PAW: Privileged Access Watcher
This goal of this project is to watch privileged IAM groups in AWS
for membership additions and deletions, then notify a specific Slack
channel for visibility and notification to the affected person.
All of this is accomplished in an automated fashion, with a reaction
time of 1-2 minutes of the membership event occurring. This relies on
a CloudWatch Event Rule, Lambda function, and Slack Incoming Webhook.
When a user is added to a group, the following Slack message appears in a
channel:
Conversely, when a user is removed from a group, the following message
appears:
Launching the Project
Since the IAM component being monitored is a global resource, the
AWS resources are all created in one region.
- Deploy the IAM resources.
Run make deploy-iam-stack
and follow the prompts.
- Set the Slack Webhook URL into SSM ParameterStore
Run make init-ssm
and follow the prompts.
- Deploy the code resources.
Run make deploy-code-stack
and follow the prompts.
- Prepare the Lambda function for code deployment.
Run make prepare-code-stack
and follow the prompts.
- Deploy the code.
Run make deploy-code
and follow the prompts.
The code deploy step can happen as frequent as needed, while the
infrastructure stack will update rarely. If the infrastructure
does need to be updated, it is best to use CloudFormation Change Sets
to control the update and enforce change management.
Custom Slack Emojis
This project uses custom Slack emojis to personalize the messages sent
to Slack. You can find the custom emojis in the
extras/emojis directory. Customize your Slack emojis
by uploading the PNG files with the names specified in
constants.go.