AWS Guardduty to Slack

AWS Account Data flow

I. First off

II. Modules

  • AWS Guardduty Master
  • AWS Guardduty Members
  • AWS Guardduty Invitations
  • AWS Guardduty Slack notifications

III. Lambda function

$ virtualenv -p python3 venv
Running virtualenv with interpreter /usr/local/bin/python3
Using base prefix '/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7'
New python executable in /Users/oli/Documents/venv/bin/python3.7
Also creating executable in /Users/oli/Documents/venv/bin/python
Installing setuptools, pip, wheel...
$ source venv/bin/activate

IV. Slack configuration

Create a new App
Enable Incoming Webhooks
Once you select your channel, you’ll receive this message

V. SSM parameters

  • Slack Channel
  • Slack Incoming webhook
  • Email address used by the root account
AWS System Manager

VI. Deploy!

21:50 $ ./
Collecting pylint
Downloading pylint-2.4.4-py3-none-any.whl (302 kB)
|████████████████████████████████| 302 kB 1.4 MB/s
Collecting mccabe<0.7,>=0.6
Using cached mccabe-0.6.1-py2.py3-none-any.whl (8.6 kB)
Collecting astroid<2.4,>=2.3.0
Downloading astroid-2.3.3-py3-none-any.whl (205 kB)
|████████████████████████████████| 205 kB 1.9 MB/s
Collecting isort<5,>=4.2.5
Using cached isort-4.3.21-py2.py3-none-any.whl (42 kB)
Processing /Users/oli/Library/Caches/pip/wheels/d7/de/2e/efa132238792efb6459a96e85916ef8597fcb3d2ae51590dfd/wrapt-1.11.2-cp37-cp37m-macosx_10_14_x86_64.whl
Collecting six~=1.12
Downloading six-1.14.0-py2.py3-none-any.whl (10 kB)
Collecting typed-ast<1.5,>=1.4.0; implementation_name == "cpython" and python_version < "3.8"
Downloading typed_ast-1.4.1-cp37-cp37m-macosx_10_9_x86_64.whl (223 kB)
|████████████████████████████████| 223 kB 9.4 MB/s
Collecting lazy-object-proxy==1.4.*
Using cached lazy_object_proxy-1.4.3-cp37-cp37m-macosx_10_13_x86_64.whl (19 kB)
Installing collected packages: mccabe, wrapt, six, typed-ast, lazy-object-proxy, astroid, isort, pylint
Successfully installed astroid-2.3.3 isort-4.3.21 lazy-object-proxy-1.4.3 mccabe-0.6.1 pylint-2.4.4 six-1.14.0 typed-ast-1.4.1 wrapt-1.11.2
~/Documents/AWS_Guardduty_Slack_integration/modules/sns-guardduty-slack ~/Documents/AWS_Guardduty_Slack_integration/modules
Your code has been rated at 10.00/10
~/Documents/AWS_Guardduty_Slack_integration/modules/sns-guardduty-slack ~/Documents/AWS_Guardduty_Slack_integration/modules
adding: (deflated 68%)
17:17 $ terraform init
Initializing modules...
- aws_guardduty_invite_member in modules/guardduty-invitation
- aws_guardduty_master in modules/guardduty-master
- aws_guardduty_member in modules/guardduty-member
- aws_guardduty_sns_notifications in modules/sns-guardduty-slack
Initializing the backend...Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.55.0...
Terraform has been successfully initialized!You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
17:39 $ terraform apply Refreshing state... Refreshing state... Refreshing state...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:# module.aws_guardduty_invite_member.aws_guardduty_member.members will be created
+ resource "aws_guardduty_member" "members" {
+ account_id = "123456789012"
+ detector_id = (known after apply)
+ email = ""
+ id = (known after apply)
+ invitation_message = "please accept guardduty invitation"
+ invite = true
+ relationship_status = (known after apply)
# module.aws_guardduty_master.aws_cloudwatch_event_rule.main will be created
+ resource "aws_cloudwatch_event_rule" "main" {
+ arn = (known after apply)
+ description = "AWS GuardDuty event findings"
+ event_pattern = jsonencode(
+ detail = {
+ severity = [
+ 3,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
Apply complete! Resources: 0 added, 16 changed, 0 destroyed.
Terraform state file appears after applying the plan

VII. Testing your deployment

Generate finding for testing your deployment




Cloud technologies and solutions lover,

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Planning the next decade, the 4 strategic tools

Metaverse Explained: Plugins, an easy way to connect to Metaverse

Introducing conjunction choices

Git Revert multiple commits at a time — Technolize Your Future

Building simulations with a Go cellular automata framework


Flash Stock Rom on Itel IT1508 plus

Flash Stock Rom on Itel

Optimizing and Monitoring a Trading System with Quantiacs

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Olivier Butterbach

Olivier Butterbach

Cloud technologies and solutions lover,

More from Medium

Embedded CAIOS Eliminates the Cloud Installation Step

How to set up WordPress with a dedicated Database Server along with NAT Gateway on AWS Cloud?

How do AWS products fulfill CI/CD requirements?

How to setup Mattermost alerts on AWS Cloud Events