December 7, 2018

AWS Logging and Analysis - Part 8.3 - GuardDuty Logging Lambda Function Deployment with CloudFormation

by 4hathacker  |  in AWS Logging and Analysis at  2:08 AM

Hi folks!!!

In the previous article, we devised a strategy to capture security incident logs with AWS GuardDuty and a Lambda function. However, as you may have noticed, GuardDuty and Lambda are both regional services in AWS. We created the whole setup in the Singapore region, so it will not give us the status of AWS resources in any other region.

It is highly recommended that AWS GuardDuty be enabled in all supported regions. But how do we go about that? Following the previous article step by step would take a lot of time, working through the AWS infrastructure in different regions one by one. To simplify this, AWS has a service for writing "Infrastructure as Code" (IaC). The service is none other than CloudFormation.

CloudFormation is also a regional service, used for writing infrastructure templates for deployment automation. Templates are written as text, in JSON or YAML format. A template, in turn, gives rise to our infrastructure, which is called a Stack. In this post, we will write a simple template for deploying our Lambda function in the Sydney region.

Note: This article follows the task-based approach defined in the previous two articles of the series.

Task 1: Writing the CloudFormation Template

Let's start writing the CloudFormation template by defining "AWSTemplateFormatVersion", which is universally defined as "2010-09-09". Note that we will be writing the template in YAML. Next we add a "Description", a string value giving high-level information about the template. The only mandatory part of a CloudFormation template is the "Resources" section.

Keeping in mind the AWS Logging architecture, let's decide which resources are needed:

1. A role to govern the Lambda function - GDF1LambdaRole

2. A Lambda role needs necessary policies to be attached - GDF1LambdaPolicy

3. A CloudWatch Events Rule required with the trigger pattern definition - GDFLambdaReporter

4. A trigger to invoke the Lambda Function - PermissionsForEventsInvokingGDFLambda

5. A Lambda function which gets the deployment code from S3 - GDFLambdaFunction

6. A CloudWatch Logs LogGroup resource to capture logs - GDFLogGroup

After defining all these resources, our template is complete and looks like below.
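As an added sketch (not the author's template from GitHub), a minimal YAML template wiring the six resources listed above could look like this. The runtime, handler, S3 key, fixed function name, retention period and the choice of GDFLogGroup as the function's own log group are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: GuardDuty findings to CloudWatch Logs via Lambda (added sketch)
Resources:
  GDF1LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - {Effect: Allow, Principal: {Service: lambda.amazonaws.com}, Action: "sts:AssumeRole"}
  GDF1LambdaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: GDF1LambdaPolicy
      Roles: [!Ref GDF1LambdaRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow   # write access scoped to the one log group below
            Action: ["logs:CreateLogStream", "logs:PutLogEvents"]
            Resource: !GetAtt GDFLogGroup.Arn
  GDFLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/GDFLambdaFunction   # assumed: the function's own log group
      RetentionInDays: 90                           # assumed retention
  GDFLambdaFunction:
    Type: AWS::Lambda::Function
    DependsOn: GDF1LambdaPolicy   # policy attached before first invocation
    Properties:
      FunctionName: GDFLambdaFunction               # fixed name so the log group path matches
      Runtime: python3.12                           # assumed
      Handler: lambda_function.lambda_handler       # assumed
      Role: !GetAtt GDF1LambdaRole.Arn
      Code: {S3Bucket: gdf-lambda-function, S3Key: REPLACE_WITH_ZIP_NAME.zip}   # key is a placeholder
  GDFLambdaReporter:
    Type: AWS::Events::Rule
    Properties:
      EventPattern: {source: [aws.guardduty], detail-type: [GuardDuty Finding]}
      Targets:
        - Arn: !GetAtt GDFLambdaFunction.Arn
          Id: GDFLambdaTarget
  PermissionsForEventsInvokingGDFLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GDFLambdaFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt GDFLambdaReporter.Arn   # only this rule may invoke
```

Lambda requires the code bucket to be in the same region as the stack, so deploying this to another region needs a copy of the zip in a bucket there.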

Task 2: Zip the file as "" and upload zipped file to S3 bucket with bucket name "gdf-lambda-function".

Task 3: Uploading CloudFormation Template

1. Go to "Services" and click on "CloudFormation" under "Management and Governance".

2. Browse and upload the YAML template file and proceed.

3. Enter Stack Name as "GDFLambdaDeployment" and click Next.

4. Leave the Options pane as it is and hit Next.

5. After this, CloudFormation will ask you to acknowledge CAPABILITY_IAM, because the template creates an IAM role. Check the acknowledgement and hit Create.

6. Now the template will start creating resources in the Stack, and you can see the progress in the Events and Resources sections.

7. On completion, the status will show "CREATE_COMPLETE" and all the resources will be listed under "Resources".

Manually check and confirm the Lambda function and Log Group.

To check that the setup is working, go to the GuardDuty dashboard and generate some sample events. Note that the Lambda code and CloudFormation template are available at my GitHub account.

This is how we can deploy a Lambda function using CloudFormation. However, we can reduce the CloudFormation template to fewer lines using AWS Serverless.

