AWS Deletion Tracking: Automate Alerts with Lambda and CloudTrail

Want real-time alerts when someone deletes resources in your AWS cloud? This article shows you how to build an automated system using AWS Lambda and CloudTrail for instant notifications and improved security.

Understanding the Core AWS Services

Let's quickly break down the key AWS services that form the backbone of our deletion tracking system:

• AWS Lambda: This serverless compute service lets you run code without managing servers. It's perfect for event-driven tasks, like processing CloudTrail logs.
• AWS CloudTrail: This service monitors and records all actions taken in your AWS account, providing a detailed audit trail for security and compliance. Captures event name with delete keywords like "DeleteLambda". Understanding CloudTrail enables governance and compliance.

Architecture Overview: Connecting the Pieces

Before diving into the code, let's visualize how everything works together. First, ensure CloudTrail logging is enabled and configured to deliver logs to an S3 bucket. Second, grant your Lambda function the necessary IAM permissions to read from this S3 bucket.

Step-by-Step: The Python Code Breakdown

This Python script automates the process of identifying and reporting deletion events from AWS.

import json
import boto3
import gzip
import io

def get_deleted_events(records):
    deletion_events = []
    for record in records:
        if record.get("eventName") and "Delete" in record["eventName"]:
            deletion_events.append(record)
    return deletion_events

def lambda_handler(event, context):
    s3_client = boto3.client("s3")
    for record in event["Records"]:
        bucket_name = record["s3"]["bucket"]["name"]
        object_key = record["s3"]["object"]["key"]
        response = s3_client.get_object(Bucket=bucket_name, Key=object_key)
        with gzip.GzipFile(fileobj=io.BytesIO(response["Body"].read()), mode='rb') as file:
            cloudtrail_logs = json.loads(file.read().decode("utf-8"))
        deletion_events = get_deleted_events(cloudtrail_logs.get("Records", []))
        if deletion_events:
            print(f"Found {len(deletion_events)} deletion event(s):")
            for event in deletion_events:
                print(json.dumps(event, indent=2))
        else:
            print("No deletion events found in this log file.")
    return {"statusCode": 200, "body": "Processed CloudTrail logs."}

The code works in the following way:

1. get_deleted_events(records) Function: This function takes a list of CloudTrail records and filters out those containing "Delete" in the eventName, indicating a deletion event.
2. lambda_handler(event, context) Function: This is the main function that gets executed when the Lambda function is triggered. It iterates through S3 records within the event, retrieves CloudTrail logs, and invokes the get_deleted_events function. It then prints the details of each deletion event.

Getting Started: Testing the Code

To test this function, you want to simulate an S3 event triggering. Configure Lambda with the following JSON:

{
  "Records": [
    {
      "s3": {
        "bucket": {
          "name": "<Your bucket name>"
        },
        "object": {
          "key": "<the object that ends .json.gz inside the folder>"
        }
      }
    }
  ]
}

Update the code to match your S3 bucket configuration. And remember to enable the proper IAM role permissions to the Lambda function.

Example: Tracking a Lambda Function Deletion

To test the code, delete a Lambda function in your AWS account. Then, locate the corresponding CloudTrail log in your S3 bucket. Use the S3 bucket and file location to create the testing payload. Executing the lambda function will now show the deletion event for the Lambda function.

Enhancements and Scalability Options

Scale your AWS deletion tracking system with these tips:

• Multi-Object Processing: Update the code to process multiple S3 objects in a single Lambda execution.
• AWS-Native Services: Use AWS Config, AWS CloudTrail Lake, or AWS Security Hub for scalable, automated deletion tracking.
• Amazon SNS or SES Integration: Notify specific users or teams about deletion events via email or SMS by integrating with Amazon SNS or SES.

Advantages of Automated Deletion Tracking

Leveraging AWS Lambda and CloudTrail offers:

• Increased Visibility: Gain immediate insight into resource deletions within your AWS environment.
• Improved Auditability: Maintain a comprehensive record of deletion events for compliance and security purposes.
• Enhanced Security Awareness: Proactively identify and respond to potentially unauthorized or accidental deletions.

Track resource deletions and keep your AWS environment secure.