foo"
  ],
  "detail": {
    "operation": "Create",
    "name": "foo",
    "type": "String",
    "description": "Sample Parameter"
  }
}

Example serverless.yml:

service: cloudwatch-ssm

provider:
  name: aws
  # Lambda no longer accepts python3.6 (the runtime used originally); pick a supported one.
  runtime: python3.11
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        # DescribeParameters does not support resource-level permissions, so "*" is required.
        - "ssm:DescribeParameters"
      Resource: "*"
  environment:
    # The webhook URL lets anyone who holds it post to the channel. Do not commit it
    # in plain text; inject it at deploy time (e.g. from a SecureString parameter).
    SLACK_URL: 'SLACK URL'

functions:
  parameter:
    handler: handler.parameter
    events:
      # SSM emits this event itself; no CloudTrail trail is involved for this rule.
      - cloudwatchEvent:
          event:
            source:
              - "aws.ssm"
            detail-type:
              - "Parameter Store Change"

handler.py

# handler.py

import json
import os
import urllib.request

import boto3

# Incoming-webhook URL for Slack; treat it as a secret (see the serverless.yml comment).
SLACK_URL = os.environ.get('SLACK_URL')
CLIENT = boto3.client('ssm')


def parameter(event, context):
    formatted = format_message(event)

    send_to_slack(formatted)


def format_message(parameter_event):
    name = parameter_event.get('detail').get('name')
    operation = parameter_event.get('detail').get('operation')
    # Use ParameterFilters with Option=Equals. The legacy Filters form matches on prefix,
    # so a change to "foo" could return "foo-prod" first and [0] would be the wrong parameter.
    resp = CLIENT.describe_parameters(
        ParameterFilters=[
            {
                "Key": "Name",
                "Option": "Equals",
                "Values": [name]
            }
        ]
    )
    parameters = resp.get('Parameters', [])
    if parameters:
        last_modified_user = parameters[0]['LastModifiedUser']
        version = parameters[0]['Version']
    else:
        # After a Delete operation the parameter no longer exists, so there is nothing
        # to describe; indexing [0] unguarded would raise IndexError here.
        last_modified_user = 'unknown (parameter no longer exists)'
        version = 'n/a'

    text = '\n'.join([
        "Parameter changed in SSM!",
        "A *{}* operation was performed on parameter *{}*".format(operation.upper(), name),
        "Change made by {}".format(last_modified_user),
        "Parameter now on version {}".format(version)
    ])

    return {
        "text": text
    }


def send_to_slack(message, url=SLACK_URL):
    # botocore.vendored.requests has been removed from botocore, so use the standard library.
    data = json.dumps(message).encode('utf-8')
    req = urllib.request.Request(url, data=data, headers={'Content-Type': 'application/json'})
    # urlopen raises urllib.error.HTTPError on a non-2xx status, as raise_for_status() did.
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

Go ahead and deploy the service.

answered Oct 1 by Jack
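The answer above covers the SSM half of the question; the DynamoDB half arrives through a different path. SSM publishes "Parameter Store Change" events itself, whereas a DynamoDB CreateTable call only reaches CloudWatch Events as an "AWS API Call via CloudTrail" event, which requires a trail that logs management write events. The following is an added example, not code from the answer or from the Serverless project: a single handler that formats both event kinds for Slack, plus a small matcher so the CloudWatch Events pattern for the DynamoDB rule can be checked offline before deploying. The pattern constant, the `handler` name and the two sample events are assumptions constructed for this example.

```python
# Added example: one handler for both events in the question (SSM parameter change and
# CloudTrail-sourced DynamoDB CreateTable), with an offline check of the event pattern.
# Not code from the original answer; the sample events at the bottom are constructed.
import json
import os
import urllib.request

SLACK_URL = os.environ.get("SLACK_URL")  # webhook URL is a secret; keep it out of source

# Assumed pattern for the DynamoDB function. Written as YAML it goes under
# events -> cloudwatchEvent -> event in serverless.yml. CloudTrail delivers management
# API calls to CloudWatch Events only when a trail logging write events exists.
DYNAMODB_CREATE_PATTERN = {
    "source": ["aws.dynamodb"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["dynamodb.amazonaws.com"],
        "eventName": ["CreateTable"],
    },
}

def matches_pattern(event, pattern):
    """Minimal CloudWatch Events matching: every pattern key must be present, a list is
    an OR of exact values, a nested dict recurses. Lets you test a pattern offline."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True

def format_ssm_change(event):
    d = event["detail"]
    return "\n".join([
        "Parameter changed in SSM!",
        "A *{}* operation was performed on parameter *{}* (type {})".format(
            d["operation"].upper(), d["name"], d.get("type", "unknown")),
    ])

def format_cloudtrail_call(event):
    # Pull out the fields an on-call engineer wants first: who, from where, on what.
    d = event["detail"]
    who = d.get("userIdentity", {})
    params = d.get("requestParameters") or {}
    return "\n".join([
        "*{}* called on {} in {}".format(d["eventName"], d["eventSource"], d.get("awsRegion", "?")),
        "Principal: {} ({})".format(who.get("arn", "unknown"), who.get("type", "?")),
        "Source IP: {}".format(d.get("sourceIPAddress", "?")),
        "Table: {}".format(params.get("tableName", "?")),
    ])

def format_message(event):
    """Route on source / detail-type; None means the event is not one we alert on."""
    if event.get("source") == "aws.ssm" and event.get("detail-type") == "Parameter Store Change":
        return {"text": format_ssm_change(event)}
    if matches_pattern(event, DYNAMODB_CREATE_PATTERN):
        return {"text": format_cloudtrail_call(event)}
    return None

def send_to_slack(message, url=SLACK_URL):
    req = urllib.request.Request(url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:  # raises HTTPError on non-2xx
        return resp.status

def handler(event, context):
    message = format_message(event)
    if message is None:
        return {"sent": False}
    send_to_slack(message)
    return {"sent": True}

# Constructed sample events (not captured from a real account).
SSM_EVENT = {
    "version": "0", "source": "aws.ssm", "detail-type": "Parameter Store Change",
    "account": "123456789012", "region": "us-east-1",
    "resources": ["arn:aws:ssm:us-east-1:123456789012:parameter/foo"],
    "detail": {"operation": "Delete", "name": "foo", "type": "String"},
}
DDB_EVENT = {
    "version": "0", "source": "aws.dynamodb", "detail-type": "AWS API Call via CloudTrail",
    "account": "123456789012", "region": "us-east-1", "resources": [],
    "detail": {
        "eventSource": "dynamodb.amazonaws.com", "eventName": "CreateTable",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"tableName": "orders"},
    },
}
```

Because `format_message` returns `None` for anything the pattern does not cover, a rule that is accidentally widened (for example by dropping `eventName` from the pattern) shows up as silently ignored events rather than a flood of Slack posts; run `matches_pattern` against a captured event from your own trail before trusting the YAML.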
