Preparation materials for a presentation about AWS security
Disclaimer: The contents of this repository are for educational purposes. They may not be production grade.
AWS provides three services that can help enhance your account security with little overhead: AWS GuardDuty, AWS Config, AWS CloudTrail.
The Basic Configuration code examples are a starting point for their configuration.
Organizations with more than one AWS account, or with a presence in multiple regions, may benefit from automating certain configuration and alerting tasks.
The Automation section of these examples contains some reference implementations of monitoring patterns.
The files are grouped into three main groups:
00_Shared Prerequisites: Resources shared across multiple services, Terraform variables, etc.
10_Basic Configuration: Minimal configuration to enable the described AWS services.
20_Automation: Automation resources to simplify the environment verification.
- Create a trail and save its output to an S3 bucket.
- Enable the GuardDuty Detector.
- Enable a Configuration Recorder.
- Periodically save the compliance status to an S3 Bucket.
- Create one AWS Config rule to detect public S3 buckets.
- Create one AWS Config rule to detect CloudTrail encryption.
- Create an AWS CloudWatch Event Rule that triggers an SNS Notification on any Compliance change.
- Create an AWS CloudWatch Event Rule that triggers an SNS Notification on any GuardDuty finding.
- Create an S3 Bucket to save the results of our AWS Athena queries
- Create a new AWS Athena Database
- Create a new AWS Athena Workgroup
- Create a new AWS Athena Table with the AWS CloudTrail data
- Create an AWS Athena Named query to read all the IAM modifications of the previous day
- Create an AWS CloudWatch Event Rule to trigger a lambda on a schedule
- Deploy an AWS Lambda to trigger all the Athena Saved Queries in the compliance Workgroup
- Lambda code to read and trigger all the Athena Saved Queries in the compliance Workgroup
- Deploy an AWS Lambda subscribed to object creation S3 events on the Athena results bucket
- Lambda code to trigger an SNS Notification whenever a non-empty .csv is created in the Athena results bucket
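The last item above, the S3-triggered Lambda, as an added example that is not the repository's own code. It assumes the SNS topic ARN arrives in an environment variable named SNS_TOPIC_ARN, and that Athena writes a header-only CSV when a query returns no rows, so "non-empty" is read as "has at least one row beyond the header"; the pure helpers can be exercised offline, only handler() needs boto3.

```python
import json
import os
from urllib.parse import unquote_plus

CSV_SUFFIX = ".csv"
TOPIC_ENV = "SNS_TOPIC_ARN"  # assumed variable name carrying the topic ARN


def csv_records(event):
    """(bucket, key) pairs for ObjectCreated records that point at a non-zero-size CSV.

    S3 delivers keys URL-encoded, so decode first. Zero-byte objects and other keys
    (e.g. Athena's .csv.metadata companions) are skipped.
    """
    selected = []
    for record in event.get("Records", []):
        s3 = record.get("s3", {})
        obj = s3.get("object", {})
        key = unquote_plus(obj.get("key", ""))
        if key.endswith(CSV_SUFFIX) and obj.get("size", 0) > 0:
            selected.append((s3["bucket"]["name"], key))
    return selected


def count_data_rows(csv_text):
    """Non-blank lines after the header; 0 for an empty or header-only result file."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    return max(len(lines) - 1, 0)


def handler(event, context=None):
    """Lambda entry point; returns the keys for which a notification was published."""
    import boto3  # imported here so the helpers above can be tested without boto3

    s3, sns = boto3.client("s3"), boto3.client("sns")
    topic_arn = os.environ[TOPIC_ENV]
    notified = []
    for bucket, key in csv_records(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode("utf-8")
        rows = count_data_rows(body)
        if rows == 0:
            continue  # header only: the query matched nothing, so stay quiet
        sns.publish(
            TopicArn=topic_arn,
            Subject="Athena compliance query returned results",
            Message=json.dumps({"bucket": bucket, "key": key, "rows": rows}),
        )
        notified.append(key)
    return notified
```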
Running the Code
- Make sure you have
- Edit the values on 00_variables.tf as you see fit. Change compliance_bucket_name_sufix, since the default value may already be taken.
- terraform destroy for cleanup