π AWS Security Survival Kit
π§ Rationale
This AWS Security Survival Kit (ASSK) sets up a basic proactive monitoring and alerting environment on common suspicious activities in your AWS Account.
We know that CloudTrail is the bare minimum service to activate on a newly created AWS Account to track all activities on your AWS account. It helps, but this will not alert you to suspicious activities by itself. You still have to check periodically if something has gone wrong in multiple services and the console.
With these CloudFormation templates, you will bring proactive security monitoring and alerting to your AWS account. It's complementary to the GuardDuty service as there are no built-in alerts on GuardDuty.
πΎ Suspicious Activities
Using this kit, you will deploy EventBridge (CloudWatch Event) Rules and CloudWatch Metric Filters and Alarms on select suspicious activities. It comes with a CloudWatch Dashboard to give you more insights about what is ringing π
The following suspicious activities are currently supported:
- Root User activities
- CloudTrail changes (
StopLogging,DeleteTrail,UpdateTrail) - AWS Personal Health Dashboard Events
- IAM Users Changes (
Create,Delete,Update,CreateAccessKey, etc..) - MFA Monitoring (
CreateVirtualMFADeviceDeactivateMFADeviceDeleteVirtualMFADevice, etc..) - Unauthorized Operations (
Access Denied,UnauthorizedOperation) - Failed AWS Console login authentication (
ConsoleLoginFailures) - EBS Snapshots Exfiltration (
ModifySnapshotAttribute,SharedSnapshotCopyInitiatedSharedSnapshotVolumeCreated) - AMI Exfiltration (
ModifyImageAttribute) - Who Am I Calls (
GetCallerIdentity) - IMDSv1 RunInstances (
RunInstances&&optionalhttp tokens)
π€ ChatOps
Setup AWS Chatbot for best experience to get notified directly on Slack and MS Teams.
π Dashboard
ASSK comes with a CloudWatch Dashboard, please don't hesitate to adjust to your needs.
ποΈ Credits
- AWS Security Boutique: zoph.io
- π AWS Security Digest Newsletter
- Twitter: zoph
Top comments (0)