zoph-io / aws-security-survival-kit

Bare minimum AWS Security Alerting and Configuration
https://bio.link/zoph
GNU General Public License v3.0
460 stars 39 forks source link
alerting aws observability security

🚑 AWS Security Survival Kit

:brain: Rationale

This AWS Security Survival Kit (ASSK) sets up a basic proactive monitoring and alerting environment on common suspicious activities in your AWS Account.

We know that CloudTrail is the bare minimum service to activate on a newly created AWS Account to track all activities on your AWS account. It helps, but this will not alert you to suspicious activities by itself. You still have to check periodically if something has gone wrong in multiple services and the console.

With these CloudFormation templates, you will bring proactive security monitoring and alerting to your AWS account. It's complementary to the GuardDuty service as there are no built-in alerts on GuardDuty.

✅ Secure by Default

This kit will also enable the following default security configuration to your AWS Account.

  1. EBS Volumes Default Encryption (Region level)
  2. S3 Block Public Access (Account level)
  3. Block AMI Public Sharing (Region level) - from 2023-10-20
  4. Block Snapshot Public Sharing (Region level) - from 2023-11-09
  5. Enable IMDSv2 by Default for new Instances (Region Level) - from 2024-03-25

💾 Suspicious Activities

Using this kit, you will deploy EventBridge (CloudWatch Event) Rules and CloudWatch Metric Filters and Alarms on select suspicious activities. It comes with a CloudWatch Dashboard to give you more insights about what is ringing 🔔

The following suspicious activities are currently supported:

  1. Root User activities
  2. CloudTrail changes (StopLogging, DeleteTrail, UpdateTrail)
  3. AWS Personal Health Dashboard Events
  4. IAM Users Changes (Create, Delete, Update, CreateAccessKey, etc..)
  5. MFA Monitoring (CreateVirtualMFADevice DeactivateMFADevice DeleteVirtualMFADevice, etc..)
  6. Unauthorized Operations (Access Denied, UnauthorizedOperation)
  7. Failed AWS Console login authentication (ConsoleLoginFailures)
  8. EBS Snapshots Exfiltration (ModifySnapshotAttribute, SharedSnapshotCopyInitiated SharedSnapshotVolumeCreated)
  9. AMI Exfiltration (ModifyImageAttribute)
  10. Who Am I Calls (GetCallerIdentity)
  11. IMDSv1 RunInstances (RunInstances && optional http tokens)
  12. CloudShell Exfiltration (GetFileDownloadUrls)

:keyboard: Usage

Parameters

Setup the correct parameters in the Makefile, then run the following command:

$ make deploy

📫 Notifications

You will receive alerts by emails sent by SNS Topic

Email Notification

:robot: ChatOps

Setup AWS Chatbot for best experience to get notified directly on Slack.

Slack Alerts Slack Alerts

📈 Dashboard

ASSK comes with a CloudWatch Dashboard, please don't hesitate to adjust to your needs.

dashboard

:man_technologist: Credits

🌧️ Other CSP Initiatives