Implementing Real-time Slack Alerts for IAM Key Expiration Using AWS Lambda


AWS EventBridge Scheduler is a managed cron for automating maintenance tasks, such as notifying users via Slack about IAM access keys that are due for rotation. This article shows how to set up scheduled Slack alerts for ageing IAM access keys using AWS Lambda and EventBridge Scheduler. The check runs on a schedule (for example every weekday morning) and flags keys by age; IAM access keys never expire on their own, so the alert is the nudge that gets them rotated.

You Should Know:

1. Setting Up AWS Lambda for Slack Notifications

To create a Lambda function that checks IAM access key age and sends Slack alerts, use the following Python code. The function's execution role needs only `iam:ListUsers` and `iam:ListAccessKeys`; the `requests` library is not bundled in the Lambda Python runtime, so the code below posts to Slack with the standard library's `urllib`.

import json
import os
import urllib.request
from datetime import datetime, timezone

import boto3

MAX_KEY_AGE_DAYS = 85  # warn when an active key is this many days old or older

def lambda_handler(event, context):
    iam = boto3.client('iam')
    slack_webhook = os.environ['SLACK_WEBHOOK_URL']

    lines = []
    # list_users returns at most 100 users per call, so paginate
    for page in iam.get_paginator('list_users').paginate():
        for user in page['Users']:
            keys = iam.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata']
            for key in keys:
                if key['Status'] != 'Active':
                    continue
                # CreateDate is timezone-aware (UTC); compare against an aware "now"
                age = (datetime.now(timezone.utc) - key['CreateDate']).days
                if age >= MAX_KEY_AGE_DAYS:  # Warn if key is older than 85 days
                    lines.append(f"User {user['UserName']} has an access key "
                                 f"({key['AccessKeyId']}) that is {age} days old. Rotate soon!")

    # Only post when something was flagged
    if lines:
        message = "🔔 IAM Key Rotation Alert 🔔\n" + "\n".join(lines)
        req = urllib.request.Request(
            slack_webhook,
            data=json.dumps({'text': message}).encode(),
            headers={'Content-Type': 'application/json'},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            resp.read()

    return {'statusCode': 200, 'body': f'Check completed: {len(lines)} key(s) flagged'}

2. Configuring EventBridge Scheduler

1. Open AWS EventBridge → Schedules.

2. Click Create Schedule.

  1. Set a cron expression. EventBridge Scheduler uses six fields, e.g. `cron(0 9 ? * MON-FRI *)` for weekdays at 9 AM; set the schedule's time zone explicitly rather than relying on UTC.
  2. Select AWS Lambda as the target and choose your function. The schedule needs an execution role that is allowed to invoke the function (`lambda:InvokeFunction`).
  3. On the Lambda function itself (Configuration → Environment variables), add `SLACK_WEBHOOK_URL` with your Slack incoming webhook. The schedule does not set environment variables; the function reads them at runtime.

3. Slack Webhook Setup

  1. Go to Slack App Directory → Incoming WebHooks (or create a Slack app and enable Incoming Webhooks for it).
  2. Choose a channel and generate a webhook URL.
  3. Treat the URL as a credential: anyone who holds it can post to the channel. A plain Lambda environment variable is readable by anyone with `lambda:GetFunctionConfiguration`, so store the URL in AWS Secrets Manager or an SSM SecureString parameter and read it at runtime, or at least encrypt the environment variable with a customer-managed KMS key.

4. Testing & Troubleshooting

  • `aws iam create-access-key` creates a brand-new key, which is 0 days old and will not trip the 85-day threshold. To exercise the alert path, temporarily lower the threshold or run against a test account that already has an old key, and delete any key you created for the test when you are done.
  • Check CloudWatch Logs for Lambda execution errors. An AccessDenied on `iam:ListUsers` or `iam:ListAccessKeys` means the execution role is missing permissions.
  • Test Slack notifications manually with curl -X POST -H 'Content-type: application/json' --data '{"text":"Test alert"}' YOUR_WEBHOOK_URL.
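
Because a freshly created key is 0 days old, the cleanest way to test the age logic is offline, without AWS at all. The following is an added example (not code from the original article): it separates the age policy from the AWS calls so it can be unit-tested on constructed key metadata, adds a second "expired" tier at 90 days on top of the 85-day warning, and masks access key IDs to their last four characters so a full key ID never lands in a chat channel. The sample users, key IDs and dates are constructed for the example; the dict layout matches what `list_access_keys` returns, so the real `AccessKeyMetadata` entries can be fed in unchanged. The thresholds and the `KeyFinding` type are this example's own choices.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WARN_DAYS = 85      # nudge the key owner
EXPIRED_DAYS = 90   # past the rotation policy


@dataclass(frozen=True)
class KeyFinding:
    user: str
    masked_key_id: str
    age_days: int
    level: str  # "warn" or "expired"


def mask_key_id(key_id: str) -> str:
    """Keep only the last 4 characters so the full access key ID is not posted to chat."""
    return "..." + key_id[-4:]


def evaluate_keys(users_with_keys, now=None):
    """users_with_keys: iterable of (user_name, [AccessKeyMetadata dict, ...]).
    Returns KeyFinding objects for active keys at or past WARN_DAYS, oldest first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for user_name, keys in users_with_keys:
        for key in keys:
            if key["Status"] != "Active":
                continue  # inactive keys cannot be used; rotation alert is pointless
            create_date = key["CreateDate"]
            if create_date.tzinfo is None:
                # Be tolerant of naive datetimes from fixtures; boto3 returns aware UTC values
                create_date = create_date.replace(tzinfo=timezone.utc)
            age = (now - create_date).days
            if age >= EXPIRED_DAYS:
                level = "expired"
            elif age >= WARN_DAYS:
                level = "warn"
            else:
                continue
            findings.append(KeyFinding(user_name, mask_key_id(key["AccessKeyId"]), age, level))
    findings.sort(key=lambda f: f.age_days, reverse=True)
    return findings


def build_slack_payload(findings):
    """Return the JSON-serialisable body to POST to the webhook, or None when there is nothing to say."""
    if not findings:
        return None
    lines = ["🔔 IAM Key Rotation Alert 🔔"]
    for f in findings:
        tag = "EXPIRED" if f.level == "expired" else "Rotate soon"
        lines.append(f"{tag}: user {f.user}, key {f.masked_key_id}, {f.age_days} days old")
    return {"text": "\n".join(lines)}


# Constructed sample data (not real AWS output): three users, four keys.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("admin", [{"AccessKeyId": "AKIAEXAMPLE0001ADMN", "Status": "Active",
               "CreateDate": NOW - timedelta(days=90)}]),
    ("bob",   [{"AccessKeyId": "AKIAEXAMPLE0002BOB1", "Status": "Active",
               "CreateDate": NOW - timedelta(days=86)},
              {"AccessKeyId": "AKIAEXAMPLE0003BOB2", "Status": "Inactive",
               "CreateDate": NOW - timedelta(days=400)}]),
    ("ci",    [{"AccessKeyId": "AKIAEXAMPLE0004CI00", "Status": "Active",
               "CreateDate": NOW - timedelta(days=10)}]),
]

if __name__ == "__main__":
    payload = build_slack_payload(evaluate_keys(SAMPLE, now=NOW))
    print(payload["text"])
```

In the Lambda, `evaluate_keys` would be fed `(user['UserName'], iam.list_access_keys(...)['AccessKeyMetadata'])` pairs and `build_slack_payload` would produce the body for the webhook POST; everything above the POST is then testable with a fixed `now`, which is what makes the 85/90-day boundaries checkable.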

What Undercode Say

Automating IAM key-age alerts via Slack helps keep access keys within your rotation policy (the common 90-day rule). Below are additional AWS and Linux commands to enhance your setup. Note that deactivating a key is only one step of rotation: create and distribute the replacement first, deactivate the old key, and delete it only after confirming nothing broke while it was inactive.

  • AWS CLI:
    # List all IAM users
    aws iam list-users

    # Rotation step 2: deactivate the old key (create and distribute the replacement first)
    aws iam update-access-key --access-key-id AKIAEXAMPLE --status Inactive --user-name Bob

    # Rotation step 3: delete the old key once you have confirmed nothing still used it while inactive
    aws iam delete-access-key --access-key-id AKIAEXAMPLE --user-name Bob


  • Linux (Cron Alternative):

    # Trigger the Lambda from a host that has AWS credentials, weekdays at 09:00 (five-field crontab)
    0 9 * * 1-5 aws lambda invoke --function-name KeyRotateAlert /tmp/output.log


  • Windows (PowerShell, AWS Tools for PowerShell):

    # Invoke Lambda manually
    Invoke-LMFunction -FunctionName KeyRotateAlert -Payload '{}'
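
The three CLI steps above are easy to run in the wrong order (deactivate or delete before the replacement exists). The following is an added example, not code from the original article, that encodes the safe order in one function and can be run offline: `FakeIAM` is a constructed in-memory stand-in for the four boto3 IAM calls the procedure uses (it is not boto3 and only imitates the per-user two-key limit; the real client raises `LimitExceededException` there). Because the method names and keyword arguments match boto3's, `rotate_access_key` and `retire_inactive_keys` can be handed a real `boto3.client('iam')` unchanged. The `deliver_new_key` callback is this example's own hook for handing the new secret to whatever consumes it (a secrets store, a CI variable); the user and key names are made up.

```python
from datetime import datetime, timezone


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (NOT boto3).
    Implements only list/create/update/delete_access_key with boto3's argument names."""

    def __init__(self):
        self.keys = {}   # user name -> list of {AccessKeyId, Status, CreateDate}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:
            # Real IAM raises LimitExceededException: at most two keys per user
            raise RuntimeError("LimitExceeded: 2 access keys per user")
        self._n += 1
        key = {"AccessKeyId": f"AKIAFAKE{self._n:012d}", "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": {**key, "SecretAccessKey": "fake-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys.get(UserName, []):
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        before = self.keys.get(UserName, [])
        after = [k for k in before if k["AccessKeyId"] != AccessKeyId]
        if len(after) == len(before):
            raise KeyError(AccessKeyId)
        self.keys[UserName] = after
        return {}


def rotate_access_key(iam, user_name, old_key_id, deliver_new_key):
    """Create the replacement, hand it to the consumer, then deactivate the old key.
    The old key is deliberately NOT deleted here: deactivation is reversible, deletion is not.
    Returns the new key ID."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:
        raise RuntimeError(f"{user_name} already has 2 keys; delete the unused one first")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        deliver_new_key(new["AccessKeyId"], new["SecretAccessKey"])  # e.g. write to Secrets Manager
    except Exception:
        # Delivery failed: remove the key we just created rather than leave a live orphan
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new["AccessKeyId"]


def retire_inactive_keys(iam, user_name):
    """Final step, run later (e.g. after a grace period): delete keys already marked Inactive."""
    removed = []
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
            removed.append(k["AccessKeyId"])
    return removed


def demo():
    """Walk a made-up user 'Bob' through the full rotation against the fake client."""
    iam = FakeIAM()
    old = iam.create_access_key(UserName="Bob")["AccessKey"]["AccessKeyId"]
    delivered = {}
    new = rotate_access_key(iam, "Bob", old, lambda kid, secret: delivered.update({kid: secret}))
    statuses = {k["AccessKeyId"]: k["Status"]
                for k in iam.list_access_keys(UserName="Bob")["AccessKeyMetadata"]}
    removed = retire_inactive_keys(iam, "Bob")
    return old, new, delivered, statuses, removed


if __name__ == "__main__":
    print(demo())
```

Run `retire_inactive_keys` from a later scheduled invocation rather than immediately after rotation; the gap is what lets you notice a consumer that was still using the old key (its calls start failing with the key inactive) and reactivate it instead of having to issue yet another key.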
    

Expected Output:

A Slack message like:

🔔 IAM Key Rotation Alert 🔔 
User admin has an access key (AKIAEXAMPLE) that is 90 days old. Rotate soon! 


Reported By: Darryl Ruggles – Hackers Feeds