Sending CloudTrail Alerts to Lambda Functions

The CloudTrail Alert Manager allows you to enable/disable CloudCheckr’s recommended pre-configured Built-In CloudTrail alerts, or create Custom Alerts.  These alerts are triggered when specific events are detected by AWS CloudTrail.

CloudCheckr provides several different methods to be notified when a CloudTrail alert is triggered including email, SNS notification, Pager Duty alert, Syslog, and/or Slack webhook.  CloudCheckr can also call a Lambda function from a CloudTrail alert to take an action, which is the subject of this help page.

LAMBDA FUNCTION

Lambda is an AWS service that allows its users to upload code, and the service can run the code on their behalf. To get the service to execute your code you must create a Lambda function, which consists of code and any associated dependencies. When Lambda executes a function on your behalf, it takes care of provisioning and managing the resources needed to run the function.

When you configure your CloudTrail alert in CloudCheckr, your must enter the Lambda function ARN. When the alert is triggered, CloudCheckr will send the full event json (plus other useful properties) as a payload to the Lamdba function. This will invoke the Lamdba function, allowing you to automate activity within your Amazon account based on CloudTrail alerts.

IMPORTANT: for this functionality to work, you must update the IAM policy associated with the credentials added to the CloudCheckr account with “lambda:InvokeFunction” permissions. It is recommended that you qualify the permission with the name of the function.  Without this permission, CloudCheckr will not be able to invoke the function on your behalf.

Obtaining the Function ARN

To obtain your function’s ARN (which is needed to configure this setting within CloudCheckr), first login to your AWS Management Console and load the Lambda service. Select the function whose ARN you would like to use from your list of functions.

lamba_function

When you are viewing your selected function, you will see your ARN displayed in the top-right corner of the Management Console (as shown above).  Copy the entire ARN, which will be added to the CloudTrail alert within CloudCheckr.


ADDING ARN TO CLOUDCHECKR ALERT

Once you have the ARN you will want to update whichever alert(s) you would like to invoke your Lambda function.

lamba_cc_alert

Load whichever account in CloudCheckr you would like to update and in the report navigation access Security > Alerts > CloudTrail > Manage. On this page you will see your built-in CloudTrail alerts, as well as your custom CloudTrail alerts. Any of these can be configured with your Lambda ARN.

Click the alert you would like to update to edit the alert, and then expand on the Notification section. Enter the ARN within the ‘Lambda Function ARN’ section and save.

Now, the next time the alert is triggered by CloudCheckr, the payload will be delivered to the Lambda function.