Sending CloudTrail Alerts to Lambda Functions

The CloudTrail Alert Manager allows you to enable or disable CloudCheckr's built-in or custom CloudTrail alerts. When AWS CloudTrail detects specific events, it triggers a CloudTrail alert.

CloudCheckr can notify customers about these alerts by email, SNS, PagerDuty, Syslog, Slack, or Lambda function.

This topic focuses on how to configure a notification via a Lambda function.


What is a Lambda Function?

Lambda is an AWS service that lets its users upload code and runs that code on their behalf. To get the service to execute your code, you must create a Lambda function, which consists of code and any associated dependencies. When Lambda executes a function on your behalf, it takes care of provisioning and managing the resources needed to run the function.

When you configure your CloudTrail alert in CloudCheckr, you must enter the Lambda function ARN value. When the alert is triggered, CloudCheckr will send the full event JSON (plus other useful properties) as a payload to the Lambda function. This action invokes the Lambda function, allowing you to automate activity within your AWS account based on CloudTrail alerts.

For this functionality to work, you must update the IAM policy attached to the credentials CloudCheckr uses for your account with the lambda:InvokeFunction permission. It is recommended that you qualify the permission with the ARN of the function, so that the credentials can invoke only that function rather than every function in the account. Without this permission, CloudCheckr will not be able to invoke the function on your behalf.
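The two pieces a practitioner typically writes for this setup are the scoped IAM permission and the function that receives the payload. The following Python is an added example, not CloudCheckr's code or its documented payload format: it builds a lambda:InvokeFunction policy qualified to one function ARN, flags policy statements that grant invocation on a wildcard resource, and parses the standard CloudTrail event fields out of an alert payload. The function ARN, the sample event, and the `alertName` property (standing in for the "other useful properties" CloudCheckr adds) are constructed placeholders.

```python
import json

# Constructed placeholder ARN; replace with the ARN copied from the Lambda console.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:cloudtrail-alert-handler"

# Standard CloudTrail record fields a responder looks at first.
CLOUDTRAIL_FIELDS = ("eventTime", "eventSource", "eventName", "awsRegion",
                     "sourceIPAddress", "userAgent", "errorCode")


def invoke_policy(function_arn: str) -> dict:
    """IAM policy document granting lambda:InvokeFunction on exactly one
    function, i.e. the permission qualified to the function as recommended."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudCheckrInvoke",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
        }],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_broad_invoke_statements(policy: dict) -> list:
    """Return Allow statements that grant invocation (lambda:InvokeFunction,
    lambda:* or *) on a wildcard resource instead of a single function ARN."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_invoke = any(a in ("lambda:invokefunction", "lambda:*", "*") for a in actions)
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(r == "*" or r.endswith(":function:*") for r in resources)
        if grants_invoke and wildcard:
            found.append(stmt)
    return found


def summarize_alert(payload: dict) -> dict:
    """Pull the CloudTrail fields out of the alert payload with .get so a missing
    field never crashes the handler, and keep any non-CloudTrail properties
    CloudCheckr adds under 'extra' so they are not lost."""
    identity = payload.get("userIdentity") or {}
    summary = {name: payload.get(name) for name in CLOUDTRAIL_FIELDS}
    summary["principal"] = identity.get("arn") or identity.get("principalId") or "unknown"
    summary["principalType"] = identity.get("type", "unknown")
    summary["extra"] = {k: v for k, v in payload.items()
                        if k not in CLOUDTRAIL_FIELDS and k != "userIdentity"}
    return summary


def lambda_handler(event, context):
    """Lambda entry point: summarise the alert, log it to CloudWatch Logs via
    print, and return the summary so it is visible in the invocation result."""
    summary = summarize_alert(event if isinstance(event, dict) else {})
    print(json.dumps(summary))
    return summary


# Constructed sample payload: a CloudTrail record plus one assumed CloudCheckr property.
SAMPLE_ALERT = {
    "eventTime": "2024-01-01T12:00:00Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateAccessKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "198.51.100.10",
    "userAgent": "aws-cli/2.0",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
    "alertName": "Any security-related event",  # assumed, not a documented key
}

if __name__ == "__main__":
    print(json.dumps(invoke_policy(FUNCTION_ARN), indent=2))
    print(lambda_handler(SAMPLE_ALERT, None))
```

Attach the generated policy to the IAM identity whose credentials CloudCheckr uses; run `overly_broad_invoke_statements` against any existing policy on that identity before adding the new statement, since a pre-existing `lambda:*` on `*` already covers invocation and would make the qualified statement meaningless.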

Obtaining the Function ARN

To obtain your function's ARN value, launch your AWS Management Console, open the Lambda service, and select the function with the ARN value you would like to use.

You will see your ARN value displayed in the top-right corner of the console. Copy the ARN value, so you can add it to the CloudTrail alert in CloudCheckr.


Adding ARN to CloudCheckr Alert

To update the alert(s) where you want to invoke your Lambda function:

  1. Launch CloudCheckr, and open the account that contains the CloudTrail alert that you want to update.
  2. From the left navigation pane, choose Security > Alerts > CloudTrail > Manager.
    On this page, you will see the Built-In and Custom tabs for the CloudTrail alerts. You can configure any of these alerts with your Lambda ARN.
  3. Click the name of the alert that you want to update. For the purposes of this procedure, we selected the built-in alert, Any security-related event.
    CloudCheckr displays details about the alert.
  4. Click Notification and in the Lambda Function ARN text field, type the ARN value.
    The next time the alert is triggered by CloudCheckr, the payload will be delivered to the Lambda function.
