Introduction
In today’s cloud-native world, managing and securing user permissions is one of the most critical aspects of maintaining a strong security posture. AWS Identity and Access Management (IAM) provides a powerful way to control access to AWS resources. However, the same power can be risky if IAM changes go unnoticed. An overly permissive policy, a mistakenly altered access level, or an unauthorized change can lead to potential security breaches.
For organizations operating in regulated environments or following best practices like least privilege, monitoring AWS IAM policy changes is not just helpful, it’s essential. Often, AWS IAM policies evolve, especially in dynamic development environments where different teams might deploy and iterate frequently. This means new permissions are being granted, existing ones modified, and sometimes even sensitive ones accidentally exposed. Without visibility into these changes, auditing, controlling, and responding to threats becomes difficult.
Automation is the key to bridging this gap. Using AWS native services like AWS CloudTrail, Amazon EventBridge, and AWS Lambda, you can create a proactive notification system that informs you in real-time whenever an AWS IAM policy is changed. Add Slack into the mix, and you’ve got instant visibility for your DevOps or SecOps teams.
This blog will walk you through how to:
- Detect AWS IAM policy changes using Amazon EventBridge and AWS CloudTrail.
- Trigger an AWS Lambda function that formats the event details.
- Send these alerts directly to a Slack channel using a webhook.
The best part? You can set it up in minutes using the AWS CloudFormation (SAM) template.
Imagine a scenario where someone:
- Adds AdministratorAccess to a user
- Modifies a trusted role used by a CI/CD pipeline
- Deletes an AWS IAM user with access keys
These events should trigger immediate attention, and that’s exactly what we’ll automate in this post using Slack notifications integrated with AWS Lambda, Amazon EventBridge, and AWS CloudTrail.
Reference: If you haven’t already set up a Slack bot for pushing messages, follow this guide to get started:
Post Messages to Slack Using AWS Lambda Function URLs
We will set up the following:
- AWS CloudTrail to capture AWS IAM API activity
- Amazon EventBridge Rule to filter relevant AWS IAM changes
- AWS Lambda Function to format and send Slack messages
- Slack Webhook Integration for real-time alerts
AWS CloudFormation Template
Here's the CloudFormation (SAM) template that deploys the AWS Lambda function, its AWS IAM role, and the Amazon EventBridge rule. Because IAM is a global service, its CloudTrail API events reach EventBridge only in us-east-1 (N. Virginia), so deploy the stack in that region.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Notify Slack on IAM policy changes via Lambda

Parameters:
  SlackWebhookSSMParam:
    Type: String
    Default: "/IAM/slack/webhook/url"
    Description: SSM Parameter Name for Slack Webhook URL

Resources:
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: "IAMChangeNotificationRole"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action: 'sts:AssumeRole'
            Principal:
              Service: 'lambda.amazonaws.com'
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

  IAMChangeNotifierFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: "IAMChangeNotifier"
      CodeUri: lambdaFunction/
      Handler: 'iam_notify.lambda_handler'
      Runtime: "python3.12"
      Timeout: 60
      Role: !GetAtt LambdaExecutionRole.Arn
      Environment:
        Variables:
          SLACK_WEBHOOK_URL: !Sub '{{resolve:ssm:${SlackWebhookSSMParam}}}'

  IAMChangeEventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: 'IAMChangeEventRule'
      EventPattern:
        source:
          - "aws.iam"
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "iam.amazonaws.com"
          eventName:
            - "PutRolePolicy"
            - "PutUserPolicy"
            - "AttachRolePolicy"
            - "AttachUserPolicy"
            - "DeleteUserPolicy"
            - "DetachRolePolicy"
            - "UpdateAssumeRolePolicy"
      Targets:
        - Arn: !GetAtt IAMChangeNotifierFunction.Arn
          Id: 'TargetFunctionV1'

  LambdaInvokePermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !Ref IAMChangeNotifierFunction
      Principal: 'events.amazonaws.com'
      SourceArn: !GetAtt IAMChangeEventRule.Arn

Outputs:
  LambdaFunctionArn:
    Description: Lambda Function ARN
    Value: !GetAtt IAMChangeNotifierFunction.Arn
```
Python Lambda Function: iam_notify.py
````python
import json
import os
import urllib.request

# Injected by CloudFormation from SSM Parameter Store at deploy time (see the template).
SLACK_WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]


def send_to_slack(message):
    """POST a plain-text message to the Slack incoming webhook."""
    payload = {"text": message}
    req = urllib.request.Request(
        SLACK_WEBHOOK_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST"
    )
    with urllib.request.urlopen(req) as response:
        return response.read()


def format_message(event):
    """Build the Slack text from the CloudTrail record carried in the event's detail."""
    user = event["userIdentity"].get("arn", "Unknown")
    event_name = event.get("eventName", "UnknownEvent")
    timestamp = event.get("eventTime", "UnknownTime")
    request_params = json.dumps(event.get("requestParameters", {}), indent=2)
    return (
        f"⚠️ *IAM Policy Change Detected*\n"
        f"*Event:* `{event_name}`\n"
        f"*User:* `{user}`\n"
        f"*Time:* `{timestamp}`\n"
        f"*Details:*\n```{request_params}```"
    )


def lambda_handler(event, context):
    # EventBridge delivers the CloudTrail record under the "detail" key.
    if "detail" in event:
        msg = format_message(event["detail"])
        send_to_slack(msg)
        return {"statusCode": 200, "body": "Notification sent"}
    return {"statusCode": 400, "body": "Invalid event"}
````
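Before deploying, it helps to exercise the rule's filter and the Lambda's formatting logic offline. The following is an added example, not code from the post: it mirrors the template's EventPattern in a local `matches_rule` check, feeds the handler a constructed EventBridge event shaped like the record the `aws iam attach-user-policy` test command produces, and adds a severity tag (the `HIGH_RISK_POLICY_ARNS` set and the `errorCode` handling are assumptions, not part of the original) so a denied call or an AdministratorAccess attachment stands out. The `send` parameter is injectable so nothing reaches Slack during the dry run.

```python
import json

# Same eventName list as the EventBridge rule in the template above.
WATCHED_EVENTS = {"PutRolePolicy", "PutUserPolicy", "AttachRolePolicy", "AttachUserPolicy",
                  "DeleteUserPolicy", "DetachRolePolicy", "UpdateAssumeRolePolicy"}
# Assumed (not from the post): managed policies that deserve a louder alert.
HIGH_RISK_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Constructed EventBridge event, shaped like the CloudTrail record produced by
# the `aws iam attach-user-policy` test command in the post.
SAMPLE_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "eventTime": "2024-01-01T00:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "test-user",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
}

def matches_rule(event):
    """Local check mirroring the template's EventPattern (every listed field must match)."""
    d = event.get("detail", {})
    return (event.get("source") == "aws.iam"
            and event.get("detail-type") == "AWS API Call via CloudTrail"
            and d.get("eventSource") == "iam.amazonaws.com"
            and d.get("eventName") in WATCHED_EVENTS)

def classify(detail):
    """'FAILED' when CloudTrail recorded an errorCode (call was denied), 'HIGH' for risky ARNs."""
    if "errorCode" in detail:
        return "FAILED"
    params = detail.get("requestParameters") or {}
    return "HIGH" if params.get("policyArn") in HIGH_RISK_POLICY_ARNS else "INFO"

def format_message(detail):
    level = classify(detail)
    params = json.dumps(detail.get("requestParameters", {}), indent=2)
    return (f"[{level}] IAM change: {detail.get('eventName')} by "
            f"{detail.get('userIdentity', {}).get('arn', 'Unknown')} "
            f"at {detail.get('eventTime', 'UnknownTime')}\n{params}")

def lambda_handler(event, context, send=print):
    """Same contract as the post's handler; `send` is injectable so it runs offline."""
    if not matches_rule(event):
        return {"statusCode": 400, "body": "Invalid event"}
    send(format_message(event["detail"]))
    return {"statusCode": 200, "body": "Notification sent"}
```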
Test It Out
1. Deploy the stack with your Slack webhook SSM parameter already created.
2. Perform an AWS IAM action such as:

```bash
aws iam attach-user-policy --user-name test-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

3. Check your Slack channel; the notification should arrive in seconds.
Why Monitor AWS IAM Policy Changes?
- Security: Detect privilege escalation attempts in real-time.
- Governance: Ensure only authorized CI/CD pipelines or users make changes.
- Compliance: Maintain an audit trail for regulatory requirements.
Conclusion
Drop a query if you have any questions regarding AWS IAM and we will get back to you quickly.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. What if I want to monitor more AWS IAM actions?
ANS: – You can expand the eventName list in the EventBridge rule's EventPattern. Include events like CreateUser, DeleteRole, UpdateGroup, etc.
2. How do I secure the Slack webhook URL?
ANS: – Store it in SSM Parameter Store as a SecureString and reference it from the template with the `{{resolve:ssm:...}}` dynamic reference, as the template above does. Note that `{{resolve:ssm:...}}` reads plain String parameters; a SecureString needs `{{resolve:ssm-secure:...}}`, which CloudFormation does not support for Lambda environment variables, so for a SecureString fetch the value at runtime inside the function instead (for example with boto3 `get_parameter(Name=..., WithDecryption=True)`).

WRITTEN BY Deepak S
Deepak S works as a Research Intern at CloudThat. His expertise lies in AWS services. Deepak is good at hunting for new technologies and is an automobile enthusiast.