Active Notes from AWS re:Invent 2015 | (SEC308) Wrangling Security Events in The Cloud – Try this at home

These are active notes from AWS re:Invent 2015 | (SEC308) Wrangling Security Events in The Cloud. I’m re-watching the video and following along with the steps discussed in the talk and implementing them as a learning exercise.

Updates <2015-10-24 Sat>
Add bits about using CloudFormation, Templates, and CloudWatch alarms

1 Do These Things

1.1 DONE Sign up a free-tier AWS account

I set up an AWS Free Tier account to follow along and re-implement the exercises described as a learning process. https://aws.amazon.com/free/

1.2 DONE Do initial setup of non-root users using IAM

Consider this: https://alestic.com/2014/09/aws-root-password/

I did the following (basic steps, not step-by-step):

  • Created two users
    • DOWNLOAD AND SAVE THE CREDENTIALS
  • Assigned admin access policy to one of them
  • set passwords for both
  • enable access to billing for account
  • enable MFA on root account
  • Create a “users” group, assign one user to the group (for now the group “users” has admin access)

1.3 DONE Turn On CloudTrail

… to be continued …

1.4 DONE Stand up a wordpress blog stack with cloudformation

  • select default wordpress template
  • generate keypairs if needed
  • Fill out parameters
  • launch

1.5 DONE Turn on CloudWatchLogs

Video at 8:12: CloudWatch Logs

1.6 DONE Using an AWS CloudFormation Template to Create CloudWatch Alarms

Do this: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/use-cloudformation-template-to-create-cloudwatch-alarms.html

to set up alerting for:

The example template defines metric filters that monitor creation and deletion of, or updates to, security groups, network ACLs, internet gateways, Amazon EC2 instances, and IAM policies. For each filter, the template describes a corresponding alarm that enables you to receive email notifications when a call to one of the APIs being monitored by the filter is made.

See https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json for details.

This will send notifications (email, SNS, whatever) when specific events related to an account occur.
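
An added example (not from the talk, and not the AWS template itself) of the detection logic those metric filters encode: it applies the same category matching to CloudTrail records as they arrive in CloudWatch Logs, one JSON record per line, and counts hits per category the way the alarm metric does. The event-name lists are an assumption chosen to match the template's categories, not copied from it, and the log lines are constructed.

```python
import json
from collections import Counter

# Event names grouped like the example template's metric-filter categories. Assumption:
# these lists are illustrative for those categories, not copied from the template.
WATCHED_EVENTS = {
    "SecurityGroup": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                      "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                      "CreateSecurityGroup", "DeleteSecurityGroup"},
    "NetworkAcl": {"CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
                   "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry"},
    "Gateway": {"CreateInternetGateway", "DeleteInternetGateway",
                "AttachInternetGateway", "DetachInternetGateway"},
    "EC2Instance": {"RunInstances", "RebootInstances", "StartInstances",
                    "StopInstances", "TerminateInstances"},
    "IAMPolicy": {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "AttachUserPolicy",
                  "DetachUserPolicy", "CreatePolicy", "DeletePolicy"},
}

def classify(record):
    """Return the filter category a CloudTrail record hits, or None."""
    name = record.get("eventName", "")
    return next((c for c, names in WATCHED_EVENTS.items() if name in names), None)

def count_hits(lines):
    """Count filter hits per category over CloudWatch Logs lines (one JSON
    CloudTrail record per line): the metric the template's alarms fire on."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # not a JSON record: skip it rather than abort the scan
        category = classify(record)
        if category:
            counts[category] += 1
    return counts

# Constructed sample records, trimmed to the fields used here (real records
# also carry userIdentity, sourceIPAddress, requestParameters, ...).
SAMPLE_LOG = """
{"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"}
{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"}
{"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy"}
not a json line
{"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances"}
{"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSecurityGroup"}
"""
```

Read-only calls such as DescribeInstances fall through unmatched, which is why the template's alarms only fire on the mutating API calls listed above.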

1.7 DONE Create versioned files in S3

  • Go to S3 in the console
  • Create a folder
  • Versioning
  • upload a file
  • upload a modified version of the file

1.8 DONE Install, configure and test the aws command line tools

sudo pip install awscli
complete -C aws_completer
aws configure
#    AWS Access Key ID: foo
# AWS Secret Access Key: bar
# Default region name [us-west-2]: us-east-1
# Default output format [None]:
   george@octo github.com $ aws iam list-users 
{
    "Users": [
        {
            "UserName": "george", 
            "PasswordLastUsed": "2015-10-25T08:27:03Z", 
            "CreateDate": "2015-10-14T22:21:17Z", 
            "UserId": "xxxAIPTQ2UR42GYKHUyyy", 
            "Path": "/", 
            "Arn": "arn:aws:iam::zzz852060zzz:user/george"
        }, 
        {
            "UserName": "gmj", 
            "Path": "/", 
            "CreateDate": "2015-10-14T22:21:17Z", 
            "UserId": "xxxAIOW2BLABYLSLBOyyy", 
            "Arn": "arn:aws:iam::zzz852060zzz:user/gmj"
        }
    ]
}

1.9 DONE list objects in a bucket, versions, and copy an older version to the current name

I’ve created an S3 bucket called port111.com-org and placed a single file, george.org, in it. Versioning is turned on for the bucket. The commands below list the objects in the bucket, list the versions (output omitted) and copy a specific version of george.org to bar.org.

george@octo github.com $ aws s3api list-objects --bucket port111.com-org
{
    "CommonPrefixes": [], 
    "Contents": [
        {
            "LastModified": "2015-10-24T12:32:57.000Z", 
            "ETag": "\"8b911a67d3bc10d617e7b0295e95b70d\"", 
            "StorageClass": "STANDARD", 
            "Key": "george.org", 
            "Owner": {
                "DisplayName": "gmj", 
                "ID": "b640606004e307d81b7227699470f08f3ca828698f7e3875173115b886ec9224"
            }, 
            "Size": 57061
        }
    ]
}
george@octo github.com $ aws s3api list-object-versions --bucket port111.com-org
.
.
.


$ aws s3api copy-object --bucket port111.com-org --copy-source port111.com-org/george.org?versionId=UoFiJ.2kprX7K8myCVgCZf3CJr2k0O2P --key bar.org
{
    "CopySourceVersionId": "UoFiJ.2kprX7K8myCVgCZf3CJr2k0O2P", 
    "CopyObjectResult": {
        "LastModified": "2015-10-25T09:45:16.000Z", 
        "ETag": "\"83f36e9186453794c3c20f3f6125b797\""
    }, 
    "VersionId": "uXbcrYX20otfsat7705EwxtXv6DTxfhE"
}
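
An added example (not from the talk, and not the CLI’s own code) that automates choosing which version to feed to copy-object: it reads list-object-versions output and returns a copy-source string in the bucket/key?versionId=... form used above, picking the version before the current one after an overwrite, or the newest real version after a delete (in a versioned bucket a delete only adds a delete marker on top). The listing and the version IDs are constructed.

```python
import json

def restore_source(bucket, key, versions_json):
    """Pick the version of `key` to restore from `aws s3api list-object-versions`
    output and return the --copy-source string `bucket/key?versionId=...`.
    Rules: if the current entry is a delete marker (the file was "deleted"),
    restore the newest real version beneath it; otherwise restore the version
    just before the current one (undoing the last overwrite). Returns None
    when there is nothing older to restore."""
    data = json.loads(versions_json)
    versions = [v for v in data.get("Versions", []) if v["Key"] == key]
    markers = [m for m in data.get("DeleteMarkers", []) if m["Key"] == key]
    # Newest first; LastModified is ISO-8601 UTC, so string order is time order.
    versions.sort(key=lambda v: v["LastModified"], reverse=True)
    if not versions:
        return None
    deleted = any(m["IsLatest"] for m in markers)
    if deleted:
        target = versions[0]          # newest real content under the marker
    elif len(versions) >= 2:
        target = versions[1]          # the version the last overwrite replaced
    else:
        return None                   # only one version: nothing to roll back to
    return f"{bucket}/{key}?versionId={target['VersionId']}"

def sample_listing(deleted):
    """Constructed `list-object-versions` output for the bucket above (made-up
    version IDs); with deleted=True a delete marker is the latest entry."""
    versions = [
        {"Key": "george.org", "VersionId": "v2-CONSTRUCTED", "IsLatest": not deleted,
         "LastModified": "2015-10-24T12:32:57.000Z", "Size": 57061},
        {"Key": "george.org", "VersionId": "v1-CONSTRUCTED", "IsLatest": False,
         "LastModified": "2015-10-23T10:00:00.000Z", "Size": 57000},
        {"Key": "other.org", "VersionId": "o1-CONSTRUCTED", "IsLatest": True,
         "LastModified": "2015-10-20T10:00:00.000Z", "Size": 10},
    ]
    markers = [{"Key": "george.org", "VersionId": "dm-CONSTRUCTED", "IsLatest": True,
                "LastModified": "2015-10-25T09:00:00.000Z"}] if deleted else []
    return json.dumps({"Versions": versions, "DeleteMarkers": markers})

if __name__ == "__main__":
    # After an unwanted overwrite: roll back to the previous version.
    print(restore_source("port111.com-org", "george.org", sample_listing(False)))
    # After a delete: bring back the newest real version.
    print(restore_source("port111.com-org", "george.org", sample_listing(True)))
```

Feed the returned string to aws s3api copy-object --copy-source ... --key george.org to put the chosen version back under its original name; that copy becomes a new current version, so the history stays intact.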

1.10 DONE Look at cli s3api options

Looks like the s3api is exposed via the CLI.

   $ aws s3api [TAB-TO-COMPLETE]
abort-multipart-upload                  delete-object                           get-bucket-request-payment              list-object-versions                    put-bucket-tagging 
complete-multipart-upload               delete-objects                          get-bucket-tagging                      list-parts                              put-bucket-versioning 
copy-object                             get-bucket-acl                          get-bucket-versioning                   put-bucket-acl                          put-bucket-website 
create-bucket                           get-bucket-cors                         get-bucket-website                      put-bucket-cors                         put-object 
create-multipart-upload                 get-bucket-lifecycle                    get-object                              put-bucket-lifecycle                    put-object-acl 
delete-bucket                           get-bucket-lifecycle-configuration      get-object-acl                          put-bucket-lifecycle-configuration      restore-object 
delete-bucket-cors                      get-bucket-location                     get-object-torrent                      put-bucket-logging                      upload-part 
delete-bucket-lifecycle                 get-bucket-logging                      head-bucket                             put-bucket-notification                 upload-part-copy 
delete-bucket-policy                    get-bucket-notification                 head-object                             put-bucket-notification-configuration   wait
delete-bucket-replication               get-bucket-notification-configuration   list-buckets                            put-bucket-policy                       
delete-bucket-tagging                   get-bucket-policy                       list-multipart-uploads                  put-bucket-replication                  
delete-bucket-website                   get-bucket-replication                  list-objects                            put-bucket-request-payment

1.11 DONE Test static web hosting of this writeup

1.12 TODO Pick up here next

Video at 21:30 (https://youtu.be/uc1Q0XCcCv4?t=1290): Anomaly Detection

[5/6] Write up some possible stuff to talk about during Emacs Chat 2015-10-14

SCHEDULED: <2015-10-10 Sat>

[2015-10-10 Sat 08:13]

The raw source for this file is here: https://github.com/eludom/.emacs.d/blob/master/project/emacs-project.org

What
Possible stuff to talk about during Emacs Chat 2015-10-14, mostly things I’ve done in/to my configs recently
Why
I think some of it might be interesting to others, I’m pretty sure I’ll get useful feedback, I’m not very good at talking extemporaneously, sometimes sharing things live creates problems (things you did not mean to share), org mode (and git) work pretty well to organize and share config snippets.
How
Mostly links to git commit/diffs of my emacs configs
When
Posted online now <2015-10-10 Sat>, possible fodder for discussion at 2015-10-14 emacs chat https://plus.google.com/u/0/events/cav8n9cv887nfjdtog483flar2c
Who
Anybody that shows up to the chat or cares to read this info.
Caveat
After ~36 years of using various emacsen I’m still a piker…

1 DONE org-babel-git-utils.org

What
Move all the things into .git. The actions listed below will currently do the following:

  • find all repos under BASEDIR
  • list the remotes (or lack of them) for each repo
  • Add .dir-locals.el to each repo for use with https://github.com/ryuslash/git-auto-commit-mode
  • Find recently modified files (last RECENT days) that are not in a git repo or not in a directory listed to be ignored (IGNOREDIRS)
  • List the need to push or pull repos (after git fetch --all)
Why
I’m moving my existence into git. I have haphazard repos of some of my stuff spread across github, aws code commit, bare repos on shared hosting, local backup drives, and a lot of stuff that’s not in git that needs to be there. This will give me visibility and let me make decisions about where to commit stuff, what’s in now, what needs to be added, etc.
How
Org babel stuff calling git: https://github.com/eludom/org-babel-git-utils
When
Code on github now. Gitification of all the things in progress.
Who
Me.

2 DONE gmjShell function

What
function to start a shell on remote system when remote file open (tramp)
Why
I work on a lot of remote systems and need shells there quickly.
How
https://github.com/eludom/.emacs.d/commit/37139219b0e85dd6f157b3e0564b4166279cc58f#diff-6a73c0e841a9f9a9040d37f2f832b710
When
Done.
Who
Me.

3 DONE Move custom-set-variables out of ~/.emacs.d/init.el

What
Move custom-set-variables out of ~/.emacs.d/init.el
Why
I want to share most of my emacs config, but custom-set-variables keeps saving things I don’t want in public git repos.
How

Put this in ~/.emacs.d/init.el (or wherever):

; because junk I don't want to share in git keeps showing up here
(setq custom-file "~/secrets/emacs-custom.el")
(load custom-file)
When
Now.
Who
Me.

4 DONE building Emacs from src with org babel

What
Build emacs from source using org babel
Why
Things are fixed in the latest source release.
How
Org babel version https://github.com/eludom/HOWTO/blob/master/emacsFromSrc.org of Xah Lee’s http://ergoemacs.org/emacs/building_emacs_from_git_repository.html
When
As needed.
Who
Me.

5 IN-PROGRESS Pulling/installing latest org mode with babel

What
Install latest org mode from source.
Why
Because stuff is getting fixed and added all the time.
How
For now, this: https://github.com/eludom/HOWTO/blob/master/getLatestOrg.sh. In the future, an org babel version.
When
See “How”
Who
Me.

6 DONE git-autocommit

What
Make every save a git commit because, really, what changes should NOT be saved?
Why
Lightning talk from SF Emacs conference mentioned it. Thought it sounded like a good idea.
How
Do this:

  • Install git-auto-commit-mode
  • Add .dir-locals.el with this ((nil . ((eval git-auto-commit-mode 1)))) in it to directories you want to autocommit
  • Consider adding the following or similar to your .init.el (or org startup):

    (setq gac-automatically-push-p t)
    (setq gac-ask-for-summary-p t)
    (add-hook 'certain-hook 'git-auto-commit-mode)
    (setq enable-remote-dir-locals t)
    

    See How to Write a Git Commit Message for great advice on writing commit messages.

    In truth, after several days of using it, I’m not sure. I save far too often for trivial reasons (like 30 years of muscle memory and paranoia telling me I must hit ^X^S every few seconds).

    The git commit/log model seems to be geared around each commit being a minimally useful improvement that can be described briefly and thoughtfully. Autosave does not play into that model.

    The source is here https://github.com/ryuslash/git-auto-commit-mode and, tellingly, the commit history looks like it was done thoughtfully.

When
Every save.
Who
Me.