Appendix B: Sample Code - AWS Security Incident Response Guide


Example AWS CloudTrail Event

The following example shows that an IAM user named Alice used the AWS CLI to call the Amazon EC2 StopInstances action by using ec2-stop-instances.

{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-06T21:01:59Z",
      "eventSource": "",
      "eventName": "StopInstances",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "",
      "userAgent": "ec2-api-tools",
      "requestParameters": {
        "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
        "force": false
      },
      "responseElements": {
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-ebeaf9e2",
              "currentState": {"code": 64, "name": "stopping"},
              "previousState": {"code": 16, "name": "running"}
            }
          ]
        }
      }
    }
  ]
}

Example AWS CloudWatch Event

The following Amazon CloudWatch Events example shows that an AWS IAM user named jane-roe-test was found publicly exposed and could be abused by unauthorized users.

{
  "check-name": "Exposed Access Keys",
  "check-item-detail": {
    "Case ID": "02648f3b-e18f-4019-8d68-ce25efe080ff",
    "Usage (USD per Day)": "0",
    "User Name (IAM or Root)": "jane-roe-test",
    "Deadline": "1440453299248",
    "Access Key ID": "AKIAIOSFODNN7EXAMPLE",
    "Time Updated": "1440021299248",
    "Fraud Type": "Exposed",
    "Location": ""
  },
  "status": "ERROR",
  "resource_id": "",
  "uuid": "cce6d28f-e44b-4e61-aba1-5b4af96a0f59"
}
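As an added example (not part of the guide), the following Python triages the two event shapes shown above: it reduces a CloudTrail record to who/what/when/where plus the per-instance state change, and turns a Trusted Advisor "Exposed Access Keys" event into a containment work item, converting its epoch-millisecond timestamps and building the first containment command (deactivating the key, which keeps its CloudTrail history attributable). The sample inputs are constructed copies of the events above, abridged but with the same field names.

```python
import json
from datetime import datetime, timezone

# Constructed inputs modelled on the two events above (abridged; field names unchanged).
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [{
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                     "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID"},
    "eventTime": "2014-03-06T21:01:59Z", "eventName": "StopInstances",
    "awsRegion": "us-east-2", "sourceIPAddress": "", "userAgent": "ec2-api-tools",
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-ebeaf9e2", "currentState": {"code": 64, "name": "stopping"},
         "previousState": {"code": 16, "name": "running"}}]}}}]})
EXPOSED_KEY_SAMPLE = json.dumps({
    "check-name": "Exposed Access Keys", "status": "ERROR",
    "check-item-detail": {"User Name (IAM or Root)": "jane-roe-test", "Fraud Type": "Exposed",
                          "Access Key ID": "AKIAIOSFODNN7EXAMPLE",
                          "Time Updated": "1440021299248", "Deadline": "1440453299248"}})

def triage_cloudtrail(raw):
    """Reduce each record to who / what / when / from where, plus the state change per instance."""
    out = []
    for rec in json.loads(raw)["Records"]:
        ident = rec.get("userIdentity", {})
        items = ((rec.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        out.append({
            "who": ident.get("arn"), "access_key_id": ident.get("accessKeyId"),
            "what": rec["eventName"], "when": rec["eventTime"], "region": rec["awsRegion"],
            "source_ip": rec.get("sourceIPAddress") or "unknown",  # blank in the sample: flag it
            "changes": {i["instanceId"]: (i["previousState"]["name"], i["currentState"]["name"])
                        for i in items},
        })
    return out

def ms_epoch_to_utc(ms):
    """Trusted Advisor timestamps are epoch milliseconds carried as strings."""
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).isoformat()

def triage_exposed_key(raw):
    """Turn an 'Exposed Access Keys' event into a containment work item for the responder."""
    ev = json.loads(raw)
    if ev.get("check-name") != "Exposed Access Keys" or ev.get("status") != "ERROR":
        return None                                   # not a finding that needs a response
    d = ev["check-item-detail"]
    user, key = d["User Name (IAM or Root)"], d["Access Key ID"]
    return {
        "user": user, "is_root": user.lower() == "root",  # a root key needs a different playbook
        "access_key_id": key, "fraud_type": d.get("Fraud Type"),
        "updated": ms_epoch_to_utc(d["Time Updated"]), "deadline": ms_epoch_to_utc(d["Deadline"]),
        "contain": f"aws iam update-access-key --user-name {user} --access-key-id {key} --status Inactive",
    }
```

The "contain" string deactivates the key rather than deleting it, so later CloudTrail lookups by access key ID still resolve to the user.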

Example Infrastructure Domain CLI Activities

The following AWS CLI commands show an example of responding to an event within the infrastructure domain. This example uses the AWS APIs to perform many of the initial incident response activities described in this paper.

# Anomaly detected on IP X.X.X.X. Capture that instance's metadata
aws ec2 describe-instances --filters "Name=ip-address,Values=X.X.X.X"

# Protect that instance from accidental termination
aws ec2 modify-instance-attribute --instance-id i-abcd1234 --attribute disableApiTermination --value true

# Switch the EC2 instance's Security Group to a restricted Security Group
aws ec2 modify-instance-attribute --instance-id i-abcd1234 --groups sg-a1b2c3d4

# Detach from the Auto Scaling Group (the decrement flag is required; keeping the desired capacity lets the group launch a replacement)
aws autoscaling detach-instances --instance-ids i-abcd1234 --auto-scaling-group-name web-asg --no-should-decrement-desired-capacity

# Deregister the instance from the Elastic Load Balancer
aws elb deregister-instances-from-load-balancer --instances i-abcd1234 --load-balancer-name web-load-balancer

# Create an EBS snapshot
aws ec2 create-snapshot --volume-id vol-12xxxx78 --description "ResponderName-Date-REFERENCE-ID"

# Create a new EC2 instance from the Forensic Workstation AMI
aws ec2 run-instances --image-id ami-4n6x4n6x --count 1 --instance-type c4.8xlarge --key-name forensicPublicKey --security-group-ids sg-1a2b3c4d --subnet-id subnet-6e7f819e

# Create a new EBS volume copy from the EBS snapshot
aws ec2 create-volume --region us-east-1 --availability-zone us-east-1a --snapshot-id snap-abcd1234 --volume-type io1 --iops 10000

# Attach the volume to the forensic workstation
aws ec2 attach-volume --volume-id vol-1234abcd --instance-id i-new4n6x --device /dev/sdf

# Create a security group rule to allow the new Forensic Workstation to communicate with the contaminated instance
aws ec2 authorize-security-group-ingress --group-id sg-a1b2c3d4 --protocol tcp --port 0-65535 --source-group sg-1a2b3c4d

# Tag the contaminated instance with the ticket or reference ID
aws ec2 create-tags --resources i-abcd1234 --tags Key=Environment,Value=Quarantine:REFERENCE-ID