Serverless AWS Account Watcher: Track and Notify AWS Account Activities


In this article, Darryl R., a Cloud Solutions Architect at Ciena, explains how to set up a Serverless AWS Account Watcher using Amazon EventBridge, AWS Lambda, and Simple Notification Service (SNS). This solution allows you to monitor critical AWS account activities, such as IAM key creation/deletion, S3 bucket deletions, root user logins, and more. Notifications can be sent via email, SMS, or Slack.

The provided GitHub repository includes a Serverless Application Model (SAM) Infrastructure as Code (IaC) template to simplify deployment in your AWS account.

You Should Know:

Here are some practical commands and code snippets to implement and extend the Serverless AWS Account Watcher:

1. Deploy the SAM Template:

sam deploy --template-file template.yaml --stack-name aws-account-watcher --capabilities CAPABILITY_IAM

2. Create an SNS Topic for Notifications:

aws sns create-topic --name AccountWatcherNotifications

3. Subscribe to the SNS Topic:

aws sns subscribe --topic-arn arn:aws:sns:region:account-id:AccountWatcherNotifications --protocol email --notification-endpoint [email protected]

4. Lambda Function to Restore Resources (Example):

import boto3

def lambda_handler(event, context):
    """Re-create an S3 bucket after a CloudTrail DeleteBucket event arrives via EventBridge."""
    s3 = boto3.client('s3')
    detail = event['detail']
    bucket_name = detail['requestParameters']['bucketName']
    region = detail['awsRegion']
    # Outside us-east-1, CreateBucket rejects the call unless the region is given as a LocationConstraint.
    kwargs = {'Bucket': bucket_name}
    if region != 'us-east-1':
        kwargs['CreateBucketConfiguration'] = {'LocationConstraint': region}
    s3.create_bucket(**kwargs)
    return {
        'statusCode': 200,
        'body': f'Bucket {bucket_name} restored successfully!'
    }

5. EventBridge Rule to Trigger Lambda:

aws events put-rule --name "TrackS3Deletions" --event-pattern '{"source":["aws.s3"],"detail-type":["AWS API Call via CloudTrail"],"detail":{"eventSource":["s3.amazonaws.com"],"eventName":["DeleteBucket"]}}'
aws lambda add-permission --function-name RestoreS3Bucket --statement-id TrackS3Deletions --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn arn:aws:events:region:account-id:rule/TrackS3Deletions

6. Extend Lambda for IAM Role Restoration:

import boto3

def lambda_handler(event, context):
    """Re-create an IAM role after a CloudTrail DeleteRole event arrives via EventBridge."""
    iam = boto3.client('iam')
    role_name = event['detail']['requestParameters']['roleName']
    # The trust policy is a fixed EC2 placeholder; the deleted role's original trust policy
    # and attached permissions are not part of the DeleteRole event and are not restored here.
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
    )
    return {
        'statusCode': 200,
        'body': f'IAM Role {role_name} restored successfully!'
    }
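The notification side of the watcher, as an added example that is neither the page's nor the repository's code: one Lambda handler that classifies the CloudTrail events forwarded by rules like the one in step 5 (bucket and role deletions, access-key changes, root console logins) and publishes an SNS alert. The sample event, the TOPIC_ARN environment variable and the injectable `publish` hook are assumptions made here.

```python
import json
import os

# Constructed sample event (not from the page): a CloudTrail DeleteBucket record
# delivered through EventBridge, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "DeleteBucket",
        "eventTime": "2024-01-01T12:00:00Z",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "prod-logs"},
    },
}

# eventName -> (severity, requestParameters field naming the affected resource)
WATCHED = {"DeleteBucket": ("HIGH", "bucketName"), "DeleteRole": ("HIGH", "roleName"),
           "CreateAccessKey": ("MEDIUM", "userName"), "DeleteAccessKey": ("MEDIUM", "userName"),
           "ConsoleLogin": ("HIGH", None)}  # ConsoleLogin alerts only for the root user

def classify(event):
    """Return (severity, subject, body) for a watched event, else None."""
    d = event.get("detail") or {}
    name = d.get("eventName")
    ident = d.get("userIdentity") or {}
    if name not in WATCHED or (name == "ConsoleLogin" and ident.get("type") != "Root"):
        return None
    severity, field = WATCHED[name]
    params = d.get("requestParameters") or {}  # CloudTrail sets this to null for ConsoleLogin
    target = params.get(field, "(caller)") if field else "root user"
    subject = f"[{severity}] {name} on {target}"[:100]  # SNS caps Subject at 100 characters
    body = json.dumps({"event": name, "target": target, "actor": ident.get("arn"),
                       "source_ip": d.get("sourceIPAddress"), "region": d.get("awsRegion"),
                       "time": d.get("eventTime")}, indent=2)
    return severity, subject, body

def lambda_handler(event, context=None, publish=None):
    """Publish an SNS alert; `publish` is injectable so the logic can be tested offline."""
    result = classify(event)
    if result is None:
        return {"statusCode": 200, "body": "ignored"}
    _, subject, body = result
    if publish is None:  # inside Lambda: TOPIC_ARN is an assumed environment variable
        import boto3
        topic = os.environ["TOPIC_ARN"]
        publish = lambda s, b: boto3.client("sns").publish(TopicArn=topic, Subject=s, Message=b)
    publish(subject, body)
    return {"statusCode": 200, "body": subject}
```

A rule created with `aws events put-rule` only invokes this function once `aws events put-targets` attaches it as a target; the `add-permission` call in step 5 then lets EventBridge call it.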

What Undercode Says:

The Serverless AWS Account Watcher is a powerful tool for monitoring and responding to critical AWS account activities. By leveraging EventBridge, Lambda, and SNS, you can ensure real-time notifications and even automate corrective actions like resource restoration. This setup is particularly useful for maintaining security and operational integrity in cloud environments. For further exploration, check out the GitHub repository and AWS documentation on EventBridge and Lambda.

References:

Reported By: Darryl Ruggles – Hackers Feeds
