7/25/2023

Alert canary website monitor

Jared Stroud, Cloud Security Researcher

Key Takeaways
- Canarytokens in AWS can aid defenders in post-compromise situations.
- Eventbridge allows you to create trigger events.
- Eventbridge custom event patterns allow for alerts on virtually every AWS resource.

Canarytokens are resources (directories/files/accounts/etc.) that exist to alert an administrator when they've been accessed. Sometimes referred to as "Honeytokens," Canarytokens can aid in alerting on post-compromise activity in enterprise environments. For example, by labeling a spreadsheet "passwords_2021.xls", the defender is hoping that if and when a compromise occurs, this file is taken and opened, causing a macro to be triggered, which in turn generates an alert to notify the appropriate stakeholders.

Thinkst, a security company, runs a free resource that allows an end user to run canarytokens for numerous file formats such as Excel spreadsheets and PDFs, and even network resources such as DNS records or unique web URLs. This resource is incredibly beneficial for the security community as a whole and was the catalyst for looking at ways to create canarytokens in cloud environments. Security researcher Dan Bourke extended this research with project SPACECRAB. Spacecrab generates new tokens with deny-all policies and logs any action these tokens take. Lacework Labs was inspired by both of these entities' research to publish their findings on creating alerts around internal AWS services being accessed.

This blog post focuses on how Lacework Labs leverages AWS Eventbridge to create alerting architecture around specific AWS services, such as a repo within ECR. At the end of this blog post, you'll be able to create simple notification services around AWS service events of your choice via Eventbridge and Lambda. This blog will focus on alerting when a specific image from the Elastic Container Registry (ECR) is pulled. The final architecture will look something like the image below.

[Figure: AWS Architecture Overview]

Eventbridge & Lambda – Building Simple Notification Pipelines

Per Amazon's Eventbridge documentation, Eventbridge is "a serverless event bus that makes it easier to build event-driven applications at scale." Eventbridge has the concept of "event buses" that receive events from AWS services, and rules that define what is being looked for in a given event. If a rule matches, a target (such as a Lambda function) is then executed. Eventbridge also supports a schedule feature so a rule can be run on a specific time interval in a cron format. Eventbridge makes the perfect candidate for building alerting infrastructure around a specific AWS resource being accessed.

The Eventbridge rule creation form has pre-populated event types for a variety of AWS services. For example, Figure 1 below shows a predefined pattern for an Elastic Container Registry (ECR) rule in the event a PUSH or DELETE action occurs. An end user can configure specific ECR image tags, repositories, actions, etc. for their Eventbridge rule.

[Figure 1: predefined ECR event pattern in the Eventbridge rule form]

The next section of the Eventbridge form specifies the "target" portion of the Eventbridge architecture. The target is what is invoked if an Eventbridge rule is matched. Up to five different targets can be configured to be triggered if a specific rule is matched. Several different targets exist at the time of this writing, but we will focus on Lambda functions. The SlackMsgPython function is a very simple Python script (code referenced from an AWS example) that sends the message "test-alert!" to a specific Slack webhook.

```python
#!/usr/bin/python3
import json
import urllib.request  # botocore.vendored.requests (used by the original AWS example) has since been removed from botocore; the stdlib client needs no vendored package

def lambda_handler(event, context):
    webhook_url = "slack-hook-url-goes-here"  # placeholder for the Slack incoming-webhook URL
    slack_data = {"text": "test-alert!"}  # the message this function sends to the webhook
    req = urllib.request.Request(webhook_url, data=json.dumps(slack_data).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as response:  # Slack answers 200 "ok" on success
        return {"statusCode": response.status}
```

Leveraging a webhook is one of the easiest ways to integrate alerting mechanisms with popular chat applications such as Slack. Given the numerous chat platforms that exist, configuring the webhook is out of scope for this blog post. Different targets exist that may make more sense for your environment or integrate with more complex alerting infrastructure via AWS SQS/SNS services. Eventbridge's event-driven architecture allows for powerful integration with existing AWS services, as well as custom notification pipelines.

Finally, if the defined image within the repository is pulled, the Eventbridge rule is matched, triggering a Lambda function, resulting in a Slack message based on how we configured the webhook.
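As an added example (not the post's or Lacework's code), here is the pull-side rule pattern together with a Lambda target that turns the matched event into a Slack alert carrying the caller's identity and source address. It assumes a constructed repository name, a SLACK_WEBHOOK_URL environment variable as a placeholder for the webhook setting, and that pulls arrive as CloudTrail BatchGetImage records, since the native ECR events only cover PUSH and DELETE.

```python
import json
import os
import urllib.request

# Constructed values (not from the original post): a repository that exists only to be pulled,
# and SLACK_WEBHOOK_URL as a placeholder name for the function's webhook setting.
CANARY_REPOSITORY = "prod-secrets-backup"

# Event pattern for the EventBridge rule. A pull is not a native "ECR Image Action" event
# (those cover PUSH/DELETE); it surfaces as the CloudTrail record for BatchGetImage.
EVENT_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ecr.amazonaws.com"], "eventName": ["BatchGetImage"],
               "requestParameters": {"repositoryName": [CANARY_REPOSITORY]}},
}

# Constructed EventBridge-delivered CloudTrail record, trimmed to the fields used below.
SAMPLE_EVENT = {"source": "aws.ecr", "detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
    "eventTime": "2023-07-25T12:00:00Z", "sourceIPAddress": "198.51.100.23",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
    "requestParameters": {"repositoryName": CANARY_REPOSITORY, "imageIds": [{"imageTag": "latest"}]}}}

def build_alert(event):
    """Return the Slack payload for any pull from the canary repository, or None otherwise."""
    detail = event.get("detail") or {}
    params = detail.get("requestParameters") or {}
    if detail.get("eventName") != "BatchGetImage" or params.get("repositoryName") != CANARY_REPOSITORY:
        return None
    # Report what was requested; a pull by digest carries imageDigest instead of imageTag.
    ids = [i.get("imageTag") or i.get("imageDigest") or "?" for i in params.get("imageIds") or []]
    who = (detail.get("userIdentity") or {}).get("arn", "unknown")
    text = (f":rotating_light: canary image pulled: {CANARY_REPOSITORY} ({', '.join(ids)})\n"
            f"principal: {who}\nsource ip: {detail.get('sourceIPAddress', 'unknown')}\n"
            f"time: {detail.get('eventTime', 'unknown')}")
    return {"text": text}

def lambda_handler(event, context):
    """Rule target: post the alert to SLACK_WEBHOOK_URL, or return the payload when it is unset."""
    payload = build_alert(event)
    webhook_url = os.environ.get("SLACK_WEBHOOK_URL")
    if payload is None or not webhook_url:
        return {"matched": payload is not None, "payload": payload}
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return {"matched": True, "status": resp.status}
```

The rule's Lambda target also needs CloudTrail to be recording ECR management events in the account, otherwise no BatchGetImage record ever reaches the event bus.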