AWS Guardduty to Slack

Olivier Butterbach
5 min read · Jan 7, 2020

Here is a quick guide to sending AWS GuardDuty findings to a Slack channel. In this example, a main AWS account (the GuardDuty master) is linked to its member accounts using Terraform.

AWS Account Data flow

AWS GuardDuty is a threat detection service provided by AWS that is cost effective and easy to set up. This guide uses Terraform files stored in the following GitHub repository:

I. First off

Using Terraform 0.12, start by declaring all your AWS accounts and their provider aliases in a dedicated file ( in this case):

Once completed, add your backend:

The bucket-owner-full-control ACL lets the main AWS account keep control of the state object even when it is written through a different profile (for example an assumed role in a member account), which is handy when you switch between several profiles. Since the state can contain sensitive values, also enable server-side encryption and versioning on that bucket.
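As an added example (not the files from the post's repository), here is what the accounts file and the backend could look like for a main account and two member accounts reached through assumed roles; the account IDs, role name, bucket and DynamoDB table names are placeholders:

```hcl
# Added example, not the post's own code. Account IDs, role name, bucket and
# table names are placeholders.
terraform {
  required_version = "~> 0.12"

  backend "s3" {
    bucket         = "my-org-terraform-state"     # assumed bucket in the main account
    key            = "guardduty/terraform.tfstate"
    region         = "eu-west-1"
    profile        = "main"                       # credentials of the main account
    acl            = "bucket-owner-full-control"  # main account keeps control of the object
    encrypt        = true                         # server-side encryption of the state
    dynamodb_table = "terraform-state-lock"       # assumed table; prevents concurrent applies
  }
}

# Main account: GuardDuty master, also the default provider
provider "aws" {
  region  = "eu-west-1"
  profile = "main"
}

# Member accounts: each one is reached by assuming a role from the main account,
# so only the main account's credentials are ever needed locally
provider "aws" {
  alias  = "member_dev"
  region = "eu-west-1"

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole" # placeholder
  }
}

provider "aws" {
  alias  = "member_prod"
  region = "eu-west-1"

  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole" # placeholder
  }
}
```

The backend block cannot reference variables, so the bucket and table names are literals. The DynamoDB table is not required by the post but is the standard way to lock the state when several people (or a pipeline) can run apply.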

II. Modules

This project uses the following modules:

  • AWS Guardduty Master
  • AWS Guardduty Members
  • AWS Guardduty Invitations
  • AWS Guardduty Slack notifications
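As an added example that is not the post's module code, here is the master/member/invitation flow for a single member account written as plain resources. It assumes the provider alias aws.member_dev from the accounts file; the account ID and email are placeholders.

```hcl
# Added example, not the post's modules. Assumes a default provider for the
# main account and an alias "aws.member_dev" for one member account.
variable "member_dev_account_id" {
  default = "111111111111"        # placeholder
}

variable "member_dev_email" {
  default = "aws-dev@example.com" # placeholder: root email of the member account
}

data "aws_caller_identity" "main" {}

# 1. Detector in the main account (GuardDuty master)
resource "aws_guardduty_detector" "master" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# 2. Detector in the member account, created through the aliased provider
resource "aws_guardduty_detector" "member_dev" {
  provider = aws.member_dev
  enable   = true
}

# 3. Invite the member from the main account
resource "aws_guardduty_member" "member_dev" {
  account_id                 = var.member_dev_account_id
  detector_id                = aws_guardduty_detector.master.id
  email                      = var.member_dev_email
  invite                     = true
  disable_email_notification = true # the accepter below handles it, no mail needed
}

# 4. Accept the invitation from inside the member account
resource "aws_guardduty_invite_accepter" "member_dev" {
  provider          = aws.member_dev
  detector_id       = aws_guardduty_detector.member_dev.id
  master_account_id = data.aws_caller_identity.main.account_id

  depends_on = [aws_guardduty_member.member_dev]
}
```

Once the invitation is accepted, findings from the member account show up in the master account's detector, which is why a single notification pipeline in the main account is enough.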

III. Lambda function

This project uses a bash script to install dependencies, test and package the Lambda function:

The resulting zip file must be present on the local file system before you run the Terraform plan.

Prepare a Python virtual environment and activate it before running the script in your terminal:

$ source venv/bin/activate

IV. Slack configuration

Create a new App

Slack now uses the Slack API site for creating and installing applications; it is easy to get started.

Enable Incoming Webhooks for the app and add a new webhook to your workspace. Once you select the channel, you will see a confirmation message with the webhook URL:

V. SSM parameters

The system fetches the following three values from SSM Parameter Store:

  • Slack Channel
  • Slack Incoming webhook
  • Email address used by the root account

Create these three parameters in the main account. Store the webhook URL as a SecureString: anyone holding it can post to the channel, so treat it like a credential.

AWS Systems Manager
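The Slack notification module and the SSM parameters fit together as follows: a CloudWatch Events rule matches every GuardDuty finding and invokes a Lambda function that reads the parameters and posts to Slack. This is an added example, not the post's module; the parameter names, the zip path, the runtime and the handler name are assumptions.

```hcl
# Added example, not the post's module. Parameter names, zip path, runtime
# and handler name are assumptions.
variable "lambda_zip" {
  default = "lambda/guardduty_to_slack.zip" # built by the packaging script; must exist before plan
}

# Names of the three SSM parameters created by hand in the main account
locals {
  ssm_params = {
    SLACK_CHANNEL_PARAM = "/guardduty/slack/channel"
    SLACK_WEBHOOK_PARAM = "/guardduty/slack/webhook" # SecureString
    ROOT_EMAIL_PARAM    = "/guardduty/root_email"
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_iam_role" "lambda" {
  name = "guardduty-to-slack"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

# Least privilege: CloudWatch Logs plus GetParameter on exactly the three parameters.
# The ARNs are built from the names so the decrypted webhook never enters the state file.
resource "aws_iam_role_policy" "lambda" {
  role = aws_iam_role.lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "arn:aws:logs:*:*:*"
      },
      {
        Effect = "Allow"
        Action = ["ssm:GetParameter", "ssm:GetParameters"]
        Resource = [
          for name in values(local.ssm_params) :
          "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${name}"
        ]
      },
    ]
  })
}

resource "aws_lambda_function" "slack" {
  function_name    = "guardduty-to-slack"
  role             = aws_iam_role.lambda.arn
  handler          = "handler.lambda_handler" # assumed entry point inside the zip
  runtime          = "python3.8"
  filename         = var.lambda_zip
  source_code_hash = filebase64sha256(var.lambda_zip) # forces an update when the zip changes

  environment {
    # Only the parameter names are exposed; the function fetches the values at run time
    variables = local.ssm_params
  }
}

# Match every GuardDuty finding delivered through CloudWatch Events
resource "aws_cloudwatch_event_rule" "guardduty" {
  name = "guardduty-findings"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
  })
}

resource "aws_cloudwatch_event_target" "lambda" {
  rule = aws_cloudwatch_event_rule.guardduty.name
  arn  = aws_lambda_function.slack.arn
}

# Without this permission the rule is created but every invocation is denied
resource "aws_lambda_permission" "events" {
  statement_id  = "AllowExecutionFromCloudWatchEvents"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.slack.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.guardduty.arn
}
```

The function only receives the parameter names and must call ssm:GetParameter with WithDecryption at run time. Reading the webhook through a data "aws_ssm_parameter" block would also work, but the decrypted value would then be written to the state file, which is why the policy ARNs are derived from the names instead. If the SecureString is encrypted with a customer-managed KMS key rather than the default SSM key, the role additionally needs kms:Decrypt on that key.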

VI. Deploy!

Package your Lambda script first:

Then run the terraform init command:

Finally, apply the changes with Terraform:

Apply complete! Resources: 0 added, 16 changed, 0 destroyed.

Congratulations 🎉 A state file should now be present in your bucket:

Terraform state file appears after applying the plan

VII. Testing your deployment

After logging in to the AWS Console, open GuardDuty and go to Settings. You can generate sample findings from that page by clicking "Generate sample finding", as follows:

Generate finding for testing your deployment

Once triggered, messages should start appearing in Slack, as follows. Note that sample findings are generated for every finding type at once, so expect a burst of messages rather than a single one:

