I'm pretty new to AWS but I did some research about my issue and I couldn't find an answer anywhere so hopefully someone can help me with this.
I would like to be notified on Slack whenever someone logs in with a Root account on any of my AWS accounts. I have set up Cloudtrail at the Organisation level to monitor cloudtrail logs on all my AWS account. I have set up a Cloudwatch alarm to trigger whenever a root account is used, the alarm is then sent to a SNS topic that sends it to a Lambda that triggers a message to Slack.
All of this is working fine. However, the message I receive from SNS is basically the following: The alarm (root_login) has been trigerred
Ideally I would want to receive the Cloudwatch event that shows me more information like the IP Address of the user, the AWS account where it occured, etc...
Basically I would like to receive the Cloudwatch event log to the lambda instead of the Cloudwatch alarm trigger. Is that something that is possible?
Thanks
Yes that is possible. Here are some instructions from the AWS site on the aws-sns-to-slack-publisher. The page contains the steps you need to take to deploy .
Here is an example of publishing a health event to slack.
You will ofcourse need to modify the code to meet your requirements.
Related
2 weeks back, I saw a notification in AWS saying, the one of the 3 AWS EC2 instance will be stopped because of the underlying hardware cause. I almost missed the dead line as I didn't the notification via email. Is there a way get these notification via email?
It would be much better if I can get the notifications using cloud watch to my email.
If you're on Business or Enterprise Support, AWS provides a solution named "AWS Health Aware" built on top of AWS Health API, it does exactly what you're after sends you notifications via several methods including emails regarding outages and planning maintenance that affect your account(s).
If you're on a Basic support plan you can easily built something similar yourself using based on [AWS Health events][2]
This is an example of capturing AWS Health events via EventBridge so they can be further send to a lambda or SNS
https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html
What I've done in the is following:
Capturing AWS Health events via EventBridge in spoke accounts and forward them to the event bus in my hub account
In the hub account I would subscribe a lambda function for all events with source "aws.health" and then send email or slack message whatever works for you.
I think Amazon EventBridge is what you are looking for. With EventBridge you can detect and react to different events such as EC2 instances scheduled for updates. You can, for example, create a rule for detecting a specific health event and in the target section choose to receive an email through SNS or invoke a CloudWatch log group, etc. Read more here.
I've set up an SNS topic that notifies through an email. It's working when I ask to test it through the AWS console. It sends a test email.
I've set up an EventBridge rule that should trigger when security group related actions are executed. I've set the target for that rule to be the SNS topic i described above. But when I make changes to my security groups (through the AWS console or through API calls), no emails are sent.
Can someone look into my configuration and tell me what else I can look into?
Thanks in advance!
You need to have trail enabled for EB to detect API events. From docs:
To record events with a detail-type value of AWS API Call via CloudTrail, a CloudTrail trail with logging enabled is required.
I have to monitor CloudWatch logs for particular lambda. When the specific error message such as HTTP-50X is logged to CloudWatch, then we need to send an email notification to alert that the something is wrong.
We need help to create alert email in AWS to monitor manually the logs to see if there is any such error logged.
This is exactly what metric filter is for. Create a metric filter that monitors your log group for specific pattern. Then create a CloudWatch alarm based on a new metric and configure it with an SNS action. Then simply subscribe your email to that SNS topic.
All of this can be easily done via CloudFormation(Metric filter, Alarm, SNS). You can also use CDK.
You can process/monitor logs in real-time using lambda functions. Checkout Using AWS Lambda with Amazon CloudWatch Logs and Real-time Processing of Log Data with Subscriptions for details.
I am new with AWS and I m trying to find a way to get alarms from cloud watch. I set up an SNS topic and set a server endpoint but I relize that this needs confirmation of subscription.Do you know how to set up the webhook or if there is a call for getting alarms?
Go to CloudWatch
Choose Alarms from the left menu
Create Alarm
Select your metric
Specify metric and conditions then next
In the Configure actions part you may select an SNS Topic from the dropdown list.
Fill name, description on the next step
Preview and create.
Edit:
For subscription part; i've created a topic and a lambda for it's subscription which will get SNS event and send it to slack. There are other options such as http(s) calls, email, sms etc.
I am trying to get lambda in another account to get it invoked by RDS instance event notifications.
RDS event subscription is set to invoke SNS topic which triggers lambda in other account.
I have setup an entire stack using cloudformation. Things I achieved so far are
RDS events are able to invoke SNS topic, I have tested it using creating email subscription to SNS topic
SNS topic is able to trigger lambda in another account. I have tested it using publish messages in SNS topic. I can see that is flowing through in cloudwatch logs.
Part I am not able to get working is, RDS events triggering SNS and then Lamba in other account. Its very strage as individual bits are working fine but not end to end. Other observation is status of the SNS subscription in RDS events is shown as Active and I can see subscription log in lambda but nothing happens after I reboot RDS instance to test.
Also, I see this bizzare behaviour that subscription status is set to Null.
I followed below links for reference
https://jimmythompson.co.uk/blog/sns-and-lambda/
https://medium.com/pablo-perez/infrastructure-as-a-code-should-not-be-imperative-43d9a64e3998
Is there something I am missing? Any help is much appreciated.