Slack Shared Channel Notifications

One-Click Least Privilege. Zero Disruption.

© 2025 Sonrai Security. All rights reserved.

Overview

Extend your current ChatOps integration by adding a Slack channel where team members can observe and monitor permission escalations, without being directly involved in approval chains.

This feature allows you to customize when and where real-time permission request notifications are posted, making it easy for the right people to monitor what is happening within your organization.

---

Planning and Preparation

important

Prerequisite: Shared notifications in Slack require the Sonrai Slack app to be installed and configured before starting.

Some key considerations to keep in mind when subscribing to notifications within a Slack channel:

• Private Channels - To receive notifications in private channels, the Sonrai app must be added to the channel using the @Sonrai command before trying to subscribe to notifications.
• Who Can Update Subscriptions? - Only approvers at the specified scope can subscribe or unsubscribe to notifications within a channel.
• Available Subscriptions - If you don't specify a scope when trying to subscribe, or aren't an approver at the scope that is specified, then the Slack app will warn that you must specify a scope where you are an approver and provide a list of available scopes to use.
• Unsubscribe All - Scope is an optional field when unsubscribing from notifications, but if no scope is provided then that channel will be unsubscribed from ALL scopes where the user running the unsubscribe command is an approver.
• Scope Identifiers - When specifying a scope, you must use the AWS scope identifier instead of the friendly name for that scope, because AWS doesn't enforce unique friendly names. (When the Sonrai app reports results, it uses friendly names for improved readability.)

tip

You can subscribe to notifications in existing channels, but creating a new Slack channel that is dedicated for this task may prevent existing channels from being overwhelmed by notifications. Think carefully about the scope you will be subscribing to and the volume of messages expected before adding this to active channels.

---

Subscribe to Notifications

To subscribe, simply open the Slack channel where you want notifications to be reported and run the following command: /sonrai subscribe scope.

In this command, scope determines what level of notifications are received and can be one of the following values:

• root scope/management account ID - monitor activity for all related OUs and accounts
• OU ID - monitor activity for all accounts within the specified OU
• individual account ID - monitor activity only the specified account

For example:

/sonrai subscribe aws/r-abcd/ou-abcd-12345678

tip

Unsure what scopes are available to you? Leave out the scope when trying to subscribe, and your Sonrai bot will return an error message that includes a list of available Sonrai scopes where you are an approver.

The Sonrai app will check permissions for the user running this command, and then return a confirmation once the subscription is successfully created.

---

Unsubscribe from Notifications

To remove an existing subscription, enter a channel where you are receiving Sonrai notifications and run the following command: /sonrai unsubscribe [scope] where scope is an optional value that specifies which level of notifications should be cancelled.

For example:

/sonrai unsubscribe aws/r-abcd/ou-abcd-12345678/ou-abcd-98765432

The Sonrai app will attempt to remove the subscription for the specified scope, and then return a confirmation once done.

In the case where no scope identifier is provided, then notifications will be removed for all scopes where you are an approver.

---

Frequently Asked Questions

Q: Can multiple channels be configured to receive notifications?

A: Yes! You can subscribe to notifications from different channels, using the same or different scopes, to customize what your team members receive.

Q: How can I check what channels/scopes have existing subscriptions?

A: Run this Graphql query to see the list of channels you’re subscribed to:

GraphQL: Check for existing notification subscriptions

query chatopsMonitoringIntegrations {
  IntegrationRegistrations(
    where: {
      name: { op: ILIKE, value: "chatops-monitor%" }
      type: { value: "Notification" }
    }
  ) {
    items {
      id
      name
      type
      description
      platformMetadata
    }
  }
}

The JSON response will include both the platform and channel where notifications are being sent, as well as what scope was used for that subscription. Expand the following section to see a detailed example.

Sample JSON response

{
  "data": {
    "IntegrationRegistrations": {
      "items": [
        {
          "id": "097aa552-a8b2-4438-be37-51833c1cfa24",
          "name": "chatops-monitor_slack_[key]_all-shared-channel-name_aws/r-abcd",
          "type": "Notification",
          "description": "ChatOps Monitoring: Slack channel #shared-channel-name for scope aws/r-abcd",
          "platformMetadata": {
            "key": "[key]",
            "name": "",
            "type": "chatops_monitoring",
            "scope": "aws/r-abcd",
            "filters": [
              {
                "scope": "aws/r-abcd",
                "eventName": "jit.*"
              },
              {
                "scope": "aws/r-abcd",
                "eventName": "pond.*"
              }
            ],
            "platform": "slack",
            "channel_id": "A01BCDEFGHI",
            "channel_name": "shared-channel-name"
          }
        }
      ]
    }
  },
  "extensions": {}
}

Q: What are some common errors I might encounter when configuring my notification channels?

A:

What Did You Try?	Resulting Error
Subscribe to a scope that doesn't exist.
Subscribe to a scope where you aren't an approver.
Remove a subscription that doesn't exist.