Congratulations, you have successfully launched the AWS CloudFormation sample.
" 372 | ]]}, 373 | "mode" : "000644", 374 | "owner" : "root", 375 | "group" : "root" 376 | }, 377 | 378 | "/etc/cfn/cfn-hup.conf" : { 379 | "content" : { "Fn::Join" : ["", [ 380 | "[main]\n", 381 | "stack=", { "Ref" : "AWS::StackId" }, "\n", 382 | "region=", { "Ref" : "AWS::Region" }, "\n" 383 | ]]}, 384 | "mode" : "000400", 385 | "owner" : "root", 386 | "group" : "root" 387 | }, 388 | 389 | "/etc/cfn/hooks.d/cfn-auto-reloader.conf" : { 390 | "content": { "Fn::Join" : ["", [ 391 | "[cfn-auto-reloader-hook]\n", 392 | "triggers=post.update\n", 393 | "path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init\n", 394 | "action=/opt/aws/bin/cfn-init -v ", 395 | " --stack ", { "Ref" : "AWS::StackName" }, 396 | " --resource WebServerInstance ", 397 | " --region ", { "Ref" : "AWS::Region" }, "\n", 398 | "runas=root\n" 399 | ]]} 400 | } 401 | }, 402 | 403 | "services" : { 404 | "sysvinit" : { 405 | "httpd" : { "enabled" : "true", "ensureRunning" : "true" }, 406 | "cfn-hup" : { "enabled" : "true", "ensureRunning" : "true", 407 | "files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-reloader.conf"]} 408 | } 409 | } 410 | } 411 | } 412 | }, 413 | "Properties" : { 414 | "ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" }, 415 | { "Fn::FindInMap" : [ "AWSInstanceType2Arch", "t2.micro", "Arch" ] } ] }, 416 | "InstanceType" : "t2.micro", 417 | "Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ], 418 | "NetworkInterfaces" : [{ 419 | "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" }], 420 | "AssociatePublicIpAddress" : "true", 421 | "DeviceIndex" : "0", 422 | "DeleteOnTermination" : "true", 423 | "SubnetId" : { "Ref" : "Subnet" } 424 | }], 425 | "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [ 426 | "#!/bin/bash -xe\n", 427 | "yum update -y aws-cfn-bootstrap\n", 428 | 429 | "/opt/aws/bin/cfn-init -v ", 430 | " --stack ", { "Ref" : "AWS::StackName" }, 431 | " --resource WebServerInstance ", 432 | " --region ", { "Ref" : "AWS::Region" }, "\n", 433 | 434 | "/opt/aws/bin/cfn-signal -e $? ", 435 | " --stack ", { "Ref" : "AWS::StackName" }, 436 | " --resource WebServerInstance ", 437 | " --region ", { "Ref" : "AWS::Region" }, "\n" 438 | ]]}} 439 | }, 440 | "CreationPolicy" : { 441 | "ResourceSignal" : { 442 | "Timeout" : "PT15M" 443 | } 444 | } 445 | }, 446 | "S3TestBucket": { 447 | "DeletionPolicy" : "Delete", 448 | "Type": "AWS::S3::Bucket", 449 | "Properties": { 450 | "BucketName" : { "Fn::Join" : ["", [ "securityautomationtestbucket", { "Ref": "AWS::Region" } , "-", {"Ref" : "AWS::AccountId"} ]] }, 451 | "VersioningConfiguration" : { 452 | "Status" : "Enabled" 453 | }, 454 | "Tags" : [ 455 | {"Key" : "Name", "Value" : "SecurityAutomationTestbucket" } 456 | ] 457 | } 458 | }, 459 | "CFNUser" : { 460 | "Type" : "AWS::IAM::User", 461 | "Properties" : { 462 | "LoginProfile": { 463 | "Password": "Lab1pass123!" 464 | } 465 | } 466 | }, 467 | 468 | "CFNUserGroup" : { 469 | "Type" : "AWS::IAM::Group" 470 | }, 471 | 472 | "CFNAdminGroup" : { 473 | "Type" : "AWS::IAM::Group" 474 | }, 475 | 476 | "Users" : { 477 | "Type" : "AWS::IAM::UserToGroupAddition", 478 | "Properties" : { 479 | "GroupName": { "Ref" : "CFNUserGroup" }, 480 | "Users" : [ { "Ref" : "CFNUser" } ] 481 | } 482 | }, 483 | 484 | "Admins" : { 485 | "Type" : "AWS::IAM::UserToGroupAddition", 486 | "Properties" : { 487 | "GroupName": { "Ref" : "CFNAdminGroup" }, 488 | "Users" : [ { "Ref" : "CFNUser" } ] 489 | } 490 | }, 491 | 492 | "CFNUserPolicies" : { 493 | "Type" : "AWS::IAM::Policy", 494 | "Properties" : { 495 | "PolicyName" : "CFNUsers", 496 | "PolicyDocument" : { 497 | "Statement": [{ 498 | "Effect" : "Allow", 499 | "Action" : [ 500 | "cloudformation:Describe*", 501 | "cloudformation:List*", 502 | "cloudformation:Get*" 503 | ], 504 | "Resource" : "*" 505 | }] 506 | }, 507 | "Groups" : [{ "Ref" : "CFNUserGroup" }] 508 | } 509 | }, 510 | 511 | "CFNAdminPolicies" : { 512 | "Type" : "AWS::IAM::Policy", 513 | "Properties" : { 514 | "PolicyName" : "CFNAdmins", 515 | "PolicyDocument" : { 516 | "Statement": [{ 517 | "Effect" : "Allow", 518 | "Action" : "cloudformation:*", 519 | "Resource" : "*" 520 | }] 521 | }, 522 | "Groups" : [{ "Ref" : "CFNAdminGroup" }] 523 | } 524 | }, 525 | 526 | "CFNKeys" : { 527 | "Type" : "AWS::IAM::AccessKey", 528 | "Properties" : { 529 | "UserName" : { "Ref": "CFNUser" } 530 | } 531 | } 532 | }, 533 | 534 | "Outputs" : { 535 | "URL" : { 536 | "Value" : { "Fn::Join" : [ "", ["http://", { "Fn::GetAtt" : ["WebServerInstance", "PublicIp"] }]]}, 537 | "Description" : "Newly created application URL" 538 | } 539 | } 540 | } 541 | -------------------------------------------------------------------------------- /SID402Workshop/1_MonitoringSecEvents/templates/AutomatingSecurityEvents_StudentPolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect":"Allow", 6 | "Action":[ 7 | "ec2:*", 8 | "cloudwatch:*", 9 | "events:*", 10 | "iam:AddRoleToInstanceProfile", 11 | "iam:CreateInstanceProfile", 12 | "iam:PassRole", 13 | "iam:List*", 14 | "iam:Get*", 15 | "iam:CreatePolicy", 16 | "s3:*", 17 | "sns:*", 18 | "logs:*", 19 | "lambda:*", 20 | "cloudtrail:*", 21 | "cloudformation:*" 22 | ], 23 | "Resource":"*" 24 | }, 25 | { 26 | "Sid": "LimitedAttachmentPermissions", 27 | "Effect": "Allow", 28 | "Action": [ 29 | "iam:DetachRolePolicy", 30 | "iam:AttachRolePolicy" 31 | ], 32 | "Resource": "*", 33 | "Condition": { 34 | "ArnEquals": { 35 | "iam:PolicyArn": [ 36 | "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess", 37 | "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess" 38 | ] 39 | } 40 | } 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /SID402Workshop/1_MonitoringSecEvents/templates/CloudWatch_Alarms_for_CloudTrail_API_Activity.json: -------------------------------------------------------------------------------- 1 | { 2 | "AWSTemplateFormatVersion" : "2010-09-09", 3 | "Description" : "AWS CloudTrail API Activity Alarm Template for CloudWatch Logs", 4 | "Parameters" : { 5 | "LogGroupName" : { 6 | "Type" : "String", 7 | "Default" : "CloudTrail/DefaultLogGroup", 8 | "Description" : "Enter CloudWatch Logs log group name which is in the region where the stack is being launched. Default is CloudTrail/DefaultLogGroup" 9 | }, 10 | "Email" : { 11 | "Type" : "String", 12 | "Description" : "Email address to notify when an API activity has triggered an alarm" 13 | } 14 | }, 15 | "Resources" : { 16 | "SecurityGroupChangesMetricFilter": { 17 | "Type": "AWS::Logs::MetricFilter", 18 | "Properties": { 19 | "LogGroupName": { "Ref" : "LogGroupName" }, 20 | "FilterPattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }", 21 | "MetricTransformations": [ 22 | { 23 | "MetricNamespace": "CloudTrailMetrics", 24 | "MetricName": "SecurityGroupEventCount", 25 | "MetricValue": "1" 26 | } 27 | ] 28 | } 29 | }, 30 | "SecurityGroupChangesAlarm": { 31 | "Type": "AWS::CloudWatch::Alarm", 32 | "Properties": { 33 | "AlarmName" : "CloudTrailSecurityGroupChanges", 34 | "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Security Group.", 35 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 36 | "MetricName" : "SecurityGroupEventCount", 37 | "Namespace" : "CloudTrailMetrics", 38 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 39 | "EvaluationPeriods" : "1", 40 | "TreatMissingData" : "notBreaching", 41 | "Period" : "60", 42 | "Statistic" : "Sum", 43 | "Threshold" : "1" 44 | } 45 | }, 46 | 47 | "NetworkAclChangesMetricFilter": { 48 | "Type": "AWS::Logs::MetricFilter", 49 | "Properties": { 50 | "LogGroupName": { "Ref" : "LogGroupName" }, 51 | "FilterPattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }", 52 | "MetricTransformations": [ 53 | { 54 | "MetricNamespace": "CloudTrailMetrics", 55 | "MetricName": "NetworkAclEventCount", 56 | "MetricValue": "1" 57 | } 58 | ] 59 | } 60 | }, 61 | "NetworkAclChangesAlarm": { 62 | "Type": "AWS::CloudWatch::Alarm", 63 | "Properties": { 64 | "AlarmName" : "CloudTrailNetworkAclChanges", 65 | "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Network ACL.", 66 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 67 | "MetricName" : "NetworkAclEventCount", 68 | "Namespace" : "CloudTrailMetrics", 69 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 70 | "EvaluationPeriods" : "1", 71 | "TreatMissingData" : "notBreaching", 72 | "Period" : "60", 73 | "Statistic" : "Sum", 74 | "Threshold" : "1" 75 | } 76 | }, 77 | 78 | "GatewayChangesMetricFilter": { 79 | "Type": "AWS::Logs::MetricFilter", 80 | "Properties": { 81 | "LogGroupName": { "Ref" : "LogGroupName" }, 82 | "FilterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }", 83 | "MetricTransformations": [ 84 | { 85 | "MetricNamespace": "CloudTrailMetrics", 86 | "MetricName": "GatewayEventCount", 87 | "MetricValue": "1" 88 | } 89 | ] 90 | } 91 | }, 92 | "GatewayChangesAlarm": { 93 | "Type": "AWS::CloudWatch::Alarm", 94 | "Properties": { 95 | "AlarmName" : "CloudTrailGatewayChanges", 96 | "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway.", 97 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 98 | "MetricName" : "GatewayEventCount", 99 | "Namespace" : "CloudTrailMetrics", 100 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 101 | "EvaluationPeriods" : "1", 102 | "TreatMissingData" : "notBreaching", 103 | "Period" : "60", 104 | "Statistic" : "Sum", 105 | "Threshold" : "1" 106 | } 107 | }, 108 | 109 | "VpcChangesMetricFilter": { 110 | "Type": "AWS::Logs::MetricFilter", 111 | "Properties": { 112 | "LogGroupName": { "Ref" : "LogGroupName" }, 113 | "FilterPattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }", 114 | "MetricTransformations": [ 115 | { 116 | "MetricNamespace": "CloudTrailMetrics", 117 | "MetricName": "VpcEventCount", 118 | "MetricValue": "1" 119 | } 120 | ] 121 | } 122 | }, 123 | "VpcChangesAlarm": { 124 | "Type": "AWS::CloudWatch::Alarm", 125 | "Properties": { 126 | "AlarmName" : "CloudTrailVpcChanges", 127 | "AlarmDescription" : "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic.", 128 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 129 | "MetricName" : "VpcEventCount", 130 | "Namespace" : "CloudTrailMetrics", 131 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 132 | "EvaluationPeriods" : "1", 133 | "TreatMissingData" : "notBreaching", 134 | "Period" : "60", 135 | "Statistic" : "Sum", 136 | "Threshold" : "1" 137 | } 138 | }, 139 | 140 | "EC2InstanceChangesMetricFilter": { 141 | "Type": "AWS::Logs::MetricFilter", 142 | "Properties": { 143 | "LogGroupName": { "Ref" : "LogGroupName" }, 144 | "FilterPattern": "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }", 145 | "MetricTransformations": [ 146 | { 147 | "MetricNamespace": "CloudTrailMetrics", 148 | "MetricName": "EC2InstanceEventCount", 149 | "MetricValue": "1" 150 | } 151 | ] 152 | } 153 | }, 154 | "EC2InstanceChangesAlarm": { 155 | "Type": "AWS::CloudWatch::Alarm", 156 | "Properties": { 157 | "AlarmName" : "CloudTrailEC2InstanceChanges", 158 | "AlarmDescription" : "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance.", 159 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 160 | "MetricName" : "EC2InstanceEventCount", 161 | "Namespace" : "CloudTrailMetrics", 162 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 163 | "EvaluationPeriods" : "1", 164 | "TreatMissingData" : "notBreaching", 165 | "Period" : "60", 166 | "Statistic" : "Sum", 167 | "Threshold" : "1" 168 | } 169 | }, 170 | 171 | "EC2LargeInstanceChangesMetricFilter": { 172 | "Type": "AWS::Logs::MetricFilter", 173 | "Properties": { 174 | "LogGroupName": { "Ref" : "LogGroupName" }, 175 | "FilterPattern": "{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }", 176 | "MetricTransformations": [ 177 | { 178 | "MetricNamespace": "CloudTrailMetrics", 179 | "MetricName": "EC2LargeInstanceEventCount", 180 | "MetricValue": "1" 181 | } 182 | ] 183 | } 184 | }, 185 | "EC2LargeInstanceChangesAlarm": { 186 | "Type": "AWS::CloudWatch::Alarm", 187 | "Properties": { 188 | "AlarmName" : "CloudTrailEC2LargeInstanceChanges", 189 | "AlarmDescription" : "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x or 8x-large EC2 instance.", 190 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 191 | "MetricName" : "EC2LargeInstanceEventCount", 192 | "Namespace" : "CloudTrailMetrics", 193 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 194 | "EvaluationPeriods" : "1", 195 | "TreatMissingData" : "notBreaching", 196 | "Period" : "60", 197 | "Statistic" : "Sum", 198 | "Threshold" : "1" 199 | } 200 | }, 201 | 202 | "CloudTrailChangesMetricFilter": { 203 | "Type": "AWS::Logs::MetricFilter", 204 | "Properties": { 205 | "LogGroupName": { "Ref" : "LogGroupName" }, 206 | "FilterPattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }", 207 | "MetricTransformations": [ 208 | { 209 | "MetricNamespace": "CloudTrailMetrics", 210 | "MetricName": "CloudTrailEventCount", 211 | "MetricValue": "1" 212 | } 213 | ] 214 | } 215 | }, 216 | "CloudTrailChangesAlarm": { 217 | "Type": "AWS::CloudWatch::Alarm", 218 | "Properties": { 219 | "AlarmName" : "CloudTrailChanges", 220 | "AlarmDescription" : "Alarms when an API call is made to create, update or delete a CloudTrail trail, or to start or stop logging to a trail.", 221 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 222 | "MetricName" : "CloudTrailEventCount", 223 | "Namespace" : "CloudTrailMetrics", 224 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 225 | "EvaluationPeriods" : "1", 226 | "TreatMissingData" : "notBreaching", 227 | "Period" : "60", 228 | "Statistic" : "Sum", 229 | "Threshold" : "1" 230 | } 231 | }, 232 | 233 | 234 | "ConsoleSignInFailuresMetricFilter": { 235 | "Type": "AWS::Logs::MetricFilter", 236 | "Properties": { 237 | "LogGroupName": { "Ref" : "LogGroupName" }, 238 | "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }", 239 | "MetricTransformations": [ 240 | { 241 | "MetricNamespace": "CloudTrailMetrics", 242 | "MetricName": "ConsoleSignInFailureCount", 243 | "MetricValue": "1" 244 | } 245 | ] 246 | } 247 | }, 248 | "ConsoleSignInFailuresAlarm": { 249 | "Type": "AWS::CloudWatch::Alarm", 250 | "Properties": { 251 | "AlarmName" : "CloudTrailConsoleSignInFailures", 252 | "AlarmDescription" : "Alarms when an unauthenticated API call is made to sign into the console.", 253 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 254 | "MetricName" : "ConsoleSignInFailureCount", 255 | "Namespace" : "CloudTrailMetrics", 256 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 257 | "EvaluationPeriods" : "1", 258 | "TreatMissingData" : "notBreaching", 259 | "Period" : "60", 260 | "Statistic" : "Sum", 261 | "Threshold" : "3" 262 | } 263 | }, 264 | 265 | "AuthorizationFailuresMetricFilter": { 266 | "Type": "AWS::Logs::MetricFilter", 267 | "Properties": { 268 | "LogGroupName": { "Ref" : "LogGroupName" }, 269 | "FilterPattern": "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }", 270 | "MetricTransformations": [ 271 | { 272 | "MetricNamespace": "CloudTrailMetrics", 273 | "MetricName": "AuthorizationFailureCount", 274 | "MetricValue": "1" 275 | } 276 | ] 277 | } 278 | }, 279 | "AuthorizationFailuresAlarm": { 280 | "Type": "AWS::CloudWatch::Alarm", 281 | "Properties": { 282 | "AlarmName" : "CloudTrailAuthorizationFailures", 283 | "AlarmDescription" : "Alarms when an unauthorized API call is made.", 284 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 285 | "MetricName" : "AuthorizationFailureCount", 286 | "Namespace" : "CloudTrailMetrics", 287 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 288 | "EvaluationPeriods" : "1", 289 | "TreatMissingData" : "notBreaching", 290 | "Period" : "60", 291 | "Statistic" : "Sum", 292 | "Threshold" : "1" 293 | 294 | } 295 | }, 296 | 297 | "IAMPolicyChangesMetricFilter": { 298 | "Type": "AWS::Logs::MetricFilter", 299 | "Properties": { 300 | "LogGroupName": { "Ref" : "LogGroupName" }, 301 | "FilterPattern": "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}", 302 | "MetricTransformations": [ 303 | { 304 | "MetricNamespace": "CloudTrailMetrics", 305 | "MetricName": "IAMPolicyEventCount", 306 | "MetricValue": "1" 307 | } 308 | ] 309 | } 310 | }, 311 | "IAMPolicyChangesAlarm": { 312 | "Type": "AWS::CloudWatch::Alarm", 313 | "Properties": { 314 | "AlarmName" : "CloudTrailIAMPolicyChanges", 315 | "AlarmDescription" : "Alarms when an API call is made to change an IAM policy.", 316 | "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }], 317 | "MetricName" : "IAMPolicyEventCount", 318 | "Namespace" : "CloudTrailMetrics", 319 | "ComparisonOperator" : "GreaterThanOrEqualToThreshold", 320 | "EvaluationPeriods" : "1", 321 | "TreatMissingData" : "notBreaching", 322 | "Period" : "60", 323 | "Statistic" : "Sum", 324 | "Threshold" : "1" 325 | } 326 | }, 327 | 328 | "AlarmNotificationTopic": { 329 | "Type": "AWS::SNS::Topic", 330 | "Properties": { 331 | "Subscription": [ 332 | { 333 | "Endpoint": { "Ref": "Email" }, 334 | "Protocol": "email" 335 | } 336 | ] 337 | } 338 | } 339 | } 340 | } 341 | -------------------------------------------------------------------------------- /SID402Workshop/2_ImplementSecWithIoT/README.md: -------------------------------------------------------------------------------- 1 | ## re:Invent 2017 - SID402 2 | 3 | # Module 2 - Implementing Security with AWS IoT 4 | 5 | ### Introduction 6 | 7 | The security enhancement project at IthaCorp is in full gear and you are continuing the process of implementing controls across the four CAF Security Perspective areas; **Directive**, **Preventative**, **Detective** and **Responsive**. Unexpectedly, you are approached by the business to support the launch of IthaCorp Telemachus, a new IoT Service offering that transforms traditional cities into "smart" cities by using IoT technology to improve efficiency through device instrumentation, analytics and automation. Your role is provide assistance with the security configuration of the AWS IoT resources. This is a critical service launch for the business so you get started immediately. 8 | 9 | In this module, you will set up an environment using the AWS IoT (Internet of Things) service. You will create a simulated device (a thing) and connect it to the AWS IoT service and watch traffic flow between the device and AWS IoT. You will then enhance the security of the communication between the device and AWS IoT and, in so doing, learn more about the various security features offered by the service. 10 | 11 | ### Architecture Overview 12 | 13 |  14 | 15 | *Note: Going forward, we will use the terms device and thing interchangeably.* 16 | 17 | ### Topics covered 18 | 19 | By the end of this module, you will be able to: 20 | 21 | * Create a test AWS IoT environment using AWS CloudFormation. The environment will contain an Amazon EC2 instance running a package named [Node-RED](https://en.wikipedia.org/wiki/Node-RED). Node-RED provides a web-based interface that allows you to create message flows (i.e. sequences of transmissions). Node-RED can send these message flows using the MQTT and TLS protocols, which are used by AWS IoT. In short, Node-RED lets you simulate an AWS IoT device (a thing). 22 | 23 | * Configure Node-RED to simuilate AWS IoT device (a thing) and then test communication with the AWS IoT service. 24 | 25 | * Adjust the security permissions within AWS IoT to more tightly restrict the communication to AWS IoT. 26 | 27 | ### Prerequisites 28 | 29 | This module assumes you have a general knowledge of AWS services and that you have an AWS account with an IAM user that has full administrative privileges. Additionally, only one person should do this module in a specific AWS account in a given region. If more than one person is using the same AWS account for this module at the same time, each must use a different AWS IoT region. 30 | 31 | ### 1. Choose a Region 32 | 33 | AWS IoT is located in many [regions](http://docs.aws.amazon.com/general/latest/gr/rande.html#iot_region) across the world. We will provide shortcuts for the regions we want you to use later in this lab. As noted above, if more than one person is doing the module in the same AWS account, each person should use a different region. Please use the same region throughout the lab. 34 | 35 | **Tip** The AWS region name is always listed in the upper-right corner of the AWS Management Console, in the navigation bar. 36 | 37 | ### 2. Build the Node-RED Environment 38 | 39 | Our modules will use AWS CloudFormation to provision a web-based environment with Node-RED. Node-RED allows you to simulate an IoT device including the sending and receiving of IoT messages using the MQTT protocol. The AWS CloudFormation template will create a complete environment consisting of an Amazon VPC and an Amazon EC2 instance on which Node-RED will be installed. 40 | 41 | - __2.1.__ Sign in to the AWS management console at:3.1. Define Device (expand for details) 67 |
68 |
69 |
70 | You will now define an IoT device. A device is recognized by AWS IoT through a certificate. You will create a certificate and attach it to the device. You will also attach a policy to the device that gives the device (thing) full access to AWS IoT. Later in this module, you will configure the Node-RED with this certificate which will cause AWS IoT to recognize Node-RED as an AWS IoT device.
71 |
72 | - __3.1.1.__ Make sure you are still working in the same AWS region in which you are building the AWS CloudFormation stack.
73 |
74 | - __3.1.2.__ Select the service **AWS IoT** from the AWS Console. If you see a **Get started** button, click that.
75 |
76 | - __3.1.3.__ From the menu on the left, select **Manage**, **Things** and the click the **Register a thing** button (if there are already things listed, click the **Create** button instead).
77 |
78 | - __3.1.4.__ Enter the name `device1` and click **Create thing**. You should see a new entry as shown below.
79 |
80 | 
81 |
82 | - __3.1.5.__. On the left select **Secure**, then **Certificates**, then click **Create a certificate** and then Click **Create certificate.** You will then be presented with a page telling you the certificate has been created and given the opportunity to download four items as shown below. Continue below this picture for download instructions. **NOTE: You will not use the public key but please download it nonetheless.**
83 |
84 | 
85 |
86 | Use the top three download links to download the certificate, public key, and private key to a folder on your system. Also download the root CA from the link above the Activate button by right-clicking and saving the file as **rootCA.pem**. To clarify, you are downloading **four** separate items! Once done and verified you have the files locally saved, click **Activate** and then scroll to the bottom of the window and click **Attach a policy**.
87 |
88 | You have thus far created a device and a certificate. You will now define what the holder of the certificate (which will eventually be Node-RED running on Amazon EC2) can do.
89 |
90 | - __3.1.6.__ Click **Create new policy**.
91 |
92 | - __3.1.7.__ On the **Create a policy** page create the statement as follows:
93 |
94 | 
95 |
96 | **Name**: device1_full_access
97 |
98 | **Action**: iot:*
99 |
100 | **Resource ARN**: *
101 |
102 | **Effect**: Allow
103 |
104 | This represents a policy named device1_full_access that can perform all iot actions ( iot:* ) on all resources. In other words, the policy will grant full IoT access to any certificate to which the policy is attached.
105 |
106 | - __3.1.8.__ Select **Create**.
107 |
108 | - __3.1.9.__ From the main AWS IoT menu, select **Secure**, **Certificates.**
109 |
110 | - __3.1.10.__ Select the certificate that you created above by hovering over the certificate and checking the blue box that appears. With it checked, select the drop-down menu **Actions** and click on **Attach policy**. Then select the **device1_full_access** policy and click **Attach**. You have now attached the policy to the certificate.
111 |
112 | - __3.1.11.__ Select the drop-down menu **Actions** and click on **Attach thing** and select the thing named **device1**. Click **Attach**. You have now attached the certificate with its policy to the device. Later in this module, you will configure Node-RED with the certificate that has this policy causing, Node-RED to be recognized by AWS IoT as **device1**.
113 |
114 | - __3.1.12.__ On this AWS IoT console home page, near the bottom left click Settings. Copy the value in the **Endpoint** field and save it in a text file. You will need this value later in the module when you configure Node-RED.
115 |
3.2. Configure Node-RED (expand for details) 119 |
120 |
121 |
122 | - __3.2.1.__ By this point, the CloudFormation stack with the Node-RED Amazon EC2 instance should be complete Go to the AWS CloudFormation console, select the stack and look at the output tab. If you do not see the output tab, refresh the CloudFormation console page. You should see the following values:
123 |
124 | **HostIPAddress**: The IP address of the EC2 instance
125 |
126 | **NodeREDURL**: The URL of the EC2 instance
127 |
128 | - __3.2.2.__ Browse to the URL and you should see Node-RED appear. If you receive a timeout message or your browser pauses, the initial set up of the instance may still be taking place. In that case, just wait a minute or two and try again. Firefox users may have difficulty viewing Node-RED. If so, please try Chrome, IE, or Safari.
129 |
130 | 
131 |
132 | The interface has three sections. Going from left to right:
133 |
134 | **Nodes**: These represent actions or objects for Node-RED.
135 |
136 | **Flow Canvas**: You position nodes, configure them, and connect them on the canvas to create message flows.
137 |
138 | **Info/Debug**: The info tab will provide more details on the selected node. The debug tab will show in real time all activity for the debug nodes.
139 |
140 | Click on the **device1** tab. This will display the two flows to be tested. The first flow, **Publish time locally**, generate a binary timestamp (the Generate Timestamp node), then have that converted to a friendly date and time (the timestampToString node), and then finally print the time to the debug window (the Print time locally node). The second flow will do something similar, except you will see there is an additional output to be configured to send the message to the AWS IoT service.
141 |
142 | **First flow - Publish time locally**
143 |
144 | - __3.2.3.__ On the right side of the make sure the debug tab is selected.
145 |
146 | - __3.2.4.__ On the Generate Timestamp node for Publish time locally, click the button on the left side. This will generate the timestamp, then convert and send. You will see the message in the debug frame. Every click on the inject node (Generate Timestamp) will publish a message in the debug window. See the vertical red arrows below for clarification.
147 |
148 | 
149 |
150 | **Second flow - Single click message to AWS IoT**
151 |
152 | - __3.2.5.__ The second flow under **Single click message to AWS IoT** does two things. Like the first flow, Node-RED will print a timestamp locally. Additionally, there is also a branch flow which translates the time to JSON format (the timestampToJSON node) and then sends the message to AWS IoT (the AWS IoT node). You will see a red alert icon on the upper right corner of the AWS IoT node because some configuration information is missing.
153 |
154 | To configure the AWS IoT node, double-click it. This will bring up a window that allows you to edit the MQTT properties of the node. [MQTT](https://en.wikipedia.org/wiki/MQTT) is one of the underlying network protocols used by AWS IoT. Click the pencil icon as shown below by the red arrow.
155 |
156 | 
157 |
158 | Another window will appear on which you will enter MQTT configuration information.
159 |
160 | On the Connection tab, configure the following:
161 |
162 | **Server**: Endpoint value that you copied earlier
163 |
164 | **Port**: 8883 (Make sure you use this value otherwise your messages will not go through!)
165 |
166 | **Client ID**: device1
167 |
168 | Now check the box named Enable Secure SSL/TLS communication. The window should like similar to that shown below.
169 |
170 | 
171 |
172 | - __3.2.6.__ Click the pencil next to the Add new tls-config dropdown as shown by the red arrow above. A new window will appear as shown below.
173 |
174 | 
175 |
176 | - __3.2.7.__ On the Add new-tls-config screen, make sure the **Use key and certificates from local files** is deselected (which would cause Node-RED to use files on the Node-RED instance itself), and instead select the Upload button for each and navigate to the directory where the files are saved. The files will have names similar to the following:
177 |
178 | **Certificate**: c1234567-**certificate**.pem.crt
179 |
180 | **Private Key**: c1234567-**private**.pem.key (**NOTE: You must use the private key file! Do not select the public key file! You will not be uploading the public key in this lab! **)
181 |
182 | **CA Certificate**: rootCA.pem
183 |
184 | **Verify server certificate**: selected
185 |
186 | **Name**: IoT Security Lab
187 |
188 | If for some reason you forgot to download the **rootCA.pem** file earlier, you can right click on the following link, open it in a new tab and save the value into a file named **rootCA.pem**:
189 |
190 | [[rootCA.pem]](https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem)
191 |
192 | - __3.2.8.__ Then click **Add**, which will bring you back to the **Add mqtt-broker config node** window.
193 |
194 | - __3.2.9.__ From the mqtt-broker config node page, click **Add**. You will return to the **Edit mqtt out node** window.
195 |
196 | - __3.2.10.__ Enter the following information into the fields in the window.
197 |
198 | **Topic:** topic1
199 |
200 | **QoS**: 0
201 |
202 | **Name:** AWS IoT
203 |
204 | The server name will already be filled in based on the information you have provided as shown in the screen below. Later in the module, we will show how to subscribe to messages sent to **topic1** to verify communication from AWS IoT and Node-RED.
205 |
206 | 
207 |
208 | - __3.2.11.__ Click **Done** to go back to the main GUI.
209 |
210 | - __3.2.12.__ Finally, notice that the **Deploy** icon in the upper right of the GUI is red. If you do not do this, your changes will not be enabled! This means changes have been made and need to be deployed. Click on this button and the flow will be saved, validated, and ready for use. If validation succeeds, the AWS IoT node (the Node-RED Amazon EC2 instance) will connect to the AWS IoT platform. You should see a green icon with connected under the AWS IoT node, Node-RED was able to successfully connect to the AWS IoT platform. **(NOTE: If you are not seeing the connection icon showing in green, return to step 3.2.5 to reconfigure the IOT paramaters.)**
211 |
212 | - __3.2.13.__ Bring up the AWS Console in a new browser window or tab and navigate to the AWS IoT console and select **Test**. Then select Subscribe to a topic link, enter **topic1** as the topic, and finally click the Subscribe to topic button per the figure below.
213 |
214 | 
215 |
216 | The MQTT client will then appear as shown below.
217 |
218 | 
219 |
220 | - __3.2.14.__ Return to the Node-RED window. Clean out the debug window by clicking the trash can icon. Click the button to the left of the Generate Timestamp node for the Single click message to AWS IoT flow. You will see the friendly date and time posted in the debug window, but you will also see the message published in the MQTT client in the AWS Console. Notice also that the AWS IoT node continues to show that it is connected which means that the policy attached to the certificate does allow the desired communication.
221 |
222 | 
223 |
224 | - __3.2.15.__ Now return to the AWS IoT window with the MQTT client. You should see a message that was published to topic1 as shown in the figure below.
225 |
226 | 
227 |
228 | You have now done the following:
229 |
230 | * Defined an IoT device.
231 |
232 | * Created a certificate and attached a policy which has full access to AWS IoT
233 |
234 | * Launched a Node-RED instance on AWS and configured Node-RED with the certificate information from AWS IoT, thereby enabling the Node-RED instance to simulate an IoT device and communicate with AWS IoT
235 |
236 | * Captured traffic from Node-RED within AWS IoT.
237 |
238 | You will now learn how to restrict access to AWS IoT.
239 |
4.1. Create Permissions for Device Specific Topics (expand for details) 245 |
246 |
247 |
248 | Earlier in this module you created a policy for your AWS IoT certificate that was very open and allowed the holder of that certificate to publish to any IoT topic. We are now going to show you how to restrict that policy so it only allows publishing to the topic we have already created.
249 |
250 | - __4.1.1.__ Go to the main IoT console and choose **Secure**, **Policies**. You should see a policy named device1_full_acccess. Click directly on the policy name.
251 |
252 | On the top of the window you will see the policy ARN (Amazon Resource Name). It will look something like:
253 |
254 | `arn:aws:iot:us-west-2:123456789012:policy/device1_full_access`
255 |
256 | Copy the region name (`us-west-2` in the above example) and the account number (`123456789012` in the above example) to a scratch file for future use.
257 |
258 | - __4.1.2.__ Go back to the main IoT console and choose **Secure**, **Policies**. Click **Create**.
259 |
260 | Enter `device1_allow_publish` and click **Advanced mode.**
261 |
262 | - __4.1.3.__ Replace the JSON with the content below, replacing `REGION` and `ACCOUNT` with the values you copied earlier. Make sure you retain all of the colon (:) separators.
263 |
264 | ````
265 | {
266 | "Version": "2012-10-17",
267 | "Statement": [
268 | {
269 | "Effect": "Allow",
270 | "Action": [
271 | "iot:Subscribe",
272 | "iot:Connect",
273 | "iot:Receive"
274 | ],
275 | "Resource": [
276 | "*"
277 | ]
278 | },
279 | {
280 | "Effect": "Allow",
281 | "Action": [
282 | "iot:Publish"
283 | ],
284 | "Resource": [
285 | "arn:aws:iot:REGION:ACCOUNT:topic/topic1"
286 | ]
287 | }
288 | ]
289 | }
290 |
291 | ````
292 |
293 | - __4.1.4.__ Click **Create**.
294 |
295 | - __4.1.5.__ Navigate to **Secure**, **Certificates** and click on the name of your certificate. On the left menu, click **Policies**. Now select **Attach policy** under Actions and select **device1_allow_publish**. Then detach the **device1_full_access** policy from the certificate.
296 |
297 | - __4.1.6.__ Go to the IoT console and select **Test**. Subscribe to **topic1**.
298 |
299 | - __4.1.7.__ Go to the Node-RED window and generate another message under **Single click message to AWS IoT**. You should see messages continue to appear on the test window. The AWS IoT node should continue to remain connected.
300 | You have now restricted the AWS IoT device represented by Node-RED so that it can only publish to the topic named **topic1**.
301 |
302 | - __4.1.8.__ On the Node-RED window, double click on the **AWS IoT** node. Change the topic name to **topic2**. Click **Done**. Click **Deploy**.
303 |
304 | - __4.1.9.__ Generate another message under **Single click message to AWS IoT**. You should see the AWS IoT node disconnect for a few seconds as shown in the figure below. This is because you are only allowed to publish to topic **topic1**.
305 |
306 | 
307 |
2.1. Enable AWS Config (expand for details) 47 |
48 |
49 |
50 | - __2.1.1.__ On the **Services** menu, click **Config**.
51 |
52 | - __2.1.2.__ Click **Get Started** if you see a button with that text, else click
53 | **Settings**.
54 |
55 | - __2.1.3.__ Under Resource types to record, ***uncheck*** the box **Record all resources supported in this region**.
56 |
57 | - __2.1.4.__ Click inside of the **Specific types** box. A scroll box field will appear. Scroll down to the EC2 section and click **SecurityGroup**. You should see **EC2: Security Group** appear in the **Specific types** box. Click outside of the box to close the scroll box field.
58 |
59 | - __2.1.5.__ Under **Amazon S3 bucket**, select **Create a bucket**. In the **Bucket name** field, use the default name that is provided. Leave the **Prefix (optional)** text box empty. *Make sure that the Bucket Name is not already created else you will get a bucket already exist error.*
60 |
61 | - __2.1.6.__ Under **AWS Config Role**, select **Create a Role**. In the **Role name** field, use the default name that is provided.
62 |
63 | - __2.1.7.__ Click the **Next** button at the bottom right of the web page.
64 |
65 | - __2.1.8.__ On the **AWS Config Rules** page, do not select any rules. You will add a custom rule later. Click **Next**.
66 |
67 | - __2.1.9.__ On the **Review** page, click **Confirm.** After a while, you will see the **Config Dashboard** page appear.
68 |
69 | 
70 |
71 |
72 |
73 |
74 |
2.2. Create an EC2 Security Group (expand for details) 78 |
79 |
80 |
81 | - __2.2.1.__ Click the **Services** menu and select **VPC.** The **VPC Dashboard** will appear.
82 |
83 | - __2.2.2.__ On the left hand side of the window click **Security Groups**.
84 |
85 | - __2.2.3.__ Click **Create Security Group button**.
86 |
87 | - __2.2.4.__ In the **Name tag** text box, enter "SID402Module3SG". The **Group name** text box should populate automatically.
88 |
89 | - __2.2.5.__ In the Description text box, enter "Module 3 Security Group". Keep the default VPC in the **VPC** drop down list.
90 |
91 | - __2.2.6.__ Click **Yes, Create** button.
92 |
93 | - __2.2.7.__ Select the **SID402Module3SG** Security Group. Copy the group identifier which will be in the form of sg-######## to a scratch file as you will need it later.
94 |
95 | - __2.2.8.__ Click on the **Inbound Rules** tab and click the **Edit** button.
96 |
97 | - __2.2.9.__ Add the Inbound Rules. Your Inbound Rules should look like this:
98 |
99 |
2.3. Create and Run the AWS Config Rule (expand for details) 110 |
111 |
112 |
113 | - __2.3.1.__ Click on the **Services** menu and select **Config.** The AWS Config page will appear.
114 |
115 | - __2.3.2.__ On the left side of the window, click **Rules**. On the bottom of the window, you should see “*No rules. Click Add rule to create a rule”.* Go ahead and click the **Add rule** button. The **Add rule** page will appear.
116 |
117 | - __2.3.3.__ Click the **Add custom rule** button.
118 |
119 | - __2.3.4.__ In the **Name** field, enter **EC2SecurityGroup**.
120 |
121 | - __2.3.5.__ In the Description field enter “Restrict ingress ports to HTTP and
122 | HTTPS”.
123 |
124 | - __2.3.6.__ Click the **Create AWS Lambda function** link. Click **Author From
125 | Scratch** button.
126 |
127 | - __2.3.7.__ In the Name field enter **awsconfig_lambda_security_group**.
128 |
129 | - __2.3.8.__ In the **Role** field select **Create a custom role** and a new page
130 | window will appear.
131 |
132 | - __2.3.9.__ In the **IAM Role** field, select **Create new IAM Role** from the list and in the **Role Name** text box enter **awsconfig_lambda_ec2_security_group_role**.
133 |
134 | - __2.3.10.__ Click on **View Policy Document** to open the policy window and then click on the **Edit** link. Click **Ok** if a warning message appears about reading the documentation.
135 |
136 | - __2.3.11.__ In the policy window erase the existing content and enter the following:
137 |
138 | ````
139 | {
140 | "Version": "2012-10-17",
141 | "Statement": [
142 | {
143 | "Effect": "Allow",
144 | "Action": [
145 | "logs:CreateLogGroup",
146 | "logs:CreateLogStream",
147 | "logs:PutLogEvents"
148 | ],
149 | "Resource": "arn:aws:logs:*:*:*"
150 | },
151 | {
152 | "Effect": "Allow",
153 | "Action": [
154 | "config:PutEvaluations",
155 | "ec2:DescribeSecurityGroups",
156 | "ec2:AuthorizeSecurityGroupIngress",
157 | "ec2:RevokeSecurityGroupIngress"
158 | ],
159 | "Resource": "*"
160 | }
161 | ]
162 | }
163 | ````
164 |
165 | - __2.3.12.__ Click the **Allow** button. The page will close and you will return to the Lambda **Basic Information** page.
166 |
167 | - __2.3.13.__ Click **Create function**
168 |
169 | - __2.3.14.__ For Runtime select **Python 2.7**.
170 |
171 | - __2.3.15.__ For Code entry type select **Upload a .ZIP file**
172 |
173 | - __2.3.16.__ Download this file the [awsconfig_lambda_security_group.zip](https://s3-us-west-2.amazonaws.com/sid402-artifacts/lambda/awsconfig_lambda_security_group.py.zip) file and save it on your computer. Click the Upload button under Function Package and upload the file you just downloaded.
174 |
175 | - __2.3.17.__ In the Handler field enter **awsconfig_lambda_security_group.lambda_handler**.
176 |
177 | - __2.3.18.__ Leave the **Memory (MB)** field under Basic Settings field with the default value of 128.
178 |
179 | - __2.3.19.__ In the **Timeout** fields, set **min** to 1 and **sec** to 0. Lambda functions can run for a maximum of five minutes. This is particular function typically takes less than five seconds to run so allowing one minute should be more than adequate.
180 |
181 | - __2.3.20.__ For **VPC** under Network tab, accept the default value of **No VPC**.
182 |
183 | - __2.3.21.__ Click the “Save” button at the top of the page.
184 |
185 | - __2.3.22.__ You should see Python code that looks similar to what appears below. If you don’t see code, revisit the work you did in steps 14 and 15. The part of the handler name to the left of the period must match the file name.
186 |
187 | 
188 |
189 | Let’s take a look at a few things in the code. Scroll down to where you see the value **REQUIRED_PERMISSIONS**.
190 |
191 | 
192 |
193 | This is an array of desired ingress IP Permissions in the format used by the **describe_security_groups()** API call which is used later in the code. Notice that the array only contains permissions for HTTP (TCP port 80) and HTTPS (TCP port 443). It does not contain the permissions we added for SMTPS (TCP port 465) and IMAPS (TCP port 993).
194 |
195 | If the ingress permissions contain anything other than the permissions in this array, the code uses the
196 | **authorize_security_group_ingress()** and **revoke_security_group_ingress()** calls to add or remove
197 | permissions as appropriate. Therefore, we should expect that the SMTPS (TCP port 465) and IMAPS (TCP port 993) permissions should be removed when we run this function.
198 |
199 | - __2.3.23.__ On the upper right part of the page you should some text following **ARN**. Copy the text beginning with **arn:aws:lambda** all the way to the end into scratch text file or leave it in your copy/paste buffer. It should look something like this: *arn:aws:lambda:us-west-2:account number:function:awsconfig_lambda_security_group*
200 |
201 | Go back to the **AWS Config** page that should still be open to **Add custom rule**.
202 |
203 | __Note:__ If you closed the AWS Config page accidentally, then go back to the Lambda page you were just on and click **Services** and select **Config** and do steps 2.1-2.5 again and then continue below.
204 |
205 | - __2.3.24.__ In the **AWS Lambda function ARN** field, enter the **arn:aws:lambda** value that you copied in the previous step.
206 |
207 | - __2.3.25.__ For Trigger type select **Configuration changes**.
208 |
209 | - __2.3.26.__ For **Scope of changes** select the radio box for **Resources**. Click in the **Resources** text box scroll box will appear.
210 |
211 | - __2.3.27.__ Pick **EC2: SecurityGroup**. Enter the security group identifier you copied earlier (in the form of sg-########) into the **Resource identifier** field.
212 |
213 | - __2.3.28.__ In **Rule parameters**, in the **Key** field enter **debug** and in the **Value** field enter **true** to generate additional data you can look at later if you choose.
214 |
215 | - __2.3.29.__ Click **Save**. You will return to the AWS Config Rules page. Under the **Compliance** column, you will see the function has been submitted for an initial evaluation. This initial evaluation may take several minutes to complete. This same evaluation will also take place whenever the security group is changed again in the future. Click the refresh button periodically as well to update the evaluation status.
216 |
217 | 
218 |
219 | - __2.3.30.__ Once the compliance evaluation has taken place, you should see the
220 | following:
221 |
222 | 
223 |
3.1. Revisiting the VPC Security Group (expand for details) 229 |
230 |
231 |
232 | - __3.1.1.__ We will now examine the VPC security group that we had previously created to allow HTTP, HTTPS, IMAPS, and SMTPS traffic. Click the **Services** menu and select **VPC**. The **VPC Dashboard** will appear.
233 |
234 | - __3.1.2.__ On the left hand side of the window click Security Groups.
235 |
236 | - __3.1.3.__ Click the **Inbound** tab that appears below. Notice that only HTTP and HTTPS traffic are permitted as shown below.
237 |
238 | 
239 |
240 | This corresponds to the **REQUIRED_PERMISSIONS** that were configured into the Lambda function as described in step 44. The Lambda function detected the additional permissions for SMTPS (TCP port 465) and IMAPS (TCP port 993) that were present in the security group and removed them. In this case, the detection happened during the initial rule validation. If you were to modify the security group again, a
241 | compliance evaluation would be triggered which would again invoke the Lambda function and the changes would be reverted.
242 |
3.2. Using Amazon CloudWatch Logs for Verification (expand for details) 246 |
247 |
248 |
249 | - __3.2.1.__ We will now use Amazon CloudWatch Logs to see what the Lambda function did. Click the **Services** menu and select **Cloudwatch.**
250 |
251 | - __3.2.2.__ On the left side of page, select **Logs**.
252 |
253 | - __3.2.3.__ Click on the link that contains **awsconfig_lambda_security_group**.
254 |
255 | - __3.2.4.__ Under **Log Streams**, beginning with the top link, click each link until you see an entry that contains the words **revoking for** and expand the entry. You should see something similar to this. The security group values have been blacked out. This shows that the two entries for ports 993 and 465 have been removed.
256 |
257 | 
258 |
259 | - __3.2.5.__ (Optional) If have another 15 minutes remaining, modify the ingress ports of the security group as described in steps 17-24. That will trigger another evaluation of the security group configuration. After 8-13 minutes, the ingress port configuration will revert to include only HTTP (TCP port 80) and HTTPS (TCP port 443). You will be able to verify this by revisiting the security group settings.
260 |
263 | 264 | # ___VICTORY!___ 265 | 266 |
267 | 268 | ### Conclusion 269 | 270 | Congratulations! You have now successfully: 271 | 272 | 1. Enabled AWS Config 273 | 274 | 2. Uploaded a Lambda function to support a rule for AWS Config that 275 | evaluations permissions on an EC2 security group. 276 | 277 | 3. Modified the default VPC Security group to contain both compliant 278 | and noncompliant permissions 279 | 280 | 4. Enabled the AWS Config Rule and observed the results 281 | 282 | 5. Examined the activity of the Lambda function using Amazon Cloudwatch 283 | Logs. 284 | 285 | ### Clean Up 286 | 287 | ___Complete clean up at the end of the Workshop___ 288 | 289 |
1. Module 1 Clean Up (expand for details) 291 |
292 |
293 |
294 | 1. In the AWS Management Console, on the Services menu, click CloudFormation
295 | 2. select SID402-AutomatingSecurityEvents
296 | 3. click on Actions, select Delete Stack
297 | 4. click on Yes, Delete to confirm deletion
298 | 5. repeat steps 2-4 to delete the SID402-CWLforCloudTrailAPIActivity Stack
299 | 6. In the AWS Management Console, on the Services menu, click CloudWatch
300 | 7. Under Alarms, select S3 Bucket Activity
301 | 8. click on Actions, select Delete
302 | 9. click on Yes, Delete
303 | 10. In the AWS Management Console, on the Services menu, click CloudTrail
304 | 11. Open the trail that you created in this module
305 | 12. In top right, next to Logging, click on "On/Off" switch
306 | 13. Click Continue in the popup window
307 | 14. Click on the "trash can" icon to delete the trail
308 | 15. Click Delete in the popup window
309 |
2. Module 2 Clean Up (expand for details) 313 |
314 |
315 |
316 | 1. Delete the AWS CloudFormation stack you previously launched.
317 |
318 | 2. Remove all IOT configuration items (things, certificates, policies).
319 |
3. Module 3 Clean Up (expand for details) 323 |
324 |
325 |
326 | 1. Delete the IAM role "awsconfig_lambda_ec2_security_group_role".
327 |
328 | 2. Delete the AWS Config Rule "EC2SecurityGroup".
329 |
330 | 3. If AWS Config was not enabled, turn off AWS Config in Config Settings.
331 |
332 | 4. Delete the Lambda function "awsconfig_lambda_security_group".
333 |
334 | 5. Delete s3 bucket for config if created during lab: config-bucket-
7 | 8 | ## ___Welcome to the IthaCorp Cloud Engineering Team!___ 9 | 10 |
24 | 25 | # [Let the Odyssey begin!](1_MonitoringSecEvents) 26 | 27 |
28 | 29 | ## Prerequisites 30 | 31 | ### AWS Account 32 | 33 | In order to complete this workshop you'll need an AWS Account with admin access to services including Amazon EC2, Amazon VPC, AWS Identity and Access Management (IAM), Amazon Simple Storage Service (S3), AWS Lambda, and AWS IoT. 34 | 35 | The code and instructions in this workshop assume only one student is using a given AWS account at a time. If you try sharing an account with another student, you'll run into naming conflicts for certain resources. You can work around this by either using a suffix in your resource names or using distinct Regions, but the instructions do not provide details on the changes required to make this work. 36 | 37 | ### Region 38 | 39 | Choose an AWS Region to execute the workshops which support the complete set of services covered in the material including Amazon EC2, Amazon VPC, Amazon S3, AWS Lambda, Amazon VPC, AWS IoT, AWS CloudWatch and AWS CloudTrail. Use the [Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) to determine which services are available in a Region. 40 | 41 | ## Modules 42 | 43 | 1. [Monitoring Security Events in AWS](1_MonitoringSecEvents) 44 | 2. [Implementing Security with AWS IoT](2_ImplementSecWithIoT) 45 | 3. [Automating Security Remediation in AWS](3_AutoSecRemediation) 46 | --------------------------------------------------------------------------------