Total Pageviews


September 4, 2019

AWS Security Automation - Public Ingress Compliance Auto-Remediation (AWS Config and Lambda) - Part 2

by 4hathacker  |  in AWS SecOps at  11:00 AM

Hi folks!!!

In the previous post, we discussed about SSH Compliance in EC2 Security Groups. Feel free to have a look at it here.

We saw, there were some limitations like, AWS Managed Rule is for SSH only, no sync between AWS Config and AWS Lambda and many more. In this post, we will try to resolve them  while implementing a setup for Custom Config Rule and few tweaks around AWS Lambda for Public Ingress remediation to all the ports instead of SSH only.
Public Ingress Compliance: If the access to instance via any port/protocol is restricted to public IP's of organization behind the firewall/proxy, this is COMPLIANT, else NON-COMPLAINT. 

Using AWS Config Custom Rules with AWS Lambda fucntion, we can check for the Public Ingress associated to the Security Groups in a regional aspect. Here the compliance check will be triggered only when there is a configuration change occurred. So, no need to configure AWS CloudWatch Scheduled Rule. The rule allowing "" or "::/0" for any port/protocol for ingress via EC2 Security Groups must be removed.


1. From "Services" drop down, select "Config" and go to AWS Config Console. Select "Rules" from the left pane.

2. From the Rules panel, select "Add rule" and then click on "Add custom rule".

3. In the panel appeared, add the "Name" and "Description" and then Click on "Create AWS Lambda function" with CTRL Key, which is present below the AWS Lambda function ARN* field.

4. Here, we will be following the same approach as earlier to create a Lambda function as "PublicIngressRemovalSecopsSGLambda" provided some basic information like, Name, Runtime, Execution role,  etc.

5. For execution role, we will be creating a new role with name as - "PIRSecOpsSGLambdaRole" with two policy templates viz. AWS Config Rules permissions and Amazon SNS publish policy. 

6. When the function is created, copy the ARN from the top left and go to the Config Console window. Paste the Lambda function here. Add trigger type as "Configuration changes", Scope as "Resources" and Resources as "EC2:SecurityGroup". Click "Save" at the bottom and proceed.

7. You can see the new rule with compliance as "Evaluating".

8. Now, go back to Lambda console, Click on SNS policy and select "Manage these permissions".

9. We will be adding an inline policy to our "PIRSecOpsSGLambdaRole" so click on add inline policy and write the policy as below. Click "Review" policy.

10. Add the name as "PIRSecopsLambdaSGPolicy" and hit "CreatePolicy".

11. You can see your policy is attached here.

"Lambda Core Logic (LCL)"

LCL-1. This is our "evaluate_compliance" function which will check around three cases:
a. If the resource is in APPLICABLE_RESOURCES, for example if you are monitoring a lot of resources via your custom config rules and you specifically want to filter "EC2:SecurityGroups" resources.
b. Check if the resource is present or deleted.
c. If not deleted, get the security group details and proceed to evaluate and remediate as we have done previously for both IPv4 and IPv6 check.

LCL-2. This is our "sns_publish" function which will report the security team about the remediation activity.

LCL-3. This is our main function - "lambda_handler" which acts as a controller here. The interesting part to note here is we will be putting the result after config evaluation to inform AWS Config. So, this Lambda function on its own is evaluating the compliance and then updating the AWS Config about the same.

Compliance Check:

1. To check if its working fine, create two security groups, 4hathackerSecOpsSG and 4hathackerSecOpsSG2 as below.

2. Post 5-6 mins, the Lambda will be automatically triggered by AWS Config, evaluate the compliance and update the security groups.

3. To analyze what happened in due course of time, check for the AWS CloudWatch Logs Log Group. It will show you how the modifications have been made by Lambda.


1. As compared to our previous, blog post where Lambda is being triggered every 2 mins this is much more efficient.

2. The sync of Lambda and AWS Config is functional here.

3. No dependency over AWS Config Managed rules. Write your own custom rule, do evaluation and update the AWS Config.

Scope Of Improvement:

1. Can use CloudFormation Templates to have an easy deployment approach.

2. Filter the ports/protocol as per your requirement. Here it is rigid for every port not allowing public ingress at all.

This is all about Security Groups and compliance management. There are a lot of things, one can try and learn for security groups compliance management. I found a visual guide for best practices from Internet2 Confluence site which is available here.

Feel free to have a look and Stay tuned for more exciting things related to AWS, Security,  and Automation...

Wondering if I will start writing with Python and Core Security... Please share your views about it in comments section...


    Things you need to know about The Global-KOS C.E.H RECOVERY COMPANY.
    Hiring a professional hacker has been one of the world most technical valued navigating information. High prolific information and Privileges comes rare as it has been understood that what people do not see, they will never know.
    This is The Global KOS hacking agency where every request concerning lost funds or hacking related issues are fixed within a short period of time.
    The crucial benefit of contacting The Global-KOS hackers is
    • ZERO TRACE: After a successful hack recovery is carried out by the Global-KOS, no active or passive attacks will be used to trace any of our hacks to our clients or our organization. One common practice that attackers employ to evade detection is to break into poorly secured systems and use those hijacked systems as proxies through which they can launch and route attacks. So in a nutshell, attackers effort on this platform are useless because our systems are protected with a vigorous firewall switching and a firm security system to prevent unauthorized bodies from tracking or modifying our network accessible resources. I.e the hacker and clients are 100% safe and anonymous.
    • REPEAT CLIENTS and SERVICES: E.g, after helping a client recover all money lost to fraudulent practices, most of this clients comes back requesting we provide the same service in disguise as a different person. We found a way to issue serial Numbers to each clients who seeks our help and services for identification purposes because we are not interested in your names nor location. But we urge that individuals shouldn't abuse this opportunities as we have provided value to you.
    However, on this platform of recovery, you will be assigned to a designated professional hacker who is systematically known for operating on a dark web protocol. The operation of these hackers is to potentially deploy a distinguished cyber security technique to retrieving back the victims stolen funds via the application of a diverse CM breacher which enables you to track the data location of a scammer and extract every data on the con database. This is achieved using the systematic courier tracking method.
    Which of the uneasy situation do you find yourself in right now?
    This shocking study points to one harsh reality we all face today. It saddens our mind when a client expresses annoyance or dissatisfaction of unethical behaviors of scammers. We have striven to make tenacious efforts to help those who are victims of this fleas get off their traumatic feeling of loss.
    The company is large enough to provide comprehensive range of services such as.
    • MOBILE PHONE HACKS.(Catching A Cheating Spouse)��

    For prolific services and info,
    ®Global KOS™

  2. Please everyone should be careful and stop being fooled by all these brokers and account managers, they scammed me over $ 140,000 of my investment capital, they kept on requesting for extra funds before a withdrawal request can be accepted and processed, in the end, I lost all my money. All efforts to reach out to their customer support desk had declined, I found it very hard to move on. God so kind I followed a broadcast that teaches on how scammed victims can recover their fund, I contacted the email provided for consultation, I got feedback after some hours and I was asked to provide all legal details concerning my investment, I did exactly what they instructed me to do without delay, to my greatest surprise I was able to recover my money back including my profit which my capital generated. I said I will not hold this to myself but share it to the public so that all scammed victims can get their funds back, you can as well hire him today by Email: or whatsapp +31685248506 Telegramm:  +31685248506

  3. A revolution in banking has been brought about by the digital era, with cryptocurrencies like Bitcoin taking center stage. But there are also risks associated with this emerging field, the most frightening of which being the possibility of losing digital assets. This is when Osecybersailing and it's team steps in like a shining knight, equipped with the formidable weapon of Bitcoin recovery. My valuable Bitcoin was stolen via a technical error, leaving me hopeless. My dreams were almost dashed by the cold reality of irreversible blockchain transactions. However, there was a ray of hope that emerged from the shadows when I came across Osecybersailing and it's team. Equipped with state-of-the-art equipment and years of experience, their team of professionals painstakingly navigated the blockchain maze, following even the smallest digital traces of my misplaced funds. The fact that my Bitcoin appeared, safe and sound, back in my wallet in a very short amount of time was a credit to their commitment and competence. It restored my faith in the security and reliability of the crypto ecosystem. But my testimony is more than just a celebration of Osecybersailing technical abilities. It also serves as a rallying cry for ethical cryptocurrency stewardship.
    If you find yourself lost in the depths of lost Bitcoin, facebook Account and Whatsapp hacking to check if your partner is cheating, then let Osecybersailing and it's team guide you towards the light of redemption.
    Facebook page: Osecybersailing
    Telegram: osecybersailing


Like Our Facebook Page

Nitin Sharma's DEV Profile
Proudly Designed by 4hathacker.