miztiik/serverless-kms-sentry
Serverless KMS Sentry

A simple Lambda function to monitor certain KMS events through CloudTrail and notify users or the security team through Slack.

Fig : Serverless AWS KMS Sentry

Follow this article on YouTube

  1. Pre-Requisites

    We will need the following pre-requisites to successfully complete this activity:

  2. Configure Lambda Function - Serverless KMS Sentry

    • The Python script is written (and tested) in Python 3.7.
    • Copy the code from serverless-kms-sentry in this repo into the Lambda function
    • Optional: add the Slack webhook URL as the SLACK_WEBHOOK_URL environment variable
    • Save the Lambda function
  3. Configure Lambda Triggers

    Go to the CloudWatch dashboard; we are going to use Event Rules

    • Choose Create a new Rule
    • For Event Source, choose Event pattern
      • For Service, choose/type KMS
      • For Event Type, choose AWS API Call via CloudTrail
      • Choose Specific Operation(s)
        • Add three operations: CreateAlias, DeleteAlias, DisableKey
    • For Target, choose Lambda Function
      • From the dropdown, select your Lambda function name
    • At the bottom, choose Configure Details
    • Fill in the Rule Name and Rule Description
      • Make sure it is Enabled
    • Enable the trigger by checking the box
    • Click Save

    Now your Lambda function should be triggered whenever there is a matching KMS event
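    To make the console steps above concrete, here is an added example (not the repository's own Lambda code) that shows the event pattern the rule builds and a handler that consumes the resulting CloudTrail-via-CloudWatch event. The handler re-applies the rule's filter locally, so the three watched operations stay the only ones that alert even if the rule is later widened, then extracts the fields a responder needs (operation, key, alias, caller ARN, source IP) and posts them to the SLACK_WEBHOOK_URL webhook if that variable is set, or logs them otherwise. The sample event is constructed here and modelled on the CloudTrail-via-CloudWatch shape; the account id, key id and IP in it are placeholders.

```python
import json
import os
import urllib.request

# Added example, not the repository's own code. The three operations below are
# the ones the README's Event Rule watches.
WATCHED_OPERATIONS = {"CreateAlias", "DeleteAlias", "DisableKey"}

# Event pattern equivalent to the console rule (Service: KMS, Event Type:
# AWS API Call via CloudTrail, Specific Operations: the three above).
EVENT_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": sorted(WATCHED_OPERATIONS),
    },
}


def matches_rule(event):
    """Return True if the event would match EVENT_PATTERN (defence in depth
    in case the rule is edited to forward more than the three operations)."""
    detail = event.get("detail") or {}
    return (
        event.get("source") in EVENT_PATTERN["source"]
        and event.get("detail-type") in EVENT_PATTERN["detail-type"]
        and detail.get("eventSource") in EVENT_PATTERN["detail"]["eventSource"]
        and detail.get("eventName") in WATCHED_OPERATIONS
    )


def build_alert(event):
    """Pull the fields a responder needs out of the CloudTrail record."""
    detail = event["detail"]
    identity = detail.get("userIdentity") or {}
    params = detail.get("requestParameters") or {}
    return {
        "operation": detail.get("eventName"),
        # CreateAlias/DeleteAlias carry targetKeyId/aliasName, DisableKey carries keyId
        "key_id": params.get("targetKeyId") or params.get("keyId"),
        "alias": params.get("aliasName"),
        "actor": identity.get("arn"),
        "source_ip": detail.get("sourceIPAddress"),
        "region": detail.get("awsRegion"),
        "time": detail.get("eventTime"),
        "error": detail.get("errorCode"),  # present when the call was denied/failed
    }


def format_slack_message(alert):
    """Render the alert as a Slack incoming-webhook payload."""
    lines = [f"*KMS Sentry*: `{alert['operation']}` by `{alert['actor']}`"]
    if alert["key_id"]:
        lines.append(f"Key: `{alert['key_id']}`")
    if alert["alias"]:
        lines.append(f"Alias: `{alert['alias']}`")
    lines.append(f"From {alert['source_ip']} in {alert['region']} at {alert['time']}")
    if alert["error"]:
        lines.append(f"Call failed with error `{alert['error']}`")
    return {"text": "\n".join(lines)}


def post_to_slack(payload, webhook_url):
    """POST the payload to a Slack incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context=None):
    """Lambda entry point: filter, summarise, notify."""
    if not matches_rule(event):
        return {"status": "ignored"}
    alert = build_alert(event)
    payload = format_slack_message(alert)
    webhook_url = os.environ.get("SLACK_WEBHOOK_URL")
    if webhook_url:
        post_to_slack(payload, webhook_url)
        return {"status": "sent", "alert": alert}
    print(json.dumps(payload))  # no webhook configured: leave it in CloudWatch Logs
    return {"status": "logged", "alert": alert}


# Constructed sample event (placeholder account, key id and IP), shaped like
# what CloudWatch Events delivers for a CloudTrail KMS call.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.kms",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2019-08-01T10:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DisableKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"keyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

    Running the file locally without SLACK_WEBHOOK_URL set prints the Slack payload instead of sending it, which is a convenient way to check the message wording before wiring the webhook into the function's environment.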

  4. Testing the solution

    Create a new alias for an existing key or delete a key; you should get the message in Slack (if configured). If not, use the sample event in the repo to test.
