There are 2 mechanisms at work:

  1. A Slack app. You will create this app and install it in any of your channels. The app sends new message events to the function.
  2. A serverless function that receives the events from the Slack app, scans them for secrets, and sends metadata to us.


Create a Slack app

Go to Slack apps config and create a new Slack app.

Start CloudFormation Stack Setup

Launch stack

In the installer you'll need to supply some parameters.
In your Slack app's settings page -> Basic Information -> App Credentials you'll find these 4 tokens:

  • Slack client id
  • Slack client secret
  • Slack signing secret
  • Slack verification token

Copy these to the relevant CloudFormation installer fields.
Note that if you activate remediation (set it to any value other than "Not active"), you must supply the SlackUserToken parameter. This can be found in the Install App page under "User OAuth token" after you install the app to the workspace (step 4).

Slack App Manifest

Go to the "App Manifest" page and set it to the following:

display_information:
  name: spectral-slackbot
features:
  bot_user:
    display_name: spectral-slackbot
    always_online: false
oauth_config:
  scopes:
    user:
      - files:write
      - chat:write
    bot:
      - channels:history
      - channels:read
      - chat:write
      - files:read
      - groups:history
      - groups:read
      - team:read
      - users.profile:read
      - incoming-webhook
settings:
  event_subscriptions:
    request_url: https://SLACKBOT_LAMBDA_DOMAIN/prod/slack/events
    bot_events:
      - file_change
      - file_created
      - file_shared
      - message.channels
      - message.groups
  org_deploy_enabled: false
  socket_mode_enabled: false
  token_rotation_enabled: false

  • After deploying the Lambda in the next sections, we will come back to this manifest and set the new Lambda domain in settings.event_subscriptions.request_url
  • Note that private chats (and multiparty private chats) are currently not supported.

Install the App

Install the Slack app to your workspace (Install app) and copy the Bot user OAuth token to the SlackAuthToken parameter in the AWS installer. If you want to activate remediation, also copy the "User OAuth token" to the SlackUserToken parameter.

Complete CloudFormation Stack Setup

In the CloudFormation installer, mark "I acknowledge that AWS CloudFormation might create IAM resources with custom names" and click on "Create Stack".

Copy the Function URL to the Slack App

In the Slack app configuration, go to the App Manifest page and fill in the Lambda domain under settings.event_subscriptions.request_url. You can find it by opening the created Lambda function, clicking the "Configuration" tab, and then clicking "details" in the API Gateway trigger.
Make sure to copy the whole URL, including /slack/events

That's it 💪

Now the channels you add your new Slack app to are monitored.

Take it for a spin

Invite the Slack app to any public channel in your Slack workspace that you want to keep track of, either by mentioning the Slack app in the desired channel or by clicking the channel header -> integrations tab -> Add an app. Try sending a secret (like AKIA4HK52OLF2AAN9KWV) to that channel.
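
What a function in the position of mechanism 2 has to do with such a message, as an added sketch that is not Spectral's code: authenticate the request with the Slack signing secret (Slack's v0 HMAC-SHA256 request-signing scheme), then scan the message text and emit metadata only. The function names, the AKIA detector pattern and the shape of the finding record are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re
import time

# Assumed detector: "AKIA" followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
MAX_SKEW_SECONDS = 300  # reject requests more than five minutes old (replay window)


def verify_slack_signature(signing_secret, timestamp, body, signature, now=None):
    """Validate Slack's v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return False
    except ValueError:
        return False
    base = f"v0:{timestamp}:{body}".encode()
    expected = "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), signature.encode())


def scan_event(body):
    """Return metadata per finding; the secret itself is never included."""
    event = json.loads(body).get("event", {})
    if event.get("type") != "message":
        return []
    findings = []
    for match in AWS_KEY_ID.finditer(event.get("text", "")):
        secret = match.group(1)
        findings.append({
            "detector": "aws_access_key_id",
            "channel": event.get("channel"),
            "ts": event.get("ts"),
            "fingerprint": hashlib.sha256(secret.encode()).hexdigest()[:16],
            "redacted": secret[:4] + "*" * 12 + secret[-4:],
        })
    return findings


def handle(signing_secret, headers, body, now=None):
    """Hypothetical entry point: authenticate the request, then scan it."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not verify_slack_signature(signing_secret, ts, body, sig, now):
        return {"status": 401, "findings": []}
    return {"status": 200, "findings": scan_event(body)}
```

The signature must be computed over the raw request body exactly as received, before any JSON parsing or re-serialization.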