IAM Access Denied Responder
Last updated
This example solution sets up an automated response to three kinds of event: an access denied error recorded in a CloudTrail event, a failed authentication attempt to the AWS console, or a Client.UnauthorizedOperation error.
The template is designed to let you easily add your own responses and your own messaging integrations. Additional responses can be generated by subscribing to the sec-ir-AccessDeniedTopic. Code to publish to Slack and Chime is provided. If you wish to publish to additional channels, add another subscription to the sec-ir-SecurityMessages topic.
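The following added example (not the project's own Lambda code) shows the shape of the two stages described above: classifying an incoming CloudTrail record into one of the three trigger conditions and generating a security message, then formatting that message in the payload shapes that Slack incoming webhooks and Chime webhooks accept. The CloudTrail field names (errorCode, eventName, responseElements, userIdentity) are standard record fields; how this project's own functions inspect them, the function names, and the sample records are assumptions made here.

```python
import json
from typing import Optional

# Trigger labels for the three conditions the solution responds to.
ACCESS_DENIED = "AccessDenied"
CONSOLE_LOGIN_FAILURE = "ConsoleLoginFailure"
UNAUTHORIZED_OPERATION = "UnauthorizedOperation"


def classify_record(record: dict) -> Optional[str]:
    """Return the trigger a CloudTrail record matches, or None if it is benign."""
    error_code = record.get("errorCode", "")
    if error_code == "Client.UnauthorizedOperation":
        return UNAUTHORIZED_OPERATION
    # Services report denial as "AccessDenied" or "<Service>AccessDeniedException".
    if error_code == "AccessDenied" or error_code.endswith("AccessDeniedException"):
        return ACCESS_DENIED
    if record.get("eventName") == "ConsoleLogin":
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Failure":
            return CONSOLE_LOGIN_FAILURE
    return None


def build_message(record: dict, trigger: str) -> dict:
    """Produce the structured security message a responder would publish to SNS."""
    identity = record.get("userIdentity", {})
    return {
        "trigger": trigger,
        "principal": identity.get("arn") or identity.get("userName", "unknown"),
        "source_ip": record.get("sourceIPAddress", "unknown"),
        "event": f'{record.get("eventSource", "?")}:{record.get("eventName", "?")}',
        "region": record.get("awsRegion", "?"),
        "time": record.get("eventTime", "?"),
        "detail": record.get("errorMessage", ""),
    }


def summary_line(message: dict) -> str:
    """One-line human readable summary used by every chat integration."""
    return (f'[{message["trigger"]}] {message["principal"]} from {message["source_ip"]} '
            f'on {message["event"]} in {message["region"]} at {message["time"]}: '
            f'{message["detail"]}')


def format_for_slack(message: dict) -> dict:
    """Slack incoming-webhook payload shape."""
    return {"text": summary_line(message)}


def format_for_chime(message: dict) -> dict:
    """Amazon Chime webhook payload shape."""
    return {"Content": summary_line(message)}


def handle_sns_event(event: dict) -> list:
    """Process an SNS-triggered Lambda event whose messages carry CloudTrail records.
    Returns the generated security messages; records matching no trigger are dropped."""
    messages = []
    for sns_record in event.get("Records", []):
        body = json.loads(sns_record["Sns"]["Message"])
        # A CloudTrail log-file style batch carries several records under "Records";
        # a single record is handled the same way.
        records = body.get("Records", [body]) if isinstance(body, dict) else []
        for record in records:
            trigger = classify_record(record)
            if trigger:
                messages.append(build_message(record, trigger))
    return messages


# Constructed sample records (not real account activity): one per trigger plus one benign call.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-01-01T12:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T12:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/example-role/s1"},
     "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2024-01-01T12:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"}},
]


def make_sns_event(records: list) -> dict:
    """Wrap CloudTrail records in the SNS-to-Lambda event shape (one message per record)."""
    return {"Records": [{"Sns": {"Message": json.dumps(r)}} for r in records]}


if __name__ == "__main__":
    for msg in handle_sns_event(make_sns_event(SAMPLE_RECORDS)):
        print(json.dumps(format_for_slack(msg)))
```

A custom response subscribed to sec-ir-AccessDeniedTopic would consume the same record shape; a custom channel subscribed to sec-ir-SecurityMessages would add another formatter alongside the Slack and Chime ones and post it with requests.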
Ensure that a CloudTrail trail delivering events to CloudWatch Logs exists.
Bundle each module for upload to S3. General instructions are available in the AWS documentation.
Ensure you create an archive of the files in the folder, not of the folder itself
For publish-security-messages, the Chime and Slack integrations provided depend on the requests module; ensure any custom integration dependencies are also included.
generate-security-messages has no dependencies unless you add custom responses
Upload the bundles to an S3 bucket
Launch the AccessDeniedRespones.yaml CloudFormation template and fill in the parameters as per each description.
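The bundling steps above are where deployments most often go wrong: zipping the folder instead of its contents puts the handler one directory down, and a missing vendored dependency (such as requests for publish-security-messages) only fails at invocation time. The following added example (not the project's own tooling) builds a bundle the correct way, builds one the wrong way for contrast, and checks each archive for both problems before upload. The handler file name, the module directory layout and the optional upload helper are assumptions.

```python
import zipfile
from pathlib import Path


def bundle_module(module_dir, zip_path):
    """Zip the *contents* of module_dir so the handler and packages sit at the archive root."""
    module_dir = Path(module_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(module_dir.rglob("*")):
            if path.is_file():
                zf.write(path, arcname=path.relative_to(module_dir).as_posix())
    return zip_path


def bundle_folder_itself(module_dir, zip_path):
    """The mistake the README warns about: the archive wraps everything in the folder name."""
    module_dir = Path(module_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(module_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(module_dir).as_posix()
                zf.write(path, arcname=f"{module_dir.name}/{rel}")
    return zip_path


def check_bundle(zip_path, handler_file, required_packages=()):
    """Return a list of problems: handler not at the root, or a required package missing."""
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    if handler_file not in names:
        problems.append(f"{handler_file} is not at the archive root (was the folder itself zipped?)")
    top_level = {n.split("/", 1)[0] for n in names}
    for pkg in required_packages:
        if pkg not in top_level:
            problems.append(f"dependency package '{pkg}' is missing from the bundle")
    return problems


def upload_bundle(zip_path, bucket, key):
    """Upload a checked bundle to S3 (assumed helper; requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the rest of the module runs offline
    boto3.client("s3").upload_file(str(zip_path), bucket, key)


def demo():
    """Construct a sample module layout in a temp dir and bundle it both ways."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        module = Path(tmp) / "publish-security-messages"
        (module / "requests").mkdir(parents=True)
        (module / "lambda_function.py").write_text(
            "def lambda_handler(event, context):\n    return event\n")
        # Stand-in for the vendored requests package, installed with pip install -t
        (module / "requests" / "__init__.py").write_text("# vendored dependency placeholder\n")
        good = bundle_module(module, Path(tmp) / "good.zip")
        bad = bundle_folder_itself(module, Path(tmp) / "bad.zip")
        return (check_bundle(good, "lambda_function.py", ["requests"]),
                check_bundle(bad, "lambda_function.py", ["requests"]))


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("correct bundle:", good_problems or "ok")
    print("folder-wrapped bundle:", bad_problems)
```

Run check_bundle on each archive before upload_bundle; for generate-security-messages pass an empty required_packages unless custom responses added dependencies.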