zoph-io/aws-security-survival-kit

🚑 AWS Security Survival Kit

🧠 Rationale

The AWS Security Survival Kit (ASSK) helps you monitor and get alerts about suspicious activities in your AWS account.

While CloudTrail is essential for tracking AWS account activity, it does not provide automatic alerts: you need to manually check logs across multiple services and the console to spot issues.

This kit uses CloudFormation templates to set up proactive security monitoring and alerting. It works alongside GuardDuty to fill the gap of missing built-in alerts.

✅ Secure by default

This kit enables several important security configurations in your AWS account by default:

  1. Automatic encryption for all EBS volumes (per region)
  2. Account-wide S3 Block Public Access
  3. Prevention of public AMI sharing (per region) - Announcement
  4. Prevention of public snapshot sharing (per region) - Blogpost
  5. IMDSv2 requirement for new instances (per region) - Announcement

💾 Suspicious Activities

Using this kit, you will deploy EventBridge (CloudWatch Events) Rules and CloudWatch Metric Filters and Alarms for the following suspicious activities. It comes with CloudWatch Dashboards to give you more insight into what is ringing 🔔

The following suspicious activities are currently supported:

  1. Root User activities
  2. CloudTrail changes (StopLogging, DeleteTrail, UpdateTrail)
  3. AWS Personal Health Dashboard Events
  4. IAM User Changes (Create, Delete, Update, CreateAccessKey, etc.)
  5. IAM Suspicious Activities (Attach*Policy) with the AdministratorAccess managed IAM policy
  6. MFA Monitoring (CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, etc.)
  7. Unauthorized Operations (Access Denied, UnauthorizedOperation)
  8. Failed AWS Console login authentication (ConsoleLoginFailures)
  9. EBS Snapshot Exfiltration (ModifySnapshotAttribute, SharedSnapshotCopyInitiated, SharedSnapshotVolumeCreated)
  10. AMI Exfiltration (ModifyImageAttribute)
  11. Who Am I Calls (GetCallerIdentity)
  12. IMDSv1 RunInstances (RunInstances with HTTP tokens set to optional)
  13. CloudShell Exfiltration (GetFileDownloadUrls)
  14. KMS Key Changes (DisableKey, ScheduleKeyDeletion, DeleteAlias, DisableKeyRotation)
  15. Security Group Changes (AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, AuthorizeSecurityGroupEgress, RevokeSecurityGroupEgress)
  16. AWS Config Changes (StopConfigurationRecorder, DeleteConfigurationRecorder, DeleteConfigRule, DeleteEvaluationResults)
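As an added example (not the kit's own code, which is CloudFormation), the matcher below applies a handful of the detection categories listed above to constructed CloudTrail records, the way the kit's EventBridge rules and metric filters would on real trail events. The record field layout (userIdentity.type, errorCode, requestParameters.policyArn, requestParameters.metadataOptions.httpTokens) follows the CloudTrail record format; the rule names are assumptions for this illustration.

```python
import fnmatch

def _field(event, *path, default=None):
    """Walk nested dict keys safely, returning default when any key is absent."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

# Rule table modelled on the README's list (rule names are assumed, not the kit's).
RULES = {
    "root_activity": lambda e: _field(e, "userIdentity", "type") == "Root",
    "cloudtrail_change": lambda e: e.get("eventSource") == "cloudtrail.amazonaws.com"
        and e.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "admin_policy_attach": lambda e: e.get("eventSource") == "iam.amazonaws.com"
        and fnmatch.fnmatch(e.get("eventName", ""), "Attach*Policy")
        and str(_field(e, "requestParameters", "policyArn", default="")).endswith(":policy/AdministratorAccess"),
    "unauthorized_operation": lambda e: e.get("errorCode") in {"AccessDenied", "UnauthorizedOperation"},
    "imdsv1_runinstances": lambda e: e.get("eventName") == "RunInstances"
        and _field(e, "requestParameters", "metadataOptions", "httpTokens") == "optional",
    "snapshot_exfiltration": lambda e: e.get("eventName") == "ModifySnapshotAttribute",
    "whoami": lambda e: e.get("eventName") == "GetCallerIdentity",
}

def classify(event):
    """Return the sorted names of every rule this single CloudTrail record triggers."""
    return sorted(name for name, test in RULES.items() if test(event))

def scan(events):
    """Count triggered rules over a batch, like a metric filter feeding an alarm."""
    counts = {}
    for ev in events:
        for name in classify(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample records (not real CloudTrail output); only relevant fields are kept.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root"}, "requestParameters": {"name": "main-trail"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole"}, "requestParameters": {"metadataOptions": {"httpTokens": "optional"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser"}, "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", classify(ev) or ["(no alert)"])
    print(scan(SAMPLE_EVENTS))
```

A root user stopping the trail trips two rules at once, which is the behaviour you want from independent rules rather than a first-match chain.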

⌨️ Usage

Parameters

  • AlarmRecipient: Recipient for the alerts (e.g.: hello@zoph.io)
  • Project: Name of the Project (e.g.: aws-security-survival-kit)
  • Description: Description of the Project (e.g.: Bare minimum ...)
  • LocalAWSRegion: Region where your workloads and CloudTrail are located (e.g.: eu-west-1)
  • CTLogGroupName: CloudTrail CloudWatch LogGroup name (Required)

Set the correct parameters in the Makefile, then run the following command:

$ make deploy

📫 Notifications

You will receive alerts by email, sent by an SNS Topic.

Email Notification

🤖 ChatOps

Set up AWS Chatbot for the best experience: you get notified directly in Slack.

📈 Dashboards

ASSK comes with two CloudWatch Dashboards (Local and Global) to bring better visibility into suspicious activities in your AWS Account.

👨‍💻 Credits

🌧️ Other Initiatives