ENHANCE: Added more Lambda env variables to make it more customisable
Syed Jaffry committed Sep 1, 2018
1 parent cc8d570 commit 71c8b04
Showing 3 changed files with 37 additions and 19 deletions.
Expand Up @@ -39,10 +39,9 @@ Parameters:
Type: String
Description: Node Runtime
Default: nodejs6.10
AMIID:
AmiId:
Type: String
Description: AMI Details
Default: ami-c3d113a1
Description: AMI to use when launching the forensics instance
instanceProfile:
Type: String
Description: Instance Profile Details Details
Expand All @@ -63,7 +62,6 @@ Parameters:
lambdas3bucketsname:
Type: String
Description: Bucket name where lambda functions reside
Default: sydney-summit-incident-response
lambdas3keyname:
Type: String
Description: Key name of lambda functions in S3
Expand All @@ -76,6 +74,16 @@ Parameters:
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Ec2KeyPair:
Type: String
Description: Key pair to use in starting a new instance
OutputS3Bucket:
Type: String
Description: Name of S3 bucket where forensic analysis report will be stored
OutputS3BucketRegion:
Type: String
Description: Output S3 bucket region

Mappings: {}
Resources:
IncidentResponseStepFunction:
Expand Down Expand Up @@ -332,8 +340,10 @@ Resources:
Ref: lambdas3keyname
Environment:
Variables:
ISOLATED_SECUTRITYGROUP:
Ref: IsolatedInstanceSecurityGroup
OUTPUT_S3_BUCKETNAME:
Ref: OutputS3Bucket
OUTPUT_S3_BUCKETREGION:
Ref: OutputS3BucketRegion
Type: AWS::Lambda::Function
createRemediationStepsLambda:
Properties:
Expand Down Expand Up @@ -399,15 +409,18 @@ Resources:
Ref: lambdas3keyname
Environment:
Variables:
ISOLATED_SECUTRITYGROUP:
Ref: IsolatedInstanceSecurityGroup
FORENSIC_SECUTRITYGROUP:
Ref: InstanceSecurityGroup
AMI_ID:
Ref: AMIID
Ref: AmiId
INSTANCE_PROFILE:
Ref: instanceProfile
SUBNET_ID:
Ref: Subnet
EC2_KEYPAIR:
Ref: Ec2KeyPair
Type: AWS::Lambda::Function
DependsOn: InstanceSecurityGroup
CreateAndAttachAffectedVolume:
Properties:
FunctionName: sec-ir-6-createAndAttachAffectedVolume
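Review bot: The three parameters added at the end of the third hunk (@@ -76,6 +74,16 @@) — `Ec2KeyPair`, `OutputS3Bucket`, `OutputS3BucketRegion` — are plain `Type: String` with no validation, so a mistyped key pair or bucket name is only discovered when the Lambda calls `run_instances` or `send_command`. `Ec2KeyPair` should be declared as `Type: AWS::EC2::KeyPair::KeyName`, which makes CloudFormation reject a non-existent key pair at stack creation, and `OutputS3Bucket` deserves an `AllowedPattern` for bucket-name syntax (e.g. `AllowedPattern: "^[a-z0-9.-]{3,63}$"`, a constructed example) because the SSM lambda below splices that value straight into a shell command line. The second hunk (@@ -63,7 +62,6 @@) drops the hard-coded default bucket for `lambdas3bucketsname`, which is the right direction; no default should be reintroduced for `OutputS3Bucket` either.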
Expand Up @@ -29,21 +29,24 @@ def lambda_handler(event, context):
Monitoring={
'Enabled': True
},
# SubnetId=os.environ['SUBNET_ID'],

IamInstanceProfile={
'Arn': os.environ['INSTANCE_PROFILE']
},
# UserData = '#!/bin/bash \n cd /tmp \n sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_386/amazon-ssm-agent.rpm \n sudo amazon-ssm-agent start',

UserData = "#!/bin/bash \n export instancehostname=$(hostname) \n sudo sed -i -e 's/127.0.0.1 localhost/127.0.0.1 localhost '$instancehostname'/g' /etc/hosts \n mkdir /tmp/ssm \n cd /tmp/ssm \n wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb \n sudo dpkg -i amazon-ssm-agent.deb \n sudo systemctl enable amazon-ssm-agent \n sudo systemctl start amazon-ssm-agent \n",
KeyName ='foresic-key',
KeyName = os.environ['EC2_KEYPAIR'],
NetworkInterfaces = [
{
'AssociatePublicIpAddress': True,
'DeviceIndex': 0,
'SubnetId': os.environ['SUBNET_ID']
}],
{
'AssociatePublicIpAddress': True,
'DeviceIndex': 0,
'SubnetId': os.environ['SUBNET_ID'],
'Groups': [
os.environ['FORENSIC_SECUTRITYGROUP'],
],
}
],
TagSpecifications=[
{
'ResourceType': 'instance',
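Review bot: The new `'Groups'` entry pins the forensics interface to `FORENSIC_SECUTRITYGROUP` while the unchanged `'AssociatePublicIpAddress': True` gives it a public address, so the instance's reachability is now decided entirely by that security group's ingress rules; the template's `Default: 0.0.0.0/0` at the top of its third hunk looks like the CIDR parameter feeding that group (its name is outside the hunk, so confirm), which would make the forensics box internet-reachable. I'd add `# reachability of the forensics box is governed solely by this SG's ingress rules` above `'Groups'` and keep the template's CIDR default narrow. Stylistically the added keyword arguments should follow PEP 8 for keyword arguments: `KeyName=os.environ['EC2_KEYPAIR'],` and `NetworkInterfaces=[`. lambda_handler starts before and ends after this hunk.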
Expand Up @@ -14,14 +14,16 @@
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

import boto3
import os

ssmclient = boto3.client('ssm')

def lambda_handler(event, context):


instanceID = event['instanceID']
S3BucketName='sydney-summit-incident-response'
S3BucketName = os.environ['OUTPUT_S3_BUCKETNAME']
S3BucketRegion = os.environ['OUTPUT_S3_BUCKETREGION']
commands = ['#!/bin/bash','printf -v date "%(%F)T" -1', 'sudo mkdir /forensics','dd if=/dev/xvdb1 of=/forensics/i-23sdf5esdf.dd' ,'fls -r -m -i /forensics/i-23sdf5esdf.dd >/home/ubuntu/file-full-i-23sdf5esdf.txt', 'mactime -b /home/ubuntu/file-full-i-23sdf5esdf.txt $date >/home/ubuntu/file-2018-i-23sdf5esdf.txt', 'fls -rd /forensics/i-23sdf5esdf.dd >/home/ubuntu/file-deleted-i-23sdf5esdf.txt', 'sudo apt-get install cloud-utils ','EC2_INSTANCE_ID=$(ec2metadata --instance-id)', 'cp /home/ubuntu/file-deleted-i-23sdf5esdf.txt /home/ubuntu/file-deleted-$EC2_INSTANCE_ID-' + instanceID+ '.txt', 'cp /home/ubuntu/file-2018-i-23sdf5esdf.txt /home/ubuntu/$EC2_INSTANCE_ID.txt', 'cp /home/ubuntu/file-full-i-23sdf5esdf.txt /home/ubuntu/file-full-$EC2_INSTANCE_ID.txt', 'aws s3 cp /home/ubuntu/file-full-$EC2_INSTANCE_ID.txt s3://' + S3BucketName+ '/incident-response/file-full-$EC2_INSTANCE_ID.txt','aws s3 cp /home/ubuntu/file-deleted-$EC2_INSTANCE_ID-' + instanceID+ '.txt s3://' + S3BucketName + '/incident-response/file-deleted-$EC2_INSTANCE_ID-' + instanceID+ '.txt', 'aws s3 cp /home/ubuntu/$EC2_INSTANCE_ID.txt s3://' + S3BucketName +'/incident-response/$EC2_INSTANCE_ID.txt']


Expand All @@ -34,8 +36,8 @@ def lambda_handler(event, context):
},
Comment='SSM Command Execution',
# sydney-summit-incident-response
OutputS3Region='ap-southeast-2',
OutputS3BucketName='sydney-summit-incident-response',
OutputS3Region=S3BucketRegion,
OutputS3BucketName=S3BucketName,
OutputS3KeyPrefix=event.get('ForensicInstanceId')

)
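Review bot: `S3BucketName` now comes from the environment (`S3BucketName = os.environ['OUTPUT_S3_BUCKETNAME']`) but is still spliced by string concatenation into the shell `commands` list on the unchanged line below it (`'aws s3 cp ... s3://' + S3BucketName + ...`), so anything in that variable that is not a bucket name becomes part of the command executed on the forensics instance; validate it once before use, e.g. `if not re.fullmatch(r'[a-z0-9.-]{3,63}', S3BucketName): raise ValueError('OUTPUT_S3_BUCKETNAME is not a valid S3 bucket name')` with `import re` next to the new `import os`. `instanceID` from `event['instanceID']` is concatenated into the same commands and deserves a matching check against an EC2 instance-id shape. In the second hunk the comment `# sydney-summit-incident-response` now names the old hard-coded bucket and should be dropped, since both `OutputS3Region` and `OutputS3BucketName` are environment-driven. lambda_handler ends outside these hunks.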
