I am using this to forward findings to Slack and just got an email from AWS notifying us that AWS is EOL'ing Node 8.10

I have updated my stack to use 10.x and it seems to work fine, so it would be nice to update the Cloudformation template to make this still function.

The email from AWS:

We are contacting you as we have identified that your AWS Account currently has one or more Lambda functions using Node.js 8.10, which will reach its EOL at the end of 2019.

What’s happening?

The Node community has decided to end support for Node.js 8.x on December 31, 2019 [1]. From this date forward, Node.js 8.x will stop receiving bug fixes, security updates, and/or performance improvements. To ensure that your new and existing functions run on a supported and secure runtime, language runtimes that have reached their EOL are deprecated in AWS [2].

For Node.js 8.x, there will be 2 stages to the runtime deprecation process:

1. Disable Function Create – Beginning January 6, 2020, customers will no longer be able to create functions using Node.js 8.10

2. Disable Function Update – Beginning February 3, 2020, customers will no longer be able to update functions using Node.js 8.10

After this period, both function creation and updates will be disabled permanently. However, existing Node 8.x functions will still be available to process invocation events.

What do I need to do?

We encourage you to update all of your Node.js 8.10 functions to the newer available runtime version, Node.js 10.x[3]. You should test your functions for compatibility with the Node.js 10.x language version before applying changes to your production functions.

What if I have issues/What if I need help?

Please contact us through AWS Support [4] or the AWS Developer Forums [5] should you have any questions or concerns.

[1] https://github.com/nodejs/Release
[2] https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html
[3] https://aws.amazon.com/about-aws/whats-new/2019/05/aws_lambda_adds_support_for_node_js_v10/?nc1=h_ls
[4] https://aws.amazon.com/support
[5] https://forums.aws.amazon.com/forum.jspa?forumID=186

Icon path is not valid (sends to tomstickle - 404)

Filter GD-Slack alerts to receive only from specific aws accounts, instead of all accounts in master.

try this instead:
" const account = message.detail.accountId;\n",

AWS doesnot support nodejs16.x anymore and for nodejs18.x and above, this code doesnot work as earlier. Can you update runtime version as well as sample code?

Getting an error in Lambda so nothing is posting to slack.

Response
{
"errorType": "TypeError",
"errorMessage": "Cannot read properties of undefined (reading 'type')",
"trace": [
"TypeError: Cannot read properties of undefined (reading 'type')",
" at processEvent (/var/task/index.js:47:36)",
" at Runtime.exports.handler (/var/task/index.js:119:9)",
" at Runtime.handleOnceNonStreaming (file:///var/runtime/index.mjs:1085:29)"
]
}

Is this really necessary or is there a more restrictive permission set that could accomplish the same?

"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" It seems to me that GuardDuty doesn't need to do anything with the VPC. It should just receive the guard duty message as JSON and then post it on to slack. Thoughts?

Hi,
I found out, that gd2s posts notifications to slack for events other than findings, e.g. when somone moves findings to the archive in the AWS GuardDuty GUI.

Regards,
Phil

Deployed this as a cloudformation template with the necessary variables. However, when firing test GuardDuty alerts I get the following:

2021-12-08T22:57:06.856Z	3eb11653-unique-identifier-string-123	ERROR	Uncaught Exception 	{
    "errorType": "Error",
    "errorMessage": "connect ECONNREFUSED 127.0.0.1:443",
    "code": "ECONNREFUSED",
    "errno": "ECONNREFUSED",
    "syscall": "connect",
    "address": "127.0.0.1",
    "port": 443,
    "stack": [
        "Error: connect ECONNREFUSED 127.0.0.1:443",
        "    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)"
    ]
}

I have successfully deployed this stack in our test account but before I do the same in prod i would like to perform a test.

How can I do that?

How to generate fake GuardDuty alerts or trigger this lambda manually?

When a GuardDuty Event occurs that does not have a severity, such as when you archive a finding, this guardduty-to-slack Lambda generates a junk notification to Slack, which looks like the below.

GuardDutyAPP  11:13
Finding in us-west-2 for Acct: XXXXXXXXXXXX
undefined
undefined
Severity
High
Region
us-west-2
Last Seen
<!date^NaN^{date} at {time} | undefined>

I've implemented a fix for this in my local copy & will submit a PR.

Regardless of using Medium or High in the minSeverityLevel variable. I continue to get Severity low notifications in Slack.

CloudFormation does not currently support the ZipFile (embedded code) method with Node8.10. Only Node, Node4 and Node6.10.

I think many people who will be using this will be worried about PCI compliance.

Re this doc: https://aws-quickstart.github.io/quickstart-compliance-pci-fsbp-remediation/

[PCI.Lambda.1] AWS Lambda functions should prohibit public access.

[PCI.Lambda.2] AWS Lambda functions should be in a VPC.

I think many people would find it super helpful if you add an option to set the Lambda up in a VPC.

I try to add some functions in lambda processEvent.
For example,
tags
actionType
domain
RemoteIpDetails
etc.