This project is a Terraform-based implementation for deploying a Security Operations Center (SOC) built on Kali Linux in AWS. It provides an Infrastructure as Code (IaC) solution that lets users replicate and manage a complete SOC environment based on the Kali Purple suite. The implementation is inspired by the original CloudFormation-based deployment by ZoccoCss.

The Kali SOC project lets you deploy a fully functional Security Operations Center in AWS, leveraging Kali Linux tools for purple team activities. The setup is suitable for practicing security operations, threat detection, response activities, and training.

Once the resources have been deployed, follow the Kali Purple documentation to configure Elasticsearch and the other tools.
This Terraform implementation provides:
- Modularized infrastructure management using best practices for reusability and scalability.
- Equivalent components to the CloudFormation stack with added flexibility for those more familiar with Terraform as an IaC tool.
- Automation of VPC creation, subnets, routing, security groups, network interfaces, and EC2 instances.
The Terraform code is organized into modules, each of which handles a specific piece of the infrastructure:

- IAM: manages the IAM roles and policies used to access the SOC components, ensuring each instance has the necessary permissions.
- VPC: creates the Virtual Private Cloud (VPC) that hosts all the SOC resources. It defines the IP ranges, enables DNS support, and provides a logically isolated network environment.
- Subnets: creates the public, LAN, and SOC subnets:
  - Public subnet: for instances that need internet exposure.
  - LAN subnet: for internal network communication.
  - SOC subnet: for secure communication between the security-operations components.
- Internet Gateway: creates the Internet Gateway that gives instances in the public subnet internet access.
- Routing: creates route tables and associates them with the subnets to control traffic flow, including the route through the Internet Gateway.
- Security groups: creates an open security group for the SOC instances, with rules controlling inbound access for SSH, RDP, HTTP, HTTPS, and the custom ports used by the individual components.
- Network interfaces: creates the network interfaces for the instances, attaching each to the appropriate subnet with a specific security group. These interfaces are what enable isolated communication between the SOC components.
- EC2: launches the Kali Linux-based instances for the SOC environment:
  - Kali Purple: core SOC platform.
  - Kali Violet, Eminence, Heliotrope, Byzantium: specialized instances, each for a different testing, monitoring, or threat-simulation purpose.
  - Each instance is linked to its corresponding network interface, security group, and IAM instance profile.
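As an added illustration of how the VPC, subnets, Internet Gateway and routing modules fit together, the following single root module creates the three subnets and routes only the public one through the gateway. This is example code, not the project's own module code; the variable names, CIDR ranges and resource names are assumptions.

```hcl
# Added example: VPC, three subnets, an Internet Gateway and a public route
# table in one root module. Not the project's own code; names and CIDRs are
# assumptions chosen for illustration.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = var.region
}

variable "region" {
  type    = string
  default = "us-east-1"
}

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
}

# One entry per subnet; only subnets flagged public get a route to the IGW.
variable "subnets" {
  type = map(object({ cidr = string, public = bool }))
  default = {
    public = { cidr = "10.0.1.0/24", public = true }
    lan    = { cidr = "10.0.2.0/24", public = false }
    soc    = { cidr = "10.0.3.0/24", public = false }
  }
}

resource "aws_vpc" "soc" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "kali-soc-vpc" }
}

resource "aws_subnet" "this" {
  for_each                = var.subnets
  vpc_id                  = aws_vpc.soc.id
  cidr_block              = each.value.cidr
  map_public_ip_on_launch = each.value.public
  tags                    = { Name = "kali-soc-${each.key}" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.soc.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.soc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# Only the public subnet is associated with the IGW route table; the LAN and
# SOC subnets keep the VPC's main route table, which has only the local route.
resource "aws_route_table_association" "public" {
  for_each       = { for k, v in var.subnets : k => v if v.public }
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = aws_route_table.public.id
}
```

The point of the `for_each` filter on the association is that internet reachability is decided by one boolean per subnet rather than by hand-maintained lists, so adding a fourth internal subnet cannot accidentally expose it.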
| Machine name | Primary purpose |
|---|---|
| Kali-Basic | Customization base machine |
| Kali-Pearly | Vulnerable machine with DVWA |
| Kali-Heliotrope | Attack platform with desktop environment |
| Kali-Eminence | Runs Malcolm (network monitoring) |
| Kali-Byzantium | OPNsense firewall |
| Kali-Purple | Central Elasticsearch instance |
| Kali-Violet | Runs OpenCTI and other tools |
Before deploying the SOC environment, make sure to subscribe to the following Amazon Machine Images (AMIs):
To deploy this Terraform setup, you need:

- An AWS account with permissions to create VPCs, EC2 instances, IAM roles, and the other necessary resources.
- Terraform installed on your local machine.
- An SSH key pair for accessing the instances (configured via the `key_name` variable). To generate a new SSH key pair, use the following command:

  ```
  ssh-keygen -t rsa -b 4096 -f ~/.ssh/kali_purple_key
  ```

  This command creates a new SSH key pair named `kali_purple_key` and stores it in your `.ssh` directory.
- Adjustments to CIDR ranges, security group rules, and instance types based on your specific requirements.
1. Clone the repository:

   ```
   git clone https://github.com/tayontech/kali-soc-terraform.git
   cd kali-soc-terraform
   ```

2. Initialize Terraform to set up the necessary providers:

   ```
   terraform init
   ```

3. Plan the deployment to see what changes will be made:

   ```
   terraform plan
   ```

4. Apply the changes to create the infrastructure in AWS:

   ```
   terraform apply
   ```

Once deployment is complete, you can access the SOC instances via SSH, RDP, or the other configured protocols.
To find the initial OPNsense EC2 passwords in the system log, follow these steps:

1. Go to the Amazon EC2 console (https://console.aws.amazon.com/ec2/).
2. Navigate to the "Instances" section and select your OPNsense instance.
3. Click the "Actions" dropdown menu, then select "Monitor and troubleshoot" > "Get system log".
4. In the system log window, scroll up to find the initial passwords. You should see a section that looks like this:

   ```
   **********************************************************************************************************
   *** set initial ec2-user password to : [password] ***
   !!! remember to change this immediately
   *** openssh-key provided, set to ec2-user
   *** set initial root password to : [password] ***
   remember to change this immediately
   **********************************************************************************************************
   ```

5. Note down both the ec2-user and root passwords. The password from the system log is used for the initial login to the OPNsense firewall.

After logging in, upload the firewall configuration file to set all the rules, settings, and passwords for the OPNsense firewall.

Important points to remember:

- It may take 5-10 minutes after the instance boots for the password message to appear in the system log.
- If the output of "Get system log" is empty or does not contain the expected text, try "Get instance screenshot" instead.
- For security reasons, change these initial passwords immediately after your first login. You can do this through the OPNsense web interface.
- Additionally, disable SSH access for the root user through the OPNsense console settings.
After the OPNsense firewall has been set up with the new configuration file, follow these steps:

1. SSH into the firewall while connected to the VPN:

   ```
   ssh root@192.168.1.10
   ```

   Use the password `VPZaE9268J51pb#P*4ur`.

2. Once inside the firewall, SSH into the Kali Eminence instance:

   ```
   ssh kali@192.168.1.230
   ```

3. Navigate to the Malcolm directory and start the service:

   ```
   cd ~/Malcolm/scripts
   ./start
   ```
To log in to Byzantium (the OPNsense firewall) after uploading the configuration file, use the following credentials:

- Username: root
- Password: VPZaE9268J51pb#P*4ur

To log in to all EC2 instances, use the following credentials:

- Username: kali
- Password: kali2023

Service credentials and addresses per instance:

- Kali Purple: access Elasticsearch with the following credentials:
  - Username: elastic
  - Password: 9voOW_WV6AO3EifKz=uu

  Access via browser at: https://192.168.253.105:5601

- Kali Violet: includes the OpenCTI and GVM services.
  - OpenCTI: username admin@opencti.io, password kalipurpleSOCCTI
  - OpenCTI Portainer: username admin, password kalipurpleSOCPortainer
  - GVM: username admin, password efa72ac9-95fe-496e-b110-e68baa757ea5

  Access via browser at:
  - https://192.178.253.107:8080
  - https://192.178.253.107:9392

- Kali Eminence: the Malcolm monitoring tools are accessible via the following links:
  - https://192.168.253.103/
  - https://192.168.253.103/dashboard
  - https://192.168.253.103/upload
  - https://192.168.253.103/netbox
  - https://192.168.253.103/cyberchef
  - https://192.168.253.103/readme
  - https://192.168.253.103/name-map-ui
  - https://192.168.253.103:488
  - https://192.168.253.103:9443
  - https://192.168.253.103:8022/files
Rather than using a pre-built AMI, the Byzantium machine is set up from its configuration file. To configure it:

1. Download the configuration file `config-byzantium.localdomain.xml`.
2. Edit the file and replace all instances of `XXX.XXX.XXX.XXX` with the public address of your Byzantium EC2 instance.
3. Launch the default OPNsense image in the stack and upload the configuration file.
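The placeholder replacement in step 2 can also be done by Terraform itself, so the rendered file always carries the address of the instance that was actually created. The block below is an added example, not part of the project: it assumes the shipped `config-byzantium.localdomain.xml` sits in the module directory, that the Byzantium instance ID is passed in as `var.byzantium_instance_id`, and that an Elastic IP is attached to it. `strcontains` requires Terraform 1.5 or later.

```hcl
# Added example (not the project's own code): render the Byzantium config with
# the instance's public address instead of editing it by hand.
# Assumptions: var.byzantium_instance_id is supplied, the shipped XML is in
# the module directory, and the hashicorp/local provider is available.
terraform {
  required_providers {
    aws   = { source = "hashicorp/aws" }
    local = { source = "hashicorp/local" }
  }
}

variable "byzantium_instance_id" {
  type        = string
  description = "ID of the OPNsense (Byzantium) EC2 instance."
}

# A static public address, so the rendered config does not go stale when the
# instance is stopped and started.
resource "aws_eip" "byzantium" {
  instance = var.byzantium_instance_id
  domain   = "vpc"
}

locals {
  # Placeholder token exactly as it appears in the shipped configuration file.
  byzantium_placeholder = "XXX.XXX.XXX.XXX"

  byzantium_config = replace(
    file("${path.module}/config-byzantium.localdomain.xml"),
    local.byzantium_placeholder,
    aws_eip.byzantium.public_ip,
  )
}

resource "local_file" "byzantium_config" {
  filename        = "${path.module}/rendered/config-byzantium.localdomain.xml"
  content         = local.byzantium_config
  file_permission = "0600"

  lifecycle {
    # Fail the apply if the token was not replaced (for example because the
    # placeholder string changed upstream), rather than uploading a bad config.
    postcondition {
      condition     = !strcontains(self.content, local.byzantium_placeholder)
      error_message = "Placeholder address was not replaced in the Byzantium config."
    }
  }
}

output "byzantium_public_ip" {
  value = aws_eip.byzantium.public_ip
}
```

The rendered file contains the firewall's administrative and VPN credentials, which is why it is written with mode 0600; keep the `rendered/` directory out of version control and upload it to OPNsense over the web interface as in step 3.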
OpenVPN configuration is also included in the Byzantium setup. The default credentials for OpenVPN are:

- Username: kaliopenvpn
- Password: bizantium
- SSH access: by default, the security group allows SSH access from anywhere (`0.0.0.0/0`). For production environments, this should be restricted to trusted IP ranges.
- IAM roles: roles are configured with specific permissions for SSM and other services. Make sure these permissions are correctly scoped to avoid over-privileged access.
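To make both points concrete, the following added example (not the project's own module code) shows the open security group the README describes beside a restricted variant, together with an instance role scoped to what Session Manager needs. `var.vpc_id` and `var.trusted_cidrs` are assumed inputs; the validation block makes `terraform plan` fail if someone tries to pass `0.0.0.0/0` as a trusted range.

```hcl
# Added example, not the project's own module code: the "open" security group
# the README describes, beside a restricted variant, plus an instance role
# scoped to Session Manager. var.vpc_id and var.trusted_cidrs are assumed inputs.
variable "vpc_id" {
  type = string
}

variable "trusted_cidrs" {
  type        = list(string)
  description = "Networks allowed to reach SSH/RDP (e.g. your office egress IP)."

  # Refuse a plan that would re-open the admin ports to the whole internet.
  validation {
    condition     = !contains(var.trusted_cidrs, "0.0.0.0/0")
    error_message = "trusted_cidrs must not contain 0.0.0.0/0."
  }
}

# Weak: the lab default, SSH reachable from any address.
resource "aws_security_group" "soc_open" {
  name   = "soc-open"
  vpc_id = var.vpc_id

  ingress {
    description = "SSH from anywhere (lab only)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Hardened: admin ports only from trusted ranges; traffic between SOC members
# is allowed by security-group membership instead of by CIDR.
resource "aws_security_group" "soc_restricted" {
  name   = "soc-restricted"
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = { ssh = 22, rdp = 3389 }
    content {
      description = "${ingress.key} from trusted ranges only"
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.trusted_cidrs
    }
  }

  ingress {
    description = "Any traffic between members of this group"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instance role limited to what Session Manager needs: the AWS-managed
# AmazonSSMManagedInstanceCore policy, no wildcard permissions.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "soc_ssm" {
  name               = "kali-soc-ssm"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.soc_ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "soc_ssm" {
  name = "kali-soc-ssm"
  role = aws_iam_role.soc_ssm.name
}
```

With the SSM role attached, interactive access can go through Session Manager instead of an internet-facing SSH port, which is the cleanest way to satisfy the first point above in a production deployment; the `self = true` rule keeps the inter-component traffic the network-interface module relies on without widening the ingress to a CIDR range.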
To destroy the infrastructure and avoid any ongoing costs, run:

```
terraform destroy
```
Contributions are welcome! If you have ideas for improvements, feel free to open a pull request or issue.
The original CloudFormation implementation by ZoccoCss is available at ZoccoCss/kalisoc. This Terraform version aims to provide an alternative deployment option for those comfortable with Terraform.
This project is open-sourced under the MIT License. See the LICENSE file for more details.