Prerequisites
This tutorial assumes that you have some familiarity with the Lambda, AWS Chatbot, and CloudWatch consoles.
For more information, see the following topics:
• Getting started with AWS Lambda in the AWS Lambda Developer Guide.
• Setting up AWS Chatbot in the AWS Chatbot Administrator Guide.
• Getting Set Up with CloudWatch in the Amazon CloudWatch User Guide.
The AWS Region that you select while setting up these consoles should be the same Region you specify in your Slack channel when your first AWS Command Line Interface (AWS CLI) command in Step 5:
Invoke a Lambda function from Slack (p. 38).
Step 1: Create a Lambda function
In this procedure you create a Lambda function in the console and test it.
To create a Lambda function
1. Sign in to the AWS Management Console and open the Lambda console at console.aws.amazon.com/lambda.
2. Choose Create function.
3. Choose Author From Scratch.
4. In Function Name, enter: myHelloWorld 5. Choose Create Function.
6. Copy and paste the following example code into index.js.
exports.handler = async (event) => { const response = 'Hello World!' return response;
};
7. Choose Deploy and confirm your changes have been deployed by viewing the label next to the Deploy button.
8. Choose Test.
9. In Event Name, enter: myHelloWorld 10. Choose Create.
11. Choose Test and then verify that the Execution results tab displays Response: "Hello World!"
12. Choose Save.
Step 2: Create an SNS topic
Step 2: Create an SNS topic
CloudWatch uses Amazon SNS to send notifications. First, you create an SNS topic and subscribe to it using your email. Later in the tutorial you use this SNS topic to configure AWS Chatbot.
To create an SNS topic
1. Open the Amazon SNS console.
2. In the left navigation pane, choose Topics.
3. Choose Create Topic.
4. Create a topic with the following settings:
a. Type – Standard
b. Name – myHelloWorldNotifications c. Display name – myHelloWorld
5. Choose Create topic.
6. Choose Create subscription.
7. Create a subscription with the following settings:
a. Protocol – Email
b. Endpoint – Your email address
8. Confirm subscription to the SNS by checking your email and choosing the link.
Step 3: Configure a CloudWatch alarm
A CloudWatch alarm monitors your Lambda function and sends a notification if an error occurs.
To create a CloudWatch alarm 1. Open the CloudWatch console.
2. Choose Alarms.
3. Choose Create alarm.
4. Choose Select metric.
5. Choose Lambda.
6. Choose By Function Name.
7. Choose myHelloWorld errors.
8. Change the following settings:
a. Period – 1 minute
b. Whenever Errors is Greater than 0
c. Send notifications to – myHelloWorldNotifications d. Alarm name – myHelloWorld-alarm
e. Alarm description – Lambda myHelloWorld alarm 9. Choose Create alarm.
Step 4: Configure a Slack client for AWS Chatbot
You can configure a Slack client using AWS Chatbot to to run different commands in Slack using the AWS CLI. In this tutorial you use AWS CLI to invoke your Lambda function from Slack.
Step 5: Invoke a Lambda function from Slack
To create a Slack client
1. Open the AWS Chatbot console.
2. Under Configure a Chat client choose Slack, and then choose Configure.
Important
When you choose Configure, you are momentarily navigated away from the AWS Chatbot console.
3. In the upper right corner, choose the dropdown list, and then choose the Slack workspace that you want to use with AWS Chatbot.
NoteThere's no limit to the number of workspaces that you can set up for AWS Chatbot, but you must set up each workspace one at a time.
4. Choose Allow.
5. Choose Configure new channel.
6. Under Configuration details, for Name, enter myHelloWorld.
7. Under Channel type, choose Private.
a. Navigate to Slack and create a private channel by choosing the + button to the right of Channels.
b. Choose Create a channel.
c. Name the channel myHelloWorld.
d. Choose to make the channel private.
e. Choose Create.
f. When prompted to add people, choose x.
g. Navigate back to the AWS Chatbot console and enter the private channel ID.
8. Define the IAM permissions that the chatbot uses for messaging your Slack chat room as shown following:
a. For Role name, enter myHelloWorldRole.
b. For Policy Templates, select Read-only command permissions and Lambda-invoke command permissions.
9. In the SNS topics section, choose the appropriate AWS Region under Region.
10. Under Topics, select the myHelloWorldNotifcations topic.
11. Choose Configure.
Step 5: Invoke a Lambda function from Slack
After you configure a chatbot in AWS Chatbot, you can invoke Lambda functions from Slack using AWS CLI syntax. To interact with AWS Chatbot in Slack, enter @aws followed by an AWS CLI command. For more information, see Running AWS CLI commands from Slack channels (p. 22) in the AWS Chatbot Administrator Guide.
To invoke a Lambda function
1. Invite AWS Chatbot to your channel by doing the following in Slack:
a. Enter @AWS.
b. Choose Invite to Channel.
TipYou only have to invite AWS Chatbot to the channel once.
Step 6: Test the CloudWatch alarm
If AWS is not listed as a valid member of the channel, you need to add the AWS Chatbot app to the Slack workspace. For more information, see the Getting started guide for AWS Chatbot (p. 5).
2. Enter the following command in Slack:
@aws lambda invoke --function-name myHelloWorld --region <your region>
Important
Replace <your region> with the same AWS Region you set while using the Lambda, CloudWatch, and AWS Chatbot consoles. You only need to specify the AWS Region in the channel once when you type your first AWS CLI command in Slack.
TipAWS Chatbot also supports certain simplified AWS CLI syntaxes. For example, the simplified version of the previous command is shown following:
@aws invoke myHelloWorld --region <your region>
3. Choose Yes.
4. The following output is shown:
ExecutedVersion: $LATEST Payload: \"Hello World\"
StatusCode: 200
Troubleshooting
If you try to run your Lambda function in Slack and you encounter errors referring to the following permissions, revisit step 8 of the Step 4: Configure a Slack client for AWS Chatbot (p. 37) procedure and verify that you have the correct permissions assigned to your role:
• Lambda-invoke command permissions
• Read-only command permissions
Step 6: Test the CloudWatch alarm
In this step, you update the myHelloWorld function so that it returns an error, which triggers the CloudWatch alarm. By testing the alarm you can confirm that it's configured correctly and that you can view CloudWatch alarms in Slack (in addition to logs).
To test the CloudWatch alarm
1. Open the Lambda console Functions page.
2. Choose myHelloWorld.
3. Copy and paste the following example code into the Lambda function code:
exports.handler = async (event) => { throw new Error('this is an error');
};
4. Choose Deploy and confirm your changes have been deployed by viewing the label next to the Deploy button.
5. Return to your Slack channel and then enter the following command:
Step 7: Clean up resources
@aws invoke myHelloWorld
6. An error appears in your output, and you receive a CloudWatch alarm notification in Slack and an email. It might take a few minutes for you to receive the notifications.
7. To view logs, choose Show logs or Show error logs.
Troubleshooting
If you don't receive a notification in Slack or an email from CloudWatch, navigate to the CloudWatch console and on the left of the screen. Under Alarms, choose In alarm to confirm that your alarm has triggered. Your alarm name should appear on this page if it has been triggered successfully.
Step 7: Clean up resources
You can remove any resources created for this tutorial that you don't want to keep by navigating to the specific service’s console and deleting the resource. Removing unwanted or unused resources is beneficial because it lowers overall costs to you.
To delete the Lambda function 1. Open the Lambda console.
2. Choose myHelloWordFunction.
3. Choose Actions and then choose delete.
To delete the CloudWatch alarm 1. Open the CloudWatch console.
2. In the left navigation pane, choose Insufficient.
3. Choose myHelloWorld-alarm by selecting the check box.
4. Choose Actions and then choose delete.
To delete the AWS Chatbot configuration 1. Open the AWS Chatbot console.
2. Choose Slack.
3. Choose the radio button next to the channel you created and then choose Delete.
Monitoring with CloudWatch
Monitoring AWS Chatbot
Monitoring is an important part of maintaining the availability of AWS Chatbot and your other AWS solutions. AWS provides the following monitoring tools to watch AWS Chatbot, report when something is wrong, and take automatic actions when appropriate:
• Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time.
You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the Amazon CloudWatch User Guide.
• Amazon CloudWatch Logs enables you to monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the Amazon CloudWatch Logs User Guide.
• AWS CloudTrail captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the AWS CloudTrail User Guide.
Monitoring AWS Chatbot with Amazon CloudWatch
You can monitor AWS Chatbot using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical
information and gain a better perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the Amazon CloudWatch User Guide.
Enabling CloudWatch Metrics
Amazon CloudWatch metrics are enabled by default.
Available metrics and dimensions
The metrics and dimensions that AWS Chatbot sends to Amazon CloudWatch are listed below.
The AWS/Chatbot namespace includes the following metrics.
NoteTo get AWS Chatbot metrics, you must specify US East (N. Virginia) for the Region.
Metric Description
EventsThrottled The number of throttled notifications.
Events may be throttled if the number of events received exceeds 10 per second.
Units: Count
EventsProcessed The number of event notifications received by AWS Chatbot.
Viewing AWS Chatbot metrics
Metric Description
Units: Count
UnsupportedEvents The number of unsupported events or messages attempted.
For a full list of AWS services supported by AWS Chatbot, see Using AWS Chatbot with other AWS services (p. 15).
Units: Count
MessageDeliverySuccessThe number of messages successfully delivered to the chat client.
Units: Count
MessageDeliveryFailureThe number of messages that failed to deliver to the chat client.
Units: Count
AWS Chatbot sends the following dimensions to CloudWatch.
Dimension Description
ConfigurationName This dimension filters the data you request by the name of your configuration.
Viewing AWS Chatbot metrics
You can view metrics in the CloudWatch console, which provides a fine-grained and customizable display of your resources, as well as the number of running tasks in a service.
Viewing AWS Chatbot metrics in the CloudWatch console
AWS Chatbot metrics can be viewed in the CloudWatch console. The CloudWatch console provides a detailed view of AWS Chatbot metrics, and you can tailor the views to suit your needs. For more information about CloudWatch, see the Amazon CloudWatch User Guide.
To view metrics in the CloudWatch console
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. In the Metrics section in the left navigation, choose AWS Chatbot.
3. Choose the metrics to view.
Accessing Amazon CloudWatch Logs for AWS Chatbot
AWS provides event logging with Amazon CloudWatch Logs. With CloudWatch Logs for AWS Chatbot, you can see all the events handled by AWS Chatbot. You can also see details of any error that may have prevented a notification from appearing in your Amazon Chime or Slack chat room.
Enabling CloudWatch Logs
Possible errors that you can see with CloudWatch Logs include lack of permissions, unsupported events, and events throttled by the chat client. For more information about these errors, see Troubleshooting (p. 69).
AWS Chatbot also provides an audit log of commands executed by AWS Chatbot in CloudWatch Logs. With CloudWatch Logs' audit log events for AWS Chatbot, you can see an audit log of executed commands and their chat workspace ID, channel ID, and channel user ID attributes. The audit log events in CloudWatch Logs are always enabled and can't be disabled.
AWS Chatbot always logs audit events for command execution to CloudWatch Logs. You can choose to enable logging for all events, or only for errors.
NoteThere is an additional charge for using CloudWatch Logs. For more details, see Amazon CloudWatch Pricing.
Enabling CloudWatch Logs
You can enable CloudWatch Logs during the setup flow of your Amazon Chime or Slack channel configuration. For existing channels, you can edit the configuration to enable logging.
To enable CloudWatch Logs for a new configuration
1. On the Configure channel page, during the setup flow, under Configuration details, choose Send logs to CloudWatch.
2. Choose either All events or Errors only.
3. Continue the setup flow, then choose Configure channel.
To enable CloudWatch Logs for an existing configuration
1. In the AWS Chatbot console, under Configured clients, navigate to the chat client you want to edit.
2. From the list of existing configurations, choose the configuration you want to edit, then choose Edit.
3. On the Edit page, choose Send logs to CloudWatch.
4. Choose either All events or Errors only.
5. Choose Save.
Viewing CloudWatch Logs
Your AWS Chatbot logs will be sent to CloudWatch under a designated CloudWatch Logs group for your configuration. The group name is /aws/chatbot/configuration-name. To learn more about log groups and other CloudWatch concepts such as log events and log streams, see Amazon CloudWatch Logs Concepts in the Amazon CloudWatch Logs User Guide.
You can view your logs in the Amazon CloudWatch console. Note that you must specify US East (N.
Virginia) for the Region. For more information, see View Log Data Sent to CloudWatch Logs in the Amazon CloudWatch Logs User Guide.
Logging AWS Chatbot API calls with AWS CloudTrail
AWS Chatbot integrates several events with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Chatbot. CloudTrail captures API calls for AWS Chatbot
Logging AWS Chatbot API information in CloudTrail
as events. The calls captured include calls from the AWS Chatbot console and code calls to the AWS Chatbot API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Chatbot. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to AWS Chatbot, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see Viewing Events with CloudTrail Event History.
To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide.
When you create a trail, you can enable continuous delivery of AWS Chatbot events to an Amazon S3 bucket that you specify. The trail logs events from all Regions in the AWS partition for that service and delivers the log files to that Amazon S3 bucket. You can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following topics in the AWS CloudTrail User Guide:
• Overview for Creating a Trail
• CloudTrail Supported Services and Integrations
• Configuring Amazon SNS Notifications for CloudTrail
• Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple Accounts
Logging AWS Chatbot API information in CloudTrail
AWS Chatbot supports logging of the following actions as events in CloudTrail log files:
• DescribeSlackWorkspaces
• DescribeSlackChannels
• RedeemSlackOAuthCode
• GetSlackOAuthParameters
Every event log entry contains information about who generated the request. The identity information helps you determine the following:
• Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
• Whether the request was made with temporary security credentials for a role or for a federated user.
• Whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity Element.
Logging other AWS API information in CloudTrail
When you use commands in AWS Chatbot that call APIs from other AWS services, those APIs are logged in CloudTrail as well.
When you run a command that involves another AWS service, AWS Chatbot assumes an IAM role in your account to invoke AWS APIs on your behalf. These APIs appear in your CloudTrail events, and they are associated with the role that was configured for your AWS Chatbot configuration with a session name that includes chatbot, such as chatbot-session.
Because AWS Chatbot is a global service, it may process your events in a different AWS Region. An API call is logged in the region where the resource behind that API call exists. For example, if you run
Example: AWS Chatbot log file entries
a lambda list-functions command in AWS Chatbot, CloudTrail will log two APIs: AssumeRole and ListFunctions. The AssumeRole call is logged in the region AWS Chatbot processed it in, and the ListFunctions call is logged in the region the function exists in.
Example: AWS Chatbot log file entries
CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, user identification, and more. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.
The following example shows a CloudTrail log entry for the AWS Chatbot DescribeSlackChannels action.
{
"eventVersion": "1.05", "userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:jdoe",
"arn": "arn:aws:sts::111122223333:assumed-role/user/jdoe", "accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": {
"eventTime": "2019-08-01T23:16:02Z", "eventSource": "chatbot.amazonaws.com", "eventName": "DescribeSlackChannels", "awsRegion": "us-east-2",
"sourceIPAddress": "10.24.34.3",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.590
Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation",
"requestParameters": {
"SlackTeamId": "XXXXXXXX", "MaxResults": 1000
},
"responseElements": null,
"requestID": "543db7ab-b4b2-11e9-8925-d139e92a1fe8", "eventID": "5b2805a5-3e06-4437-a7a2-b5fdb5cbb4e2", "readOnly": true,
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
The following example shows a CloudTrail log entry for a DescribeSlackWorkspaces action.
{
Example: AWS Chatbot log file entries
"eventVersion": "1.05", "userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:jdoe",
"arn": "arn:aws:sts::111122223333:assumed-role/user/jdoe", "accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-08-07T16:11:27Z"
},
"sessionIssuer": { "type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:role/user", "accountId": "111122223333",
"userName": "jdoe"
} } },
"eventTime": "2019-08-07T17:46:26Z", "eventSource": "chatbot.amazonaws.com", "eventName": "DescribeSlackWorkspaces", "awsRegion": "us-east-2",
"sourceIPAddress": "10.24.34.3",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.590
Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation",
"requestParameters": null, "responseElements": null,
"requestID": "476570da-b93b-11e9-af41-a744734236af", "eventID": "3f061095-b488-43d4-becc-f8652d459ac5", "readOnly": true,
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
Data protection in AWS Chatbot
Data protection in AWS Chatbot