Total Pageviews


June 15, 2018

AWS Logging and Analysis - Part 5 - Sending Alerts for Security Incidents on the basis of AWS Log Filtering

by 4hathacker  |  in AWS Logging and Analysis at  3:58 PM

Hi folks !!!

Welcome to AWS Logging and Analysis quest...

In the previous article, we have discussed about use of Lambda function for filtering log events. In this post, we will see how we can generate alerts for particular events in the AWS.

To ensure the security and integrity of information or data, we will always set some benchmarks and try to figure out the deviation from them. In this post, I would like to give you one example for AWS benchmarks. To check and configure security options with AWS, Centre for Internet Security (CIS)  has documented AWS-CIS-Foundation-Benchmarks. This document comprises of  some security recommendations for AWS covering four aspects viz. Identity and Access Mangement, Logging, Monitoring and Networking. This whole quest - AWS Logging and Analysis is based on the recommendations provided in the same.

The very first recommendation says - 'Avoid the use of the "root" account'. Its recommended to create users with appropriate privileges to work in AWS environment. Because, Root has the highest privileges to do any activity which is dangerous. This is the simple case, we will be considering with our alert generation.

Also, I feel that the master log bucket ('all-logs-bucket123') and filtered logs bucket ('all-logs-filtered-123') must not be deleted at any cost. Ensure that bucket versioning is enabled on them, so that you can recover the content post accidental deletion or overwrite. Similarly, the universal trail ('all-logs-trail123') has also immense importance.

Scenario: With respect to above mentioned security aspects, we will be generating alerts for three events:
1. Root Activity
2. Log Bucket Deletion
3. Log Trail Deletion

For the alert generation, I preferred here to go with the AWS SES (Simple Email Service). This will emphasize more on security perspective. Suppose if a critical security incident happened, e.g. a root activity is found in the logs, being not allowed. So, the IT Team must notify the Security Team to investigate the issue further. Also, the IT Team must provide the IP, Time of Activity and all other important information to Security Team. This is where SES can help out.

AWS SES is currently available in three regions as per AWS documentation. I have used N.Virginia (us-east-1) region to verify two email addresses,
1.Sender -  IT Team <>
2. Recipient - Security Team <>

Steps to verify email addresses in AWS SES:
1. Go to, Services --> Customer Engagement --> Simple Email Service.

2. In SES Home --> Identity Management --> Email Addresses
3. Click on Verify a new email address. A pop up will appear. Enter the email address and click Verify. Do this for both sender and recipient address.

4. A verification link will be sent to the addresses. Click and verify.

Now, lets make some modifications in our previously written Lambda code. 

1. I have included some more services and events for filtering out from the CloudWatch Logs Log Group. Now, this includes,  ec2, vpc, s3, cloudtrail, securitygroup and loginevents. Do make a note, I have included only Create, Modify and Delete events.

2. To check for the critical buckets and trails, I have used a tuple and a flag variable. If any critical event found, the flag and subject of mail will change.

3. The SES mailing snippet is very simple to understand. If you have better understanding with SES and S3, you can store and retrieve the mailing contents.

4. In the previous function, I was storing the filtered log events as JSON only. This time I have added a gzipper snippet, which writes the JSON in gzipped format in /tmp of Lambda and then store it in respective folder of S3 bucket.

5. To make Lambda capable of sending email through SES, attach a sendemail policy to the Lambda function role (my_log_filter_role) via IAM.

Upon testing with a dummy critical trail and bucket, I found that the function is working appropriately. Please find the notification email in the image below. 


I have tried to remain as specific and to the point in the mails sent via AWS-SES. It depends on the requirement, what information must be communicated in case of any security incident. You can find the complete Lambda Function at my Github.


Like Our Facebook Page

Nitin Sharma's DEV Profile
Proudly Designed by 4hathacker.