Normalize Security Hub ASFF, Inspector v2, and CloudWatch alarm JSON into a consistent shape. Auto-unwraps SNS and EventBridge envelopes. Use when an AWS ale...
Security Analysis
High confidence: This is a transparent local AWS alert parser, with review-worthy but disclosed considerations around webhook spoofing, raw alert data, skipped alarms, and the jq dependency.
The scripts and documentation coherently match the stated purpose of normalizing AWS alert JSON locally. Users should notice that normalized output preserves the full raw alert payload and that some CloudWatch alarm patterns are intentionally skipped.
Instructions are mostly scoped to parsing, but they also describe optional handoff to incident-triage and instruct callers to drop skip-sentinel events. These behaviors are disclosed and purpose-aligned, but should be reviewed for the user's incident workflow.
There is no install spec and no external package install, but the scripts require jq even though the registry requirements list no required binaries.
The parser scripts run locally and make no external API calls. Optional webhook deployment exposes an agent-facing endpoint and the documentation correctly warns about token and SNS-signature limitations.
No persistence, background worker, or credential-reading behavior appears in the scripts. Optional webhook/AWS setup uses a shared bearer token and SNS subscription permissions, which are expected for that integration path.
Guidance
This skill appears safe and purpose-aligned for local AWS alert normalization. Before production webhook use, install jq, review the skipped CloudWatch alarm patterns, protect the webhook token, use the documented SNS-signature/authentication mitigation, and strip the raw payload before posting alerts to broad or public channels.
Latest Release
v0.1.1
Set proper display name (AWS Alert Handler, not auto-title-cased).
Published by @ggettert on ClawHub