This integration will do three things:
- Process all CloudTrail logs and copy them to a processed directory. You can specify if there are certain events that are high priority based on any attribute of the event, and that will be recorded in the processed logfile. The default rules are:
- Creation of a new IAM user.
- Access to any API from a non US IP address.
- Inform you about any high priority events seen in the logfiles by posting to Slack.
- Upon request, return more information about any CloudTrail event:
@umbrellabot check out xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
You'll need a free Transposit account and a free ipstack account for determining the physical location of an IP address. You'll also need the ability to install an application on Slack.
You'll need an AWS account.
- Create an S3 bucket
- Enable CloudTrail to write to that bucket.
- You'll need to create an IAM user with the following permissions:
AmazonS3FullAccessAmazonAthenaFullAccess
- Create or choose a channel for the posts. Suggested names: 'cloudtrail' or 'cloudtrail_alerts'.
- Fork the app https://console.transposit.com/t/transposit-sample/athena_cloudtrail_slack (find the Fork button at the top of the editor view).
- Edit the
enrich_cloudtrail_objectfunction at the top of theget_log_filesoperation. This is where you mark interesting events with a priority. - Navigate to Deploy > Production Keys and add keys for all the data connectors.
- Navigate to Deploy > Environment Variables and fill out the following environment variables:
cloudtrail_bucket_name: the name of your cloudtrail bucket.cloudtrail_initial_prefix: the prefix to your CloudTrail log files. If you accept the default setup, it is:AWSLogs/xxxxxxx/CloudTrail/wherexxxxxxxis your AWS account number.cloudtrail_processed_prefix: by default the system stores the enriched log files in the same bucket and key as the unprocessed CloudTrail logs, except the key has this prefix added to it.athena_results_prefix: the location (undercloudtrail_bucket_name) where we store Athena results.slack_channel: the name of the Slack channel you created above.
- Navigate to Deploy > Scheduled Tasks and set up the
scheduled_joboperation on whatever schedule you'd like notifications to occur. Running every 10 minutes:0 /10 * ? * *
To interact with your bot, you need to create a Slack App. Here's the entire guide, but the cliff notes are:
- Navigate to Deploy > Endpoints Keys and copy the
webhookurl (something likehttps://athena-cloudtrail-slack-xxx.transposit.io/api/v1/execute-http/webhook?api_key=xxxx). - Create a new Slack App.
- Create a bot user for the app (I named mine 'umbrellabot'.)
- Give your app the following OAuth scopes:
bot,chat:write:bot. Use https://accounts.transposit.com/oauth/v2/handle-redirect for the redirect URL. - Subscribe to the
app_mentionevent. Use thewebhookurl from above for the 'Request URL'. - Set up the Transposit app to act as the bot user by grabbing the client secret and following the instructions here.
- Install the app to your workspace.
- Create the Athena table (the script is also in the git repo). The values in brackets below need to be replaced with the real values as specified in the environment variables above.
CREATE EXTERNAL TABLE default.cloudtrail_enriched (
xpriority string,
eventTime string,
eventName string,
awsRegion string,
eventSource string,
eventID string
)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
WITH SERDEPROPERTIES ('ignore.malformed.json' = 'true')
LOCATION 's3://[bucketname]/[cloudtrail_processed_prefixe]/[cloudtrail_initial_prefix]';