Latest commit: Ben Potter, Apr 11, 2018 (bb82e2f)

IAM Access Denied Responder

This example solution sets up an automated response when an access denied error appears in a CloudTrail event, when an authentication attempt to the AWS console fails, or when a Client.UnauthorizedOperation error occurs.

Architecture overview

Figure: incident response architecture (diagram)

The template is designed to let you easily add your own responses and your own messaging integrations. Additional responses can be added by subscribing to the sec-ir-AccessDeniedTopic. We have provided code to publish to Slack and Chime. If you wish to publish to additional channels, add another subscription to the sec-ir-SecurityMessages topic.
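The following is an added example, not code from this repository, showing the detection half of the flow described above: it takes CloudTrail records, picks out the three conditions the solution reacts to (an access denied error, a failed console login, and a Client.UnauthorizedOperation error), and builds the message a responder subscribed to the topic would receive. It assumes the records arrive as a CloudWatch Logs subscription payload (base64 + gzip, which is how CloudWatch Logs delivers to Lambda) and takes the publish call as a parameter so it runs offline; the topic ARN and the sample records are constructed placeholders.

```python
"""Added example (not the project's own code): classify the three
access-denied conditions named in the README and turn each matching
CloudTrail record into a message for the sec-ir-AccessDeniedTopic.

Assumptions (not from the page): records arrive via a CloudWatch Logs
subscription filter, and the SNS publish call is injected so this runs
offline (wire in boto3 sns.publish for a real deployment).
"""
import base64
import gzip
import json
from typing import Callable, List, Optional

# Constructed placeholder; the real ARN comes from the deployed stack.
ACCESS_DENIED_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT_ID:sec-ir-AccessDeniedTopic"


def classify_event(record: dict) -> Optional[str]:
    """Return which condition a CloudTrail record matches, or None."""
    error_code = record.get("errorCode") or ""
    if error_code == "Client.UnauthorizedOperation":
        return "UnauthorizedOperation"
    # Covers "AccessDenied" and service-specific "AccessDeniedException".
    if error_code.startswith("AccessDenied"):
        return "AccessDenied"
    # responseElements is null on many records, so guard before .get().
    response = record.get("responseElements") or {}
    if record.get("eventName") == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
        return "ConsoleLoginFailure"
    return None


def describe_identity(record: dict) -> str:
    """Best available name for the principal that was denied."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def build_message(record: dict) -> Optional[dict]:
    """Shape the fields a downstream responder or chat integration needs."""
    kind = classify_event(record)
    if kind is None:
        return None
    return {
        "kind": kind,
        "account": record.get("recipientAccountId"),
        "region": record.get("awsRegion"),
        "time": record.get("eventTime"),
        "identity": describe_identity(record),
        "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        "sourceIp": record.get("sourceIPAddress"),
        "error": record.get("errorMessage") or record.get("errorCode"),
    }


def decode_log_events(event: dict) -> List[dict]:
    """Unpack the base64+gzip 'awslogs' payload and parse each CloudTrail JSON record."""
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw))
    records = []
    for log_event in payload.get("logEvents", []):
        try:
            records.append(json.loads(log_event["message"]))
        except (KeyError, json.JSONDecodeError):
            continue  # not a CloudTrail record; skip rather than fail the batch
    return records


def lambda_handler(event: dict, context=None,
                   publish: Optional[Callable[[str, str], None]] = None) -> List[dict]:
    """Publish one message per matching record; returns the messages published."""
    if publish is None:
        publish = lambda topic_arn, body: None  # no-op stand-in for sns.publish
    sent = []
    for record in decode_log_events(event):
        message = build_message(record)
        if message:
            publish(ACCESS_DENIED_TOPIC_ARN, json.dumps(message))
            sent.append(message)
    return sent


def make_sample_event() -> dict:
    """Constructed CloudWatch Logs subscription event: three hits and one benign call."""
    alice = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
    records = [
        {"eventTime": "2018-04-11T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111122223333",
         "userIdentity": alice, "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
        {"eventTime": "2018-04-11T10:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111122223333",
         "userIdentity": alice, "responseElements": {"ConsoleLogin": "Failure"}},
        {"eventTime": "2018-04-11T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111122223333",
         "userIdentity": alice, "errorCode": "Client.UnauthorizedOperation", "responseElements": None},
        {"eventTime": "2018-04-11T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
         "awsRegion": "us-east-1", "userIdentity": alice, "responseElements": None},
    ]
    log_events = [{"id": str(i), "timestamp": 0, "message": json.dumps(r)} for i, r in enumerate(records)]
    payload = {"messageType": "DATA_MESSAGE", "logGroup": "CloudTrail/DefaultLogGroup", "logEvents": log_events}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


if __name__ == "__main__":
    for m in lambda_handler(make_sample_event(), publish=lambda arn, body: print("->", arn, body)):
        print(m["kind"], m["identity"], m["event"])
```

The handler returns the messages it published, so the same function can be exercised locally with a no-op publisher and then pointed at boto3's sns.publish in the deployed Lambda; the successful ListBuckets record in the sample is deliberately ignored, which is the check that keeps the topic from being flooded with ordinary traffic.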

Launching the template

  1. Ensure that a CloudTrail trail delivering events to CloudWatch Logs exists
  2. Bundle each module for uploading into S3. General instructions are available in the AWS documentation.
    • Ensure you create an archive of the files in the folder, not of the folder itself
    • For publish-security-messages, the Chime and Slack integrations provided depend on the requests module; ensure any custom integration dependencies are also included in the bundle
    • generate-security-messages has no dependencies unless you add custom responses
  3. Upload the bundles to an S3 bucket
  4. Launch the AccessDeniedRespones.yaml CloudFormation template and fill in the parameters as per each description

Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

http://aws.amazon.com/apache2.0/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.