aws-samples multi-environment-chatops-bot-for-controltower

Set up a ChatOps notifications service within your AWS environment in 5 minutes using EventBridge, Lambda, and Python

From where I sit, Slack with AWS Chatbot feels like a major risk factor that largely goes unacknowledged by the folks responsible for managing risk appropriately. If that’s you, you might want to look a little more closely into your company’s ChatOps guardrails. AWS has a deep dive into how to configure Chatbot permissions, which approximately nobody reads or implements. Users can be assigned roles, they can change roles, they can assume roles, and at least some of these roles we’re talking about are IAM roles.

When we trigger AWS CLI commands, they get processed by AWS Chatbot to invoke the required services. If teams are using either of these two for collaboration, they can easily set up monitoring and alerts using AWS Chatbot. 2.10 Once you see the successful output of the CloudFormation script “chatops-lex-bot-xyz-cicd”, everything is ready to continue.

Summaries are also displayed in push notifications from Slack and Microsoft Teams. To communicate with AWS APIs, you either need a NAT gateway or VPC endpoints. S3 and DynamoDB are special because they support gateway endpoints.

DevOps teams can receive real-time notifications that help them monitor their systems from within Slack. That means they can address situations before they become full-blown issues, whether it’s a budget deviation, a system overload or a security event. The most important alerts from CloudWatch Alarms can be displayed as rich messages with graphs.

Now that we have the basic infrastructure components deployed, let’s move on to setting up the other components and completing the alerting setup. It’s even easier to set permissions for individual chat rooms and channels, determining who can take these actions through AWS Identity and Access Management. AWS Chatbot comes loaded with pre-configured permissions templates, which of course can be customized to fit your organization. In Slack, this powerful integration is designed to streamline ChatOps, making it easier for teams to manage just about every operational activity, whether it’s monitoring, system management or CI/CD workflows.

There are a bunch of permissions that AWS flat-out will not support via Chatbot, no matter how poorly you misconfigure the thing. With the magic of ChatOps, I fear that among the profound secrets Slack holds is full root access to your company’s AWS accounts. Hence I would like to share some details about ChatOps and AWS Chatbot (the AWS tool for ChatOps) and its use cases in this blog. 5.3 Choose to deploy and re-install the Slack App to your workspace and then access the ChatBot application within your Slack workspace. If everything is successful, you can see a working serverless ChatBot as shown below.

Teams can set which AWS services send notifications where, so developers aren’t bombarded with unnecessary information. 2.8 Then, the script will trigger an aws cloudformation package command, which will use the uploaded zip file, reference it and generate a ready CloudFormation yml file for deployment. The output of the generated package file (devops-packaged.yml) will be stored locally and used to execute the aws cloudformation deploy command. To explain how AWS Chatbot works and how it can be set up, I have built a simple process setup which will help demonstrate the same. The image below shows the whole process architecture and its components. Here I am building a simple data transfer ETL process where data is being loaded into a DynamoDB table from a data file in an S3 bucket.

Marbot is a ChatOps tool to configure AWS monitoring, escalate alerts, and solve incidents. This blog post looks at alternatives that cover similar functionality available for Slack and Microsoft Teams. Folks are rarely as diligent as we (and, belatedly, they) wish they were when it comes to security. All the mentioned use cases utilise CloudWatch Events/alarms to trigger the SNS topic, which in turn calls AWS Chatbot for the notifications and commands that can be viewed and triggered from chat clients. 2.11 Before we continue, confirm the output of the AWS CloudFormation stack called “chatops-lex-bot-xyz-cicd”.

The second scenario with AWS Chatbot is to trigger commands from the chat client. Before proceeding, make sure you have your own Slack workspace where you have admin access. This image will explain how the status message from the Glue job will land in the Slack channel. Recently I started reading about ChatOps and it really intrigued me to learn more about it.

On top of that, we are grateful for the feedback from our early customers. If we look specifically at AWS services, AWS has a tool called AWS Chatbot which helps to enable ChatOps in its environment. This should give you a general idea about the demo process which I will be setting up next to demonstrate setting up AWS Chatbot. 3.3 Please specify a mailbox that you have access to, in order to approve new ChatOps requests (e.g. account vending) as a manual approver step. Great, so now you’ve got your Lambda function sorted. This rule will simply watch for certain events and route them to an AWS target we choose.

It’s roughly here that, as they say, our troubles begin. People treat chat as if it were ephemeral, with messages gone soon after they’re sent — but this isn’t Snapchat we’re talking about here. All of your Slack messages live not in some ephemeral database like an early version of MongoDB, but rather as rows in MySQL. Slack’s security team is excellent, because it pretty darn well has to be. If it isn’t, your deepest chat secrets are but a SQL query away. Now that the setup is complete, let’s test the Chatbot and verify that the Glue job is sending out alerts to the Slack channel.

Slack provides us with the ability to make use of incoming Webhooks; these Webhooks enable us to post messages from our applications into Slack. You can adjust the source not to send the events in the first place (such as tweaking the EventBridge rule or CloudWatch alarm). Since the beginning, marbot has worked based on the push principle. You configure your AWS account in a way to send data to marbot. For example, a CloudWatch alarm pushes a message to SNS, which invokes marbot’s HTTPS endpoint. Never one to spy an ill-defined buzzword without enthusiastically launching a service into the category, AWS created a full-on service called, of course, AWS Chatbot.

Use a JSON query language like JMESPath to customize the query for an AWS CLI command and filter the output on the client side. AWS may be using your data to train its AI models, and you may have unwittingly consented to it. Prepare to jump through a series of complex hoops to stop it.

Successfully packaged artifacts and wrote output template to file devops-packaged.yml. Start with building these 2 main components of the architecture through an automated script. This will be split into “STEP 1” and “STEP 2” in this walkthrough. The following architecture shows the overview of the solution which will be built with the code provided through GitHub. If you plan to use this in production or a real work environment, I would highly suggest taking a look at Slack’s Block Kit Builder — it’ll make your messages look more presentable. The code above simply serializes the JSON from the event into a String.

ChatOps is a collaborative model that connects people, tools, and processes into a transparent workflow. This flow connects the work needed, the work happening and the work done in one central location. This level of transparency tightens the feedback loop, improves information sharing between teams, and ultimately enhances team collaboration. For example, if a developer creates a pull request in AWS CodeCommit, instead of that developer having to manually message colleagues to review it, it would be nice to have a mechanism that detects this event (the pull request) and acts on it by sending a message to the relevant people on the pull request.

ChatOps is becoming very popular now, and it also makes it easy for teams to monitor operational tasks. This service will be of help to teams who use Slack or Chime as their collaboration tool, as they don’t have to leave the tool to get an operations view. This post provided a basic understanding of the service and how it works. If you have any questions or face any issues, please reach out to me from the Contact page.

Make sure you change the following sections in Postman (Production-Confirm-API) and use the ApiApproval-apiID that has the /confirm path. You can import the JSON file into Postman and execute a RESTful test call to the API Gateway endpoint. To confirm, double check the AWS region you have specified. Selecting a different region will change the language and content of In order to achieve this, you need to click the Rules button on the left navigation pane within AWS whilst you’re in the EventBridge service. The overall architecture for this solution is quite simple.

Think of a scenario where you want to list all the buckets in your AWS account: just ask the bot in a chat and it shows you all the buckets. If you work on a DevOps team, you already know that monitoring systems and responding to events require major context switching. In the course of a day—or a single notification—teams might need to cycle among Slack, email, text messages, chat rooms, phone calls, video conversations and the AWS console. Synthesizing the data from all those different sources isn’t just hard work; it’s inefficient.

To top it all off, thanks to an intuitive setup wizard, AWS Chatbot only takes a few minutes to configure in your workspace. You simply go to the AWS console, authorize with Slack and add the Chatbot to your channel. (You can read step-by-step instructions on the AWS DevOps Blog here.) And that means your teams are well on their way to better communication and faster incident resolutions.

Then, you will combine all of this, integrating a ChatBot frontend where users can issue requests against the CCoE and Ops team to fulfill AWS services easily and transparently. As a result, you experience a more efficient process for vending AWS Accounts and Products while taking the burden off your Cloud Operations team. Before we move on to understanding Chatbot, let’s first understand what ChatOps is. Simply put, ChatOps is a collaboration model where teams can interact with systems and gain operational insights in a conversational manner. A typical scenario is one where teams type commands in a chat application and a bot executes the commands on backend systems, all by chatting with the bot. This has recently become very widely accepted because of the ease with which teams can interact with the systems.

We can anticipate the format of the JSON in the event that’s being passed into the function by reading the AWS documentation. For example, if we’re looking to invoke a Lambda function based on an S3 event, then we can read the S3 docs and view how the JSON payload will look. We can then use this information to store the values we need in variables.

Adjusting these parameters allows you to manage false positives and tune the volume and type of findings on which you wish to be notified and take action. On top of that, we are using Lambda@Edge to resize images on the fly. AWS is responsible for the availability and scalability of all three services. Therefore, operating the infrastructure for our website is not too…

The ETL part is handled by a Glue job which also transforms the data. This solution can be used and integrated with any of your favourite request portals or channels that can call a RESTful API endpoint, so that you can offer AWS Account vending at scale for your enterprise. Event messages sent to that SNS topic will end up as alerts on the Slack channel. The Lambda which was created earlier should route the messages to the SNS topic. Make sure the SNS topic ARN is set as an environment variable on the Lambda so it knows which SNS topic to send the message to.

When something does require your attention, Slack plus AWS Chatbot helps you move work forward more efficiently. In a Slack channel, you can receive a notification, retrieve diagnostic information, initiate workflows by invoking AWS Lambda functions, create AWS support cases or issue a command. For the purposes of this guide/demo we will be sending data to Slack.

It is composed of 3 parts: Lambda, Slack, and EventBridge. Many VPC designs make use of public and private subnets. You need a NAT gateway to communicate from a private subnet with the Internet. A VPC NAT gateway is a finite resource that can be exhausted. That’s why you need to add monitoring to be alerted if…

AWS Chatbot uses SNS to integrate with other AWS services. The way it works is that CloudWatch triggers an alarm that notifies the SNS topic, which activates Chatbot to notify the chat room. This solution allows for the configuration of the auto-remediation behaviour based on finding type and finding severity. In a similar manner you can define the minimum severity level (Low, Medium, High) that a finding must have before the solution will take action.

If you’re new to AWS you can access the Lambda service by searching “Lambda” in the search bar within the AWS management console. Once you’ve done this, you should create your Lambda function as shown in the image above. In this article, I won’t cover a specific Lambda for a specific event but I will provide you with a generic Lambda that you can play around with to match your specific requirements.

In this post I will go through the basics of this AWS managed service called ‘Chatbot’ and demonstrate how quickly you can set up an alerting mechanism to Slack, monitoring an AWS Glue ETL job. In the current DevOps world, teams rely on communication channels like chat rooms to interact with team members and the systems they operate. This is done with the help of bots that facilitate the interaction, deliver important notifications and are sometimes used to relay commands back to the server. With AWS Chatbot you can send notifications to a chat client and also trigger commands from your chat client. The multi-environment pipeline builds 3 environments (Dev, Staging, Production) with different quality gates to push changes on this solution from a “Development environment” up to a “Production environment”. This will make sure that your AWS ChatBot and the account vending are scalable and fully functional before you release them to production and make them available to your end users.

This short guide highlights how quickly we can set up a serverless application within AWS that can provide value to teams immediately. After reading this article, you will have the ability to set up a rule within EventBridge that invokes a Lambda you’ve created based on a specific event within your AWS environment. You can use GitHub Actions to build, test, and deploy your source code whenever your GitHub Repository changes. It can be challenging to keep track of all the deployed changes when working in a team. You can use marbot to update your team whenever a Gi… About two months ago, we launched the beta of marbot for Microsoft Teams.

In some cases, CLI commands can be triggered from ChatOps to perform operational activities. 4.1 Use the Postman script under the /test folder, postman-test.json, before you start integrating this solution with a chat or web frontend such as Slack or a custom website in production. 3.5 Now the script will identify if you have Control Tower deployed and if it can identify the Control Tower Account Factory product. 2.7 The script will upload the source code to the S3 bucket specified; you should see a successful upload. All this happens securely from within the Slack channels you already use every day.

You should find three outputs from the CloudFormation template. We will create a Lambda function — you can use any of the supported languages for your function e.g. We will then link this function to an event within our AWS environment by creating a rule in EventBridge. This rule will invoke our function whenever the rule is satisfied. For this guide, we will use Slack as the preferred destination for our notifications. Therefore, we will need to configure a few things in Slack.

Major tasks in the public Cloud go toward building a proper foundation (the so-called Landing Zone). The main goals of this foundation are providing not only access to an AWS Account (with the right permissions), but also the correct Cloud Center of Excellence (CCoE) approved products and services. You will also learn how to utilize this solution with Slack. But it can also be easily utilized with Chime/MS Teams or a normal web frontend, as the integration is channel-agnostic through an API Gateway integration layer.

Most AWS Control Tower customers use the AWS Control Tower Account Factory (a Service Catalog product) and the Service Catalog service to vend standardized AWS services and products into AWS Accounts. ChatOps is a collaboration model that interconnects a process with people, tools, and automation. It combines a bot that can fulfill service requests (the work needed) with Ops and Engineering staff who augment it, in order to allow approval processes or corrections in the case of exception requests.

It really fascinated me to see how easy it is now to set up alerting and be notified about operational stuff. While I was learning more, I thought why not explore the same on AWS, and that’s when I bumped into AWS Chatbot. For a proper cleanup, you can just go into AWS CloudFormation, choose the deployed stacks and choose “Delete Stack”. If you run into issues while deleting, see the troubleshooting solutions below for a fix. Also make sure you delete your integration apps (e.g. Slack) for a full cleanup. 5.2 Choose “From an app manifest” to create a new Slack App and paste the sample code from the /test folder, slack-app-manifest.yml.

Some people might ask why they should use this approach instead of AWS Chatbot. Whilst AWS Chatbot can do the above, it is restricted to Slack and Chime, whereas the process above can post to any endpoint, whether it be Teams, Discord, Slack, etc. Additionally, we can capture a vast range of events from nearly every service within the AWS environment via EventBridge. That completes the short demonstration of how Chatbot works and how to set one up. I hope I was able to help you understand the basics of this very useful service.
