This project is part of the workshop Building Incident Response Playbooks for AWS. Follow the workshop directions for optimal use of this repository's contents.
DO NOT DEPLOY THE CODE FROM THIS REPOSITORY IN AN EXISTING AWS ACCOUNT YOU CURRENTLY USE. CREATE A NEW SANDBOX ACCOUNT FOR THE PURPOSE OF THIS WORKSHOP.
- This is a sandbox environment for learning purposes only. You will take the learnings from building a playbook in this controlled environment and adapt to your own environment.
- GuardDuty, CloudTrail, VPC Flow, and DNS logs are the fundamental pillars for threat detection and incident response in AWS. Focus on learning how to interpret them based on the activity generated.
- This project builds an environment in an AWS Account that facilitates the development of playbooks, enhancing customers' capability to respond to security events.
- Amazon Athena provides analytical capabilities with pre-configured tables for querying AWS CloudTrail logs, Amazon VPC Flow logs, and Amazon Route53 VPC DNS logs centralized in an Amazon S3 Bucket.
- Includes two (2) sample playbooks addressing the IAM credential exposure and EC2 crypto mining threats, plus a template for you to develop additional scenarios.
- Includes Linux bash scripts to simulate the threats and practice the response laid out by the sample playbooks. Create your own scripts in Linux bash or other languages to support the development and testing of your own security event scenarios.
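The list above says the CloudTrail, VPC Flow and DNS logs are what you learn to interpret in this workshop. The following is an added example, not code from the workshop repository, showing the first-pass triage an analyst does for the IAM credential exposure scenario: take CloudTrail records as delivered to S3 (a JSON object with a `Records` array), filter to the access key under investigation, and summarize when, from where and against which APIs it was used. It runs offline over a constructed sample embedded in the script; the account, key id `AKIAEXAMPLEKEY0001`, IP addresses and user name are placeholders, and the read-only prefix list is a simplifying assumption of this example rather than anything defined by CloudTrail.

```python
"""Added example (not part of the workshop repository): triage of CloudTrail
activity tied to an exposed IAM access key, run over a constructed sample."""
import json
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in CloudTrail's delivered-log shape ({"Records": [...]}).
# Four calls by the hypothetical exposed key AKIAEXAMPLEKEY0001 (including one
# denied attempt and one call in a second region) and one unrelated call by
# another key. Every id, IP and user name here is a placeholder.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2021-06-01T09:55:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.2.0",
     "userIdentity": {"type": "IAMUser", "userName": "sim-user",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2021-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.2.0",
     "userIdentity": {"type": "IAMUser", "userName": "sim-user",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2021-06-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.2.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "sim-user",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2021-06-01T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.2.0",
     "userIdentity": {"type": "IAMUser", "userName": "sim-user",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2021-06-01T10:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.5", "userAgent": "aws-sdk-java/1.11",
     "userIdentity": {"type": "IAMUser", "userName": "app-user",
                      "accessKeyId": "AKIAEXAMPLEKEY0002"}},
]})

# Assumption of this example: API names with these prefixes are treated as
# read-only; everything else is counted as an attempted change to the account.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def parse_records(raw: str) -> List[Dict]:
    """Accept a CloudTrail log file object or a bare list of records."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("Records", [])
    return [r for r in data if isinstance(r, dict)]


def _event_time(record: Dict) -> datetime:
    # CloudTrail writes UTC with a trailing "Z"; fromisoformat on Python 3.8
    # needs an explicit offset instead.
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))


def triage_access_key(records: List[Dict], access_key_id: str) -> Optional[Dict]:
    """Summarize all activity performed with one access key; None if unseen."""
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    if not hits:
        return None
    times = sorted(_event_time(r) for r in hits)

    def api(r: Dict) -> str:
        return f'{r.get("eventSource", "?")}:{r.get("eventName", "?")}'

    return {
        "event_count": len(hits),
        "first_seen": times[0].isoformat(),
        "last_seen": times[-1].isoformat(),
        "source_ips": sorted({r.get("sourceIPAddress", "") for r in hits}),
        "regions": sorted({r.get("awsRegion", "") for r in hits}),
        # errorCode is only present when the call failed (e.g. AccessDenied).
        "denied_calls": sum(1 for r in hits if r.get("errorCode")),
        "api_calls": Counter(api(r) for r in hits).most_common(),
        # Attempted changes, whether or not they succeeded: a denied CreateUser
        # is still evidence of what the holder of the key tried to do.
        "mutating_calls": sorted({api(r) for r in hits if not
                                  r.get("eventName", "").startswith(READ_ONLY_PREFIXES)}),
    }


if __name__ == "__main__":
    summary = triage_access_key(parse_records(SAMPLE_CLOUDTRAIL), "AKIAEXAMPLEKEY0001")
    print(json.dumps(summary, indent=2))
```

The same questions (first and last use, source IPs, regions, denied calls, mutating calls) map directly onto queries against the pre-configured CloudTrail table in Athena once the workshop environment is deployed; the script just makes the logic visible on a handful of records.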
An AWS CDK application creates one stack named WorkshopStack containing the minimum environment required to support the development of Incident Response Playbooks. The components are listed in the next section.
- Amazon S3 Bucket centralizing all required log sources
- Amazon S3 Bucket for Athena queries results
- A VPC with public and private subnets, internet gateway, NAT gateway, and one EC2 instance
- CloudTrail trail logging management and data events streaming to S3 bucket
- VPC DNS logs enabled for VPC streaming to S3 bucket
- VPC Flow logs enabled for VPC streaming to S3 bucket
- Athena Workgroup
- Glue database and tables
- Security analyst IAM Role to run Athena queries
- Athena administrator IAM Role to configure Athena and Glue
- Security break glass IAM Role for containment, eradication, and recovery
- Security deploy IAM Role for CloudFormation deployment of SimulationStack
- IAM User Access Key for EC2 crypto mining simulation
- IAM User Access Key for IAM credential exposure simulation
- AWS GuardDuty for alerting (enabled manually)
- Clone this repository and choose between AWS CDK or AWS CloudFormation for deployment of stacks.
AWS CloudFormation is the preferred deployment method for those with little coding and AWS experience.
- Login to your AWS Account
- Go to the AWS CloudFormation console
- Create stack using cdk/cdk.out/WorkshopStack.yaml from the cloned repository
Refer to this page for getting started with AWS CloudFormation.
We recommend AWS CDK for those with excellent coding and AWS experience.
- Install node.js 10.13.0 or later
- Install Python 3.8 or later
- Configure a python virtual environment
  - change directory to the root of the cloned repository
  - run `python -m venv .venv`
  - run `source .venv/bin/activate`
  - run `python -m pip install -r stacks/requirements.txt`
- Install AWS CLI v2
- Create IAM credentials with permission to deploy AWS resources using CloudFormation
- Configure IAM credentials
  - run `aws configure`
  - verify by running `aws sts get-caller-identity`
- Install AWS CDK
  - change directory to the root of the cloned repository
  - run `npm install -g aws-cdk`
  - verify by running `cdk --version` to check the version installed
- Deploy the AWS CDK app
  - run `cdk bootstrap`
  - run `cdk synth`
  - run `cdk deploy`
Refer to this page for getting started with AWS CDK.
Consider the costs involved in deploying this solution beyond what is included with AWS Free Tier, if applicable:
- Amazon Athena: https://aws.amazon.com/athena/pricing/
- Amazon S3: https://aws.amazon.com/s3/pricing/
- Amazon EC2: https://aws.amazon.com/ec2/pricing
- AWS CloudTrail: https://aws.amazon.com/cloudtrail/pricing/
- AWS Glue: https://aws.amazon.com/glue/pricing/
- AWS GuardDuty (manual install): https://docs.aws.amazon.com/guardduty/latest/ug/monitoring_costs.html
- AWS Customer Playbook Framework
- AWS re:invent 2020: Building your cloud incident response program
- AWS Incident Response Playbook Samples (process only)
- AWS Cloud Adoption Framework Security Perspective
- AWS Well-Architected labs - Security
- AWS Security Analytics Bootstrap
- AWS API Guides and Documentation
- CloudTrail User Guide
- Amazon VPC Flow Logs
- Amazon Route53 VPC DNS resolver logs