Overview

In this workshop you will learn how to implement automated remediations of findings submitted to AWS Security Hub, using an open source tool named Cloud Custodian. No prior knowledge of either is required.

However, this workshop is not intended to provide a complete introduction to writing policies for Cloud Custodian; for that, please refer to the Getting Started documentation or the introductory presentation on Cloud Custodian.

The automated remediations in this workshop are implemented as AWS Lambda Functions which are invoked by CloudWatch Events. The CloudWatch Events are generated by AWS Security Hub either when a console user invokes a Custom Action or when a finding is imported into Security Hub.

Your feedback is highly desired. Please submit a new issue if you run into any problems, even if you figure them out yourself, so we can make this workshop as error proof as possible.

  • Level: Intermediate
  • Duration: 1 - 2 hours
  • CSF Functions: Detect, Respond
  • CAF Components: Detective, Responsive
  • Prerequisites: AWS Account with an Admin IAM user/role with AWS CLI configured. If you are doing this Workshop as part of an AWS Event where Event Engine is being used, these will be supplied.

Scenario

You are a Security Engineer who has just been tasked with automating some of the common steps that Security Analysts take when responding to insecure configuration, discovered vulnerabilities, or actual attacks.

Architecture

For this Workshop you will view source files using Cloud9 and invoke command lines via its terminal window, which is connected to an EC2 instance. The automated remediations in this workshop are deployed by using that terminal window to invoke Cloud Custodian running within a Docker container. Each module includes the execution of a Cloud Custodian policy, which is a file written in a simple YAML based DSL that defines rules. Most of the policies result in Cloud Custodian dynamically generating and deploying a Lambda Function, then deploying a CloudWatch Events rule with an event filter and a trigger that invokes the same Lambda Function it just deployed.
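The following policy is an added illustration of the shape of such a file, not one of the workshop's own policies: a Security Hub custom action that stops the EC2 instance referenced by a finding. The policy name, tag keys and role ARN are placeholders you would replace with the values created for your environment.

```yaml
# Hypothetical Cloud Custodian policy (not from the workshop repository).
# "mode: hub-action" makes Custodian deploy a Lambda Function plus a
# CloudWatch Events rule that fires when a Security Hub console user
# selects the generated custom action on a finding; Custodian then
# evaluates the filters against the finding's EC2 instance before acting.
policies:
  - name: hub-action-stop-ec2-instance
    resource: aws.ec2
    description: |
      Stop the EC2 instance referenced by a Security Hub finding when an
      analyst invokes this custom action from the Security Hub console.
    mode:
      type: hub-action
      # Placeholder: replace with the Lambda execution role created by
      # the workshop's CloudFormation stack.
      role: arn:aws:iam::123456789012:role/CustodianLambdaRole
    filters:
      # Defensive filters: only act on running instances that have not
      # been explicitly marked as exempt from automated remediation.
      - type: value
        key: State.Name
        value: running
      - "tag:custodian-protected": absent
    actions:
      # Leave an audit trail on the resource before changing its state.
      - type: tag
        key: custodian-remediation
        value: stopped-by-security-hub-custom-action
      - stop
```

Deploying it from the terminal is a single `custodian run -s output policy.yml`; the Lambda Function and event rule appear in the account afterwards, and the filters run inside the Lambda each time the action is invoked.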

The CloudFormation template in this workshop sets up the following:

  1. AWS Cloud9 Environment with an associated EC2 instance.
  2. IAM policies, Role, and Instance Profiles.
  3. An EC2 instance to be used as a test target.
  4. An IAM user to demonstrate the ability to disable its access keys.
  5. CloudWatch Log Groups.

As part of the Workshop, Security Hub and GuardDuty will be enabled.

Presentation deck

Workshop Presentation Deck

Modules

This workshop is broken up into the following modules:

  1. Environment Build and Configuration
  2. GuardDuty DNS Event on EC2 Instance
  3. Security Hub Custom Actions
  4. Vulnerability Event on EC2 Instance with Very Risky Configuration
  5. GuardDuty Event on IAMUser
  6. Remediate a Public EBS Snapshot
  7. Cleanup of Resources (not needed when using an account provided by an AWS Event)