Hey @Hannah,
This project will require you to have a serverless framework installed and an AWS account configured.
Set up CloudTrail.
"Create trail" and configure a trail for "write-only" management events.
Have your trail write to a CloudWatch Logs log group so you can subscribe to notifications.
Set up an incoming webhook app to get notifications in Slack.
Example of SSM Parameter Store:

```json
{
  "version": "0",
  "id": "6a7e4feb-b491-4cf7-a9f1-bf3703497718",
  "detail-type": "Parameter Store Change",
  "source": "aws.ssm",
  "account": "123456789012",
  "time": "2017-05-22T16:43:48Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:ssm:us-east-1:123456789012:parameter/foo"
  ],
  "detail": {
    "operation": "Create",
    "name": "foo",
    "type": "String",
    "description": "Sample Parameter"
  }
}
```
Example for serverless.yml:

```yaml
service: cloudwatch-ssm

provider:
  name: aws
  runtime: python3.6
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ssm:DescribeParameters"
      Resource: "*"
  environment:
    # Placeholder: replace with your Slack incoming webhook URL
    SLACK_URL: 'SLACK URL'

functions:
  parameter:
    handler: handler.parameter
    events:
      - cloudwatchEvent:
          event:
            source:
              - "aws.ssm"
            detail-type:
              - "Parameter Store Change"
```
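handler.py

```python
# handler.py
import json
import os
import urllib.request

import boto3

SLACK_URL = os.environ.get('SLACK_URL')
CLIENT = boto3.client('ssm')


def parameter(event, context):
    """Lambda entry point for "Parameter Store Change" events."""
    formatted = format_message(event)
    send_to_slack(formatted)


def format_message(parameter_event):
    """Build the Slack message for one Parameter Store change event."""
    name = parameter_event.get('detail').get('name')
    operation = parameter_event.get('detail').get('operation')
    resp = CLIENT.describe_parameters(
        Filters=[
            {
                "Key": "Name",
                "Values": [name]
            }
        ]
    )
    lines = [
        "Parameter changed in SSM!",
        "A *{}* operation was performed on parameter *{}*".format(operation.upper(), name),
    ]
    # A deleted parameter is no longer returned by describe_parameters,
    # so only add these lines when there is metadata to report.
    parameters = resp['Parameters']
    if parameters:
        lines.append("Change made by {}".format(parameters[0]['LastModifiedUser']))
        lines.append("Parameter now on version {}".format(parameters[0]['Version']))
    return {
        "text": '\n'.join(lines)
    }


def send_to_slack(message, url=SLACK_URL):
    """POST the message to the Slack incoming webhook."""
    # botocore.vendored.requests is no longer shipped with botocore,
    # so the request is made with the standard library instead.
    req = urllib.request.Request(
        url,
        data=json.dumps(message).encode('utf-8'),
        headers={'Content-Type': 'application/json'},
    )
    # urlopen raises urllib.error.HTTPError on a non-2xx response
    with urllib.request.urlopen(req) as resp:
        resp.read()
```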
Go ahead and deploy the service.
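
Added example, not part of the original post: the trail from the CloudTrail steps above writes to a CloudWatch Logs log group, and a Lambda subscribed to that group receives each batch base64-encoded and gzip-compressed. This sketch unpacks a batch and extracts Parameter Store writes with the calling identity, which also covers deletes and failed attempts; the function names and the sample batch are constructed for illustration.

```python
import base64
import gzip
import json

SSM_WRITE_EVENTS = {"PutParameter", "DeleteParameter", "DeleteParameters"}


def ssm_changes(event):
    """Summarise Parameter Store writes in a CloudWatch Logs subscription batch."""
    # Subscription payloads arrive as base64-encoded, gzip-compressed JSON
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw))
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE batches carry no trail records
    changes = []
    for log_event in payload.get("logEvents", []):
        try:
            record = json.loads(log_event["message"])
        except (KeyError, ValueError):
            continue  # not a JSON CloudTrail record
        if not isinstance(record, dict):
            continue
        if (record.get("eventSource") != "ssm.amazonaws.com"
                or record.get("eventName") not in SSM_WRITE_EVENTS):
            continue
        params = record.get("requestParameters") or {}
        changes.append({
            "action": record["eventName"],
            "names": params.get("names") or [params.get("name")],
            "actor": (record.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": record.get("sourceIPAddress", "unknown"),
            "failed": "errorCode" in record,  # e.g. an access-denied attempt
        })
    return changes


def constructed_event():
    """Constructed sample batch: one SSM write and one unrelated S3 call."""
    records = [
        {"eventSource": "ssm.amazonaws.com", "eventName": "PutParameter",
         "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
         "sourceIPAddress": "192.0.2.10",
         "requestParameters": {"name": "foo", "type": "String"}},
        {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
    ]
    log_events = [{"id": str(i), "timestamp": 0, "message": json.dumps(r)}
                  for i, r in enumerate(records)]
    payload = {"messageType": "DATA_MESSAGE", "logEvents": log_events}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode()))
    return {"awslogs": {"data": data.decode()}}
```

The dictionaries returned by `ssm_changes` can be formatted and passed to the same Slack webhook call used in handler.py.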