Active Notes from AWS re:Invent 2015 | (SEC308) Wrangling Security Events in The Cloud – Try this at home

These are active notes from AWS re:Invent 2015 | (SEC308) Wrangling Security Events in The Cloud. I’m re-watching the video and following along with the steps discussed in the talk and implementing them as a learning exercise.

Updates <2015-10-24 Sat>
Add bits about using CloudFormation, Templates, and CloudWatch alarms

1 Do These Things

1.1 DONE Sign up a free-tier AWS account

I set up an AWS Free Tier account to follow along and re-implement the exercises described as a learning process. https://aws.amazon.com/free/

1.2 DONE Do initial setup of non-root users using IAM

Consider this: https://alestic.com/2014/09/aws-root-password/

I did the following (basic steps, not step-by-step):

  • Created two users
    • DOWNLOAD AND SAVE THE CREDENTIALS
  • Assigned admin access policy to one of them
  • set passwords for both
  • enable access to billing for account
  • enable MFA on root account
  • Create a “users” group, assign one user to the group (for now the group “users” has admin acccess)

1.3 DONE Turn On CloudTrail

… to be continued …

1.4 DONE Stand up a wordpress blog stack with cloudformation

  • select default wordpress template
  • generate keypairs if needed
  • Fill out parameters
  • launch

1.5 DONE Turn on CloudWatchLogs

Video at 8:12 Cloud Watch Logs

1.6 DONE Using an AWS CloudFormation Template to Create CloudWatch Alarms

Do this: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/use-cloudformation-template-to-create-cloudwatch-alarms.html

to set up alerting for:

The example template defines metric filters that monitor creation and deletion of, or updates to, security groups, network ACLs, internet gateways, Amazon EC2 instances, and IAM policies. For each filter, the template describes a corresponding alarm that enables to you to receive email notifications when a call to one of the APIs being monitored by the filter is made.

See https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json for details.

This will send notifications (email, SNS, whatever) when specific events related to an account occur.

1.7 DONE Create versioned files in S3

  • Go to S3 in the console
  • Create a folder
  • Versioning
  • upload a file
  • upload a modified version of the file

1.8 DONE Install, configure and test the aws command line tools

sudo pip install awscli
complete -C aws_completer
aws configure
#    AWS Access Key ID: foo
# AWS Secret Access Key: bar
# Default region name [us-west-2]: us-east-1
# Default output format [None]:
   george@octo github.com $ aws iam list-users 
{
    "Users": [
        {
            "UserName": "george", 
            "PasswordLastUsed": "2015-10-25T08:27:03Z", 
            "CreateDate": "2015-10-14T22:21:17Z", 
            "UserId": "xxxAIPTQ2UR42GYKHUyyy", 
            "Path": "/", 
            "Arn": "arn:aws:iam::zzz852060zzz:user/george"
        }, 
        {
            "UserName": "gmj", 
            "Path": "/", 
            "CreateDate": "2015-10-14T22:21:17Z", 
            "UserId": "xxxAIOW2BLABYLSLBOyyy", 
            "Arn": "arn:aws:iam::zzz852060zzz:user/gmj"
        }
    ]
}

1.9 DONE list objects in a bucket, versions, and copy an older version to the current name

I’ve created an S3 bucket called port111.com-org and placed a signle file, george.org, in it. Versioning is turned on for the bucket. The commands below list the objects in the bucket, list the versions (output omitted) and copy a specific version of george.org to bar.org

george@octo github.com $ aws s3api list-objects --bucket port111.com-org
{
    "CommonPrefixes": [], 
    "Contents": [
        {
            "LastModified": "2015-10-24T12:32:57.000Z", 
            "ETag": "\"8b911a67d3bc10d617e7b0295e95b70d\"", 
            "StorageClass": "STANDARD", 
            "Key": "george.org", 
            "Owner": {
                "DisplayName": "gmj", 
                "ID": "b640606004e307d81b7227699470f08f3ca828698f7e3875173115b886ec9224"
            }, 
            "Size": 57061
        }
    ]
}
george@octo github.com $ aws s3api list-object-versions --bucket port111.com-org
.
.
.


$ aws s3api copy-object --bucket port111.com-org --copy-source port111.com-org/george.org?versionId=UoFiJ.2kprX7K8myCVgCZf3CJr2k0O2P --key bar.org
{
    "CopySourceVersionId": "UoFiJ.2kprX7K8myCVgCZf3CJr2k0O2P", 
    "CopyObjectResult": {
        "LastModified": "2015-10-25T09:45:16.000Z", 
        "ETag": "\"83f36e9186453794c3c20f3f6125b797\""
    }, 
    "VersionId": "uXbcrYX20otfsat7705EwxtXv6DTxfhE"
}

1.10 DONE Look at cli s3api options

Looks like the s3api is exposed via the cli

   $ aws s3api [TAB-TO-COMPLETE]
abort-multipart-upload                  delete-object                           get-bucket-request-payment              list-object-versions                    put-bucket-tagging 
complete-multipart-upload               delete-objects                          get-bucket-tagging                      list-parts                              put-bucket-versioning 
copy-object                             get-bucket-acl                          get-bucket-versioning                   put-bucket-acl                          put-bucket-website 
create-bucket                           get-bucket-cors                         get-bucket-website                      put-bucket-cors                         put-object 
create-multipart-upload                 get-bucket-lifecycle                    get-object                              put-bucket-lifecycle                    put-object-acl 
delete-bucket                           get-bucket-lifecycle-configuration      get-object-acl                          put-bucket-lifecycle-configuration      restore-object 
delete-bucket-cors                      get-bucket-location                     get-object-torrent                      put-bucket-logging                      upload-part 
delete-bucket-lifecycle                 get-bucket-logging                      head-bucket                             put-bucket-notification                 upload-part-copy 
delete-bucket-policy                    get-bucket-notification                 head-object                             put-bucket-notification-configuration   wait
delete-bucket-replication               get-bucket-notification-configuration   list-buckets                            put-bucket-policy                       
delete-bucket-tagging                   get-bucket-policy                       list-multipart-uploads                  put-bucket-replication                  
delete-bucket-website                   get-bucket-replication                  list-objects                            put-bucket-request-payment

1.11 DONE Test static web hosting hosting of this writeup

1.12 TODO Pick up here next

[[https://youtu.be/uc1Q0XCcCv4?t=1290%5D%5BVideo at 21:30] Anomaly Detection

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s