WHY GARTNER’S “CONTEXT MESH” CHANGES EVERYTHING AI CONNECTIVITY: THE ROAD AHEAD DON’T MISS API + AI SUMMIT 2026 SEPT 30 – OCT 1
We're Entering the Age of AI Connectivity [Read more](/blog/news/the-age-of-ai-connectivity)Read moreProducts & Agents:
[Engineering](/blog/engineering)Engineering
November 13, 2019
3 min read

# Configuring AWS GuardDuty with Lambda for Slack Notifications

Dennis Kelly

At Kong, we leverage many tools to protect our services and customers. [Terraform](https://www.terraform.io)Terraform from [HashiCorp](https://www.hashicorp.com)HashiCorp allows us to automate the process with Infrastructure as Code (IaC). Another important tool is [Amazon Web Services (AWS) GuardDuty](https://aws.amazon.com/guardduty)Amazon Web Services (AWS) GuardDuty, a continuous monitoring service for security threat detection in your AWS accounts. It analyzes events from CloudTrail, VPC Flow Logs and DNS logs using machine learning, anomaly detection and known threats to provide security intelligence in the form of GuardDuty alerts or *findings*. Multiple *member* AWS accounts can be aggregated into a *master* account to centrally manage alerts across an entire organization. It provides an enterprise with comprehensive threat detection, stronger security through automation and centralized management at scale.

GuardDuty allows us to automatically send notifications to [CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)CloudWatch Events. We use this to notify the security team on Slack by configuring a [CloudWatch Event Rule](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html)CloudWatch Event Rule on GuardDuty findings that triggers a [Lambda](https://aws.amazon.com/lambda)Lambda serverless function written in [Go](https://golang.org)Go called *GuardDuty2Slack*. This post will walk you through the process and code used to join member accounts to an organization and send GuardDuty findings as Slack notifications. The complete example set of code is available [here](https://github.com/DennoVonDiesel/tf/tree/master/example/guardduty)here.

## What is GuardDuty?

GuardDuty is a regional service, so member accounts need to be invited for every region they use. Some accounts may not use the same regions as others. While there are more sophisticated ways to manage this, for the simplicity of this post, the following directory structure will be used:

[accounts/](https://github.com/DennoVonDiesel/tf/tree/master/example/guardduty/accounts)accounts/Terraform snippets for GuardDuty member accounts[global/](https://github.com/DennoVonDiesel/tf/tree/master/example/guardduty/global)global/Terraform applied at a global level (IAM roles and policies)[lambda/](https://github.com/DennoVonDiesel/tf/tree/master/example/guardduty/lambda)lambda/Terraform Lambda module and Go function for notifications[us-west-1/](https://github.com/DennoVonDiesel/tf/tree/master/example/guardduty/us-west-1)us-west-1/Terraform applied at a regional level (in this example us-west-1)

In the global directory, the file [iam.tf](https://github.com/DennoVonDiesel/tf/blob/master/example/guardduty/global/iam.tf)iam.tf is used to create an IAM role, *GuardDuty2Slack*, that can be assumed by the Lambda service with basic Lambda execution permissions:

data "aws_iam_policy_document" "lambda" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
     type        = "Service"
     identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "GuardDuty2Slack"
  assume_role_policy = "${data.aws_iam_policy_document.lambda.json}"

  tags {
    Name        = "GuardDuty2Slack"
    Environment = "Prod"
    Department  = "Engineering"
    Team        = "Cloud"
    Product     = "Cloud"
    Service     = "Guard Duty"
    Owner       = "cloud@my.domain"
  }
}

resource "aws_iam_policy_attachment" "lambda" {
  name  = "GuardDuty2Slack"
  roles = ["${aws_iam_role.lambda.id}"]

  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

The Terraform in the global directory will need to be executed first - a bootstrapping process - so the IAM role will be available when setting up each region. In the Lambda module, [main.tf](https://github.com/DennoVonDiesel/tf/blob/master/example/guardduty/lambda/main.tf)main.tf, the IAM role is imported as a data source and associated with the function:

data "aws_iam_role" "lambda" {
  name = "GuardDuty2Slack"
}

resource "aws_lambda_function" "lambda" {
  function_name = "GuardDuty2Slack"

  filename         = "${data.archive_file.lambda.output_path}"
  source_code_hash = "${data.archive_file.lambda.output_base64sha256}"
  handler          = "main"
  runtime          = "go1.x"

  role = "${data.aws_iam_role.lambda.arn}"

  tags {
    Name        = "GuardDuty2Slack"
    Environment = "Prod"
    Department  = "Engineering"
    Team        = "Cloud"
    Product     = "Cloud"
    Service     = "Guard Duty"
    Owner       = "cloud@my.domain"
  }
}

The [event pattern](https://github.com/DennoVonDiesel/tf/blob/master/example/guardduty/lambda/event-pattern.json)event pattern for GuardDuty findings are associated with an event rule, which is used to trigger the Lambda function:

resource "aws_cloudwatch_event_rule" "lambda" {
  name          = "GuardDuty2Slack"
  description   = "AWS GuardDuty Finding Events"

  event_pattern = "${file("${path.module}/event-pattern.json")}"

  tags {
    Name        = "GuardDuty2Slack"
    Environment = "Prod"
    Department  = "Engineering"
    Team        = "Cloud"
    Product     = "Cloud"
    Service     = "Guard Duty"
    Owner       = "cloud@my.domain"
  }
}

resource "aws_cloudwatch_event_target" "lambda" {
  target_id = "GuardDuty2Slack"
  rule      = "${aws_cloudwatch_event_rule.lambda.name}"
  arn       = "${aws_lambda_function.lambda.arn}"
}

The event rule will also need permissions to invoke the function:

resource "aws_lambda_permission" "lambda" {
  statement_id  = "GuardDuty2Slack-cloudwatch-event-rule"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.lambda.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.lambda.arn}"
}

The configuration of the function is stored in [main.yml](https://github.com/DennoVonDiesel/tf/blob/master/example/guardduty/lambda/main.yml)main.yml. It defines the colors associated with GuardDuty severity levels, the default/fall-back webhook and per account settings:

# https://www.color-hex.com/color-palette/33993
colors:
  low: "#fdc500"     # Yellow
  medium: "#fd8c00"  # Orange
  high: "#dc0000"    # Red

# Format of GuardDuty finding URL
url: "https://console.aws.amazon.com/guardduty/home?region=%s#/findings?macros=current&fId=%s"

# Default webhook for unconfigured accounts
webhook: https://hooks.slack.com/services/XXXXXXXXX/XXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXX

# Account specific settings
accounts:
  111111111111:
      name: member1
      severity: medium
      webhook: https://hooks.slack.com/services/XXXXXXXXX/XXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXX

To setup a region directory, first add the account to the accounts directory. Using the example of an AWS account named *member1* with an ID of *111111111111*, create accounts/member1.tf:

resource "aws_guardduty_member" "member1" {
  detector_id        = "${aws_guardduty_detector.master.id}"
  account_id         = "111111111111"
  email              = "member1@my.domain"
  invite             = true
  invitation_message = "GuardDuty Invite from Master"
}

When applied via Terraform, an email invitation from AWS will be sent allowing an administrator to login, enable GuardDuty and accept the invitation for the master account to be the GuardDuty administrator of the member account.

We can use the same [main.tf](https://github.com/DennoVonDiesel/tf/blob/master/example/guardduty/main.tf)main.tf from the top-level directory for each region directory:

provider "aws" {
  region  = "${var.region}"
  profile = "master"
}

terraform {
  backend "s3" {}
}

resource "aws_guardduty_detector" "master" {
  enable = true
}

module "lambda" {
  source = "../lambda"
}

In the region directory, you will need the files *backend.conf *to configure the terraform state and *variables.tf* with the region (i.e. us-west-1). In the region directory, you can link *main.tf* and accounts desired:

$ cd us-west-1
$ ln -s ../main.tf
$ ln -s ../accounts/member1.tf

To deploy the member account invitations in accounts.tf and the Lambda function:

$ terraform init -backend-config=backend.conf
$ terraform apply

Iterate this process for each region (*i.e. us-east-1, us-west-2, eu-north-1*).

With notifications configured and sent, it is important to understand finding severity levels, types and remediation. For further information, please visit [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html)https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

**Topics**
- [API Security](/blog/tag/api-security)API Security- [AWS](/blog/tag/aws)AWS- [Cloud](/blog/tag/cloud)Cloud
Dennis Kelly

Recommended posts

# APISecOps Tutorial: Delivering APIs Securely Together with Kong Konnect and Red Hat OpenShift Service on AWS (ROSA)

[Engineering](/blog)Engineering

Red Hat OpenShift is the industry's leading enterprise Kubernetes platform that runs ubiquitously across on-prem, and the cloud. With Red Hat OpenShift Service on AWS (ROSA) , a managed Red Hat OpenShift platform that runs natively on AWS, it is

Danny Freese
[](https://konghq.com/blog/engineering/apisecops-tutorial)

## Ready to see Kong in action?

Get a personalized walkthrough of Kong's platform tailored to your architecture, use cases, and scale requirements.

[Get a Demo](/contact-sales)Get a Demo