Allow optional user-provided Lambda to be called from ProcessCloudTrailFunction

Issue #6 new
Captain Crabby created an issue

I have a function that monitors CloudTrail logs for events like instances being launched or users logging into the console. Theoretically, nobody should be using my Space Crab account for anything other than generating/updating/deleting tokens and the only active user keys are restricted to the Lambdas that correspond to those actions. However, I'm a paranoid soul and I like to keep tabs on what is going on in the account.

Ideally, I could set up a separate trigger for my Lambda that is decoupled from the Space Crab stack. Unfortunately, only a single trigger can be defined for a given location in an S3 bucket. Therefore, I just added some code to ProcessCloudTrailFunction to invoke my function (and propagate the event) once it has finished processing a log file. It seems like it would not be too hard to allow a user to specify the ARN of a Lambda function during setup that will be called by ProcessCloudTrailFunction.

Comments (5)

  1. danb

    @CaptainCrabby do you have your modified ProcessCloudTrailFunction in a repo we can see?

    This is probably not technically difficult, but it'd be a pain with the current configuration process (manually typing things).

    I have a todo for file-based configurations, but I don't have an ETA for it.

  2. Captain Crabby reporter

    Here's what I did: https://bitbucket.org/CaptainCrabby/spacecrab/src/3d6822dcdae490768fcc9cd3b3b7fa20b02a2c16/ProcessCloudTrailFunction?at=master&fileviewer=file-view-default

    And I added the following policy to SpaceCrabStack-SpaceCrabLambdaExecutionRole: https://bitbucket.org/CaptainCrabby/spacecrab/src/c71d4079ef9456ce9df43978c12847e21b67ff32/CloudTrailProcessorPolicy?at=master&fileviewer=file-view-default

    There are two lines at the end of lambda_handler(). My rationale for putting the call at the end of lambda_handler() is that even if the call to 'myCloudTrailProcessor' throws an error for some reason, it won't prevent ProcessCloudTrailFunction from publishing records to SNS. Ordinarily, I would just submit pull reqs for these issues, but in the interest of opsec, I'm using a throwaway account.
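A sketch of the hook discussed in this thread, added here as an example; it is not the reporter's modification and not SpaceCrab code. The environment variable name, `forward_event` and `invoke_policy` are hypothetical, and the Lambda client is injectable so the logic can be exercised without AWS access.

```python
import json
import logging
import os
import re

log = logging.getLogger(__name__)

# Hypothetical setting name; not a SpaceCrab configuration key.
DOWNSTREAM_ENV = "DOWNSTREAM_FUNCTION_ARN"
# Accept only Lambda function ARNs (optionally with a version or alias qualifier).
ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:lambda:[a-z0-9-]+:\d{12}:function:"
    r"[A-Za-z0-9_-]{1,64}(:[A-Za-z0-9_$-]+)?$"
)


def forward_event(event, client=None, arn=None):
    """Pass the unmodified trigger event to the optional downstream Lambda.

    Meant to be the last call in the handler, after records were published
    to SNS. Returns True if the invoke was accepted, False if it was skipped
    or failed. It never raises, so the caller's own result is unaffected.
    """
    arn = arn if arn is not None else os.environ.get(DOWNSTREAM_ENV, "")
    if not arn:
        return False  # feature not configured
    if not ARN_RE.match(arn):
        log.error("ignoring malformed downstream ARN %r", arn)
        return False
    try:
        if client is None:
            import boto3  # bundled with the Lambda Python runtime
            client = boto3.client("lambda")
        # "Event" is an asynchronous invoke: Lambda queues it and returns 202.
        resp = client.invoke(FunctionName=arn, InvocationType="Event",
                             Payload=json.dumps(event).encode())
        return resp.get("StatusCode") == 202
    except Exception:
        log.exception("downstream invoke failed; continuing")
        return False


def invoke_policy(arn):
    """Execution-role policy that allows invoking this one function only."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "lambda:InvokeFunction",
                           "Resource": arn}]}
```

Scoping `Resource` to the single configured ARN keeps the execution role from being able to invoke any other function in the account.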
