Using Lambda Function with CloudTrail



AWS CloudTrail is a service available with Amazon that logs all the activity performed in the AWS console. It records every API call and stores the history, which can be used later for debugging purposes. Note that we cannot trigger Lambda from CloudTrail. Instead, CloudTrail delivers its logs as files to an S3 bucket, and we can trigger AWS Lambda from S3. So whenever a new log file is added to the S3 bucket, AWS Lambda gets triggered and can process it.

Requisites

Before you start to work with AWS CloudTrail, S3 and AWS Lambda, you need to perform the following −

  • Create S3 bucket to store CloudTrail logs
  • Create SNS service
  • Create a trail in CloudTrail and assign the S3 bucket and SNS service
  • Create IAM role with permissions
  • Create AWS Lambda function
  • AWS Lambda configuration

Example

Let us consider an example which shows the working of AWS CloudTrail, S3 and AWS Lambda. Here, we will create a bucket in S3 which will store all the logs for any interaction done in the AWS console. We will then create an SNS topic and publish to it. For this action, the log will be written as a file to S3. AWS Lambda will get triggered and will send a mail using the Amazon SES service.

The block diagram for explaining this process is as shown below −

[Figure: Block Diagram CloudTrail]

Create S3 Bucket to Store CloudTrail logs

Go to the AWS console and click the S3 service. Click Create bucket and enter the name of the bucket in which you want to store the CloudTrail logs, as shown −

[Figure: Create Bucket]

Observe that here we have created an S3 bucket named cloudtraillogsaws for storing the logs.

Create SNS Service

Go to the AWS console and click Simple Notification Service. Select Topics from the left side and click the Create new topic button.

[Figure: Simple Notification]

We have created a topic called displaytrail to publish to. The CloudTrail log entry for publishing to it will get stored in the S3 bucket created above.

Create a Trail in Cloudtrail and Assign the S3 bucket and SNS service

Go to the AWS console and click the CloudTrail service under Management Tools, as shown −

[Figure: Create Trails]

Click Trails on the left side, as shown below −

[Figure: Trail Dashboard]

[Figure: Trails]

Click the Create Trail button. Enter the Trail name and, for Apply trail to all regions, choose Yes, so that logs are collected for all regions.

[Figure: Trail Name]

For Read/Write events, choose All. Add the S3 bucket and SNS topic details as shown below. You can create a new one here or use an existing one.

[Figure: Read Events]

Note that there are options available to encrypt log files, enable log file validation (which lets you check later that delivered log files were not modified), send an SNS notification for every log file delivery, etc. I have used the default values here. You can enable file encryption, in which case it will ask for an encryption key. Click the Create Trail button once the details are added.

[Figure: Encrypt Log]

Create IAM Role with Permission

Go to the AWS console and select IAM. Create a role with permissions for S3, Lambda, CloudTrail and SES (for sending email). The role created is as shown below −

[Figure: Trail Lambda]

Create AWS Lambda Function

Go to the AWS console and click the Lambda service. Add the function name, select Node.js as the runtime, and select the role created for the Lambda function. Following is the Lambda function created.

[Figure: Lambda Trail]

AWS Lambda Configuration

Next, we need to add S3 as the trigger for the AWS Lambda function just created.

[Figure: Lambda Configuration]

Add the S3 bucket details to configure the trigger and add the following AWS Lambda code −

// Node.js handler (aws-sdk v2) invoked by the S3 "object created" event for each new log file
const aws = require("aws-sdk");
var ses = new aws.SES({
   region: 'us-east-1'
});

exports.handler = function(event, context, callback) {
   console.log("AWS lambda and S3 trigger ");
   console.log(JSON.stringify(event));
   // The S3 event carries the bucket name and the key of the newly delivered CloudTrail log file
   const record = event.Records[0];
   const s3message = "Bucket Name:" + record.s3.bucket.name + "\nLog details:" + record.s3.object.key;
   console.log(s3message);
   var eParams = {
      Destination: {
         ToAddresses: ["xxxxxxxxx12@gmail.com"]
      },
      Message: {
         Body: {
            Text: {
               Data: s3message
            }
         },
         Subject: {
            Data: "cloudtrail logs"
         }
      },
      Source: "coxxxxxx@gmail.com"   // must be a sender address verified in SES
   };
   ses.sendEmail(eParams, function(err, data) {
      if (err) {
         console.log(err);
         callback(err);   // report the failure instead of leaving the invocation without a result
      } else {
         console.log("===EMAIL SENT===");
         console.log("EMAIL: ", data);
         callback(null, "email is sent");
      }
   });
};

Note that we take the S3 bucket name and the log file key from the event and send the mail using the SES service, as shown above.

Whenever any activity takes place in the AWS console, the logs are delivered to the S3 bucket; at the same time, AWS Lambda gets triggered and the mail is sent to the email id mentioned in the code.

[Figure: CloudTrail Logs]

Note that you can process the logs as per your needs in AWS Lambda.
