
Remove unexpected BYOIPV6 route advertisements

Architecture: Amazon CloudTrail -> Amazon EventBridge (rule triggered) -> AWS Lambda

Use Amazon EventBridge and AWS Lambda to respond to AdvertiseByoipCidr events and validate whether the address space should be advertised.

This sample project demonstrates how to use Amazon EventBridge and AWS Lambda to respond to AWS CloudTrail events. In this example, any AdvertiseByoipCidr call triggers a Lambda function that validates whether the address space is expected to be advertised by checking for it in a list of allowed CIDRs stored in a DynamoDB table.
If the address space is not permitted to be advertised, the Lambda function publishes a message to an SNS topic to notify an administrator that an unexpected CIDR was advertised, and automatically withdraws the advertisement of that CIDR.
This pattern deploys an EventBridge rule, a Lambda function, a DynamoDB table and an SNS topic.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Removes public route advertisements for CIDR ranges not permitted to be advertised.

Parameters:
  NotificationEmail:
    Type: String
    Description: "Email where notifications should be sent when route advertisements have been blocked."
    AllowedPattern: '[^@]+@[^@]+\.[^@]+'

Resources:
  SubmitFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/function.py
      Description: "Removes public route advertisements for CIDR ranges not permitted to be advertised."
      Handler: function.lambda_handler
      PackageType: "Zip"
      Tracing: Active
      Runtime: "python3.12"
      Environment:
        Variables:
          DynamoDBTable: !Ref DynamoDBTable
          SNSTopic: !Ref SNSTopic
      Policies:
        - DynamoDBReadPolicy: 
            TableName: !Ref DynamoDBTable
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt SNSTopic.TopicName
        - Version: '2012-10-17' 
          Statement:
            - Effect: Allow
              Action:
                - ec2:WithdrawByoipCidr
              Resource: '*'
      Events:
        AdvertiseByoipEvent:
          Type: EventBridgeRule
          Properties:
            Pattern:
              source: 
                - aws.ec2
              detail-type: 
                - AWS API Call via CloudTrail
              detail:
                eventSource: 
                  - ec2.amazonaws.com
                eventName: 
                  - AdvertiseByoipCidr

  DynamoDBTable:
    Type: AWS::Serverless::SimpleTable
    Properties:
      PrimaryKey:
        Name: id
        Type: String
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref NotificationEmail
          Protocol: email
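The template above references src/function.py but the page does not show it. The following is an added example handler (not the sample repository's own code) that implements the flow described: extract the CIDR from the CloudTrail event, look it up in the allowlist table, and withdraw plus notify when it is not permitted. It assumes the table stores each permitted CIDR as its `id` key in compressed form, that the CloudTrail detail carries the CIDR under requestParameters (either the EC2 `AdvertiseByoipCidrRequest.Cidr` wrapper or a flat `cidr` key), and that the environment variables come from the template.

```python
"""Added example handler for the BYOIP pattern; assumptions noted in comments."""
import ipaddress
import json
import os


def extract_cidr(detail):
    """Return the advertised CIDR from the CloudTrail detail, normalised, or None.
    Assumed shapes: {"AdvertiseByoipCidrRequest": {"Cidr": ...}} or {"cidr": ...}."""
    params = detail.get("requestParameters") or {}
    cidr = (params.get("AdvertiseByoipCidrRequest") or {}).get("Cidr") or params.get("cidr")
    if not cidr:
        return None
    try:
        # Normalise so "2001:db8:0:0::/48" and "2001:db8::/48" match the same table key.
        return str(ipaddress.ip_network(cidr, strict=False))
    except ValueError:
        return None


def evaluate_advertisement(detail, is_allowed, withdraw, notify):
    """Decision logic with side effects injected as callables so it runs offline.
    Returns a dict describing the action taken."""
    if detail.get("eventName") != "AdvertiseByoipCidr":
        return {"action": "ignored", "reason": "not an AdvertiseByoipCidr event"}
    cidr = extract_cidr(detail)
    if cidr is None:
        # Nothing parseable to withdraw, but an operator should still look at it.
        notify("AdvertiseByoipCidr event without a parseable CIDR: "
               + json.dumps(detail.get("requestParameters")))
        return {"action": "notified", "cidr": None}
    if is_allowed(cidr):
        return {"action": "allowed", "cidr": cidr}
    withdraw(cidr)
    caller = detail.get("userIdentity", {}).get("arn", "unknown")
    notify(f"Unexpected BYOIP advertisement of {cidr} by {caller} was withdrawn.")
    return {"action": "withdrawn", "cidr": cidr}


def lambda_handler(event, context):
    """Entry point for the template's EventBridge rule; wires real AWS clients."""
    import boto3  # imported here so the decision logic above needs no SDK to test
    table = boto3.resource("dynamodb").Table(os.environ["DynamoDBTable"])
    ec2 = boto3.client("ec2")
    sns = boto3.client("sns")
    topic_arn = os.environ["SNSTopic"]  # !Ref on an SNS topic yields its ARN
    return evaluate_advertisement(
        event.get("detail", {}),
        is_allowed=lambda c: "Item" in table.get_item(Key={"id": c}),
        withdraw=lambda c: ec2.withdraw_byoip_cidr(Cidr=c),
        notify=lambda m: sns.publish(TopicArn=topic_arn, Subject="Unexpected BYOIP advertisement", Message=m),
    )
```

Note that the allowlist check is an exact match on the normalised prefix; advertising a sub-prefix of a permitted range is treated as unexpected, which is the safer default for this control.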



Visit the GitHub repo for this pattern.

Download

git clone https://github.com/aws-samples/serverless-patterns/
cd serverless-patterns/cloudtrail-eventbridge-lambda-dynamodb-sam

Deploy

sam deploy


Testing

See the GitHub repo for detailed testing instructions.

Cleanup

Delete the stack: sam delete.

Presented by John Dwyer

I am a Senior Solutions Architect on the Worldwide Public Sector team at AWS. I help customers build and architect serverless applications at scale.