pmatra/AWS-Guarduty-Lambda-Quarantine-Instance

Neto, Marcello Zillo; Santana, Gustavo A. A.; Sapata, Fernando; Munoz, Mauricio; Moraes, Alexandre M. S. P.; Morais, Thiago; Goldfarb, Dario Lucas. AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 309). Wiley. Kindle Edition.

As you can see in Figure 8.4, GuardDuty produces a finding that an instance is communicating with an IP address that is an entry node for the TOR Anonymization network. With a simple Amazon CloudWatch Events rule that looks for the UnauthorizedAccess:EC2/TorClient event and triggers an AWS Lambda function that isolates the compromised instance, we can automatically contain the threat. As you can see in Example 8.2, the Python code sets the variable “security_group_id” to a value received as a parameter from the AWS Lambda Function, an environment variable called QUARANTINE_SG, which contains the identifier of the security group that closes all outgoing access to the instance and allows incoming traffic only from the Incident Forensics IP address. Therefore, the code is changing the security groups for that Amazon EC2 instance.

Neto, Marcello Zillo; Santana, Gustavo A. A.; Sapata, Fernando; Munoz, Mauricio; Moraes, Alexandre M. S. P.; Morais, Thiago; Goldfarb, Dario Lucas. AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 310). Wiley. Kindle Edition.
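The handler described above, written out as an added example (this is not the book's Example 8.2 and not code from the pmatra repository). It assumes the CloudWatch Events rule forwards the GuardDuty finding unchanged, so the finding sits under event["detail"], and that the QUARANTINE_SG environment variable holds the id of the Incident-Forensics security group. The FakeEC2 client, the instance id and the finding are constructed so the module runs offline; inside Lambda the real boto3 client is used.

```python
"""Quarantine an Amazon EC2 instance named in a GuardDuty TorClient finding.

Added example, not the book's Example 8.2. Assumes the CloudWatch Events rule
passes the GuardDuty finding through unchanged under event["detail"] and that
the QUARANTINE_SG environment variable holds the Incident-Forensics group id.
"""
import os

TOR_CLIENT_FINDING = "UnauthorizedAccess:EC2/TorClient"


def instance_id_from_finding(event):
    """Return the instance id from a TorClient finding about an EC2 instance,
    or None for any other event so the handler ignores it."""
    detail = event.get("detail") or {}
    if detail.get("type") != TOR_CLIENT_FINDING:
        return None
    resource = detail.get("resource") or {}
    if resource.get("resourceType") != "Instance":
        return None
    return (resource.get("instanceDetails") or {}).get("instanceId")


def quarantine_instance(ec2, instance_id, quarantine_sg):
    """Swap the instance's security groups for the quarantine group only.

    Returns the group ids attached before the change (worth keeping in the
    incident record), or None when the instance is already quarantined, so a
    re-delivered event is a no-op.
    """
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    if not reservations:
        raise LookupError(f"{instance_id} not found")
    instance = reservations[0]["Instances"][0]
    current = [g["GroupId"] for g in instance["SecurityGroups"]]
    if current == [quarantine_sg]:
        return None
    # Groups= replaces the whole set, so only the quarantine group remains.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return current


def lambda_handler(event, context, ec2=None, quarantine_sg=None):
    """Lambda entry point; ec2 and quarantine_sg are injectable for offline runs."""
    security_group_id = quarantine_sg or os.environ["QUARANTINE_SG"]
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"action": "ignored"}
    if ec2 is None:
        import boto3  # imported lazily so the module also loads without boto3
        ec2 = boto3.client("ec2")
    previous = quarantine_instance(ec2, instance_id, security_group_id)
    if previous is None:
        return {"action": "already_quarantined", "instance_id": instance_id}
    print(f"quarantined {instance_id}; previous groups {previous}")  # lands in CloudWatch Logs
    return {"action": "quarantined", "instance_id": instance_id, "previous_groups": previous}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client, only for running this offline."""

    def __init__(self, groups):
        self.groups = {"i-0123456789abcdef0": list(groups)}  # constructed instance id

    def describe_instances(self, InstanceIds):
        instances = [{"InstanceId": i, "SecurityGroups": [{"GroupId": g} for g in self.groups[i]]}
                     for i in InstanceIds if i in self.groups]
        return {"Reservations": [{"Instances": instances}] if instances else []}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)
        return {}


# Constructed finding event carrying only the fields the handler reads.
SAMPLE_FINDING = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": TOR_CLIENT_FINDING,
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    fake = FakeEC2(["sg-web"])
    print(lambda_handler(SAMPLE_FINDING, None, ec2=fake, quarantine_sg="sg-forensics"))
    print(fake.groups)
```

The handler only needs the two EC2 actions the text names for the role (describing instances and modifying instance attributes) plus log writing; checking the finding type in code is a second guard in case the CloudWatch Events rule is later widened to other finding types.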

As you can see in Figure 8.5, the security group is passed as a parameter to the AWS Lambda function. This security group allows the instance to be reached through the network only by the Forensics workstation's IP address and implicitly denies access for outgoing communications.

FIGURE 8.5 AWS Lambda environment variable pointing to the Forensics security group

For the AWS Lambda function to be able to change security groups and write its logs to Amazon CloudWatch logs, it needs an execution role granting the proper permissions. Therefore, you need to create a role including the AWS managed policy AWSLambdaBasicExecutionRole and add a policy for granting access to write Amazon CloudWatch logs such as the AWS managed policy CloudWatchLogsFullAccess (or one more specific for production) as well as a custom policy that allows changing the security group of Amazon EC2 instances.

Neto, Marcello Zillo; Santana, Gustavo A. A.; Sapata, Fernando; Munoz, Mauricio; Moraes, Alexandre M. S. P.; Morais, Thiago; Goldfarb, Dario Lucas. AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 310). Wiley. Kindle Edition.

You can see in the JSON policy in Example 8.3 that the ability to describe instances and modify instance attributes is given to the role that uses the AWS Lambda function while running. With such security automation in place, the initial security group will be replaced with the Forensics security group once a TOR Client is detected, just minutes after it is discovered.

Neto, Marcello Zillo; Santana, Gustavo A. A.; Sapata, Fernando; Munoz, Mauricio; Moraes, Alexandre M. S. P.; Morais, Thiago; Goldfarb, Dario Lucas. AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 311). Wiley. Kindle Edition.

In Exercise 8.1, you will configure an automation to react to a TOR Client detection. This will allow you to gain hands-on experience with event-driven security and see a quick way to isolate potential connections to malicious actors using command-and-control tools leveraging the TOR network to protect their identity.

Neto, Marcello Zillo; Santana, Gustavo A. A.; Sapata, Fernando; Munoz, Mauricio; Moraes, Alexandre M. S. P.; Morais, Thiago; Goldfarb, Dario Lucas. AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 311). Wiley. Kindle Edition.

EXERCISE 8.1 Isolate Instances Using a TOR Anonymization Network

In this exercise, you will configure an automation to react to a TOR Client detection by Amazon GuardDuty. The automation will isolate the instance by changing the security group to an Incident-Forensics security group that allows access only from a specified IP address (used by that group).

1. Log in as an admin user in a sandbox or nonproduction account.
2. Create a security group called Incident-Forensics that allows inbound SSH only from the IP of the forensics team (optionally, it could be the IP address of a virtual desktop preinstalled with forensics tools in Amazon WorkSpaces), without allowing any outbound access.
3. Create an instance and configure a security group that allows RDP (or SSH if you chose to use a Linux instance).
4. Connect to the instance using RDP/SSH.
5. Download and install TOR Browser within the instance (www.torproject.org/download).
6. Configure an Amazon CloudWatch Events rule to trigger an AWS Lambda function upon finding UnauthorizedAccess:EC2/TorClient.
7. Write the code to change the security group to the Incident-Forensics security group.
8. Create a role that can be assumed by AWS Lambda with the permissions to change security groups and add it as an execution role.
9. Open the TOR Client on the instance.
10. Review the finding on Amazon GuardDuty (wait 10–20 minutes).
11. Verify that the security group was changed and that any connection was terminated.

Neto, Marcello Zillo; Santana, Gustavo A. A.; Sapata, Fernando; Munoz, Mauricio; Moraes, Alexandre M. S. P.; Morais, Thiago; Goldfarb, Dario Lucas. AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 312). Wiley. Kindle Edition.
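The last step of the exercise, verifying that the instance really is isolated, is worth doing with a check rather than by eye, because a security group created in the console starts with a default allow-all egress rule that the exercise requires removing. The following is an added example (not from the book or the pmatra repository) that takes the dicts returned by boto3's describe_instances (one Instances entry) and describe_security_groups (one SecurityGroups entry) and reports every way the group deviates from "inbound SSH from the forensics address only, no outbound rules". The sample group, instance and forensics address are constructed.

```python
"""Verify that an instance sits behind a correctly built Incident-Forensics group.

Added example for the exercise's verification step; not the book's or the
repository's code. Input shapes follow boto3's describe_instances and
describe_security_groups responses; the sample values are constructed.
"""
import ipaddress

SSH_PORT = 22


def quarantine_sg_problems(sg, forensics_cidr):
    """Return a list of problems with the group's rules; [] means it matches
    the exercise: inbound SSH from the forensics address only, no egress."""
    problems = []
    # A freshly created group keeps AWS's default allow-all egress rule;
    # the exercise requires that no outbound access remains.
    for rule in sg.get("IpPermissionsEgress", []):
        problems.append(f"egress rule present: protocol {rule.get('IpProtocol')}")
    forensics_net = ipaddress.ip_network(forensics_cidr)
    for rule in sg.get("IpPermissions", []):
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        if proto != "tcp" or lo != SSH_PORT or hi != SSH_PORT:
            problems.append(f"ingress rule is not SSH only: {proto} {lo}-{hi}")
        if rule.get("Ipv6Ranges") or rule.get("UserIdGroupPairs") or rule.get("PrefixListIds"):
            problems.append("ingress rule has sources other than an IPv4 CIDR")
        for r in rule.get("IpRanges", []):
            cidr = r.get("CidrIp", "")
            try:
                net = ipaddress.ip_network(cidr)
            except ValueError:
                problems.append(f"unparseable ingress source {cidr!r}")
                continue
            if net != forensics_net:
                problems.append(f"ingress allowed from {cidr}, not the forensics address")
            elif net.prefixlen != net.max_prefixlen:
                problems.append(f"forensics source {cidr} is wider than a single host")
    return problems


def verify_isolated(instance, sg, quarantine_sg, forensics_cidr):
    """Return (ok, problems): ok only if the quarantine group is the sole group
    attached to the instance and the group's rules pass quarantine_sg_problems."""
    problems = []
    attached = sorted(g["GroupId"] for g in instance["SecurityGroups"])
    if attached != [quarantine_sg]:
        problems.append(f"attached groups are {attached}, expected [{quarantine_sg!r}]")
    if sg.get("GroupId") != quarantine_sg:
        problems.append(f"group {sg.get('GroupId')} is not the quarantine group")
    problems += quarantine_sg_problems(sg, forensics_cidr)
    return (not problems, problems)


FORENSICS_CIDR = "203.0.113.10/32"  # constructed documentation address

# Constructed group as it should look after the exercise's step 2.
GOOD_SG = {
    "GroupId": "sg-forensics",
    "GroupName": "Incident-Forensics",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": FORENSICS_CIDR}],
                       "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}],
    "IpPermissionsEgress": [],
}

# The same group with the console's default egress rule left in place.
DEFAULT_EGRESS_SG = dict(GOOD_SG, IpPermissionsEgress=[
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])

ISOLATED_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",  # constructed
    "SecurityGroups": [{"GroupId": "sg-forensics", "GroupName": "Incident-Forensics"}],
}

if __name__ == "__main__":
    for label, sg in (("good", GOOD_SG), ("default egress", DEFAULT_EGRESS_SG)):
        print(label, verify_isolated(ISOLATED_INSTANCE, sg, "sg-forensics", FORENSICS_CIDR))
```

Run it against the live account by feeding verify_isolated the entries from ec2.describe_instances(InstanceIds=[...]) and ec2.describe_security_groups(GroupIds=[...]); an existing SSH session to the instance is dropped once the group swap takes effect, since the new group's rules no longer admit the original source.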
