Hi folks!!!
In the previous article, we discussed AWS GuardDuty and found a way to send security incident notifications to the IT Security Team.
In this article, we follow the same approach and use an AWS Lambda function, attached to the previously created AWS CloudWatch Events rule, to collect and record the GuardDuty Findings in CloudWatch Logs.
Let's create a Lambda function, GDFCollector, which will automatically record the GuardDuty Findings in a CloudWatch Logs log group.
Task A. Create a role for Lambda (GDFLambda) such that the Lambda function can create a CloudWatch Logs log group and write logs to it.
1. Go to 'Services' -> IAM -> Policies -> Create Policy -> JSON.
2. In the editor window, define the policy as given in the image below.
Hit 'Review Policy', name the policy GDFLambdaPolicy and give it the description 'To provide Lambda the access to write in CloudWatch Logs LogGroup'.
3.1. Now go to AWS IAM -> Roles -> Create Role. Choose Lambda as the trusted entity.
3.2. Attach the policy created in the previous step.
3.3. No tags are needed; proceed and create the role.
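The policy image is not reproduced here, so the following is an added example of a least-privilege policy for this role, not the author's own policy. It assumes the log group is named GuardDutyFindings (the function's own runtime logs go to /aws/lambda/GDFLambda, which is why that group is covered too); REGION and ACCOUNT_ID are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateLogGroups",
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:*"
    },
    {
      "Sid": "WriteFindingAndRuntimeLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:GuardDutyFindings:*",
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/GDFLambda:*"
      ]
    }
  ]
}
```

Scoping the stream-level actions to the two named log groups, rather than `"Resource": "*"`, means a compromised or buggy function cannot write into (or enumerate) other teams' log groups in the account.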
Task B. Create the Lambda function (GDFLambda) that automates the record writing.
1. Go to 'Services' and click 'Lambda' under the 'Compute' heading.
2. Create a new Lambda function, GDFLambda, with the following settings:
Name - GDFLambda
Runtime - Python 3.6
Role - Choose an existing role
Existing role - GDFLambdaRole
3.1. In the previous article, we created a CloudWatch Events rule, GDFReporter. Feel free to go back to the previous post if you are starting from this article.
3.2. Go to CloudWatch -> Rules -> GDFReporter -> Actions -> Edit. Add GDFLambda as a target and update the rule.
Task C. Writing the Lambda function. There are several aspects to keep in mind while writing the function. So far, the trigger event and the trust permissions are in place.
Writing a Lambda function that writes into a CloudWatch Logs log group is an interesting task in itself. I have used the Python Boto3 SDK for it. The independent parts of my code focus on:
1. Getting the complete event from the trigger.
2. Finding the current date in terms of day, month and year. This helps in building the log group / log stream name so that records for each date are saved separately.
3. Getting the log stream name if it already exists, else creating a new log stream, and then inserting the log events with a sequence token check.
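The author's code is not reproduced on the page, so here is an added example (not the author's function) that implements the three parts above with Boto3: take the event delivered by the CloudWatch Events rule, derive a date-based log stream name, create the log group and stream if missing, and put the finding with the current upload sequence token. The log group name GuardDutyFindings, the stream naming scheme, and the `_FakeLogs` in-memory client used to run the example offline are assumptions; in Lambda, `lambda_handler` uses the real `boto3.client("logs")`, which exposes the same method names.

```python
import json
import time
from datetime import datetime, timezone

try:
    import boto3  # present in the Lambda runtime; optional for the offline demo
except ImportError:
    boto3 = None

LOG_GROUP = "GuardDutyFindings"  # assumed name, not taken from the post


def log_names(now=None):
    """Part 2: fixed log group, one log stream per UTC date (YYYY/MM/DD)."""
    now = now or datetime.now(timezone.utc)
    return LOG_GROUP, f"{now:%Y/%m/%d}"


def ensure_stream(logs, group, stream):
    """Part 3a: create group/stream if missing; return the upload sequence
    token of an existing stream (None for a brand-new one)."""
    try:
        logs.create_log_group(logGroupName=group)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass
    resp = logs.describe_log_streams(logGroupName=group, logStreamNamePrefix=stream)
    for s in resp.get("logStreams", []):
        if s["logStreamName"] == stream:
            return s.get("uploadSequenceToken")
    logs.create_log_stream(logGroupName=group, logStreamName=stream)
    return None


def record_finding(logs, event, now=None):
    """Parts 1 and 3b: store the whole trigger event as one JSON log line."""
    group, stream = log_names(now)
    token = ensure_stream(logs, group, stream)
    kwargs = {"logGroupName": group, "logStreamName": stream,
              "logEvents": [{"timestamp": int(time.time() * 1000),
                             "message": json.dumps(event, default=str)}]}
    if token:  # sequenceToken must be omitted for the first write to a stream
        kwargs["sequenceToken"] = token
    return group, stream, logs.put_log_events(**kwargs)["nextSequenceToken"]


def lambda_handler(event, context):
    """Entry point wired to the GDFReporter rule."""
    if boto3 is None:
        raise RuntimeError("boto3 is required inside Lambda")
    group, stream, _ = record_finding(boto3.client("logs"), event)
    return {"logGroup": group, "logStream": stream}


class _FakeLogs:
    """Constructed in-memory stand-in for the CloudWatch Logs client so the
    example runs offline; it mimics the token check of put_log_events."""
    class exceptions:
        class ResourceAlreadyExistsException(Exception):
            pass

        class InvalidSequenceTokenException(Exception):
            pass

    def __init__(self):
        self.groups = {}  # group -> {stream -> [events]}

    def create_log_group(self, logGroupName):
        if logGroupName in self.groups:
            raise self.exceptions.ResourceAlreadyExistsException()
        self.groups[logGroupName] = {}

    def describe_log_streams(self, logGroupName, logStreamNamePrefix=""):
        out = []
        for name, events in self.groups[logGroupName].items():
            if name.startswith(logStreamNamePrefix):
                s = {"logStreamName": name}
                if events:
                    s["uploadSequenceToken"] = str(len(events))
                out.append(s)
        return {"logStreams": out}

    def create_log_stream(self, logGroupName, logStreamName):
        self.groups[logGroupName][logStreamName] = []

    def put_log_events(self, logGroupName, logStreamName, logEvents, sequenceToken=None):
        events = self.groups[logGroupName][logStreamName]
        expected = str(len(events)) if events else None
        if sequenceToken != expected:
            raise self.exceptions.InvalidSequenceTokenException(expected)
        events.extend(logEvents)
        return {"nextSequenceToken": str(len(events))}


# Constructed, minimal CloudWatch Events envelope for a GuardDuty finding.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "source": "aws.guardduty",
                "region": "us-east-1", "detail": {"severity": 5, "type": "EXAMPLE/Finding"}}


def demo():
    """Write two findings on the same day; the second write must pick up the token."""
    logs = _FakeLogs()
    when = datetime(2019, 3, 5, tzinfo=timezone.utc)
    group, stream, _ = record_finding(logs, SAMPLE_EVENT, now=when)
    _, _, token = record_finding(logs, SAMPLE_EVENT, now=when)
    return group, stream, token, len(logs.groups[group][stream])
```

Storing the full event rather than a summary keeps the finding's `detail` intact for later search with CloudWatch Logs Insights; the sequence token handling is what keeps the second and later writes on the same day from being rejected.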
Now, to check whether the Lambda function is working properly, just generate sample findings in AWS GuardDuty as discussed in the previous article, and you will see the records arriving in the CloudWatch Logs log group, in the stream named after the current date.
This is how we can automatically save GuardDuty Findings in CloudWatch Logs. Although this is a way to stream any kind of event log into a CloudWatch Logs log group, it has certain limitations. For example, everything we have done is valid for one AWS region only. So if you have applications in multiple regions, all of these steps have to be repeated in each and every region, with a separate Lambda function per region to capture the GuardDuty Findings.
This can be done more easily with CloudFormation, AWS's Infrastructure as Code (IaC) service. There may be other options as well. Feel free to try this and think about the same.