Skip to content

cruxstack/aws-guardduty-slack-integration-go

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.github/workflows
.github/workflows
 
 
fixtures
fixtures
 
 
.editorconfig
.editorconfig
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

aws-guardduty-integration-slack

AWS Lambda function that listens to Amazon GuardDuty findings via Amazon EventBridge and publishes clean, threaded messages to Slack. Ideal when you need near-real-time alerts that SOC teams can triage directly inside Slack without extra tooling.

Features

  • native eventbridge trigger – GuardDuty events invoke the function directly
  • rich slack threads – each finding opens a thread with severity, region, account and a “view in console” button
  • severity awareness – low/medium/high/critical color-coding follows AWS docs
  • config-driven – all behavior controlled by environment variables

Deployment

Prerequisites

  • AWS account with GuardDuty enabled in at least one region
  • Slack App with a Bot Token (chat:write scope) installed in your workspace
  • Go ≥ 1.24
  • AWS CLI configured for the deployment account

Steps

git clone https://github.com/cruxstack/aws-guardduty-integration-slack.git
cd aws-guardduty-integration-slack

# build static Linux binary for lambda
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o bootstrap

# package
zip deployment.zip bootstrap

Required Environment Variables

name example purpose
APP_SLACK_TOKEN xoxb-… slack bot token (store in secrets manager)
APP_SLACK_CHANNEL C000XXXXXXX channel id to post findings
APP_AWS_CONSOLE_URL https://us-east-1.console.aws.amazon.com base console url (optional; defaults to region-specific uri)
APP_DEBUG_ENABLED true verbose logging & event dump

Create Lambda Function

  1. IAM role
    • AWSLambdaBasicExecutionRole managed policy
    • no additional AWS API permissions are required
  2. Lambda config
    • Runtime: al2023provided.al2023 (provided.al2 also works)
    • Handler: bootstrap
    • Architecture: x86_64 or arm64
    • Upload deployment.zip
    • Set environment variables above
  3. EventBridge rule 
    {
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"]
}
    Target: the Lambda function.
  4. Slack App
    • Add chat:write and chat:write.public
    • Custom bot avatar: upload GuardDuty logo in the Slack App App Icon section.

Local Developemnt

Test with Samples

cp .env.example .env # edit the values
go run .

The sample runner replays fixtures/samples.json and posts to Slack exactly as the live Lambda would.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v0.1.1 Latest
Oct 9, 2025
+ 1 release

Packages

No packages published

Languages