aws-security-automation
Collection of scripts and resources for DevSecOps, Security Automation, and Automated Incident Response Remediation
- IAM Access Denied Responder
This example solution sets up an automated response to three kinds of access-denied event: an API call that CloudTrail records with the error code AccessDenied, a failed authentication attempt to the AWS Management Console, or an API call that fails with Client.UnauthorizedOperation.
The template is designed so you can easily add your own responses and your own messaging integrations. Additional responses can be added by subscribing to the sec-ir-AccessDeniedTopic. Code is provided to publish to Slack and Chime; to publish to additional channels, add another subscription to the sec-ir-SecurityMessages topic.
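As an added illustration, not code from the repository, the following shows the shape such a responder takes: the EventBridge rule patterns that select the three event kinds, a classifier for the CloudTrail record, and a publish to the fan-out topic. The topic ARN, the environment variable name and the sample events are assumptions; the in-memory SNS stand-in exists only so the module runs offline.

```python
import json
import os

# Error codes CloudTrail records for denied API calls: EC2 reports
# Client.UnauthorizedOperation, most other services report AccessDenied.
DENIED_ERROR_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

# EventBridge rule patterns that would route these events to the responder.
# Two patterns are needed because every key inside one pattern must match.
EVENT_PATTERNS = [
    {"detail-type": ["AWS API Call via CloudTrail"],
     "detail": {"errorCode": sorted(DENIED_ERROR_CODES)}},
    {"detail-type": ["AWS Console Sign In via CloudTrail"],
     "detail": {"eventName": ["ConsoleLogin"],
                "responseElements": {"ConsoleLogin": ["Failure"]}}},
]


def classify(event):
    """Return the denial category of an EventBridge-wrapped CloudTrail event, or None."""
    detail = event.get("detail") or {}
    if detail.get("eventName") == "ConsoleLogin":
        outcome = (detail.get("responseElements") or {}).get("ConsoleLogin")
        return "console_login_failure" if outcome == "Failure" else None
    if detail.get("errorCode") in DENIED_ERROR_CODES:
        return "api_access_denied"
    return None


def build_message(event, category):
    """Extract the fields a downstream response or chat integration needs."""
    detail = event["detail"]
    identity = detail.get("userIdentity") or {}
    return {
        "category": category,
        "principal": identity.get("arn") or identity.get("principalId") or "unknown",
        "eventName": detail.get("eventName"),
        "eventSource": detail.get("eventSource"),
        "errorCode": detail.get("errorCode"),
        "errorMessage": detail.get("errorMessage"),
        "sourceIPAddress": detail.get("sourceIPAddress"),
        "awsRegion": detail.get("awsRegion"),
        "eventTime": detail.get("eventTime"),
    }


def respond(event, sns, topic_arn):
    """Publish a denial to the fan-out topic; return the message, or None if not a denial."""
    category = classify(event)
    if category is None:
        return None
    message = build_message(event, category)
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"[sec-ir] {category}: {message['principal']}"[:100],  # SNS caps Subject at 100 chars
        Message=json.dumps(message),
    )
    return message


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module also runs without the SDK."""
    import boto3
    return respond(event, boto3.client("sns"), os.environ["ACCESS_DENIED_TOPIC_ARN"])  # assumed variable name


class RecordingSNS:
    """In-memory stand-in for the boto3 SNS client (constructed for offline use)."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": str(len(self.published))}


# Constructed sample events in the shape EventBridge delivers CloudTrail records.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_S3_DENIED = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventTime": "2018-06-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied",
    "errorMessage": "Access Denied", "userIdentity": ALICE}}
SAMPLE_EC2_DENIED = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventTime": "2018-06-01T12:00:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
    "errorCode": "Client.UnauthorizedOperation", "userIdentity": ALICE}}
SAMPLE_CONSOLE_FAILURE = {"detail-type": "AWS Console Sign In via CloudTrail", "detail": {
    "eventTime": "2018-06-01T12:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "errorMessage": "Failed authentication",
    "responseElements": {"ConsoleLogin": "Failure"}, "userIdentity": ALICE}}
SAMPLE_ALLOWED = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventTime": "2018-06-01T12:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "userIdentity": ALICE}}

if __name__ == "__main__":
    sns = RecordingSNS()
    topic = "arn:aws:sns:us-east-1:123456789012:sec-ir-AccessDeniedTopic"  # assumed ARN
    for sample in (SAMPLE_S3_DENIED, SAMPLE_EC2_DENIED, SAMPLE_CONSOLE_FAILURE, SAMPLE_ALLOWED):
        print(respond(sample, sns, topic))
    print(len(sns.published), "messages published")
```

Everything that reacts to a denial (Slack, Chime, an automated policy review) then hangs off the topic rather than off the Lambda, which is what keeps new responses a matter of adding a subscription.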
- EC2 Auto Clean Room Forensics
This example solution takes an instance ID from an SNS topic and, through a series of AWS Lambda functions coordinated by AWS Step Functions, automatically notifies, isolates and runs basic forensics on the identified instance.
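As an added example rather than the project's own code, the following shows the two pieces a practitioner most wants to see: a Step Functions definition that sequences the notify, isolate and forensics functions, and the isolate step itself, which swaps the instance onto a quarantine security group, turns on termination protection and snapshots every EBS volume before the host is touched. The Lambda ARNs, the quarantine group ID, the environment variable name and the sample instance record are assumptions; the in-memory EC2 stand-in exists only so the module runs offline.

```python
import json
import os

# Amazon States Language definition wiring the three Lambda functions in order.
# The function ARNs are placeholders for this illustration, not the project's.
STATE_MACHINE = {
    "Comment": "Notify, isolate, then run basic forensics on one EC2 instance",
    "StartAt": "Notify",
    "States": {
        "Notify": {"Type": "Task", "Next": "Isolate",
                   "Resource": "arn:aws:lambda:us-east-1:123456789012:function:sec-ir-notify"},
        "Isolate": {"Type": "Task", "Next": "Forensics",
                    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:sec-ir-isolate"},
        "Forensics": {"Type": "Task", "End": True,
                      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:sec-ir-forensics"},
    },
}


def instance_id_from_sns_event(event):
    """Accept either a JSON body {"instanceId": ...} or a bare instance ID as the SNS message."""
    message = event["Records"][0]["Sns"]["Message"].strip()
    if message.startswith("{"):
        return json.loads(message)["instanceId"]
    if not message.startswith("i-"):
        raise ValueError(f"not an EC2 instance ID: {message!r}")
    return message


def isolate_instance(ec2, instance_id, quarantine_sg_id):
    """Cut the instance off the network and preserve evidence.

    The quarantine group is assumed to have no inbound or outbound rules, so
    replacing the instance's groups drops existing and new connections.
    The original groups are recorded in a tag so the instance can be restored.
    """
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [sg["GroupId"] for sg in instance.get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    # Stop anyone (including an attacker with EC2 rights) from destroying the evidence.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        if "Ebs" not in mapping:  # instance-store volumes cannot be snapshotted
            continue
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"sec-ir forensic copy of {volume_id} from {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "IncidentInstance", "Value": instance_id}]}],
        )
        snapshots.append(snap["SnapshotId"])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "quarantined"},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)},
    ])
    return {"instanceId": instance_id, "originalSecurityGroups": original_sgs, "snapshots": snapshots}


def lambda_handler(event, context):
    """Isolate step: Step Functions passes {"instanceId": ...} as the state input."""
    import boto3  # imported lazily so the module can be exercised offline
    return isolate_instance(boto3.client("ec2"), event["instanceId"], os.environ["QUARANTINE_SG_ID"])


class FakeEC2:
    """In-memory stand-in for the boto3 EC2 client (constructed for offline use)."""
    def __init__(self, instance):
        self.instance = instance
        self.snapshots = []
        self.termination_protected = False
        self.tags = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}

    def modify_instance_attribute(self, InstanceId, **attrs):
        if "Groups" in attrs:
            self.instance["SecurityGroups"] = [{"GroupId": g} for g in attrs["Groups"]]
        if "DisableApiTermination" in attrs:
            self.termination_protected = attrs["DisableApiTermination"]["Value"]
        return {}

    def create_snapshot(self, VolumeId, **kwargs):
        self.snapshots.append(VolumeId)
        return {"SnapshotId": f"snap-{len(self.snapshots):017x}"}

    def create_tags(self, Resources, Tags):
        self.tags.extend(Tags)
        return {}


def sample_instance():
    """Constructed describe_instances record: two security groups, two EBS volumes, one instance store."""
    return {
        "InstanceId": "i-0123456789abcdef0",
        "SecurityGroups": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}, {"GroupId": "sg-0bbbbbbbbbbbbbbbb"}],
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0123456789abcdef0"}},
            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0fedcba9876543210"}},
            {"DeviceName": "/dev/xvdg", "VirtualName": "ephemeral0"},
        ],
    }


if __name__ == "__main__":
    ec2 = FakeEC2(sample_instance())
    print(json.dumps(isolate_instance(ec2, "i-0123456789abcdef0", "sg-0ccccccccccccccccc"), indent=2))
```

The order matters: the security group swap comes first because it is the one call that stops an active attacker, the snapshots come before any interactive forensics so the disk image reflects the host as it was found, and the original groups are tagged onto the instance so the clean-up runbook does not depend on the Step Functions execution history surviving.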
- CloudTrailRemediation
Lambda function that automatically restarts a CloudTrail trail when it has been stopped by a call to the CloudTrail StopLogging API. The script is built on a framework with placeholders for:
  * Priority Action
  * Alerting
  * Forensics
  * Countermeasures
  * Logging
This script will be featured in an upcoming blog post about AIRR (Automatic Incident Response Remediation). This file will be updated with the correct link once published.
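As an added example, not the script from the repository, here is a remediation function laid out along those five placeholders: it restarts the trail first, records who stopped it, and alerts on the security messages topic. It also handles the case the naive version gets wrong: a StopLogging call that CloudTrail recorded with an error code never stopped the trail, so it is reported as an attempt rather than restarted. The topic ARN, the environment variable name and the sample events are assumptions; the CloudTrail and SNS stand-ins exist only so the module runs offline.

```python
import json
import os

# EventBridge rule pattern that would deliver StopLogging calls to this function.
EVENT_PATTERN = {"source": ["aws.cloudtrail"], "detail": {"eventName": ["StopLogging"]}}


def remediate_stop_logging(event, cloudtrail, sns, topic_arn):
    """Respond to an EventBridge-wrapped CloudTrail record; return what was done."""
    detail = event.get("detail") or {}
    if detail.get("eventName") != "StopLogging":
        return {"action": "ignored", "reason": "not a StopLogging event"}
    trail = detail["requestParameters"]["name"]  # trail name or ARN, as the caller passed it

    # Priority action: get the trail logging again before anything else.
    if detail.get("errorCode"):
        # The StopLogging call was refused (for example AccessDenied), so the
        # trail never stopped; alert on the attempt but leave the trail alone.
        action = "attempt_failed"
    elif cloudtrail.get_trail_status(Name=trail)["IsLogging"]:
        action = "already_logging"  # someone beat us to it
    else:
        cloudtrail.start_logging(Name=trail)
        action = "restarted"

    # Forensics: capture who issued the call, from where and with what tooling.
    identity = detail.get("userIdentity") or {}
    report = {
        "trail": trail,
        "action": action,
        "principal": identity.get("arn") or identity.get("principalId") or "unknown",
        "sourceIPAddress": detail.get("sourceIPAddress"),
        "userAgent": detail.get("userAgent"),
        "eventTime": detail.get("eventTime"),
        "errorCode": detail.get("errorCode"),
    }

    # Alerting: fan out on the shared security messages topic.
    sns.publish(TopicArn=topic_arn,
                Subject=f"[sec-ir] CloudTrail StopLogging: {action}"[:100],
                Message=json.dumps(report))

    # Countermeasures: hook for follow-up against the principal; intentionally empty here.
    # Logging: anything printed inside Lambda lands in CloudWatch Logs.
    print(json.dumps(report))
    return report


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module also runs without the SDK."""
    import boto3
    return remediate_stop_logging(event, boto3.client("cloudtrail"), boto3.client("sns"),
                                  os.environ["SECURITY_MESSAGES_TOPIC_ARN"])  # assumed variable name


class FakeCloudTrail:
    """In-memory stand-in for the boto3 CloudTrail client (constructed for offline use)."""
    def __init__(self, is_logging):
        self.is_logging = is_logging
        self.started = []

    def get_trail_status(self, Name):
        return {"IsLogging": self.is_logging}

    def start_logging(self, Name):
        self.started.append(Name)
        self.is_logging = True
        return {}


class RecordingSNS:
    """In-memory stand-in for the boto3 SNS client (constructed for offline use)."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": str(len(self.published))}


# Constructed sample events in the shape EventBridge delivers CloudTrail records.
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/sec-ir-trail"
SAMPLE_STOP_LOGGING = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail", "detail": {
    "eventTime": "2018-06-01T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.15.0",
    "requestParameters": {"name": TRAIL_ARN},
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"}}}
SAMPLE_DENIED_STOP = dict(SAMPLE_STOP_LOGGING,
                          detail=dict(SAMPLE_STOP_LOGGING["detail"], errorCode="AccessDenied"))
SAMPLE_OTHER = dict(SAMPLE_STOP_LOGGING,
                    detail=dict(SAMPLE_STOP_LOGGING["detail"], eventName="DescribeTrails"))

if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:123456789012:sec-ir-SecurityMessages"  # assumed ARN
    for sample in (SAMPLE_STOP_LOGGING, SAMPLE_DENIED_STOP, SAMPLE_OTHER):
        print(remediate_stop_logging(sample, FakeCloudTrail(is_logging=False), RecordingSNS(), topic))
```

The function's execution role needs cloudtrail:GetTrailStatus, cloudtrail:StartLogging and sns:Publish, and nothing that would let the same role stop a trail; keeping the responder's permissions that narrow is what stops it from becoming the next thing an attacker abuses.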
- force-user-mfa
Demo script that automatically creates a virtual MFA device and assigns it to any IAM user created in the account. Once the device is created, the user can fetch their own seed value using the AWS CLI. The script has a function for sending the seed value, for example via SNS, but use caution and do not send it over any unencrypted channel. When the self-service functionality is used, the seed value is stored encrypted in Parameter Store and delivered over TLS. Once users have the seed value they can paste it into any password manager that supports TOTP tokens and start using MFA. There is no need for the user to sync the device, since the Lambda function does that step server side. Phone apps that work, with no particular preference, include Google Authenticator and 1Password; search for software that suits your team.
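As an added example, not the demo script itself, the following shows why no client-side sync is needed: IAM activates a virtual MFA device only after it is shown two consecutive TOTP codes, and since the Lambda holds the seed it can compute them itself (RFC 6238 TOTP over RFC 4226 HOTP) and then store the seed as a SecureString parameter for the user to collect. The parameter path, the CreateUser sample event and the RFC test seed are assumptions; the IAM and SSM stand-ins exist only so the module runs offline, and the IAM one checks the two codes the way EnableMFADevice does.

```python
import base64
import hashlib
import hmac
import struct
import time

# EventBridge rule pattern that would deliver new-user events to this function.
EVENT_PATTERN = {"source": ["aws.iam"], "detail": {"eventName": ["CreateUser"]}}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_seed: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for the 30-second window containing Unix time `at`."""
    return hotp(base64.b32decode(base32_seed.upper()), at // step, digits)


def user_name_from_event(event):
    """Pull the new user's name out of an EventBridge-wrapped CreateUser record."""
    detail = event.get("detail") or {}
    if detail.get("eventName") != "CreateUser" or detail.get("errorCode"):
        return None
    return detail["requestParameters"]["userName"]


def enroll_user_mfa(iam, ssm, user_name, now=None):
    """Create a virtual MFA device, activate it for the user, and stash the seed."""
    now = int(time.time()) if now is None else now
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=user_name)["VirtualMFADevice"]
    seed = device["Base32StringSeed"].decode()  # boto3 returns the seed as bytes
    serial = device["SerialNumber"]
    # Two consecutive codes activate the device; computing them here is the
    # "server-side sync" that saves the user from doing it in their app.
    iam.enable_mfa_device(UserName=user_name, SerialNumber=serial,
                          AuthenticationCode1=totp(seed, now),
                          AuthenticationCode2=totp(seed, now + 30))
    # SecureString parameters are encrypted with KMS at rest; the CLI fetches
    # them over TLS with --with-decryption. Path is an assumed convention.
    ssm.put_parameter(Name=f"/mfa/{user_name}/seed", Value=seed,
                      Type="SecureString", Overwrite=True)
    return serial


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module also runs without the SDK."""
    import boto3
    user_name = user_name_from_event(event)
    if user_name is None:
        return None
    return enroll_user_mfa(boto3.client("iam"), boto3.client("ssm"), user_name)


# Seed from the RFC 4226 / RFC 6238 test vectors, used only as constructed input.
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()


class FakeIAM:
    """Offline IAM stand-in that validates the codes like EnableMFADevice does."""
    def __init__(self, seed: str, now: int):
        self.seed, self.now, self.enabled = seed, now, {}

    def create_virtual_mfa_device(self, VirtualMFADeviceName, **kwargs):
        return {"VirtualMFADevice": {
            "SerialNumber": f"arn:aws:iam::123456789012:mfa/{VirtualMFADeviceName}",
            "Base32StringSeed": self.seed.encode()}}

    def enable_mfa_device(self, UserName, SerialNumber, AuthenticationCode1, AuthenticationCode2):
        secret, counter = base64.b32decode(self.seed), self.now // 30
        if (AuthenticationCode1, AuthenticationCode2) != (hotp(secret, counter), hotp(secret, counter + 1)):
            raise ValueError("EnableMFADevice: codes are not from two consecutive windows")
        self.enabled[UserName] = SerialNumber
        return {}


class FakeSSM:
    """In-memory Parameter Store stand-in (constructed for offline use)."""
    def __init__(self):
        self.params = {}

    def put_parameter(self, Name, Value, Type, Overwrite=False):
        if Name in self.params and not Overwrite:
            raise ValueError("ParameterAlreadyExists")
        self.params[Name] = {"Value": Value, "Type": Type}
        return {"Version": 1}


SAMPLE_CREATE_USER = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam", "detail": {
    "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
    "requestParameters": {"userName": "alice"}}}

if __name__ == "__main__":
    now = 1234567890
    iam, ssm = FakeIAM(RFC6238_SEED, now), FakeSSM()
    print(enroll_user_mfa(iam, ssm, user_name_from_event(SAMPLE_CREATE_USER), now=now))
    print(ssm.params)
```

The user then runs `aws ssm get-parameter --name /mfa/alice/seed --with-decryption --query Parameter.Value --output text` and pastes the result into a TOTP-capable app. Whoever can read that parameter can mint valid second factors, so the parameter's KMS key policy and the IAM policy on ssm:GetParameter are the controls that matter; delete the parameter once the user has confirmed enrolment.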
Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.