Send alerts from AWS Network Firewall to a Slack channel - AWS Prescriptive Guidance

Send alerts from AWS Network Firewall to a Slack channel

Created by Venki Srivatsav (AWS) and Aromal Raj Jayarajan (AWS)

Code repository: NfwSlackIntegration

Environment: PoC or pilot

Technologies: Security, identity, compliance; Networking

AWS services: AWS Lambda; AWS Network Firewall; Amazon S3

Summary

This pattern describes how to deploy a firewall by using Amazon Web Services (AWS) Network Firewall with the distributed deployment model and how to propagate the alerts generated by AWS Network Firewall to a configurable Slack channel. 

Compliance standards such as Payment Card Industry Data Security Standard (PCI DSS) require that you install and maintain a firewall to protect customer data. In the AWS Cloud, a virtual private cloud (VPC) is considered the same as a physical network in the context of these compliance requirements. You can use Network Firewall to monitor network traffic between VPCs and to protect your workloads that run in VPCs governed by a compliance standard. Network Firewall blocks access or generates alerts when it detects unauthorized access from other VPCs in the same account. However, Network Firewall supports a limited number of destinations for delivering the alerts. These destinations include Amazon Simple Storage Service (Amazon S3) buckets, Amazon CloudWatch log groups, and Amazon Data Firehose delivery streams. Any further action on these notifications requires offline analysis by using either Amazon Athena or Amazon Kinesis. 

This pattern provides a method for propagating alerts that are generated by Network Firewall to a configurable Slack channel for further action in near real time. You can also extend the functionality to other alerting mechanisms such as PagerDuty, Jira, and email. (Those customizations are outside the scope of this pattern.) 

Prerequisites and limitations

Prerequisites 

  • Slack channel (see Getting started in the Slack help center)

  • Required privileges to send a message to the channel

  • The Slack endpoint URL with an API token (select your app and choose an incoming webhook to see its URL; for more information, see Creating an Incoming Webhook in the Slack API documentation) 

  • An Amazon Elastic Compute Cloud (Amazon EC2) test instance in the workload subnets

  • Test rules in Network Firewall

  • Actual or simulated traffic to trigger the test rules

  • An S3 bucket to hold the source files to be deployed

Limitations 

  • Currently this solution supports only a single Classless Inter-Domain Routing (CIDR) range as a filter for source and destination IPs.

Architecture

Target technology stack

  • One VPC

  • Four subnets (two for the firewall and two for workloads) 

  • Internet gateway

  • Four route tables with rules 

  • S3 bucket used as an alert destination, configured with a bucket policy and event settings to run a Lambda function

  • Lambda function with an execution role, to send Slack notifications

  • AWS Secrets Manager secret for storing the Slack URL

  • Network firewall with alert configuration

  • Slack channel

All components except for the Slack channel are provisioned by the CloudFormation templates and the Lambda function that are provided with this pattern (see the Code section).

Target architecture 

This pattern sets up a decentralized network firewall with Slack integration. This architecture consists of a VPC with two Availability Zones. The VPC includes two protected subnets and two firewall subnets with network firewall endpoints. All traffic going into and out of the protected subnets can be monitored by creating firewall policies and rules. The network firewall is configured to place all alerts in an S3 bucket. This S3 bucket is configured to call a Lambda function when it receives a put event. The Lambda function fetches the configured Slack URL from Secrets Manager and sends the notification message to the Slack workspace.

Target architecture for a decentralized network firewall with Slack integration.

For more information about this architecture, see the AWS blog post Deployment models for AWS Network Firewall.

Tools

AWS services

  • AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for VPCs in the AWS Cloud. You can use Network Firewall to filter traffic at the perimeter of your VPC and protect your workloads on AWS.

  • AWS Secrets Manager is a service for credential storage and retrieval. Using Secrets Manager, you can replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This pattern uses Secrets Manager to store the Slack URL.

  • Amazon Simple Storage Service (Amazon S3) is an object storage service. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web. This pattern uses Amazon S3 to store the CloudFormation templates and Python script for the Lambda function. It also uses an S3 bucket as the network firewall alert destination.

  • AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. This pattern uses AWS CloudFormation to automatically deploy a distributed architecture for Firewall Manager.

Code 

The code for this pattern is available on GitHub, in the Network Firewall Slack Integration repository. In the src folder of the repository, you’ll find:

  • A set of CloudFormation files in YAML format. You use these templates to provision the components for this pattern.

  • A Python source file (slack-lambda.py) to create the Lambda function.

  • A .zip archive deployment package (slack-lambda.py.zip) to upload your Lambda function code.

To use these files, follow the instructions in the next section.

Epics

Task | Description | Skills required

Create an S3 bucket.

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose or create an S3 bucket to host the code. An S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. The S3 bucket name cannot include leading slashes. We recommend that you use a prefix to organize the code for this pattern.

For more information, see Creating a bucket in the Amazon S3 documentation. 

App developer, App owner, Cloud administrator

Upload the CloudFormation templates and Lambda code.

  1. Download the following files from the GitHub repository for this pattern:

    • base.yml

    • igw-ingress-route.yml

    • slack-lambda.py

    • slackLambda.yml

    • decentralized-deployment.yml

    • protected-subnet-route.yml

    • slack-lambda.py.zip

  2. Upload the files to the S3 bucket you created. 

App developer, App owner, Cloud administrator
Task | Description | Skills required

Launch the CloudFormation template.

Open the AWS CloudFormation console in the same AWS Region as your S3 bucket and deploy the template base.yml. This template creates the required AWS resources and Lambda functions for the alerts to be transmitted to the Slack channel.

For more information about deploying CloudFormation templates, see Creating a stack on the AWS CloudFormation console in the CloudFormation documentation.

App developer, App owner, Cloud administrator

Complete the parameters in the template.

Specify the stack name and configure the parameter values. For a list of parameters, their descriptions, and default values, see CloudFormation parameters in the Additional information section.

App developer, App owner, Cloud administrator

Create the stack.

  1. Review stack details and update values based on your environment requirements.

  2. Choose Create stack to deploy the template.

App developer, App owner, Cloud administrator
Task | Description | Skills required

Test the deployment.

Use the AWS CloudFormation console or the AWS Command Line Interface (AWS CLI) to verify that the resources listed in the Target technology stack section have been created.  

If the CloudFormation template fails to deploy successfully, check the values you provided for the pAvailabilityZone1 and pAvailabilityZone2 parameters. These must be valid Availability Zones in the AWS Region you’re deploying the solution in. For a list of Availability Zones for each Region, see Regions and Zones in the Amazon EC2 documentation.

App developer, App owner, Cloud administrator

Test functionality.

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. Create an EC2 instance in one of the protected subnets. Choose an Amazon Linux 2 AMI (HVM) to use as an HTTP server. For instructions, see Launch an instance in the Amazon EC2 documentation.

Note: Amazon Linux 2 is nearing end of support. For more information, see the Amazon Linux 2 FAQs.

3. Use the following user data to install a web server on the EC2 instance:

#!/bin/bash
yum install httpd -y
systemctl start httpd
systemctl stop firewalld
cd /var/www/html
echo "Hello!! this is a NFW alert test page, 200 OK" > index.html

4. Create the following network firewall rules:

Stateless rule:

Source: 0.0.0.0/0
Destination: 10.0.3.65/32 (private IP of the EC2 instance)
Action: Forward

Stateful rule:

Protocol: HTTP
Source IP/port: Any / Any
Destination IP/port: Any / Any

5. Get the public IP of the web server you created in step 3.

6. Access the public IP in a browser. You should see the following message in the browser:

Hello!! this is a NFW alert test page, 200 OK

You will also get a notification in the Slack channel. The notification might be delayed, depending on the size of the message. For testing purposes, consider providing a CIDR filter that is not too narrow (for example, a CIDR value with /32 would be considered too narrow, and /8 would be too broad). For more information, see the Filter behavior section in Additional information.

App developer, App owner, Cloud administrator

Related resources

Additional information

CloudFormation parameters

Parameter | Description | Default or sample value
pVpcName | The name of the VPC to create. | Inspection
pVpcCidr | The CIDR range for the VPC to create. | 10.0.0.0/16
pVpcInstanceTenancy | How EC2 instances are distributed across physical hardware. Options are default (shared tenancy) or dedicated (single tenancy). | default
pAvailabilityZone1 | The first Availability Zone for the infrastructure. | us-east-2a
pAvailabilityZone2 | The second Availability Zone for the infrastructure. | us-east-2b
pNetworkFirewallSubnet1Cidr | The CIDR range for the first firewall subnet (minimum /28). | 10.0.1.0/24
pNetworkFirewallSubnet2Cidr | The CIDR range for the second firewall subnet (minimum /28). | 10.0.2.0/24
pProtectedSubnet1Cidr | The CIDR range for the first protected (workload) subnet. | 10.0.3.0/24
pProtectedSubnet2Cidr | The CIDR range for the second protected (workload) subnet. | 10.0.4.0/24
pS3BucketName | The name of the existing S3 bucket where you uploaded the Lambda source code. | us-w2-yourname-lambda-functions
pS3KeyPrefix | The prefix of the S3 bucket where you uploaded the Lambda source code. | aod-test
pAWSSecretName4Slack | The name of the secret that holds the Slack URL. | SlackEnpoint-Cfn
pSlackChannelName | The name of the Slack channel you created. | somename-notifications
pSlackUserName | Slack user name. | Slack User
pSecretKey | This can be any key. We recommend that you use the default. | webhookUrl
pWebHookUrl | The value of the Slack URL. | https://hooks.slack.com/services/T???9T??/A031885JRM7/9D4Y??????
pAlertS3Bucket | The name of the S3 bucket to be used as the network firewall alert destination. This bucket will be created for you. | us-w2-yourname-security-aod-alerts
pSecretTagName | The tag name for the secret. | AppName
pSecretTagValue | The tag value for the specified tag name. | LambdaSlackIntegration
pdestCidr | The filter for the destination CIDR range. For more information, see the next section, Filter behavior. | 10.0.0.0/16
pdestCondition | A flag to indicate whether to exclude or include the destination match. Valid values are include and exclude. For more information, see the next section. | include
psrcCidr | The filter for the source CIDR range to alert on. For more information, see the next section. | 118.2.0.0/16
psrcCondition | The flag to exclude or include the source match. For more information, see the next section. | include

Filter behavior

If you haven’t configured any filters in AWS Lambda, all generated alerts are sent to your Slack channel. Otherwise, the source and destination IPs of each generated alert are matched against the CIDR ranges you configured when you deployed the CloudFormation template, and the condition (include or exclude) is applied to each match. An alert is sent when either the source or the destination IP falls within its configured CIDR range and that side’s condition is include; a side that matches but is configured with exclude does not trigger the alert, and a side with no CIDR configured (Null) matches every alert. The following examples show CIDR values, conditions, and results.

Source CIDR | Source alert IP | Source condition | Destination CIDR | Destination alert IP | Destination condition | Alert sent
10.0.0.0/16 | 10.0.0.25 | include | 100.0.0.0/16 | 202.0.0.13 | include | Yes
10.0.0.0/16 | 10.0.0.25 | exclude | 100.0.0.0/16 | 202.0.0.13 | include | No
10.0.0.0/16 | 10.0.0.25 | include | 100.0.0.0/16 | 100.0.0.13 | include | Yes
10.0.0.0/16 | 90.0.0.25 | include | Null | 202.0.0.13 | include | Yes
10.0.0.0/16 | 90.0.0.25 | include | 100.0.0.0/16 | 202.0.0.13 | include | No
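The alert path described under Target architecture (S3 put event, Lambda, Slack webhook) and the filter rules illustrated by the examples above, as an added Python example. This is not the pattern’s own slack-lambda.py. The alert record shape (firewall_name, event.src_ip, event.dest_ip, event.alert) follows the Network Firewall alert log format, but every value is constructed for this example; the filter semantics are reconstructed from the five examples on this page (an unconfigured side is written as None or Null and matches every alert, and exclude is assumed to pass alerts whose IP is outside the range); the Secrets Manager lookup and the HTTP POST to the webhook are omitted so the code runs offline.

```python
import ipaddress
import json
from typing import Optional

# Constructed sample of the newline-delimited JSON records that Network Firewall
# writes to the alert S3 bucket. The field names follow the Network Firewall alert
# log format; every value here is made up for this example.
SAMPLE_ALERT_LOG = "\n".join([
    json.dumps({
        "firewall_name": "example-nfw", "availability_zone": "us-east-2a",
        "event_timestamp": "1700000000",
        "event": {"timestamp": "2023-11-14T22:13:20.000000+0000", "event_type": "alert",
                  "src_ip": "10.0.3.65", "src_port": 44321,
                  "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP",
                  "alert": {"action": "allowed", "signature_id": 1, "rev": 1,
                            "signature": "HTTP egress from protected subnet", "severity": 3}},
    }),
    json.dumps({
        "firewall_name": "example-nfw", "availability_zone": "us-east-2b",
        "event_timestamp": "1700000001",
        "event": {"timestamp": "2023-11-14T22:13:21.000000+0000", "event_type": "alert",
                  "src_ip": "198.51.100.7", "src_port": 51000,
                  "dest_ip": "10.0.3.65", "dest_port": 80, "proto": "TCP",
                  "alert": {"action": "allowed", "signature_id": 2, "rev": 1,
                            "signature": "HTTP to protected web server", "severity": 3}},
    }),
    "{not valid json",  # a truncated line, to show the parser skips it
])

# Filter values taken from this page's CloudFormation parameter defaults.
PAGE_DEFAULT_FILTERS = {"src_cidr": "118.2.0.0/16", "src_cond": "include",
                        "dest_cidr": "10.0.0.0/16", "dest_cond": "include"}


def side_passes(ip: str, cidr: Optional[str], condition: str) -> bool:
    """Evaluate one side (source or destination) of the CIDR filter.

    A side with no CIDR configured (None or "Null") matches every alert, which is
    how the page's fourth example and its "no filters configured" sentence read.
    Otherwise the side passes when the IP's membership in the CIDR agrees with the
    condition: inside the range for "include", outside it for "exclude". (The
    exclude-and-outside case is an assumption; the page only shows exclude with an
    IP inside the range, which must not alert.)
    """
    if cidr is None or str(cidr).strip().lower() in ("", "null"):
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    return inside if condition.strip().lower() == "include" else not inside


def should_alert(src_ip: str, dest_ip: str, src_cidr: Optional[str], src_cond: str,
                 dest_cidr: Optional[str], dest_cond: str) -> bool:
    """Forward the alert when either side passes its filter (source OR destination)."""
    return side_passes(src_ip, src_cidr, src_cond) or side_passes(dest_ip, dest_cidr, dest_cond)


def parse_alert_records(ndjson_text: str) -> list:
    """Parse one S3 object's newline-delimited alert records, skipping blank or malformed lines."""
    records = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one truncated line must not drop the rest of the object
    return records


def build_slack_payload(record: dict, channel: str, username: str) -> dict:
    """Format one alert record as an incoming-webhook body: "text" plus the optional
    "channel" and "username" overrides that the pattern exposes as parameters."""
    ev = record["event"]
    alert = ev.get("alert", {})
    text = (f"Network Firewall alert from {record.get('firewall_name', '?')} "
            f"({record.get('availability_zone', '?')}): {alert.get('action', '?')} "
            f"{ev.get('proto', '?')} {ev['src_ip']}:{ev.get('src_port', '')} -> "
            f"{ev['dest_ip']}:{ev.get('dest_port', '')} [{alert.get('signature', 'no signature')}]")
    return {"channel": channel, "username": username, "text": text}


def process_alert_object(ndjson_text: str, filters: dict,
                         channel: str = "somename-notifications",
                         username: str = "Slack User") -> list:
    """Apply the filter to every record in one alert object and return the Slack payloads
    that would be POSTed. Reading the webhook URL from Secrets Manager and the HTTP POST
    itself are left out so the example runs offline."""
    payloads = []
    for rec in parse_alert_records(ndjson_text):
        ev = rec.get("event", {})
        if "src_ip" not in ev or "dest_ip" not in ev:
            continue  # not an alert record the CIDR filter can be applied to
        if should_alert(ev["src_ip"], ev["dest_ip"], **filters):
            payloads.append(build_slack_payload(rec, channel, username))
    return payloads


if __name__ == "__main__":
    for payload in process_alert_object(SAMPLE_ALERT_LOG, PAGE_DEFAULT_FILTERS):
        print(json.dumps(payload))
```

Run with the page’s default filter values, only the second constructed record is forwarded: its destination 10.0.3.65 falls inside pdestCidr 10.0.0.0/16. The first record, egress from the protected subnet to an address outside both configured ranges, is dropped by the filter, and the truncated third line is skipped by the parser rather than aborting the whole object. Keeping the CIDR test in side_passes and the OR across sides in should_alert makes the five example rows above directly checkable against the code.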