Skip to content

SAM package for creating a cloudwatch event when ever someone modifies a security group and post into MS Teams/Slack.

License

Notifications You must be signed in to change notification settings

MattTunny/watch-security-group

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Security Group Watcher for MS Teams/Slack

I work for @AWSCloud & my opinions are my own.

Basic Intro

SAM package for creating a cloudwatch event whenever someone modifies a security group and posts into MS Teams/Slack in near real time.
This is a simple example that posts the event. You might be asking isn't this the same as sending alerts to email? Correct, however it's what you do after the event has triggered where it becomes much more powerful then email.
You could add features like:

  • Only alarm when certain risky ports/ranges/vpc's are entered (22,3389 to 0.0.0.0/0 etc)
  • Create policy’s that enforce these rules automatically, enabling teams to move faster while still having visibility into what they are doing.

Requirements

  • Python
  • AWS SAM CLI
  • AWS Account
  • MS Teams or Slack account with permissions to install webhooks
  • One S3 bucket to store your files

Demo

  • I add a new rule in my security group to: Allow all traffic on all ports (sigh, if only people never did this)

  • This triggers a cloudwatch event and MS Teams sends a notification

  • Inside Teams:

  • Inside Slack:

Install Steps:

Clone repo

git clone https://github.com/MattTunny/watch-security-group.git

Pre Account Setup

  • Make a s3 bucket for your lambda's: aws s3 mb s3://your-unique-bucket-name --region ap-southeast-2

Create MS Teams Webhook

  • Log into your MS Teams account and select the channel you want to install the webhook

  • Select Connectors

  • Click Add/Manage on Incoming Webhook

  • Give your webhook a name and picture and click create

  • Copy your webhook url

  • Paste your webhook url into the default value in template.yaml and if you want to test locally paste it into vars.json

Deploy App

  • run sam package to s3 bucket you created earlier:
sam package --template-file template.yaml --s3-bucket your-s3-bucket --output-template sam-output.yaml
  • run sam deploy:
sam deploy --template-file sam-output.yaml --stack-name WatchSecurityGroup --capabilities CAPABILITY_IAM

Testing App

Testing is really easy with sam-cli, you just give it the function and event you want to invoke.

Note: you need to modify the "groupId" value in the sample events with a real security group for testing, also add a real webhook value in vars.json.

  • run sam test:
sam local invoke -e events/event_iam.json WatchSecurityGroupFunction -n vars.json

About

SAM package for creating a cloudwatch event when ever someone modifies a security group and post into MS Teams/Slack.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages