Streamlining Email Notifications with AWS Lambda, Python, and SES

Terraforming Scheduled Lambda Functions to send email using Python and AWS SES

Akhilesh Mishra
KPMG UK Engineering
5 min read · Dec 2, 2023


What I will be covering in this blog post

In the last blog post, I configured AWS SSO with Okta using Terraform. While setting up the single sign-on for AWS with Okta, I created a service user account and used the access key and secret to provision the Okta application.

Leaving a static access key in place for a long time is a security risk: if it leaks, it stays valid until someone notices, so keys should be rotated regularly.

To address this, I will create an AWS Lambda function that sends me a reminder email whenever the access key is about to expire (let's say 90 days is the expiration date). IAM does not expire access keys by itself, so "expire" here means reaching the rotation deadline I set.

I will manually rotate the keys and update the Okta application with the new key.

As of now, the public API endpoint to update the keys in the Okta SAML app is not available. Once it is available, I will add the code to automatically update the keys in the Okta app with new keys using Python, boto3, and the Okta APIs.


Getting started

I will use Terraform to deploy an AWS Lambda function running a Python script that uses boto3 and AWS Simple Email Service (SES) to send an email whenever the key is about to expire.

What is Lambda, and where is it used best

It is a serverless computing service provided by AWS, and it runs a piece of code when some event occurs. AWS lambda allows you to focus on the functionality without worrying about provisioning/managing compute resources.

Use cases

  • For event-driven processing: Lambda functions can be triggered by events such as file uploads to S3, changes to DynamoDB tables, or messages published to an SNS topic.
  • To build microservices: Each microservice can be implemented as a separate Lambda function, allowing for independent development, deployment, and scaling.
  • For data processing: Commonly used for processing/transforming data.
  • Scheduled tasks: Useful for periodic reports, data cleanup jobs, and checks like the key-age reminder in this post.
  • Real-time processing: Triggered as soon as a new object lands in S3, allowing data to be processed on arrival.

Getting started with AWS Lambda

We will be using Terraform to provision the Lambda function. You can find the Terraform code for the Lambda function here. It creates:

  • An IAM role that the Lambda function assumes at runtime.
  • An IAM policy attached to that role. Scope it to what the function actually needs: iam:ListAccessKeys on the service user's ARN (to read the key creation dates), ses:SendEmail and ses:SendRawEmail on the sender identity, and the CloudWatch Logs permissions from the AWSLambdaBasicExecutionRole managed policy so the function can write logs. Avoid iam:* or ses:* wildcards: a function that can list every user's keys is a more attractive target than one that can read a single user's.

Let's write the Python code for our lambda function. Before we get to the code, we need to create the folder structure.

mkdir -p functions/key-rotatation-lambda
touch functions/key-rotatation-lambda/main.py

Paste the code below into main.py.

Let me explain what the above code does.

It retrieves the access keys for a specified IAM user, works out each key's age from its CreateDate, identifies keys approaching (or past) the 90-day rotation deadline, and generates an email body reminding me to rotate them.

If any key is at or beyond that threshold, it sends the reminder to the configured addresses through AWS SES.

  • We use boto3 clients for AWS Simple Email Service (SES) and Identity and Access Management (IAM).
  • We use the os module to read configuration from environment variables.
  • The email module is part of the Python standard library and is used to build the email message that SES sends.

AWS preinstalls boto3 in the Lambda Python runtime, so we do not need to package it with the function. One caveat: the bundled version can lag behind the latest release, so if you depend on a recently added API, pin and package boto3 yourself.
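As an added example (not the author's main.py), here is a self-contained version of the logic described above. It assumes three environment variable names of my choosing (IAM_USER_NAME, SENDER_EMAIL, RECIPIENT_EMAILS), an entry point called lambda_handler, and a 90-day rotation policy with a 7-day warning window (MAX_KEY_AGE_DAYS and WARN_BEFORE_DAYS are assumed knobs, not part of the original). The key metadata in SAMPLE_KEYS is constructed in the shape boto3 returns, so the check itself can be run locally without AWS credentials; the boto3 import is guarded for the same reason.

```python
"""Added example: IAM access-key rotation reminder (not the author's main.py).

Assumed environment variables: IAM_USER_NAME, SENDER_EMAIL (an SES-verified
identity) and RECIPIENT_EMAILS (comma-separated). MAX_KEY_AGE_DAYS and
WARN_BEFORE_DAYS are assumed knobs, not part of the original post.
"""
import os
from datetime import datetime, timezone
from email.message import EmailMessage

try:
    import boto3  # preinstalled in the AWS Lambda Python runtime
except ImportError:  # lets the pure check below run and be tested without boto3
    boto3 = None

MAX_KEY_AGE_DAYS = int(os.environ.get("MAX_KEY_AGE_DAYS", "90"))
WARN_BEFORE_DAYS = int(os.environ.get("WARN_BEFORE_DAYS", "7"))

# Constructed sample in the shape of iam.list_access_keys()["AccessKeyMetadata"].
# The key IDs are made up; the dates are chosen relative to SAMPLE_NOW (2023-12-02).
SAMPLE_NOW = datetime(2023, 12, 2, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000OLD", "Status": "Active",
     "CreateDate": datetime(2023, 8, 1, tzinfo=timezone.utc)},    # 123 days old: past the deadline
    {"AccessKeyId": "AKIAEXAMPLE00000WARN", "Status": "Active",
     "CreateDate": datetime(2023, 9, 8, tzinfo=timezone.utc)},    # 85 days old: inside the warning window
    {"AccessKeyId": "AKIAEXAMPLE000000NEW", "Status": "Active",
     "CreateDate": datetime(2023, 11, 20, tzinfo=timezone.utc)},  # 12 days old: fine
    {"AccessKeyId": "AKIAEXAMPLE0000INACT", "Status": "Inactive",
     "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},    # inactive keys cannot authenticate; ignored
]


def find_keys_needing_rotation(keys, now, max_age_days=MAX_KEY_AGE_DAYS,
                               warn_before_days=WARN_BEFORE_DAYS):
    """Return (key_id, age_days, days_left) for every active key at or inside the warning window.

    days_left is negative when the key is already past the rotation deadline.
    """
    findings = []
    for key in keys:
        if key.get("Status") != "Active":
            continue
        created = key["CreateDate"]
        if created.tzinfo is None:  # boto3 returns aware datetimes; be defensive for other input
            created = created.replace(tzinfo=timezone.utc)
        age_days = (now - created).days
        days_left = max_age_days - age_days
        if days_left <= warn_before_days:
            findings.append((key["AccessKeyId"], age_days, days_left))
    return findings


def build_email_body(user_name, findings, max_age_days=MAX_KEY_AGE_DAYS):
    """Plain-text reminder listing only the keys that need attention."""
    lines = [f"IAM user '{user_name}' has access keys that need rotation "
             f"({max_age_days}-day policy):", ""]
    for key_id, age_days, days_left in findings:
        state = (f"EXPIRED {-days_left} day(s) ago" if days_left < 0
                 else f"{days_left} day(s) left")
        lines.append(f"- {key_id}: {age_days} days old, {state}")
    lines += ["", "Rotate the key and update the Okta application with the new key."]
    return "\n".join(lines)


def lambda_handler(event, context):
    """Entry point for Lambda (handler = main.lambda_handler). Needs iam:ListAccessKeys
    on the user and ses:SendRawEmail on the sender identity."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to call IAM and SES")
    user_name = os.environ["IAM_USER_NAME"]
    sender = os.environ["SENDER_EMAIL"]
    recipients = [r.strip() for r in os.environ["RECIPIENT_EMAILS"].split(",") if r.strip()]

    iam = boto3.client("iam")
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    findings = find_keys_needing_rotation(keys, datetime.now(timezone.utc))
    if not findings:
        return {"status": "ok", "keys_checked": len(keys), "reminders_sent": 0}

    msg = EmailMessage()
    msg["Subject"] = f"[action required] rotate access key for IAM user {user_name}"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(build_email_body(user_name, findings))

    ses = boto3.client("ses")
    ses.send_raw_email(Source=sender, Destinations=recipients,
                       RawMessage={"Data": msg.as_bytes()})
    return {"status": "reminder_sent", "keys_checked": len(keys), "reminders_sent": len(findings)}


if __name__ == "__main__":
    # Local dry run against the constructed sample; 'okta-sso-svc' is a hypothetical user name.
    print(build_email_body("okta-sso-svc", find_keys_needing_rotation(SAMPLE_KEYS, SAMPLE_NOW)))
```

The warning window is the part the original description glosses over: a check that fires only once the key is already 90 days old tells you about the problem after the deadline, so the example flags keys 7 days before it as well. Inactive keys are skipped because they cannot authenticate, but a practitioner may prefer to delete those rather than leave them around. Since this runs on a schedule, the same reminder repeats every run until the key is rotated, which is the intended nag behaviour.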

In the next blog post, I will show you how to define dependencies in the lambda function. I will also show how to utilize Lambda layers to manage dependencies and share the set of dependencies across multiple lambda functions.

Now we are ready to write the Terraform code that creates the Lambda function.

You can find the code for the lambda function here.

  • Create the code archive: zip the functions directory with the archive_file data source, so Terraform packages the Python code for you.
  • The Lambda function resource, which points at that archive.

source_code_hash makes Terraform redeploy the function whenever the Python code changes: it is the base64-encoded SHA-256 of the archive, so an edited main.py produces a new hash, a diff in the plan, and an updated function. Without it, Terraform sees no change in the resource and keeps running the old code.

handler is the function entry point. Its syntax is <python_file_name>.<python_function_name>: if main.py defines lambda_handler, the handler is main.lambda_handler.

You can use environment variables to adjust your Lambda behaviour without updating the code, for example the IAM user name to check and the sender and recipient email addresses. Keep real secrets out of plain environment variables, since anyone who can call GetFunctionConfiguration can read them; this function needs none, because it reads only key metadata through its execution role.

Lambda trigger

Lambda functions can be triggered by DynamoDB Streams, S3 object uploads, messages published to SQS, Amazon Kinesis streams, and CloudWatch Events (now called Amazon EventBridge).

In this example, I will use a CloudWatch Events (EventBridge) rule to run the function on a schedule, using a rate expression such as rate(1 day) or a cron expression. The rule also needs an aws_lambda_permission resource that allows events.amazonaws.com to invoke the function; otherwise the schedule fires but the invocation is denied.

That is all for this blog post, see you on the next one.

You can find the complete code used in this blog post in my public Github repo.

If you enjoyed the writing leave your claps 👏 to recommend this article so that others can see it.


Akhilesh Mishra
KPMG UK Engineering

Self taught DevOps engineer with expertise in multi-cloud, and various DevOps tools. Open for mentorship - https://topmate.io/akhilesh_mishra