zoph-io / aws-security-survival-kit Goto Github PK

Alarm on IMDSv1 Instances RunInstances

  "metadataOptions": {
      "state": "pending",
      "httpTokens": "optional",
      "httpPutResponseHopLimit": 1,
      "httpEndpoint": "enabled",
      "httpProtocolIpv4": "enabled",
      "httpProtocolIpv6": "disabled",
      "instanceMetadataTags": "disabled"
  },

Provided by @christophelimpalair : https://github.com/4n6ir/expediate

The project sounds similar to what we are doing, sadly archived by the author (@jblukach / @4n6ir).

New detections based on this paper

Work on a better CloudWatch Dashboarding capability.

The idea is to be able to enable/disable some of the basic features of this kit.

For example, you don't want to enable the alerting when someone is triggering sts get-caller-identity to avoid alert fatigue.

https://aws.amazon.com/blogs/mt/enable-management-of-your-amazon-ec2-instances-in-aws-systems-manager-using-default-host-management-configuration/

Consolidate in a CW Dashboard some useful metrics and findings like the CloudWatch Insight logs of "AccessDenied" to easily find and understand what is going wrong.

I am not the best at navigating CloudTrail, but I am usually able to find things. However, after installing this excellent set of cloudfront scripts, I am getting notifications every so often that there is an unauthorized api call and I can't find them. Any assistance? Thank you again for creating this kit.

• Better naming of assets with a assk prefix everywhere #18
• Feature flag / cherry-pick of alerting
• Better Dashboarding Capabilities (Observability)
• Full Integration with AWS ChatBot (Teams + Slack)
• New detections based on this paper

Add the native support of Slack and Microsoft Teams using AWS Chatbot.

https://aws.amazon.com/chatbot/

Hi,

The CTLogGroupName variable needs to point to an already existing Log Group created in CloudWatch. If the log group is not created the following errors are reported in CloudFormation:

If the log group is created, the kit works like a charm!
Can you add in the cloud formation template also the log group creation? I recommend to put 1 week retention not to have surprise costs, or have the retention defined as a variable in your Makefile.

Thanks for the work!

Create a version which supports multi-account setups (AWS Organizations).

It should:

1. Support sending all alerts to a centralized SNS topic (maybe in a Security Account). This can be managed separate from this stack.
2. Ensure that documentation is clear on how to use CF StackSets to deploy not only across multiple accounts in the ORG, but also which stacks should be deployed across all regions that are in use, and which should be deployed to just US-EAST-1.

Rationale:

• AWS Best Practice recommends the use of multiple accounts with Organizations to seperate workloads and different environments (DEV, PROD)

Please consider defining a license, I would like to use this in line with your wishes. Thanks.

From "Ideas for later" #14

I'll grab this one @z0ph and separating so we can tie PR to issue without closing the ideas list