# TDR254: Building incident response playbooks for AWS 

This notebook is to be used in case of malicious activity inside your AWS Account. We will query CloudTrail logs via Athena form within this notebook in order to discover and mitigate malicious account activity. We'll be following best practices from the Well-Architected Framework - Security Pillar as we go through our investigation and remediation efforts.



# Setup


## Load Libraries

In order to query Athena and interact with AWS we need to load several libraries and configure our environment.


In [22]:
import boto3  # the Python SDK for AWS
import pandas as pd # Pandas is a data analysis tool for Python
import sys
pd.set_option("max_colwidth", 150) # Set maximum column width for outputs to make easier to read
!{sys.executable} -m pip install PyAthena # This libary lets us query Athena from our notebook
region='us-east-1' #Set region variable to us-east-1 for commands


You should consider upgrading via the '/home/ec2-user/anaconda3/envs/python3/bin/python -m pip install --upgrade pip' command.[0m


## Connect to Athena

Next we'll setup a connection to our Athena endpoint.


In [23]:
from pyathena import connect
conn = connect(s3_staging_dir='s3://reinforce2021-tdr254-clo-athenaqueryresultsbucket-1inggpjk2pxo7',
   region_name='us-east-1')


## Create Athena Tables

In order to query our CloudTrail logs we need to create the tables in Athena.


In [24]:
create_table = """
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
   eventversion STRING,
   useridentity STRUCT<
                  type:STRING,
                  principalid:STRING,
                  arn:STRING,
                  accountid:STRING,
                  invokedby:STRING,
                  accesskeyid:STRING,
                  userName:STRING,
   sessioncontext:STRUCT<
   attributes:STRUCT<
                  mfaauthenticated:STRING,
                  creationdate:STRING>,
   sessionissuer:STRUCT<
                  type:STRING,
                  principalId:STRING,
                  arn:STRING, 
                  accountId:STRING,
                  userName:STRING>>>,
   eventtime STRING,
   eventsource STRING,
   eventname STRING,
   awsregion STRING,
   sourceipaddress STRING,
   useragent STRING,
   errorcode STRING,
   errormessage STRING,
   requestparameters STRING,
   responseelements STRING,
   additionaleventdata STRING,
   requestid STRING,
   eventid STRING,
   resources ARRAY<STRUCT<
                  ARN:STRING,
                  accountId:STRING,
                  type:STRING>>,
   eventtype STRING,
   apiversion STRING,
   readonly STRING,
   recipientaccountid STRING,
   serviceeventdetails STRING,
   sharedeventid STRING,
   vpcendpointid STRING
   )
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://reinforce2021-cloudtrail-jerchen-20211014/AWSLogs/910003606845/CloudTrail';"""
pd.read_sql(create_table, conn)


# Investigate


## Investigation 1 

In the first investigation you have been made aware of a potential security incident in your AWS account, some suspicious behaviour has been identified by a development team due to numerous failed access attempts to different resources. At this time they can’t provide you any more details so you’ll need to do your own investigations!


### Step 1 - Discovery
As you know there are some failed access attempts a good starting point is to see what failed access attempts we have in our Amazon CloudTrail logs, the sample SQL query is included here and is in your Jupyter notebook as well.



Check what are those failed user access activities.

In [25]:
query = """
select *
from cloudtrail_logs
where sourceIPAddress in 
('54.240.193.129','10.0.0.1')
and errorMessage like '%Failed authentication%'
order by eventTime desc;
"""
results = pd.read_sql(query, conn)
results

Unnamed: 0,eventversion,useridentity,eventtime,eventsource,eventname,awsregion,sourceipaddress,useragent,errorcode,errormessage,...,requestid,eventid,resources,eventtype,apiversion,readonly,recipientaccountid,serviceeventdetails,sharedeventid,vpcendpointid
0,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU67CLVSJXEC, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=ec2_fullaccess_user, se...",2021-10-30T22:22:51Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,edf3e334-9fb3-450a-8552-9987e55e0e3f,,AwsConsoleSignIn,,False,910003606845,,,
1,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU6VJV47ANAD, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=admin_user, sessioncont...",2021-10-30T22:22:39Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,e18dbdbe-b3b2-4ddb-983f-c06d56eadea3,,AwsConsoleSignIn,,False,910003606845,,,
2,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU6QQS54AYSS, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=testuser, sessioncontex...",2021-10-30T22:22:29Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,52febd4b-28df-4ed5-90fc-f34726f36b6a,,AwsConsoleSignIn,,False,910003606845,,,
3,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU6TR5PFZSF2, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=jerchen, sessioncontext...",2021-10-30T22:14:23Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,f6f2ecb7-232d-49bb-be48-21bb5e8555c7,,AwsConsoleSignIn,,False,910003606845,,,


In [None]:
query = """
select *
from cloudtrail_logs
where errorCode  
('Client.UnauthorizedOperation','Client.InvalidPermission.NotFound','Client.OperationNotPermitted','AccessDenied')
and useridentity.arn like '%iam%'
order by eventTime desc;
"""
results = pd.read_sql(query, conn)
results

In [37]:
query = """
select *
from cloudtrail_logs
where errorMessage like '%Failed authentication%' 
and userIdentity.type = 'IAMUser'
order by eventTime desc;
"""
results = pd.read_sql(query, conn)
results


Unnamed: 0,eventversion,useridentity,eventtime,eventsource,eventname,awsregion,sourceipaddress,useragent,errorcode,errormessage,...,requestid,eventid,resources,eventtype,apiversion,readonly,recipientaccountid,serviceeventdetails,sharedeventid,vpcendpointid
0,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU67CLVSJXEC, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=ec2_fullaccess_user, se...",2021-10-30T22:22:51Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,edf3e334-9fb3-450a-8552-9987e55e0e3f,,AwsConsoleSignIn,,False,910003606845,,,
1,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU6VJV47ANAD, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=admin_user, sessioncont...",2021-10-30T22:22:39Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,e18dbdbe-b3b2-4ddb-983f-c06d56eadea3,,AwsConsoleSignIn,,False,910003606845,,,
2,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU6QQS54AYSS, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=testuser, sessioncontex...",2021-10-30T22:22:29Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,52febd4b-28df-4ed5-90fc-f34726f36b6a,,AwsConsoleSignIn,,False,910003606845,,,
3,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU6TR5PFZSF2, arn=null, accountid=910003606845, invokedby=null, accesskeyid=, username=jerchen, sessioncontext...",2021-10-30T22:14:23Z,signin.amazonaws.com,ConsoleLogin,us-east-1,54.240.193.129,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0,,Failed authentication,...,,f6f2ecb7-232d-49bb-be48-21bb5e8555c7,,AwsConsoleSignIn,,False,910003606845,,,


In [11]:
query = """
select *
from cloudtrail_logs
where errorCode in ('Client.UnauthorizedOperation','Client.InvalidPermission.NotFound','Client.OperationNotPermitted','AccessDenied')
and useridentity.arn like '%iam%'
and eventTime >= '2021-10-14T11:45:00Z'
and eventTime < '2021-10-14T11:45:30Z'
order by eventTime desc;
"""
results = pd.read_sql(query, conn)
results

Unnamed: 0,eventversion,useridentity,eventtime,eventsource,eventname,awsregion,sourceipaddress,useragent,errorcode,errormessage,...,requestid,eventid,resources,eventtype,apiversion,readonly,recipientaccountid,serviceeventdetails,sharedeventid,vpcendpointid
0,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:29Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,0MT63FNP2HXM9DVY,746c66f3-8189-44ef-b646-3bdbdfae3b62,"[{arn=arn:aws:s3:::sagemaker-studio-us-east-1-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
1,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:29Z,s3.amazonaws.com,DeleteBucket,ap-southeast-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,0MT9BFSJ657DX8HQ,efaafe54-ce44-43bb-ada2-7c4e5358c45c,"[{arn=arn:aws:s3:::sagemaker-studio-ap-southeast-2-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
2,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:27Z,s3.amazonaws.com,DeleteBucket,us-west-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,X92V1F9AQSKV2ZV3,d8095b3e-ea48-405c-9a5a-722672ff0d44,"[{arn=arn:aws:s3:::sagemaker-studio-910003606845-ng9u93sj4tf, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
3,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:26Z,s3.amazonaws.com,DeleteBucket,ap-southeast-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,6N7W5B5TY865G4E4,a3c2ca3b-24bc-470b-8670-5ee690a8ce75,"[{arn=arn:aws:s3:::sagemaker-notebook-ap-southeast-2-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
4,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:26Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,6N7KQ4RM7MQWZN01,a56d3a0c-50d9-4103-990a-6e58a9ac6ca7,"[{arn=arn:aws:s3:::sagemaker-studio-910003606845-mbuglbudgrc, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
5,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:24Z,s3.amazonaws.com,DeleteBucket,ap-southeast-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,CJMGJSKE1V7X1Z76,bd1666c1-7236-40ed-a2d2-f90498a15969,"[{arn=arn:aws:s3:::sagemaker-ap-southeast-2-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
6,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:22Z,s3.amazonaws.com,DeleteBucket,ap-southeast-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,J36JV131Z125DTWW,b0f0e955-5489-43ee-b4cb-ada59c82a224,"[{arn=arn:aws:s3:::s3-lens-dashboard-export-data-2021, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
7,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:20Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,CAV9K2ZX460JB423,fb604ec7-3cd0-42fb-8fee-05de6b72ccaf,"[{arn=arn:aws:s3:::s3-health-stack-106-bucket, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
8,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:20Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,CAV3XX7P16FCYBXN,b1f4cb45-920a-4373-9a82-3df67c3f0a1d,"[{arn=arn:aws:s3:::reinforce2021-tdr254-clo-athenaqueryresultsbucket-1inggpjk2pxo7, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
9,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:20Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,CAV7Q373DT79JFVT,6b685384-ff7e-4363-a907-014b8b988526,"[{arn=arn:aws:s3:::reinforce2021-tdr254-910003606845-us-east-1-data, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,


In [12]:
query = """
select eventTime, eventSource, eventName, errorCode, errorMessage, responseElements, awsRegion, userIdentity.arn, sourceIPAddress, userAgent
from cloudtrail_logs
where errorCode in ('Client.UnauthorizedOperation','Client.InvalidPermission.NotFound','Client.OperationNotPermitted','AccessDenied')
and useridentity.arn like '%iam%'
and eventTime >= '2021-10-14T11:45:00Z'
and eventTime < '2021-10-14T11:45:30Z'
order by eventTime desc;
"""
results = pd.read_sql(query, conn)
results

Unnamed: 0,eventTime,eventSource,eventName,errorCode,errorMessage,responseElements,awsRegion,arn,sourceIPAddress,userAgent
0,2021-10-14T11:45:29Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,ap-southeast-2,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
1,2021-10-14T11:45:29Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,us-east-1,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
2,2021-10-14T11:45:27Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,us-west-2,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
3,2021-10-14T11:45:26Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,ap-southeast-2,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
4,2021-10-14T11:45:26Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,us-east-1,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
5,2021-10-14T11:45:24Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,ap-southeast-2,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
6,2021-10-14T11:45:22Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,ap-southeast-2,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
7,2021-10-14T11:45:20Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,us-east-1,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
8,2021-10-14T11:45:20Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,us-east-1,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]
9,2021-10-14T11:45:20Z,s3.amazonaws.com,DeleteBucket,AccessDenied,Access Denied,,us-east-1,arn:aws:iam::910003606845:user/compromized_account,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100]


In [13]:
query = """
select userIdentity.arn, count(*) as total
from cloudtrail_logs
where errorCode in ('Client.UnauthorizedOperation','Client.InvalidPermission.NotFound','Client.OperationNotPermitted','AccessDenied')
and useridentity.arn like '%iam%'
and eventTime >= '2021-10-13T11:45:00Z'
and eventTime < '2021-10-15T11:45:30Z'
group by userIdentity.arn
order by total desc;
"""
results = pd.read_sql(query, conn)
results

Unnamed: 0,arn,total
0,arn:aws:iam::910003606845:user/compromized_account,51


### Step 2 - Initial investigation
Now that you have identified the potential IAM entity which has been compromised, you should do further investigations to identify what the entity has been attemping to do.



In [14]:
query = """
select *
from cloudtrail_logs
where userIdentity.arn='arn:aws:iam::910003606845:user/compromized_account'
and eventTime >= '2021-10-13T11:45:00Z'
and eventTime < '2021-10-15T11:45:30Z'
order by eventTime desc;
"""
results = pd.read_sql(query, conn)
results


Unnamed: 0,eventversion,useridentity,eventtime,eventsource,eventname,awsregion,sourceipaddress,useragent,errorcode,errormessage,...,requestid,eventid,resources,eventtype,apiversion,readonly,recipientaccountid,serviceeventdetails,sharedeventid,vpcendpointid
0,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:35Z,ec2.amazonaws.com,RunInstances,us-east-1,44.193.5.143,Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100,Client.UnauthorizedOperation,You are not authorized to perform this operation. Encoded authorization failure message: DmQwpI7iNqoHnKipUCmUtSljfdN1s_cvS4M3bQLAnd5S1MO3_RSwTQdcM...,...,4d6e5d4e-3979-444b-81fa-c13caa22152e,357ec252-30ef-4b5e-996f-97e011d2e86e,,AwsApiCall,,False,910003606845,,,
1,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:33Z,iam.amazonaws.com,CreateUser,us-east-1,44.193.5.143,Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100,AccessDenied,User: arn:aws:iam::910003606845:user/compromized_account is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::910003606845:user/...,...,d9288e4f-199a-4642-9e8c-94c430588485,b92881c7-6c00-4042-bc08-755a3421adf2,,AwsApiCall,,False,910003606845,,,
2,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:32Z,s3.amazonaws.com,DeleteBucket,ap-southeast-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,G69M3P7FSX96EBQZ,d0fb4977-ee74-4041-bec3-e20b8c8f3b54,"[{arn=arn:aws:s3:::test-s3-cloudtrail-bucket, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
3,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:32Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,G69N1TXGQM9RM5NX,97821658-bca9-4e08-b220-5b50bcb95487,"[{arn=arn:aws:s3:::tfc-ml-ai-2020, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
4,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:30Z,s3.amazonaws.com,DeleteBucket,us-west-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,GEQC1H8X6ENV7RXE,e80940d2-916d-46bd-8a4b-15752419cd18,"[{arn=arn:aws:s3:::sagemaker-studio-us-west-2-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
5,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:30Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,GEQDAFQNRR62QZF2,1192d194-f1cd-4187-991d-46ed3f026e9c,"[{arn=arn:aws:s3:::test-20200505, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
6,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:30Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,GEQ3DDZ2FS8E0X9K,2cbc989a-c5db-4ccf-90e6-a3ae7c275149,"[{arn=arn:aws:s3:::test-cost-usage-billing-report-2021, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
7,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:29Z,s3.amazonaws.com,DeleteBucket,ap-southeast-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,0MT9BFSJ657DX8HQ,efaafe54-ce44-43bb-ada2-7c4e5358c45c,"[{arn=arn:aws:s3:::sagemaker-studio-ap-southeast-2-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
8,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:29Z,s3.amazonaws.com,DeleteBucket,us-east-1,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,0MT63FNP2HXM9DVY,746c66f3-8189-44ef-b646-3bdbdfae3b62,"[{arn=arn:aws:s3:::sagemaker-studio-us-east-1-910003606845, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,
9,1.08,"{type=IAMUser, principalid=AIDA5HYDRCU62STTT5MQD, arn=arn:aws:iam::910003606845:user/compromized_account, accountid=910003606845, invokedby=null, ...",2021-10-14T11:45:27Z,s3.amazonaws.com,DeleteBucket,us-west-2,44.193.5.143,[Boto3/1.17.100 Python/3.8.11 Linux/4.14.243-194.434.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.20.100],AccessDenied,Access Denied,...,X92V1F9AQSKV2ZV3,d8095b3e-ea48-405c-9a5a-722672ff0d44,"[{arn=arn:aws:s3:::sagemaker-studio-910003606845-ng9u93sj4tf, accountid=910003606845, type=AWS::S3::Bucket}]",AwsApiCall,,False,910003606845,,,


### Step 3 - Bring it all together
Bring together the previous queries to create a single query showing the event name, AWS service, and AWS region where requests were being made to by the compromised IAM entity.



In [15]:
query = """
select eventName, count(*) as total, eventSource, awsRegion
from cloudtrail_logs
where userIdentity.arn='arn:aws:iam::910003606845:user/compromized_account'
and eventTime >= '2021-10-13T11:45:00Z'
and eventTime < '2021-10-15T11:45:30Z'
group by eventName, eventSource, awsRegion
order by total desc;
"""
results = pd.read_sql(query, conn)
results


Unnamed: 0,eventName,total,eventSource,awsRegion
0,DeleteBucket,24,s3.amazonaws.com,us-east-1
1,DeleteBucket,14,s3.amazonaws.com,ap-southeast-2
2,DeleteBucket,5,s3.amazonaws.com,us-west-2
3,DeleteBucket,4,s3.amazonaws.com,ap-southeast-1
4,ListTables,1,dynamodb.amazonaws.com,us-east-1
5,ListBuckets,1,s3.amazonaws.com,us-east-1
6,DescribeInstances,1,ec2.amazonaws.com,us-east-1
7,ListTrails,1,cloudtrail.amazonaws.com,us-east-1
8,DeleteBucket,1,s3.amazonaws.com,us-east-2
9,RunInstances,1,ec2.amazonaws.com,us-east-1


### Step 4 - Containment
Now that you have identified the potential IAM entity which has been compromised you need to perform containment activities. The first of these will be to find out what the Access Key ID is being used by the account.



In [16]:
query = """
select eventName, count(*) as total, eventSource, awsRegion
from cloudtrail_logs
where userIdentity.arn='arn:aws:iam::910003606845:user/compromized_account'
group by eventName, eventSource, awsRegion
order by total desc;
"""
results = pd.read_sql(query, conn)
results

Unnamed: 0,eventName,total,eventSource,awsRegion
0,DeleteBucket,24,s3.amazonaws.com,us-east-1
1,DeleteBucket,14,s3.amazonaws.com,ap-southeast-2
2,DeleteBucket,5,s3.amazonaws.com,us-west-2
3,DeleteBucket,4,s3.amazonaws.com,ap-southeast-1
4,ListTrails,1,cloudtrail.amazonaws.com,us-east-1
5,DescribeInstances,1,ec2.amazonaws.com,us-east-1
6,DeleteBucket,1,s3.amazonaws.com,us-east-2
7,ListTables,1,dynamodb.amazonaws.com,us-east-1
8,ListUsers,1,iam.amazonaws.com,us-east-1
9,DeleteBucket,1,s3.amazonaws.com,us-west-1


In [17]:
query = """
select useridentity.accesskeyid, count(*) as total
from cloudtrail_logs
where userIdentity.arn='arn:aws:iam::910003606845:user/compromized_account'
group by useridentity.accesskeyid
order by total desc;
"""
results = pd.read_sql(query, conn)
results



Unnamed: 0,accesskeyid,total
0,AKIA5HYDRCU6VSTSXB5G,57


In [18]:
access_key_to_deactivate='AKIA5HYDRCU6VSTSXB5G'
username='jerchen'
iam = boto3.resource('iam', region_name=region)
access_key = iam.AccessKey(username,access_key_to_deactivate)
response_status = access_key.deactivate()
status_code = response_status['ResponseMetadata']['HTTPStatusCode']
if status_code == 200:
    print('Key Disabled Successfully')
else:
    print('Key deactivation failed')


NoSuchEntityException: An error occurred (NoSuchEntity) when calling the UpdateAccessKey operation: The Access Key with id AKIA5HYDRCU6VSTSXB5G cannot be found.

In [None]:
username='USERNAME'
iam = boto3.client('iam', region_name=region)
response = iam.put_user_policy(UserName=username,PolicyName='Block',PolicyDocument='{"Version":"2012-10-17","Statement":{"Effect":"Deny","Action":"*","Resource":"*"}}')
status_code = response['ResponseMetadata']['HTTPStatusCode']
if status_code == 200:
    print('Policy attached successfully')
else:
    print('Policy attachment failed')


## Investigation 2 

In the second investigation you have been made aware of a potential security incident in your AWS account, some suspicious behaviour has been identified by an engineering team due them identifying an unknown EC2 instance during a scheduled patching event. At this time they can’t provide you any more details so you’ll need to do your own investigations!


### Step 1 - Discovery
As you know there are some suspicious EC2 instance(s) the first step is to try to identify if any instance(s) are performing suspicious activities. Sometimes this would be discovery actions, such as listing S3 buckets to try and enumerate resources in your environment, this isn’t a normal activity that you’d expect EC2 instances to be performing.



In [None]:
query = """
select useridentity.principalid,eventsource,eventname,count(*) as total
from cloudtrail_logs
where useridentity.principalid like '%:i-%'
and eventsource = 's3.amazonaws.com'
and eventname = 'ListBuckets'
group by useridentity.principalid,eventsource,eventname
order by total desc;
"""
results = pd.read_sql(query, conn)
results


### Step 2 - Initial investigation
Now that you have identified the potential IAM entity which has been compromised, you should do further investigations to identify what the entity has been attemping to do.



In [None]:
query = """

"""
results = pd.read_sql(query, conn)
results


### Step 3 - Bring it all together




In [None]:
query = """

"""
results = pd.read_sql(query, conn)
results


### Step 4 - Containment
To secure the EC2 instance for further investigation, you should place it into a new, restricted security group (rather than changing the exisiting security group as this won’t terminate active sessions), and snapshot the EBS volume for future investigation.



In [None]:
import time
instance_id='<INSTANCE_ID>'
ec2=boto3.resource('ec2')
instance=ec2.Instance(instance_id)
vpc_id=instance.vpc_id
security_group=instance.security_groups[0]['GroupId']
ec2_client=boto3.client('ec2')
response=ec2_client.create_security_group(
    GroupName='Restricted_Group',
    Description='Restricts_access',
    VpcId=vpc_id
)
restricted_sg=ec2.SecurityGroup(response['GroupId'])
response=restricted_sg.revoke_egress(
    IpPermissions=restricted_sg.ip_permissions_egress
)
response=instance.modify_attribute(Groups=[restricted_sg.id])
ebs_vol=instance.block_device_mappings[0]['Ebs']['VolumeId']
response=ec2.create_snapshot(VolumeId=ebs_vol)
time.sleep(30)
instance.terminate()
