Security is important. Using CloudTrail, CloudWatch and Lambda, we are going to build a simple security notification service that alerts us when a security issue is detected.
This is what we are going to build:
When any of the rules below is triggered, we will receive a Slack notification within several minutes (approximately within 15 minutes).
- Port 22 is opened to 0.0.0.0/0 on any EC2 instance
- A new port other than 80 and 443 is opened
- A new IAM user is created and added to the Administrator group
- A user logs in as root
The rules are written in JMESPath. Take a look at the src/example-events directory to try the example CloudTrail events against the rules.
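The four rules above, evaluated over constructed CloudTrail records so you can see what each one matches on. This is an added example rather than code from the repository: the project expresses its rules in JMESPath, while this snippet encodes the same checks in plain Python (no JMESPath dependency), and the group name "Administrators" and the sample records are assumptions.

```python
from typing import Any, Dict, List

ADMIN_GROUP = "Administrators"  # assumed name of the Administrator group
WEB_PORTS = (80, 443)

# Constructed sample CloudTrail records (not the ones in src/example-events).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AddUserToGroup", "eventSource": "iam.amazonaws.com",
     "requestParameters": {"groupName": "Administrators", "userName": "new-user"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def _ingress_items(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the ipPermissions entries of an AuthorizeSecurityGroupIngress call."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    return (params.get("ipPermissions") or {}).get("items", [])


def evaluate(event: Dict[str, Any]) -> List[str]:
    """Return the names of every rule the CloudTrail record triggers."""
    hits: List[str] = []
    for item in _ingress_items(event):
        cidrs = {r.get("cidrIp") for r in (item.get("ipRanges") or {}).get("items", [])}
        lo, hi = item.get("fromPort"), item.get("toPort")
        # ipProtocol "-1" (all traffic) carries no port range, so treat it as every port.
        ports = None if lo is None or hi is None else range(lo, hi + 1)
        if "0.0.0.0/0" in cidrs and (ports is None or 22 in ports):
            hits.append("ssh_open_to_world")
        if ports is None or any(p not in WEB_PORTS for p in ports):
            hits.append("non_web_port_opened")
    params = event.get("requestParameters") or {}
    if event.get("eventName") == "AddUserToGroup" and params.get("groupName") == ADMIN_GROUP:
        hits.append("user_added_to_admin_group")
    if event.get("eventName") == "ConsoleLogin" and (event.get("userIdentity") or {}).get("type") == "Root":
        hits.append("root_console_login")
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", evaluate(ev) or "no match")
```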
export AWS_PROFILE=YOUR_PROFILE AWS_DEFAULT_REGION="ap-southeast-1"
terraform init
./deploy.sh
The name comes from the Jurassic Park scene where a goat is fed to the T-Rex: the goat is the vulnerable thing. The Terraform script creates an EC2 instance with several dangerous ports open to the world.
cd goat
terraform init
terraform plan
terraform apply -auto-approve
