🌙LunoGen

IAM Policy and Suspicious API Call Alerts

CloudTrail streams IAM changes and sensitive API calls (root login, access key creation, policy attach) to the agent, which flags anything suspicious and pings the security channel on WhatsApp.

Webhook + WhatsApp Groupiamcloudtrailsecurity

Conversation example

EventBridge: CloudTrail event AttachRolePolicy on role 'ci-deployer'
http_request → CloudTrail LookupEvents

IAM policy change detected. Pulling the event detail from CloudTrail...

whatsapp_web_send

IAM Policy Change — us-east-1 Action: AttachRolePolicy Role: ci-deployer Attached: arn:aws:iam::aws:policy/AdministratorAccess Actor: alex-k@lunogen.com (Console, MFA ✓) Source IP: 47.xx.xx.xx (matches Alex's known Berkeley IP) Time: 2026-04-12 14:18 UTC Risk assessment: HIGH — AdministratorAccess on a CI role is a blast-radius risk But: Alex is a trusted admin, MFA verified, known IP Posted to #security WhatsApp group with @alex-k tagged. If this was a mistake, reply 'revoke' and I'll detach the policy.

More AWS use cases

EC2 Instance State Change Alerts

Any EC2 instance that starts, stops, or terminates unexpectedly fires an EventBridge event. The agent reads it, adds context (who, why, tags), and posts to your #infra WhatsApp group.

Daily AWS Cost Tracker and Forecast

Every morning, the agent hits Cost Explorer for yesterday's spend by service, compares to the budget, forecasts end-of-month, and drops it on WhatsApp before the coffee is cold.

Lambda Function Error Notifications

CloudWatch Alarms on Lambda error metrics route through the agent. It groups related errors, pulls the latest stack trace from CloudWatch Logs, and pings on-call with the suspected cause.

S3 Bucket Public-Access Audit

The agent checks every S3 bucket policy and ACL daily. If a bucket becomes public — or if an existing policy changes — it fires an immediate WhatsApp alert with the diff.

CloudWatch Alarm Routing to On-Call

CloudWatch alarms hit an SNS topic subscribed to LunoGen. The agent checks the current on-call rotation, adds runbook links, and DMs the right engineer on WhatsApp — not just the #alerts channel.

Deploy this in minutes

Create a LunoGen agent, connect AWS, and start running this workflow from WhatsApp today.

Back to AWS