in IAM Access Denied Responder/generate-security-messages/index.py [0:0]
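def _nested_get(mapping, *keys, default='N/A'):
    """Walk *keys* through nested dicts, returning *default* at the first missing level.

    The enrichment responses (geo lookup, WHOIS) are external data whose
    nested layout is not guaranteed; a missing inner key must not abort the
    notification.
    """
    current = mapping
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def access_denied_handler(event, context):
    """Lambda entry point: turn an AccessDenied CloudTrail event into an SNS text notification.

    Args:
        event: Either an SNS-wrapped event, where
            ``event['Records'][0]['Sns']['Message']`` is a JSON string whose
            ``detail`` object is the CloudTrail record, or a raw event whose
            ``detail`` is the CloudTrail record directly.
        context: Lambda context object (unused).

    Returns:
        None. The formatted message is published to the SNS topic named by
        the ``TopicTarget`` environment variable as ``{'TextMessage': ...}``.

    Raises:
        KeyError: if ``TopicTarget`` is unset or the event lacks the
            ``detail`` / ``userIdentity`` / ``eventName`` structure.
    """
    # Resolve the destination first so a misconfiguration fails before any
    # external enrichment lookups are spent.
    topic_arn = os.environ['TopicTarget']

    if 'Records' in event:
        record = event['Records'][0]
        sns_message = json.loads(record['Sns']['Message'])['detail']
    else:
        sns_message = event['detail']
    user_identity = sns_message['userIdentity']

    # Everything below is taken from the CloudTrail record, i.e. it describes
    # (and was partly supplied by) the caller that was denied. It is only ever
    # embedded in a plain-text message, never interpreted.
    lines = [
        'Access denied on event {0} occured in account {1} by {2}\n'.format(
            sns_message['eventName'],
            user_identity.get('accountId', '<N/A>'),
            user_identity.get('userName', '<N/A>'),
        ),
        'Event source: {0}\n'.format(sns_message.get('eventSource', 'N/A')),
        'Source agent: {0}\n'.format(sns_message.get('sourceIPAddress', 'N/A')),
        'Useragent: {0}\n'.format(sns_message.get('userAgent', 'N/A')),
    ]

    # Optional enrichment, enabled only when an API key is configured.
    if os.environ.get('APIKey'):
        source_ip = sns_message['sourceIPAddress']

        ip_geo_data = getIPGeoDetails(source_ip)
        country = _nested_get(ip_geo_data, 'location', 'country')
        region = _nested_get(ip_geo_data, 'location', 'region')
        city = _nested_get(ip_geo_data, 'location', 'city')

        ip_whois_data = getIPWhoisDetails(source_ip)
        owner = _nested_get(ip_whois_data, 'WhoisRecord', 'registrant', 'organization')

        lines.append('Location: {0}, {1}, {2}\n'.format(city, region, country))
        lines.append('Source IP owner: {0}\n'.format(owner))

    message = ''.join(lines)

    client = boto3.client('sns')
    client.publish(
        TopicArn=topic_arn,
        Message=json.dumps({'TextMessage': message}),
    )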