This AWS Security Survival Kit (ASSK) sets up a basic proactive monitoring and alerting environment on common suspicious activities in your AWS Account.
We know that CloudTrail is the bare minimum service to activate on a newly created AWS Account to track all activities on your AWS account. It helps, but this will not alert you to suspicious activities by itself. You still have to check periodically if something has gone wrong in multiple services and the console.
With these CloudFormation templates, you will bring proactive security monitoring and alerting to your AWS account. It's complementary to the GuardDuty service as there are no built-in alerts on GuardDuty.
This kit will also enable the following default security configuration to your AWS Account.
- EBS Volumes Default Encryption (Region level)
- S3 Block Public Access (Account level)
- Block AMI Public Sharing (Region level) - from 2023-10-20
- Block Snapshot Public Sharing (Region level) - from 2023-11-09
- Enable IMDSv2 by Default for new Instances (Region Level) - from 2024-03-25
Using this kit, you will deploy EventBridge (CloudWatch Event) Rules and CloudWatch Metric Filters and Alarms on select suspicious activities. It comes with a CloudWatch Dashboard to give you more insights about what is ringing 🔔
The following suspicious activities are currently supported:
- Root User activities
- CloudTrail changes (
StopLogging
,DeleteTrail
,UpdateTrail
) - AWS Personal Health Dashboard Events
- IAM Users Changes (
Create
,Delete
,Update
,CreateAccessKey
, etc..) - MFA Monitoring (
CreateVirtualMFADevice
DeactivateMFADevice
DeleteVirtualMFADevice
, etc..) - Unauthorized Operations (
Access Denied
,UnauthorizedOperation
) - Failed AWS Console login authentication (
ConsoleLoginFailures
) - EBS Snapshots Exfiltration (
ModifySnapshotAttribute
,SharedSnapshotCopyInitiated
SharedSnapshotVolumeCreated
) - AMI Exfiltration (
ModifyImageAttribute
) - Who Am I Calls (
GetCallerIdentity
) - IMDSv1 RunInstances (
RunInstances
&&optional
http tokens) - CloudShell Exfiltration (
GetFileDownloadUrls
)
AlarmRecipient
: Recipient for the alerts (e.g.: [email protected])Project
: Name of the Project (e.g.: aws-security-survival-kit)Description
: Description of the Project (e.g.: Bare minimum ...)LocalAWSRegion
: Region where your workloads and CloudTrail are located (e.g.:eu-west-1
)CTLogGroupName
: Cloudtrail CloudWatch LogGroup name
Setup the correct parameters in the Makefile
, then run the following command:
$ make deploy
You will receive alerts by emails sent by SNS Topic
Setup AWS Chatbot for best experience to get notified directly on Slack.
ASSK comes with a CloudWatch Dashboard, please don't hesitate to adjust to your needs.
- 🏴☠️ AWS Security Boutique: zoph.io
- 💌 AWS Security Digest Newsletter
- 🐦 X/Twitter: zoph
- Microsoft Azure from folks @O3 Cyber