Integrating CloudWatch events into Slack via Lambda and SNS

Brett Gillett


Slack is an essential tool at Curious Orbit. We use it to communicate internally - whether we’re looking for project updates from Asana, figuring out who is on vacation, or even who is at the front door. We also use it for all our AWS Managed Support customers as a way to provide technical support and keep our customers up-to-date with what is happening in their AWS account.

Before building this solution, we used the Simple Notification Service (SNS) to send emails to customers when CloudWatch detected something out of the ordinary occurring in their AWS account - maybe a root login, or someone logging in without a multi-factor authentication (MFA) token associated with their IAM account. While email notifications from SNS worked as expected, if I’m honest, the emails are ugly and from time to time would get lost in the shuffle of very busy inboxes.

By leveraging SNS, Lambda and DynamoDB, we’re able to integrate alarms from CloudWatch into the private channels we use for each of our customers and customize the messages to make them much easier to understand and act on.

Here’s how it works:

Integrating CloudWatch events with Slack

During the on-boarding of a new AWS Managed Services customer, we use CloudFormation to deploy a series of CloudWatch alarms and an SNS topic into their AWS accounts. The SNS topic is subscribed to a Lambda function within our centralized AWS support account which uses DynamoDB for event enrichment, Slack channel information, and logging. We also use AWS Secrets Manager to store the Slack API token the Lambda function uses to push messages to Slack via the API.
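As an added illustration (not Curious Orbit's code), here is the routing step such a centralized Lambda function has to get right: accept an alarm only when the account in the SNS topic ARN matches the account in the alarm body and is on-boarded, and escape Slack control characters in customer-supplied alarm text. The `CHANNELS` dict is a constructed stand-in for the DynamoDB table, the account and channel IDs are made up, the function names are hypothetical, and the Secrets Manager lookup and the Slack API call are left out.

```python
import json

# Constructed stand-in for the DynamoDB table: customer account ID -> Slack channel ID.
CHANNELS = {"111122223333": "C0EXAMPLE01"}

def slack_escape(text):
    """Escape the three characters Slack treats as control characters."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def build_slack_messages(event, channels=CHANNELS):
    """Turn an SNS-delivered CloudWatch alarm event into Slack message payloads."""
    payloads = []
    for record in event.get("Records", []):
        sns = record["Sns"]
        try:
            alarm = json.loads(sns["Message"])
        except ValueError:
            continue  # not a CloudWatch alarm body (e.g. a manual test publish)
        if not isinstance(alarm, dict):
            continue
        # The topic ARN is set by SNS; the alarm body is whatever was published.
        topic_account = sns["TopicArn"].split(":")[4]
        account = alarm.get("AWSAccountId")
        # Assumption: alarm and topic live in the same customer account, so the two
        # IDs must agree and must be on-boarded; anything else is dropped.
        if account != topic_account or account not in channels:
            continue
        text = "*{}* is now *{}* in account {}\n{}".format(
            slack_escape(alarm.get("AlarmName", "unnamed alarm")),
            slack_escape(alarm.get("NewStateValue", "UNKNOWN")),
            account,
            slack_escape(alarm.get("NewStateReason", "")),
        )
        payloads.append({"channel": channels[account], "text": text})
    return payloads

def sample_event(account, topic_account, reason="Threshold crossed"):
    """Constructed SNS event in the shape Lambda receives it."""
    message = {"AlarmName": "RootLogin", "AWSAccountId": account,
               "NewStateValue": "ALARM", "NewStateReason": reason}
    arn = "arn:aws:sns:us-east-1:{}:customer-alarms".format(topic_account)
    return {"Records": [{"Sns": {"TopicArn": arn, "Message": json.dumps(message)}}]}

if __name__ == "__main__":
    for p in build_slack_messages(sample_event("111122223333", "111122223333")):
        print(p["channel"], p["text"])
```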

While it’s very much still a work in progress, I think it illustrates quite well how Lambda can act as the ‘glue’ within AWS to build cost-effective, scalable solutions.