Snotra Lambda

Continuous AWS Testing with Snotra, Lambda, Cloud Watch EventBridge and S3.

I have recently pushed a change to Snotra, my AWS auditing tool, which enables it be deployed as an AWS Lamda function.

This post will explain how to deploy Snotra as a Lamba Function, schedule regular scans via a Cloud Watch Events and save the results to S3.

Create and Test Lambda Function

Create a Python lambda function

Download Snotra Zip file from source on GitHub

Upload source zip file to Lambda

Once it has uploaded the file structure will look like this

We need to move Snotra to the Snotra root directory, your file structure should then look like this

If you want Snotra to scan the local AWS account you will need to give the Lambda role the required permissions. Find the role assocaited with your new Lambda function in IAM and assign the following AWS managed policies:

  • ReadOnlyAccess
  • SecurityAudit
  • ViewOnlyAccess

Create an S3 bucket to hold the results and update line 112 in the lambda function with the bucket name.

Give the Lambda role the required permissions in order to put files into the bucket.

Create an inline policy with the following JSON definition, updating the bucket name as required for your environment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::snotra-results/*"
        }
    ]
}

Configure the handler in the Lambda's runtime settings

Under configuration > General configuration configure a suitable timeout, I use 9 minutes

now we are ready to test the Lambda by creating a test event, use the following JSON to scan the local AWS account.

{
"role_arn": "",
"session_name": "test"
}

Create event

Execute test

If all goes well then the output should looks something like this

And the results should end up in S3

Cross Account Scanning

To scan other AWS accounts you need a cross account role in the target account and allow the lambda to assume it

Create a role in the target account with the following AWS managed policies:

  • ReadOnlyAccess
  • SecurityAudit
  • ViewOnlyAccess

Use the following JSON to Configure the cross account trust policy updating your account ID

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:root",
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Add an inline IAM policy to the Lambda functions role with the following JSON definition, giving it permissions to assume the role in the target account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::000000000000:role/snotra"
        }
    ]
}

Create new test event for cross account scan

Kick off a test, if all goes well the output should look something like this

And the results should end up in S3

CloudWatch event

Now we are going to configure a Cloud Watch event to trigger the Lamba on a schedule

Go to CloudWatch EventBridge > Rules > Create Rule

Give the rule a relevant name and description and select the schedule rule type

Configure your event schedule as required

Select AWS Lambda Invoke as the target

Select your Snotra Lambda function and use the following JSON payload as we did before for the test events

{
  "role_arn": "arn:aws:iam::000000000000:role/snotra",
  "session_name": "shaun"
}

Click through the rest of the options and create the schedule

Everything is now configured, your schedule will trigger the lambda function, a scan will be run and the JSON results will be accumulated in the S3 bucket for ingestion and use with other tools and workflows.