Send alerts from AWS Network Firewall to a Slack channel - AWS Prescriptive Guidance
SummaryPrerequisites and limitationsArchitectureToolsEpicsRelated resourcesAdditional information

Send alerts from AWS Network Firewall to a Slack channel

Created by Venki Srivatsav (AWS) and Aromal Raj Jayarajan (AWS)

Summary

This pattern describes how to deploy a firewall by using Amazon Web Services (AWS) Network Firewall with the distributed deployment model and how to propagate the alerts generated by AWS Network Firewall to a configurable Slack channel. 

Compliance standards such as Payment Card Industry Data Security Standard (PCI DSS) require that you install and maintain a firewall to protect customer data. In the AWS Cloud, a virtual private cloud (VPC) is considered the same as a physical network in the context of these compliance requirements. You can use Network Firewall to monitor network traffic between VPCs and to protect your workloads that run in VPCs governed by a compliance standard. Network Firewall blocks access or generates alerts when it detects unauthorized access from other VPCs in the same account. However, Network Firewall supports a limited number of destinations for delivering the alerts. These destinations include Amazon Simple Storage Service (Amazon S3) buckets, Amazon CloudWatch log groups, and Amazon Data Firehose delivery streams. Any further action on these notifications requires offline analysis by using either Amazon Athena or Amazon Kinesis. 

This pattern provides a method for propagating alerts that are generated by Network Firewall to a configurable Slack channel for further action in near real time. You can also extend the functionality to other alerting mechanisms such as PagerDuty, Jira, and email. (Those customizations are outside the scope of this pattern.) 

Prerequisites and limitations

Prerequisites 

  • Slack channel (see Getting started in the Slack help center)

  • Required privileges to send a message to the channel

  • The Slack endpoint URL with an API token (select your app and choose an incoming webhook to see its URL; for more information, see Creating an Incoming Webhook in the Slack API documentation) 

  • An Amazon Elastic Compute Cloud (Amazon EC2) test instance in the workload subnets

  • Test rules in Network Firewall

  • Actual or simulated traffic to trigger the test rules

  • An S3 bucket to hold the source files to be deployed

Limitations 

  • Currently this solution supports only a single Classless Inter-Domain Routing (CIDR) range as a filter for source and destination IPs.

Architecture

Target technology stack

  • One VPC

  • Four subnets (two for the firewall and two for workloads) 

  • Internet gateway

  • Four route tables with rules 

  • S3 bucket used as an alert destination, configured with a bucket policy and event settings to run a Lambda function

  • Lambda function with an execution role, to send Slack notifications

  • AWS Secrets Manager secret for storing the Slack URL

  • Network firewall with alert configuration

  • Slack channel

All components except for the Slack channel are provisioned by the CloudFormation templates and the Lambda function that are provided with this pattern (see the Code section).

Target architecture 

This pattern sets up a decentralized network firewall with Slack integration. This architecture consists of a VPC with two Availability Zones. The VPC includes two protected subnets and two firewall subnets with network firewall endpoints. All traffic going into and out of the protected subnets can be monitored by creating firewall policies and rules. The network firewall is configured to place all alerts in an S3 bucket. This S3 bucket is configured to call a Lambda function when it receives a put event. The Lambda function fetches the configured Slack URL from Secrets Manager and sends the notification message to the Slack workspace.

Target architecture for a decentralized network firewall with Slack integration.

For more information about this architecture, see the AWS blog post Deployment models for AWS Network Firewall.

Tools

AWS services

  • AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for VPCs in the AWS Cloud. You can use Network Firewall to filter traffic at the perimeter of your VPC and protect your workloads on AWS.

  • AWS Secrets Manager is a service for credential storage and retrieval. Using Secrets Manager, you can replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This pattern uses Secrets Manager to store the Slack URL.

  • Amazon Simple Storage Service (Amazon S3) is an object storage service. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web. This pattern uses Amazon S3 to store the CloudFormation templates and Python script for the Lambda function. It also uses an S3 bucket as the network firewall alert destination.

  • AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. This pattern uses AWS CloudFormation to automatically deploy a distributed architecture for Firewall Manager.

Code 

The code for this pattern is available on GitHub, in the Network Firewall Slack Integration repository. In the src folder of the repository, you’ll find:

  • A set of CloudFormation files in YAML format. You use these templates to provision the components for this pattern.

  • A Python source file (slack-lambda.py) to create the Lambda function.

  • A .zip archive deployment package (slack-lambda.py.zip) to upload your Lambda function code.

To use these files, follow the instructions in the next section.

Epics

TaskDescriptionSkills required

Create an S3 bucket.

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose or create an S3 bucket to host the code. An S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. The S3 bucket name cannot include leading slashes. We recommend that you use a prefix to organize the code for this pattern.

For more information, see Creating a bucket in the Amazon S3 documentation. 

App developer, App owner, Cloud administrator

Upload the CloudFormation templates and Lambda code.

  1. Download the following files from the GitHub repository for this pattern:

    • base.yml

    • igw-ingress-route.yml

    • slack-lambda.py

    • slackLambda.yml

    • decentralized-deployment.yml

    • protected-subnet-route.yml

    • slack-lambda.py.zip

  2. Upload the files to the S3 bucket you created. 

App developer, App owner, Cloud administrator
TaskDescriptionSkills required

Launch the CloudFormation template.

Open the AWS CloudFormation console in the same AWS Region as your S3 bucket and deploy the template base.yml. This template creates the required AWS resources and Lambda functions for the alerts to be transmitted to the Slack channel.

For more information about deploying CloudFormation templates, see Creating a stack on the AWS CloudFormation console in the CloudFormation documentation.

App developer, App owner, Cloud administrator

Complete the parameters in the template.

Specify the stack name and configure the parameter values. For a list of parameters, their descriptions, and default values, see CloudFormation parameters in the Additional information section.

App developer, App owner, Cloud administrator

Create the stack.

  1. Review stack details and update values based on your environment requirements.

  2. Choose Create stack to deploy the template.

App developer, App owner, Cloud administrator
TaskDescriptionSkills required

Test the deployment.

Use the AWS CloudFormation console or the AWS Command Line Interface (AWS CLI) to verify that the resources listed in the Target technology stack section have been created.  

If the CloudFormation template fails to deploy successfully, check the values you provided for the pAvailabilityZone1 and  pAvailabilityZone2 parameters. These should be appropriate for the AWS Region you’re deploying the solution in. For a list of Availability Zones for each Region, see Regions and Zones in the Amazon EC2 documentation. 

App developer, App owner, Cloud administrator

Test functionality.

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. Create  an EC2 instance in one of the protected subnets. Choose an Amazon Linux 2 AMI (HVM) to use as an HTTPS server. For instructions, see Launch an instance in the Amazon EC2 documentation.

Note

Amazon Linux 2 is nearing end of support. For more information, see the Amazon Linux 2 FAQs.

3. Use the following user data to install a web server on the EC2 instance:

#!/bin/bash
yum install httpd -y
systemctl start httpd
systemctl stop firewalld
cd /var/www/html
echo "Hello!! this is a NFW alert test page, 200 OK" > index.html

4. Create the following network firewall rules:

Stateless rule:

Source: 0.0.0.0/0
Destination 10.0.3.65/32 (private IP of the EC2 instance)
Action: Forward

Stateful rule:

Protocol: HTTP
Source ip/port: Any / Any
Destination ip/port: Any /Any

5. Get the public IP of the web server you created in step 3.

6. Access the public IP in a browser. You should see the following message in the browser:

Hello!! this is a NFW alert test page, 200 OK

You will also get a notification in the Slack channel. The notification might be delayed, depending on the size of the message. For testing purposes, consider providing a CIDR filter that is not too narrow (for example, a CIDR value with /32 would be considered too narrow, and /8 would be too broad). For more information, see the Filter behavior section in Additional information.

App developer, App owner, Cloud administrator

Related resources

Additional information

CloudFormation parameters

Parameter

Description

Default or sample value

pVpcName

The name of the VPC to create.

Inspection

pVpcCidr

The CIDR range for the VPC to create.

10.0.0.0/16

pVpcInstanceTenancy

How EC2 instances are distributed across physical hardware. Options are default (shared tenancy) or dedicated (single tenancy).

default

pAvailabilityZone1

The first Availability Zone for the infrastructure. 

us-east-2a 

pAvailabilityZone2

The second Availability Zone for the infrastructure.

us-east-2b

pNetworkFirewallSubnet1Cidr

The CIDR range for the first firewall subnet (minimum /28).

10.0.1.0/24

pNetworkFirewallSubnet2Cidr

The CIDR range for the second firewall subnet (minimum /28).

10.0.2.0/24

pProtectedSubnet1Cidr

The CIDR range for the first protected (workload) subnet.

10.0.3.0/24

pProtectedSubnet2Cidr

The CIDR range for the second protected (workload) subnet.

10.0.4.0/24

pS3BucketName

The name of the existing S3 bucket where you uploaded the Lambda source code.

us-w2-yourname-lambda-functions

pS3KeyPrefix

The prefix of the S3 bucket where you uploaded the Lambda source code.

aod-test 

pAWSSecretName4Slack

The name of the secret that holds the Slack URL.

SlackEnpoint-Cfn

pSlackChannelName

The name of the Slack channel you created.

somename-notifications

pSlackUserName

Slack user name.

Slack User

pSecretKey

This can be any key. We recommend that you use the default.

webhookUrl

pWebHookUrl

The value of the Slack URL.

https://hooks.slack.com/services/T???9T??/A031885JRM7/9D4Y??????

pAlertS3Bucket

The name of the S3 bucket to be used as the network firewall alert destination. This bucket will be created for you.

us-w2-yourname-security-aod-alerts

pSecretTagName

The tag name for the secret.

AppName

pSecretTagValue

The tag value for the specified tag name.

LambdaSlackIntegration

pdestCidr

The filter for the destination CIDR range. For more information, see the next section, Filter behavior.

10.0.0.0/16

pdestCondition

A flag to indicate whether to exclude or include the destination match. For more information, see the next section. Valid values are include and exclude.

include

psrcCidr

The filter for the source CIDR range to alert. For more information, see the next section. 

118.2.0.0/16

psrcCondition

The flag to exclude or include the source match. For more information, see the next section.

include

Filter behavior

If you haven’t configured any filters in AWS Lambda, all generated alerts are sent to your Slack channel. The source and destination IPs of the generated alerts are matched against the CIDR ranges you configured when you deployed the CloudFormation template. If a match is found, the condition is applied. If either the source or the destination falls within the configured CIDR range and at least one of them is configured with the condition include, an alert is generated. The following tables provide examples of CIDR values, conditions, and results.

Configured CIDR

Alert IP

Configured

Alert

Source

10.0.0.0/16

10.0.0.25

include

Yes

Destination

100.0.0.0/16

202.0.0.13

include

Configured CIDR

Alert IP

Configured

Alert

Source

10.0.0.0/16

10.0.0.25

exclude

No

Destination

100.0.0.0/16

202.0.0.13

include

Configured CIDR

Alert IP

Configured

Alert

Source

10.0.0.0/16

10.0.0.25

include

Yes

Destination

100.0.0.0/16

100.0.0.13

include

Configured CIDR

Alert IP

Configured

Alert

Source

10.0.0.0/16

90.0.0.25

include

Yes

Destination

Null

202.0.0.13

include

Configured CIDR

Alert IP

Configured

Alert

Source

10.0.0.0/16

90.0.0.25

include

No

Destination

100.0.0.0/16

202.0.0.13

include