August 22, 2019

AWS Security Automation - MFA Compliance (Audit, Report and Auto-Remediate) - Part 3

by 4hathacker  |  in AWS SecOps at  9:10 AM

Hi folks!!!

Hope everyone's good and eager to proceed. This is the last part of the MFA Compliance setup in AWS. Feel free to visit the previous posts to follow along.



So, let's dive into the architecture flow where we left off. I have modified some aspects to give a better picture of how the flow works.
Architecture Flow:

1. A CloudWatch Events scheduled rule invokes the Lambda function at a pre-defined interval (say every 2 minutes) to check for MFA compliance.

2. The Lambda function inspects the IAM users for MFA compliance.

3, 4. Users without an MFA device are flagged by the Lambda function.

5. The Lambda function writes everything that happened during the run to its CloudWatch Logs log group.

6, 7. SNS publishes the incident to the Security Team.

Here, we have introduced an extra remediation step, which says:
"If a NON COMPLIANT IAM user is found, disable that user's console login at the earliest."
R1, R2. The Lambda function remediates the non-compliant user by disabling console login.

Lambda Code: 

The code logic was already explained in the previous post. The addition here is the remediation step, which calls the Boto3 IAM client's delete_login_profile(UserName=malicious_username) to remove the user's console password. Two things to keep in mind: this disables console sign-in only, so any access keys the user holds remain valid, and the call raises NoSuchEntity for a user who never had a console password, which the code has to tolerate.
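Here is an added example of what that Lambda looks like in full; it is written for this page and is not the code from the original post (which was shown as an image). It lists every IAM user with pagination, skips the exception list, flags users with no MFA device, deletes each offender's login profile with delete_login_profile, and publishes to SNS once, only when a check fails. The environment variable names MFA_EXCEPTION_USERS and SNS_TOPIC_ARN, the function names, and the FakeIAM stand-in with its four sample users are assumptions made for this example; the AWS clients are passed in as parameters so the logic can be run offline against the constructed fake.

```python
# Added example: MFA compliance check with console-login remediation (not the post's code).
import json
import logging
import os

try:
    import boto3  # present in the Lambda runtime; optional for offline runs
except ImportError:
    boto3 = None

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Assumed configuration, set as Lambda environment variables in the stack.
EXCEPTION_USERS = {u for u in os.environ.get("MFA_EXCEPTION_USERS", "").split(",") if u}
SNS_TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "")


def iter_users(iam):
    """Yield every IAM user name, following ListUsers pagination markers."""
    kwargs = {}
    while True:
        page = iam.list_users(**kwargs)
        for user in page["Users"]:
            yield user["UserName"]
        if not page.get("IsTruncated"):
            return
        kwargs = {"Marker": page["Marker"]}


def has_mfa(iam, username):
    """True if at least one virtual or hardware MFA device is assigned."""
    return bool(iam.list_mfa_devices(UserName=username)["MFADevices"])


def disable_console_login(iam, username):
    """Delete the login profile (console password). Returns False for an API-only
    user with no profile, where IAM raises NoSuchEntity. Access keys are untouched."""
    try:
        iam.delete_login_profile(UserName=username)
        return True
    except iam.exceptions.NoSuchEntityException:
        return False


def check_and_remediate(iam, exceptions, remediate=True):
    """One finding per user without MFA; optionally disable their console login."""
    findings = []
    for name in iter_users(iam):
        if name in exceptions:
            logger.info("skipping exception user %s", name)
            continue
        if has_mfa(iam, name):
            continue
        disabled = disable_console_login(iam, name) if remediate else False
        logger.warning("%s has no MFA device; console login disabled=%s", name, disabled)
        findings.append({"user": name, "console_login_disabled": disabled})
    return findings


def lambda_handler(event, context):
    """Entry point: check, remediate, and notify only when something was found."""
    findings = check_and_remediate(boto3.client("iam"), EXCEPTION_USERS)
    if findings:
        boto3.client("sns").publish(TopicArn=SNS_TOPIC_ARN,
                                    Subject="MFA compliance failure",
                                    Message=json.dumps(findings, indent=2))
    return {"non_compliant": findings}


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client (sample data, not real AWS)."""
    class exceptions:  # mirrors boto3's client.exceptions namespace
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users, mfa_users, login_profiles):
        self.users = list(users)
        self.mfa_users = set(mfa_users)
        self.login_profiles = set(login_profiles)

    def list_users(self, Marker="0", MaxItems=2):  # small pages to exercise pagination
        start = int(Marker)
        chunk = self.users[start:start + MaxItems]
        page = {"Users": [{"UserName": u} for u in chunk],
                "IsTruncated": start + MaxItems < len(self.users)}
        if page["IsTruncated"]:
            page["Marker"] = str(start + MaxItems)
        return page

    def list_mfa_devices(self, UserName):
        devices = [{"SerialNumber": f"arn:aws:iam::123456789012:mfa/{UserName}"}]
        return {"MFADevices": devices if UserName in self.mfa_users else []}

    def delete_login_profile(self, UserName):
        if UserName not in self.login_profiles:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.login_profiles.discard(UserName)
```

To run it offline, construct FakeIAM(["alice", "bob", "carol", "dave"], {"alice"}, {"alice", "bob", "carol"}) and call check_and_remediate(fake, {"carol"}): bob's login profile is deleted, carol is skipped as the exception, and dave is reported with console_login_disabled set to False because an API-only user has no profile to delete. Two points the flow description glosses over are visible here: ListUsers is paginated, so a check that reads only the first page silently misses users in a large account, and DeleteLoginProfile removes the console password only, so access keys belonging to a non-compliant user stay valid until handled separately.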


Deployment Strategy:

As mentioned in the previous post, we will not follow the traditional manual approach of setting everything up in the AWS account by hand. Instead, we operate this as Infrastructure as Code (IaC). The following setup is easy to manage with the AWS IaC service, CloudFormation.

Let's create a template that declares all the resources. Given the architecture, the resources required are:

1. Lambda Function - "SecOpsRemediationUWM"

2. IAM Role attached to the Lambda Function - "SecOpsRemediationUWMRole"

3. CloudWatch Events Scheduled Rule that targets the function - "SecOpsRemediationUWMScheduleTarget"

4. Lambda Permission allowing the CloudWatch rule to invoke the function - "SecOpsUWMInvokeLambdaPermission"
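As an added example (not the template from the original post, which was shown as an image), the following Python builds those four resources as a CloudFormation template in JSON and adds a small check that the role's inline policy grants nothing service-wide. The logical IDs are the ones listed above; the S3 key, handler module name, runtime, environment variable names and the constructed SNS topic ARN are assumptions made for this example.

```python
# Added example: build the CloudFormation template for the four resources (not the post's).
import json

# Assumed names: the bucket is the one the post creates; key, handler module
# and runtime are assumptions for this example.
CODE_BUCKET = "secopsremediationlambdas"
CODE_KEY = "SecOpsRemediationUWM.zip"
HANDLER = "secops_remediation_uwm.lambda_handler"  # <file without .py>.<function>
RUNTIME = "python3.12"


def build_template(sns_topic_arn, schedule="rate(2 minutes)", exception_users=""):
    """Return the stack as a dict; json.dumps() gives a valid CloudFormation template."""
    users_arn = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/*"}
    logs_arn = {"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:"
                           "log-group:/aws/lambda/SecOpsRemediationUWM:*"}
    role = {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]},
            # Least privilege: exactly the calls the function makes, nothing service-wide.
            "Policies": [{"PolicyName": "SecOpsRemediationUWMPolicy", "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
                    {"Effect": "Allow", "Resource": users_arn,
                     "Action": ["iam:ListMFADevices", "iam:DeleteLoginProfile"]},
                    {"Effect": "Allow", "Action": "sns:Publish", "Resource": sns_topic_arn},
                    {"Effect": "Allow", "Resource": logs_arn,
                     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
                ]}}],
        },
    }
    env = {"SNS_TOPIC_ARN": sns_topic_arn}
    if exception_users:  # comma-separated user names the check must skip
        env["MFA_EXCEPTION_USERS"] = exception_users
    function = {
        "Type": "AWS::Lambda::Function",
        "Properties": {
            "FunctionName": "SecOpsRemediationUWM",
            "Handler": HANDLER, "Runtime": RUNTIME, "Timeout": 60,
            "Role": {"Fn::GetAtt": ["SecOpsRemediationUWMRole", "Arn"]},
            "Code": {"S3Bucket": CODE_BUCKET, "S3Key": CODE_KEY},
            "Environment": {"Variables": env},
        },
    }
    rule = {
        "Type": "AWS::Events::Rule",
        "Properties": {
            "ScheduleExpression": schedule,  # change this to alter the check interval
            "State": "ENABLED",
            "Targets": [{"Id": "SecOpsRemediationUWMTarget",
                         "Arn": {"Fn::GetAtt": ["SecOpsRemediationUWM", "Arn"]}}],
        },
    }
    permission = {  # lets this rule, and only this rule, invoke the function
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "Action": "lambda:InvokeFunction",
            "FunctionName": {"Ref": "SecOpsRemediationUWM"},
            "Principal": "events.amazonaws.com",
            "SourceArn": {"Fn::GetAtt": ["SecOpsRemediationUWMScheduleTarget", "Arn"]},
        },
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Scheduled MFA compliance check with console-login remediation",
        "Resources": {
            "SecOpsRemediationUWMRole": role,
            "SecOpsRemediationUWM": function,
            "SecOpsRemediationUWMScheduleTarget": rule,
            "SecOpsUWMInvokeLambdaPermission": permission,
        },
    }


def wildcard_actions(template):
    """Actions in any role's inline policies that grant a whole service ('iam:*') or '*'."""
    found = []
    for res in template["Resources"].values():
        if res["Type"] != "AWS::IAM::Role":
            continue
        for policy in res["Properties"].get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                actions = stmt["Action"]
                for action in ([actions] if isinstance(actions, str) else actions):
                    if action == "*" or action.endswith(":*"):
                        found.append(action)
    return found


if __name__ == "__main__":
    tpl = build_template("arn:aws:sns:us-east-1:123456789012:SecOpsMFA")  # constructed ARN
    assert not wildcard_actions(tpl), "role is broader than the function needs"
    print(json.dumps(tpl, indent=2))  # redirect to template.json for create-stack
```

Run it with python3 build_template.py > template.json, then create the stack with aws cloudformation create-stack --stack-name SecOpsRemediationUWM --template-body file://template.json --capabilities CAPABILITY_IAM; the capability flag is required because the template creates an IAM role. The role's policy is deliberately narrow: ListUsers needs Resource "*", but ListMFADevices and DeleteLoginProfile are scoped to the account's users and sns:Publish to the one topic, which is the kind of limited permission set the Security Constraints at the end of the post ask for. The 60-second timeout is an assumption; an account with many users may need more.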


Final Deployment:

1. Create an SNS topic and confirm the pending email subscription with a valid address. Remember to update the SNS topic ARN in the Lambda code.

2. Zip the Lambda code. The Python file name inside the zip must match the module part of the Handler property in the CloudFormation template (Handler is written as <file>.<function>).

3. Create an S3 bucket named "secopsremediationlambdas" and upload the zip file. Bucket names are global, so pick your own name and update the template if this one is taken, and the bucket must be in the same region as the Lambda function.

4. After the upload, run the command to create a CloudFormation stack from the template. (Refer to the last command in the image below.) Since the template creates an IAM role, create-stack must be passed --capabilities CAPABILITY_IAM.



Compliance Testing:

We created four IAM users to test the scenario.


When the CloudFormation deployment completes, logs start appearing in the CloudWatch Logs log group associated with our Lambda function. Notice that only the non-compliant ("malicious") user had console login disabled by our script, while the exception user was left untouched. The compliance check runs every 2 minutes (adjustable in the CloudFormation template), but the notification is sent to the Security Team only when a check finds a non-compliant user.



After completing the test, delete the CloudFormation stack so you are not charged for the resources. The S3 bucket and the SNS topic were created outside the stack, so delete those separately.



Scope Of Improvement:

1. Use the "logging" module to get well-defined logs out of the Lambda execution.
2. Create the SNS topic and subscription within the CloudFormation stack itself.
3. Use DynamoDB to manage the exception list if it is large or changes often.

Security Constraints:

1. Do not attach broad managed policies (full EC2 access, administrator access) to the Lambda function's role for a production deployment. See the limited permissions defined in SecOpsRemediationUWMRole: the function needs only to list users and MFA devices, delete login profiles, publish to one SNS topic, and write its logs.
2. Test thoroughly before deploying the Lambda function; a bug in the remediation path locks legitimate users out of the console.
3. Use CloudFormation Change Sets for any future changes to this architecture.

We have seen how AWS CloudFormation lets us deploy the architecture from a reusable template. In upcoming posts, we will look at AWS Config and Compliance as Code using AWS Lambda and related services.
