This sample demonstrates how to deploy a solution that automatically isolates Amazon EC2 instances that behave suspiciously.
Amazon VPC provides Security Groups, which control inbound and outbound traffic for the resources they are attached to. When an EC2 instance is associated with a Security Group, the group acts as a stateful firewall for that instance: only traffic explicitly allowed by a rule is permitted, and everything else is dropped. Inbound rules control traffic reaching the instance, and outbound rules control traffic leaving it. The isolation action in this sample is taken by changing the Security Group of the instance that has been detected behaving suspiciously.
- Incident Response Pipeline: this component detects threats and anomalous behavior in the workload and, in turn, triggers the instance isolation process through the following services:
  - Amazon GuardDuty: the service that detects potential threats. It continuously monitors for malicious activity in AWS accounts, including on Amazon EC2 instances, and generates Findings.
  - Amazon EventBridge: the broker that forwards the payload of each GuardDuty finding to an AWS Lambda function, which executes the instance isolation actions.
  - AWS Lambda: the service that runs the code containing the business logic for isolating the EC2 instance.
- Forensic: once the AWS Lambda function has completed the isolation process, the potentially compromised instance is cut off from the internet and from the rest of the application environment, ready for investigation and forensics through AWS Systems Manager Session Manager. Session Manager relies on the SSM Agent on the instance being able to reach the Systems Manager endpoints (over the internet or through VPC interface endpoints), so the isolation Security Group's outbound rules must leave that path open, otherwise the session cannot be established.
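The isolation logic that the Lambda function in this pipeline performs, as an added example (it is not the sample's own Lambda code): the function takes the instance ID from the GuardDuty finding, creates a quarantine Security Group with no inbound and no outbound rules (or reuses one that already exists in the instance's VPC), replaces the Security Groups on every network interface of the instance with it, and records the original groups in tags so responders can restore them. The event field names follow the GuardDuty EventBridge event; the group name, the tag keys and the `FakeEc2` client used to run it offline are assumptions of this example, not part of the project.

```python
# Added example, not the sample's own Lambda code: isolate the instance named in a
# GuardDuty finding by replacing the security groups on each of its network interfaces
# with a dedicated quarantine group that has no inbound and no outbound rules. Field
# names follow the GuardDuty EventBridge event; group name, tag keys and FakeEc2 are assumed.
import json

QUARANTINE_GROUP_NAME = "guardduty-quarantine"  # hypothetical name


def instance_id_from_finding(event):
    """Instance ID from the finding, or None when the finding is not about an EC2 instance."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def get_or_create_quarantine_group(ec2, vpc_id):
    """Reuse the quarantine group in this VPC, or create it and strip its default rules."""
    found = ec2.describe_security_groups(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "group-name", "Values": [QUARANTINE_GROUP_NAME]}])["SecurityGroups"]
    if found:
        return found[0]["GroupId"]
    group_id = ec2.create_security_group(
        GroupName=QUARANTINE_GROUP_NAME, VpcId=vpc_id,
        Description="Incident response quarantine: no inbound, no outbound")["GroupId"]
    # A new security group is created with an allow-all egress rule; remove it, or the
    # "isolated" instance can still reach the internet.
    ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return group_id


def isolate_instance(event, ec2):
    """Swap the quarantine group onto every ENI of the instance; returns what was done."""
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"status": "skipped", "reason": "finding is not about an EC2 instance"}
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    group_id = get_or_create_quarantine_group(ec2, instance["VpcId"])
    previous = {}
    for eni in instance["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        previous[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        # Replace, do not append: the old groups are what let traffic in and out.
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[group_id])
    # Record the original groups on the instance so responders can restore them later
    # (tag values are capped at 256 characters; log them instead for instances with many ENIs).
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "IsolationPreviousGroups", "Value": json.dumps(previous)},
        {"Key": "IsolationFindingType", "Value": event["detail"].get("type", "unknown")}])
    return {"status": "isolated", "instanceId": instance_id,
            "quarantineGroup": group_id, "previousGroups": previous}


def lambda_handler(event, context):
    import boto3  # imported here so the module also loads where boto3 is not installed
    return isolate_instance(event, boto3.client("ec2"))


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client, covering only the calls used above."""
    def __init__(self):
        self.groups, self.tags = {}, {}
        self.enis = {"eni-0a": ["sg-web"], "eni-0b": ["sg-web", "sg-db"]}
    def describe_security_groups(self, Filters):
        want = {f["Name"]: f["Values"] for f in Filters}
        return {"SecurityGroups": [{"GroupId": gid} for gid, g in self.groups.items()
                                   if g["vpc"] in want["vpc-id"] and g["name"] in want["group-name"]]}
    def create_security_group(self, GroupName, Description, VpcId):
        gid = f"sg-quarantine{len(self.groups)}"
        self.groups[gid] = {"vpc": VpcId, "name": GroupName, "egress": ["0.0.0.0/0"]}
        return {"GroupId": gid}
    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.groups[GroupId]["egress"] = []
    def describe_instances(self, InstanceIds):
        enis = [{"NetworkInterfaceId": e, "Groups": [{"GroupId": g} for g in gs]}
                for e, gs in self.enis.items()]
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "VpcId": "vpc-0123", "NetworkInterfaces": enis}]}]}
    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.enis[NetworkInterfaceId] = list(Groups)
    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})


# Constructed finding, shaped like the GuardDuty EventBridge event this sample reacts to.
SAMPLE_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                  "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
                             "resource": {"resourceType": "Instance",
                                          "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

if __name__ == "__main__":
    print(json.dumps(isolate_instance(SAMPLE_FINDING, FakeEc2()), indent=2))
```

Two points in this design matter in practice. The allow-all egress rule that AWS adds to every new Security Group has to be revoked explicitly, otherwise the quarantined instance can still talk out. And if the forensic step relies on Session Manager through VPC interface endpoints, the quarantine group needs a single egress rule to the endpoints' Security Group on TCP 443; with the fully empty group above the SSM Agent cannot reach the service.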
- AWS CLI installed, with credentials configured; the CDK uses the same credentials.
- Create and source a Python virtualenv (macOS and Linux) and install the Python dependencies:

```bash
python3 -m venv .env
source .env/bin/activate
pip install -r requirements.txt
```

- Install the latest version of the AWS CDK CLI:

```bash
npm i -g aws-cdk
```

- Bootstrap the CDK environment in the target account and region:

```bash
cdk bootstrap
```
Make sure the AWS CDK is installed and working and that all of this project's dependencies, defined in the requirements.txt file, are installed.
Before deploying the application, note that the Amazon EventBridge rule is configured by default to trigger the AWS Lambda function on every type of Amazon GuardDuty finding. You can narrow this in /automated-ec2-isolation-for-incident-response/cdk_deploy_for_isolated_ec2/cdk_deploy_for_isolated_ec2_stack.py, in the event pattern of the `broker` object. Keep "aws.guardduty" as the `source`: that is the event source GuardDuty publishes its findings under, and a rule with any other source matches nothing. To restrict the rule to specific findings, add a `detail` filter on the finding's `type` field (and, if wanted, on `severity` or on `resource.resourceType`, so that only findings about EC2 instances reach the function). The available finding types are listed in the Amazon GuardDuty documentation.
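How the default and a narrowed event pattern differ in what they forward to the Lambda function, as an added example (not the sample's own code): the block implements the small subset of EventBridge event-pattern syntax needed here (lists of exact values, `prefix` and `numeric` matchers) and runs both patterns over constructed GuardDuty findings. The pattern dicts are the shape you would give the rule's event pattern; the finding types are real GuardDuty finding types, but the findings themselves and their severities are constructed for the example.

```python
# Added example, not the sample's own code: a matcher for the subset of EventBridge
# event-pattern syntax used here, run over constructed GuardDuty findings to show which
# of them the default rule and a narrowed rule would send to the Lambda function.
import operator

DEFAULT_PATTERN = {"source": ["aws.guardduty"]}  # the sample's default: every finding

# Narrowed pattern. The source stays "aws.guardduty" (GuardDuty publishes under that
# source; any other value matches nothing). Only findings about EC2 instances, of High
# severity (GuardDuty uses 7.0-8.9 for High) and of the listed families reach the Lambda.
NARROWED_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "resource": {"resourceType": ["Instance"]},
        "severity": [{"numeric": [">=", 7]}],
        "type": [
            {"prefix": "Backdoor:EC2/"},
            {"prefix": "CryptoCurrency:EC2/"},
            "Trojan:EC2/DNSDataExfiltration",
        ],
    },
}

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">=": operator.ge, ">": operator.gt}


def _value_matches(alternatives, value):
    """OR over the alternatives listed for one field."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "prefix" in alt:
                if isinstance(value, str) and value.startswith(alt["prefix"]):
                    return True
            elif "numeric" in alt:
                # ["op", bound, "op", bound, ...]: every (op, bound) pair must hold
                ops = alt["numeric"]
                if isinstance(value, (int, float)) and all(
                    _NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)
                ):
                    return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """AND over the pattern's fields; nested dicts are matched recursively."""
    for field, rule in pattern.items():
        if field not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[field], dict) or not matches(rule, event[field]):
                return False
        elif not _value_matches(rule, event[field]):
            return False
    return True


def finding(finding_type, severity, resource_type):
    """Constructed GuardDuty finding in its EventBridge event shape (only the fields used here)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"type": finding_type, "severity": severity,
                   "resource": {"resourceType": resource_type}},
    }


# Constructed findings: real GuardDuty finding types, illustrative severities.
FINDINGS = [
    finding("Backdoor:EC2/C&CActivity.B!DNS", 8, "Instance"),
    finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8, "Instance"),
    finding("Trojan:EC2/DNSDataExfiltration", 8, "Instance"),
    finding("UnauthorizedAccess:EC2/SSHBruteForce", 2, "Instance"),
    finding("Recon:EC2/PortProbeUnprotectedPort", 2, "Instance"),
    finding("UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", 5, "AccessKey"),
]


def routed_to_lambda(pattern, findings=FINDINGS):
    """Finding types the rule with this pattern would forward to the Lambda function."""
    return [f["detail"]["type"] for f in findings if matches(pattern, f)]


if __name__ == "__main__":
    print("default :", routed_to_lambda(DEFAULT_PATTERN))
    print("narrowed:", routed_to_lambda(NARROWED_PATTERN))
```

With the default pattern all six findings, including the one about an IAM access key, trigger the isolation function, which would then try to act on a finding that names no instance. The narrowed pattern forwards only the three High-severity EC2 findings, and a pattern whose `source` is a finding type instead of "aws.guardduty" forwards nothing at all.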
Clone the repository and change into it:

```bash
git clone https://github.com/aws-samples/automated-ec2-isolation-for-incident-response.git
cd automated-ec2-isolation-for-incident-response
```

- Run `cdk deploy` and wait for the deployment to finish successfully;
- Open the AWS Console in the region where you deployed the application;
- Launch an EC2 instance;
- Connect to your instance from your local Linux, macOS or Windows machine;
- Generate sample findings for your EC2 instance (the finding must reference the real instance ID; sample findings generated from the GuardDuty console use placeholder resource IDs).
After these steps, wait around three minutes; you should see that your SSH connection to the instance has been terminated and that the instance's Security Group has changed, isolating it.
To remove the deployed resources, open a terminal at the root of the cloned repository and run:

```bash
cdk destroy
```
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.