AWS Deletion Tracking: Automate Alerts with Lambda & CloudTrail

Want to know immediately when resources are deleted in your AWS cloud? This article unveils a simple yet powerful method for tracking deletion events using AWS Lambda and CloudTrail, ensuring proactive security and compliance. We'll guide you through the setup and code, enabling real-time awareness of resource removal in your AWS environment.

Why Track AWS Deletion Events?

• Security: Instantly detect unauthorized or accidental resource deletions.
• Compliance: Maintain an audit trail of all deletion activities for regulatory requirements.
• Cost Optimization: Identify and address unintentional removal of cost-saving resources.
• Faster Incident Response: Improve reaction time to critical services being taken offline.

Understanding the Core AWS Services

Before diving into the code, let's understand each technologies:

• AWS Lambda: A serverless compute service that lets you run code without provisioning or managing servers. It's the engine driving our deletion event notification system.
• AWS CloudTrail: A service that records AWS API calls for your account, delivering detailed logs to an S3 bucket. We'll tap into these logs to identify deletion events.

Architecture: How It All Works

The solution works like this:

1. CloudTrail logs actions within your AWS environment and stores the logs in an S3 bucket.
2. When a new log file is added to the S3 bucket, it triggers a Lambda function.
3. The Lambda function analyzes the CloudTrail logs for deletion events.
4. If a deletion event is found, the Lambda function can trigger notifications via services like SNS or SES, and logs the event to CloudWatch.

Ensure CloudTrail logging is enabled and delivering logs to an S3 bucket. Also, verify that your Lambda function's IAM role has the necessary permissions to read from the S3 bucket.

The Code: AWS Lambda Function for Deletion Detection

Here's the Python code for the Lambda function:

import json
import boto3
import gzip
import io

def get_deleted_events(records):
    deletion_events = []
    for record in records:
        if record.get("eventName") and "Delete" in record["eventName"]:
            deletion_events.append(record)
    return deletion_events

def lambda_handler(event, context):
    s3_client = boto3.client("s3")
    for record in event["Records"]:
        bucket_name = record["s3"]["bucket"]["name"]
        object_key = record["s3"]["object"]["key"]
        response = s3_client.get_object(Bucket=bucket_name, Key=object_key)
        with gzip.GzipFile(fileobj=io.BytesIO(response["Body"].read()), mode='rb') as file:
            cloudtrail_logs = json.loads(file.read().decode("utf-8"))
        deletion_events = get_deleted_events(cloudtrail_logs.get("Records", []))
        if deletion_events:
            print(f"Found {len(deletion_events)} deletion event(s):")
            for event in deletion_events:
                print(json.dumps(event, indent=2))
        else:
            print("No deletion events found in this log file.")
    return {"statusCode": 200, "body": "Processed CloudTrail logs."}

Explanation:

• The get_deleted_events function filters CloudTrail records for those containing "Delete" in the eventName.
• The lambda_handler function is triggered by new S3 objects (CloudTrail logs).
• It retrieves the log file, extracts deletion events, and prints them to CloudWatch Logs.

Testing and Deployment

To test your Lambda function, construct a test event that mimics an S3 event notification:

{
  "Records": [
    {
      "s3": {
        "bucket": {
          "name": "<Your bucket name>"
        },
        "object": {
          "key": "<the object that ends .json.gz inside the folder>"
        }
      }
    }
  ]
}

Replace placeholders with your actual S3 bucket name and CloudTrail log file key. You can trigger events by manually uploading an object ending with .json.gz into your S3 bucket. Or, delete a resource (like a Lambda function) and retrieve the latest CloudTrail log from S3.

Taking It Further: Enhancements

• Scale: Process multiple S3 objects per Lambda invocation.
• Notifications: Integrate with Amazon SNS or SES to send email or SMS alerts upon detecting deletion events.
• Advanced Analysis: Use AWS CloudTrail Lake or AWS Security Hub for more comprehensive auditing and security monitoring.
• Real-time Alerting: Configure a notification system to alert specific users if a resource critical to your application is deleted, using services like Amazon SNS.

Conclusion: Simple, Effective AWS Deletion Tracking

This AWS Lambda function offers a straightforward solution for tracking AWS deletion events using CloudTrail logs. By providing real-time visibility into resource removal activities, it empowers you to enhance security, maintain compliance, and optimize costs. This is achieved without relying on external platforms. You gain tighter control over your AWS environment and react quickly to any unexpected changes. With AWS Lambda and CloudTrail, deletion event monitoring becomes both effortless and effective.