c7n-mailer: How to Integrate with Slack & Splunk
Last updated on October 26th, 2021 at 11:14am
In our 2.18 release, we announced the general availability of our continuous compliance functionality. Continuous compliance brings the power of the leading open-source policy engine, Cloud Custodian, to cloudtamer.io. We believe pairing Cloud Custodian with cloudtamer.io’s multi-cloud support to visualize, manage, and provide easy remediation for findings is a cloud security game-changer.
But our initial release only scratches the surface of what this powerful engine can do! In this blog post, we go over some of the additional integrations available to better manage your cloud security posture within AWS.
Cloud Custodian includes c7n-mailer, a robust implementation for sending notifications to various tools within your organization. At cloudtamer.io, we are a Splunk partner and big consumers of Slack, and c7n-mailer supports both of these solutions. Let's take a look at how you can use c7n-mailer to send notice of compliance violations to these solutions.
The c7n-mailer Slack integration is easy to set up and configure.
First, create a Simple Queue Service (SQS) queue in AWS; we recommend creating it in the account in which cloudtamer.io is installed. The queue needs a queue policy that lets accounts in your organization send messages to it. Scope that grant to the organization (for example with an aws:PrincipalOrgID condition) rather than to any principal: the queue URL is not a secret, and anything allowed to write to the queue can inject notifications that the mailer will render and deliver. You'll also need an IAM role that c7n-mailer can use as the execution role for the Lambda function it creates; that role needs permission to receive and delete messages from this queue (plus CloudWatch Logs for its own logging), and nothing more.
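As an added example (not code from the original post or from the Cloud Custodian project), here is a CloudFormation template that creates the queue, a queue policy scoped to your organization, and the Lambda execution role. The queue name, account ID and organization ID are placeholders, and the exact SQS actions granted to the role are our assumption of what a queue consumer needs, not a list taken from the c7n-mailer documentation.

```yaml
# Added example (not from the original post or from Cloud Custodian).
# Deploy in the account where cloudtamer.io is installed. Replace the
# OrganizationId parameter with your own o-xxxxxxxxxx value.
AWSTemplateFormatVersion: "2010-09-09"
Description: SQS queue and Lambda execution role for c7n-mailer (example)

Parameters:
  OrganizationId:
    Type: String
    Description: AWS Organizations ID used to scope who may write to the queue
    AllowedPattern: "^o-[a-z0-9]{10,32}$"

Resources:
  MailerQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: c7n-mailer-queue
      MessageRetentionPeriod: 86400   # one day is plenty for notifications
      VisibilityTimeout: 300          # longer than the mailer Lambda's timeout
      # SQS-managed encryption works for producers in other accounts;
      # an AWS-managed KMS key (alias/aws/sqs) would not, because member
      # accounts cannot use this account's managed key to encrypt.
      SqsManagedSseEnabled: true

  MailerQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref MailerQueue
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # "Principal: *" alone would make the queue writable by anyone on
          # the internet; the aws:PrincipalOrgID condition restricts it to
          # principals belonging to your organization.
          - Sid: AllowOrgAccountsToSendMessages
            Effect: Allow
            Principal: "*"
            Action: sqs:SendMessage
            Resource: !GetAtt MailerQueue.Arn
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId

  MailerLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs for the function's own log output
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: c7n-mailer-queue-consumer
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Assumed consumer permission set: read and drain this one
              # queue only. No SendMessage, and no wildcard resource.
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                Resource: !GetAtt MailerQueue.Arn

Outputs:
  QueueUrl:
    Description: Use as queue_url in mailer.yml (Ref of an SQS queue is its URL)
    Value: !Ref MailerQueue
  RoleArn:
    Description: Use as role in mailer.yml
    Value: !GetAtt MailerLambdaRole.Arn
```

The stack outputs are exactly the two values mailer.yml needs. Note that the queue policy is only the resource-side half of a cross-account grant: the role that executes your Custodian policies in each member account must also be allowed sqs:SendMessage on this queue's ARN in its own IAM policy, or the notify action will be denied.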
On your workstation, install c7n-mailer (pip3 install c7n-mailer). Once installed, create two files: a mailer.yml configuration, and a Slack message template named slack.j2 in a templates directory.
The mailer.yml file must have two entries: the URL of the SQS queue (queue_url) and the ARN of the IAM role the mailer should run as (role).
The slack.j2 file is a Jinja template that c7n-mailer uses to format your Slack message. Jinja is a versatile Python templating language that's easy to pick up, and c7n-mailer ships a default Slack template (slack_default.j2) that you can copy as a starting point.
Once your mailer.yml and slack.j2 files are configured, run the following locally, with credentials for the account in which cloudtamer.io is installed:
c7n-mailer --config mailer.yml --update-lambda -t ./templates/
This packages c7n-mailer together with your templates and deploys it as a Lambda function in that account; rerun the same command whenever you change the configuration or a template.
In Slack, you'll need to configure either a bot token or an incoming webhook as the integration point, and put it in mailer.yml (slack_token or slack_webhook respectively). Following the c7n-mailer documentation, we're going to use an incoming webhook. The webhook URL is effectively a credential, since anyone who has it can post into the channel, so keep mailer.yml out of version control or inject the value at deploy time.
Finally, update your policy. In addition to the cloudtamer.io webhook action, you'll need a notify action whose recipients target Slack and whose transport points at the SQS queue.
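Putting the Slack steps together, as an added example rather than the post's own configuration: a minimal mailer.yml and a Custodian policy carrying the notify action. The account ID, queue name, webhook URL and channel name are placeholders, and the policy itself (flagging S3 buckets with global grants) is just a plausible compliance check; the cloudtamer.io webhook action is not reproduced here because the post does not show its form.

```yaml
# Added example, not taken from the original post. Two files are shown in
# one YAML stream, separated by "---"; all values are placeholders.

# ---------- mailer.yml ----------
# The two required entries: where the mailer reads from, and what it runs as.
queue_url: https://sqs.us-east-1.amazonaws.com/111122223333/c7n-mailer-queue
role: arn:aws:iam::111122223333:role/c7n-mailer-role
# Region of the queue and of the Lambda that c7n-mailer deploys
region: us-east-1
# Incoming webhook used for slack://webhook/... recipients. Treat as a secret.
slack_webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
---
# ---------- policy.yml ----------
policies:
  - name: s3-buckets-with-global-grants
    resource: aws.s3
    description: Buckets whose ACL grants access to AllUsers or AuthenticatedUsers
    filters:
      - type: global-grants
    actions:
      # The cloudtamer.io webhook action from the post belongs here as well;
      # it is omitted because this example only shows the Slack delivery.
      - type: notify
        slack_template: slack          # renders templates/slack.j2
        slack_msg_color: danger
        to:
          - slack://webhook/#cloud-compliance   # delivered via slack_webhook above
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/111122223333/c7n-mailer-queue
```

The notify action only enqueues the message; rendering and delivery happen in the mailer Lambda, so a broken template shows up in that function's CloudWatch logs, not in the output of the policy run.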
The Splunk integration is very similar to the Slack integration, leveraging the same c7n-mailer utility that's part of Cloud Custodian. Again, you'll need an SQS queue to which AWS accounts in the organization can write compliance violations, and an IAM role that Lambda can use with permissions to this queue. If you have already set these up for Slack, the same queue, role and mailer deployment can serve both destinations; the recipient addresses in each policy decide where a notification goes.
Within Splunk, you’ll need to create an HTTP event collector (HEC). The process for creating an HEC varies based on Splunk version; you can find instructions for your particular version in the Splunk documentation.
Once your HEC is created and you have verified it works (a test event POSTed to its /services/collector/event endpoint with the token should return a success response), the next step is to set up your configuration file. The steps are very similar to those we used for the Slack integration: create a YAML configuration that you deploy by running the c7n-mailer utility.
The configuration file for Splunk adds a few keys. You'll need queue_url and role just like the previous integration, plus the Splunk HEC URL and HEC token (splunk_hec_url and splunk_hec_token). The HEC token is a bearer credential for your Splunk ingest endpoint, so handle it like the Slack webhook URL.
Finally, you'll need to alter your compliance checks to include a notify action whose recipients target Splunk.
Both of these integrations are really easy to do out of the box. Cloud Custodian includes thorough documentation around these, and other, features of c7n-mailer.
Going forward, in keeping with our driving principle that “we make people’s lives in the cloud easier”, we’re looking to natively integrate the capabilities of c7n-mailer into cloudtamer.io. Stay tuned!