This toolkit is a Serverless Framework application that builds on the capabilities of aws_ir. It can handle host_compromises, key_compromises, and cloudtrail_compromises.
```bash
cd serverless-project-iraas
npm install --save serverless
npm install --save serverless-python-requirements
npm install --save https://github.com/vortarian/serverless-sqs-fifo
```
- The CIM (MozDef in our case) raises an alert to the service by writing a message to the inbound SQS incident queue.
- A CloudWatch Event polls the SQS queue every minute and, if there is work to do, spins up the credential helper function. The credential helper walks its list of roles and tries to match the account ID of the resource being remediated; once a role matches, that role is assumed and the resulting credentials are passed to the IR function.
- The IR function determines the type of resource it is acting on and follows the plan for that resource type, as determined by the configuration of the deployment.
- CloudTrail Disabled
- Instance Suspected of Malicious Activity (Future)
- Access Key Suspected Leak or Anomaly (Future)
- SQS Input FIFO Queue
- SQS Output FIFO Queue
- CloudWatch metric + CloudWatch Event to invoke lambda if SQS.ApproxMessagesVisible > 0
- Credential Assumption Function
- IR Function
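The credential-assumption step and the IR function's plan selection, as an added illustration (not the project's own code): the role list, the mapping from an ARN's service segment to an aws_ir plan name, the alert message shape and the function names are all assumed, and the STS call is injected so the logic runs offline.

```python
import json
import re

# Constructed role list (assumed): one remediation role per monitored account.
ROLE_ARNS = [
    "arn:aws:iam::111111111111:role/iraas-remediation",
    "arn:aws:iam::222222222222:role/iraas-remediation",
]
# Assumed mapping from an ARN's service segment to an aws_ir plan name.
PLAN_FOR_SERVICE = {"cloudtrail": "cloudtrail_compromises",
                    "ec2": "host_compromises", "iam": "key_compromises"}
ARN_RE = re.compile(r"^arn:aws:([a-z0-9-]+):([a-z0-9-]*):(\d{12}):(.+)$")

def parse_arn(arn):
    """Return (service, account_id) from an ARN, or raise ValueError."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("not a valid ARN: %r" % arn)
    return m.group(1), m.group(3)

def match_role(resource_arn, role_arns=ROLE_ARNS):
    """Pick the role whose account ID matches the alerted resource's account."""
    _, account = parse_arn(resource_arn)
    for role in role_arns:
        if parse_arn(role)[1] == account:
            return role
    return None

def credential_helper(message_body, assume_role, role_arns=ROLE_ARNS):
    """Turn one SQS message into the payload handed on to the IR function.

    assume_role(role_arn) is injected so the logic runs offline; on AWS it
    would wrap boto3's sts.assume_role() and return its 'Credentials' dict.
    """
    alert = json.loads(message_body)
    resource = alert["resource"]
    role = match_role(resource, role_arns)
    if role is None:
        raise LookupError("no remediation role for the account of %s" % resource)
    service, _ = parse_arn(resource)
    if service not in PLAN_FOR_SERVICE:
        raise LookupError("no IR plan for service %r" % service)
    return {"resource": resource, "plan": PLAN_FOR_SERVICE[service],
            "credentials": assume_role(role)}

# Constructed sample message, shaped as a CIM such as MozDef might enqueue it.
SAMPLE_MESSAGE = json.dumps({
    "resource": "arn:aws:cloudtrail:us-west-2:111111111111:trail/main",
    "reason": "CloudTrail Disabled"})
```

A resource whose account has no configured role, or whose service has no plan, is rejected before any credentials are requested.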
A Dockerfile is present in the project to facilitate deployment with the serverless framework.
```bash
docker run --rm -ti \
  -v ~/.aws:/root/.aws \
  -v ~/workspace/iraas/:/workspace \
  mozillaiam/docker-sls:latest \
  /bin/bash
```
A sample client for event mocking purposes has been provided in the example-client directory.