forked from pbudzon/aws-maintenance
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudtrail-monitor.py
75 lines (57 loc) · 2.35 KB
/
cloudtrail-monitor.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
import json
import boto3
import gzip
def lambda_handler(event, context):
sns_topic = None
info = boto3.client('lambda').get_function(
FunctionName=context.function_name
)
iam = boto3.client('iam')
role_name = info['Configuration']['Role'].split('/')[1]
policies = iam.list_role_policies(
RoleName=role_name
)
for policy in policies['PolicyNames']:
details = iam.get_role_policy(
RoleName=role_name,
PolicyName=policy
)
for statement in details['PolicyDocument']['Statement']:
for action in statement['Action']:
if action == 'sns:publish':
sns_topic = statement['Resource']
break
if sns_topic is None:
raise Exception("Could not find SNS topic for notifications!")
sns = boto3.client('sns')
if 'Records' not in event:
raise Exception("Invalid message received!")
for record in event['Records']:
if 'Message' not in record['Sns']:
print(record)
raise Exception("Invalid record!")
message = json.loads(record['Sns']['Message'])
if 's3Bucket' not in message or 's3ObjectKey' not in message:
raise Exception("s3Bucket or s3ObjectKey missing from Message!")
s3 = boto3.resource('s3')
for s3key in message['s3ObjectKey']:
s3.meta.client.download_file(message['s3Bucket'], s3key, '/tmp/s3file.json.gz')
with gzip.open('/tmp/s3file.json.gz', 'rb') as f:
file_content = json.loads(f.read())
for record in file_content['Records']:
if record['eventSource'] == "ec2.amazonaws.com" and record['eventName'] == 'RunInstances':
print(record)
for topic in sns_topic:
sns.publish(
TopicArn=topic,
Message=json.dumps(record),
Subject="RunInstances invoked at " + record['eventTime']
)
if __name__ == '__main__':
lambda_handler({
"Records": [{
"Sns": {
"Message": "{\"s3Bucket\":\"cloudtrail-xxx\",\"s3ObjectKey\":[\"AWSLogs/xxx/CloudTrail/ap-northeast-1/2016/06/15/abc.json.gz\"]}"
}
}]
}, None)