DEPRECATED-patrol-rules-aws
Notify when user logs in to AWS console from a new device
It's an industry-wide practice to send an email to a user when a login is made from an unknown device.
A PoC would consist of a lambda function that parses console.login events and matches the user-agent against a database.
Additional parameters for notifying a slack channel or super-admins group could be useful too.
cc: @ianshward @zmully
Started w some basic layout here https://github.com/mapbox/patrol-rules-aws/commit/5a60a327ee308d239a0d3490070f31626a47aeca
Looking :ok_hand: @rodowi. In case you hadn't seen it yet, once you add S3 store, you can add the IAM permissions needed for that via the statements property in the rule. This is discussed briefly in the [rule spec](https://github.com/mapbox/lambda-cfn/blob/master/RULE-SPEC.md) and there's an example of it in this security-group auditing rule PR https://github.com/mapbox/patrol-rules-aws/pull/50/files#diff-9d1601b3d15acbe65755888f9e351821R13
awesome!
in this case, we would want S3 permissions on a specific bucket, could this be a Ref to one of the Parameters defined before:
see deviceHistory:

```js
name: 'loginFromNewDevice',
sourcePath: 'rules/loginFromNewDevice.js',
parameters: {
  deviceHistory: {
    Type: 'String',
    Description: 'ARN of S3 bucket for storing a list of known devices'
  }
},
statements: [
  {
    Effect: 'Allow',
    Action: [
      's3:GetObject'
    ],
    Resource: { 'Ref': 'deviceHistory' }
  }
],
```
> Resource: { 'Ref': 'deviceHistory' }
I believe that will work. Here's the relevant code in lambda-cfn which handles interpreting the statements https://github.com/mapbox/lambda-cfn/blob/2dc4d70924fa50cf2369705aee7b4c4b75ddfcc6/lib/lambda-cfn.js#L928-L954
@zmully will deviceHistory get namespaced (prefixed) with loginFromNewDevice?