Login
June 16, 2025|
Voiced by Amazon Polly |
Introduction
In today’s cloud-native world, managing and securing user permissions is one of the most critical aspects of maintaining a strong security posture. AWS Identity and Access Management (IAM) provides a powerful way to control access to AWS resources. However, the same power can be risky if IAM changes go unnoticed. An overly permissive policy, a mistakenly altered access level, or an unauthorized change can lead to potential security breaches.
For organizations operating in regulated environments or following best practices like least privilege, monitoring AWS IAM policy changes is not just helpful, it’s essential. Often, AWS IAM policies evolve, especially in dynamic development environments where different teams might deploy and iterate frequently. This means new permissions are being granted, existing ones modified, and sometimes even sensitive ones accidentally exposed. Without visibility into these changes, auditing, controlling, and responding to threats becomes difficult.
Automation is the key to bridging this gap. Using AWS native services like AWS CloudTrail, Amazon EventBridge, and AWS Lambda, you can create a proactive notification system that informs you in real-time whenever an AWS IAM policy is changed. Add Slack into the mix, and you’ve got instant visibility for your DevOps or SecOps teams.
This blog will walk you through how to:
- Detect AWS IAM policy changes using Amazon EventBridge and AWS CloudTrail.
- Trigger the AWS Lambda function to format the event details.
- Send these alerts directly to a Slack channel using a webhook.
The best part? You can set it up in minutes using the AWS CloudFormation (SAM) template.
Imagine a scenario where someone:
- Adds AdministratorAccess to a user
- Modifies a trusted role used by a CI/CD pipeline
- Deletes an AWS IAM user with access keys
These events should trigger immediate attention, and that’s exactly what we’ll automate in this post using Slack notifications integrated with AWS Lambda, Amazon EventBridge, and AWS CloudTrail.
Reference: If you haven’t already set up a Slack bot for pushing messages, follow this guide to get started:
Post Messages to Slack Using AWS Lambda Function URLs
We will set up the following:
- AWS CloudTrail to capture AWS IAM API activity
- Amazon EventBridge Rule to filter relevant AWS IAM changes
- AWS Lambda Function to format and send Slack messages
- Slack Webhook Integration for real-time alerts
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
AWS CloudFormation Template
Here’s the CFT to deploy the AWS Lambda function, AWS IAM role, and Amazon EventBridge rule.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Notify Slack on IAM policy changes via Lambda Parameters: SlackWebhookSSMParam: Type: String Default: "/IAM/slack/webhook/url" Description: SSM Parameter Name for Slack Webhook URL Resources: LambdaExecutionRole: Type: 'AWS::IAM::Role' Properties: RoleName: "IAMChangeNotificationRole" AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: 'sts:AssumeRole' Principal: Service: 'lambda.amazonaws.com' ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" IAMChangeNotifierFunction: Type: 'AWS::Serverless::Function' Properties: FunctionName: "IAMChangeNotifier" CodeUri: lambdaFunction/ Handler: 'iam_notify.lambda_handler' Runtime: "python3.12" Timeout: 60 Role: !GetAtt LambdaExecutionRole.Arn Environment: Variables: SLACK_WEBHOOK_URL: !Sub '{{resolve:ssm:${SlackWebhookSSMParam}}}' IAMChangeEventRule: Type: 'AWS::Events::Rule' Properties: Name: 'IAMChangeEventRule' EventPattern: source: - "aws.iam" detail-type: - "AWS API Call via CloudTrail" detail: eventSource: - "iam.amazonaws.com" eventName: - "PutRolePolicy" - "PutUserPolicy" - "AttachRolePolicy" - "AttachUserPolicy" - "DeleteUserPolicy" - "DetachRolePolicy" - "UpdateAssumeRolePolicy" Targets: - Arn: !GetAtt IAMChangeNotifierFunction.Arn Id: 'TargetFunctionV1' LambdaInvokePermission: Type: 'AWS::Lambda::Permission' Properties: Action: 'lambda:InvokeFunction' FunctionName: !Ref IAMChangeNotifierFunction Principal: 'events.amazonaws.com' SourceArn: !GetAtt IAMChangeEventRule.Arn Outputs: LambdaFunctionArn: Description: Lambda Function ARN Value: !GetAtt IAMChangeNotifierFunction.Arn |
Python Lambda Function: iam_notify.py
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
import json import os import urllib.request SLACK_WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"] def send_to_slack(message): payload = {"text": message} req = urllib.request.Request( SLACK_WEBHOOK_URL, data=json.dumps(payload).encode("utf-8"), headers={"Content-Type": "application/json"}, method="POST" ) with urllib.request.urlopen(req) as response: return response.read() def format_message(event): user = event["userIdentity"].get("arn", "Unknown") event_name = event.get("eventName", "UnknownEvent") timestamp = event.get("eventTime", "UnknownTime") request_params = json.dumps(event.get("requestParameters", {}), indent=2) return ( f"⚠️ *IAM Policy Change Detected*\n" f"*Event:* `{event_name}`\n" f"*User:* `{user}`\n" f"*Time:* `{timestamp}`\n" f"*Details:*\n```{request_params}```" ) def lambda_handler(event, context): if "detail" in event: msg = format_message(event["detail"]) send_to_slack(msg) return {"statusCode": 200, "body": "Notification sent"} return {"statusCode": 400, "body": "Invalid event"} |
Test It Out
- Deploy the stack with your Slack webhook SSM param already created.
- Perform an AWS IAM action such as:
|
1 |
aws iam attach-user-policy --user-name test-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess |
3. Check your Slack channel, and the notification should arrive in seconds.
Why Monitor AWS IAM Policy Changes?
- Security: Detect privilege escalation attempts in real-time.
- Governance: Ensure only authorized CI/CD pipelines or users make changes.
- Compliance: Maintain an audit trail for regulatory requirements.
Conclusion
Drop a query if you have any questions regarding AWS IAM and we will get back to you quickly.
Empowering organizations to become ‘data driven’ enterprises with our Cloud experts.
- Reduced infrastructure costs
- Timely data-driven decisions
About CloudThat
CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.
FAQs
1. What if I want to monitor more AWS IAM actions?
ANS: – You can expand the eventName list using the EventBridge rule. Include events like CreateUser, DeleteRole, UpdateGroup, etc.
2. How do I secure the Slack webhook URL?
ANS: – Store it in SSM Parameter Store as a SecureString, then fetch it in Lambda using the ${resolve:ssm:} syntax.
WRITTEN BY Deepak S
Deepak S works as a Research Intern at CloudThat. His expertise lies in AWS's services. Deepak is good at haunting new technologies and automobile enthusiasts.
PREV
Comments