from panther_oss_helpers import increment_counter, set_key_expiration, reset_counter
# Filter to only analyze AccessDenied calls
if event.get('errorCode') != 'AccessDenied':
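# Create our counter key from the caller's ARN so each identity is counted separately.
# NOTE(review): .get('arn') returns None when the ARN is absent, so every such event
# would share the single key 'None-AccessDeniedCounter' — confirm this is acceptable.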
key = '{}-AccessDeniedCounter'.format(event['userIdentity'].get('arn'))
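# Increment the counter, then check the current value; the first hit starts a
# one-hour (3600 s) expiry window for the key.
# NOTE(review): the expiry call below uses time.time(), but no `import time` is visible
# in this snippet, and it is not passed `key` — confirm against the helper's signature.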
hourly_error_count = increment_counter(key)
if hourly_error_count == 1:
set_key_expiration(time.time() + 3600)
elif failure_hourly_count >= 10:
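# Once the count reaches our threshold (10 or more), reset the counter and return an alert.
# NOTE(review): the elif above tests failure_hourly_count, but the counter value was stored
# in hourly_error_count; as written the name is undefined and the threshold check cannot run.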