Allow optional user-provided Lambda to be called from ProcessCloudTrailFunction
I have a function that monitors CloudTrail logs for events like instances being launched or users logging into the console. Theoretically, nobody should be using my Space Crab account for anything other than generating/updating/deleting tokens and the only active user keys are restricted to the Lambdas that correspond to those actions. However, I'm a paranoid soul and I like to keep tabs on what is going on in the account.
Ideally, I could set up a separate trigger for my Lambda that is decoupled from the Space Crab stack. Unfortunately, only a single trigger can be defined for a given location in an S3 bucket. Therefore, I just added some code to ProcessCloudTrailFunction to invoke my function (and propagate the event) once it has finished processing a log file. It seems like it would not be too hard to allow a user to specify the ARN of a Lambda function during setup that will be called by ProcessCloudTrailFunction.
Comments (5)
staff @CaptainCrabby do you have your modified ProcessCloudTrailFunction in a repo we can see?
This is probably not technically difficult, but it'd be a pain with the current configuration process (manually typing things).
I have a todo for file-based configurations, but I don't have an ETA for it.
reporter Here's what I did: https://bitbucket.org/CaptainCrabby/spacecrab/src/3d6822dcdae490768fcc9cd3b3b7fa20b02a2c16/ProcessCloudTrailFunction?at=master&fileviewer=file-view-default
And I added the following policy to SpaceCrabStack-SpaceCrabLambdaExecutionRole: https://bitbucket.org/CaptainCrabby/spacecrab/src/c71d4079ef9456ce9df43978c12847e21b67ff32/CloudTrailProcessorPolicy?at=master&fileviewer=file-view-default
There are two lines at the end of lambda_handler(). My rationale for putting the call at the end of lambda_handler() is that even if the call to 'myCloudTrailProcessor' throws an error for some reason, it won't prevent ProcessCloudTrailFunction from publishing records to SNS. Ordinarily, I would just submit pull reqs for these issues, but in the interest of opsec, I'm using a throwaway account.
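The pattern the reporter describes (publish to SNS first, then fire an optional user-configured Lambda so that a failure downstream can never suppress the alert) is shown here as an added example; it is not the reporter's code from the linked repository nor Space Crab's own ProcessCloudTrailFunction. Everything below is assumed for illustration: the environment variable name DOWNSTREAM_LAMBDA_ARN, the `publish_records` callable that stands in for Space Crab's processing/SNS logic, the constructed S3 event, and the fake Lambda client that replaces `boto3.client("lambda")` so the example runs offline. The ARN value is a placeholder built from the canonical AWS example account id and the function name mentioned in the thread.

```python
import json
import logging
import os

logger = logging.getLogger(__name__)

# Assumed environment variable (not from Space Crab): ARN of the optional downstream Lambda.
DOWNSTREAM_ARN_VAR = "DOWNSTREAM_LAMBDA_ARN"


def forward_event(event, lambda_client, arn):
    """Fire-and-forget the original S3 event to the user-provided downstream Lambda.

    Returns True when the asynchronous invoke was accepted, False when no ARN is
    configured or the call failed. Failures are logged and swallowed on purpose:
    this runs after the SNS publication, and must never undo or block it.
    """
    if not arn:
        return False  # opt-in feature: nothing configured, nothing to call
    try:
        resp = lambda_client.invoke(
            FunctionName=arn,
            InvocationType="Event",  # asynchronous: do not wait on downstream code
            Payload=json.dumps(event).encode("utf-8"),
        )
        return 200 <= int(resp.get("StatusCode", 0)) < 300
    except Exception:  # deliberately broad: any downstream problem is non-fatal here
        logger.exception("downstream invoke of %s failed; ignoring", arn)
        return False


def lambda_handler(event, context, publish_records, lambda_client, arn=None):
    """Ordering is the point: publish the honeytoken alerts first, forward last.

    publish_records(event) is an assumed stand-in for Space Crab's own processing
    and SNS publication; it returns the number of records published.
    """
    published = publish_records(event)
    arn = arn or os.environ.get(DOWNSTREAM_ARN_VAR)
    forwarded = forward_event(event, lambda_client, arn)
    return {"published": published, "forwarded": forwarded}


class FakeLambdaClient:
    """Constructed stand-in for boto3.client('lambda') so the example runs offline."""

    def __init__(self, fail=False):
        self.fail = fail
        self.calls = []

    def invoke(self, **kwargs):
        self.calls.append(kwargs)
        if self.fail:
            raise RuntimeError("simulated downstream failure")
        return {"StatusCode": 202}  # Lambda's response code for InvocationType=Event


# Constructed sample of the S3 event shape that a CloudTrail log delivery triggers.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventSource": "aws:s3",
            "s3": {
                "bucket": {"name": "example-cloudtrail-bucket"},
                "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/example.json.gz"},
            },
        }
    ]
}

# Placeholder ARN (example account id, function name taken from the thread).
EXAMPLE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:myCloudTrailProcessor"


def demo(fail_downstream=False, arn=EXAMPLE_ARN):
    """Run the handler once against the fake client; returns (result, client)."""
    client = FakeLambdaClient(fail=fail_downstream)
    result = lambda_handler(SAMPLE_EVENT, None, lambda e: len(e["Records"]), client, arn)
    return result, client


if __name__ == "__main__":
    print(demo())                      # downstream accepted the event
    print(demo(fail_downstream=True))  # downstream blew up, SNS publication unaffected
    print(demo(arn=None))              # feature not configured, nothing invoked
```

Two practical notes for anyone wiring this up: the execution role only needs `lambda:InvokeFunction` on that single downstream ARN as the `Resource`, not a wildcard, and the asynchronous `Event` invocation type means the processor's own timeout and error budget are not consumed by whatever the user-provided function does.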