SYS 360 Lab 14 1: Remediating an Incident by Using AWS Config and Lambda - JadenGil/Jaden-Tech-Journal GitHub Wiki
Remediating an Incident by Using AWS Config and Lambda
To get started, navigate to the IAM console. Then go to the Roles tab and click on the link for AwsConfigLambdaSGRole:
Then, in the Permissions tab, click on the link for awsconfig_lambda_ec2_sg_role_policy and you will see:
Note from lab: This is a custom role that was created for you. Later in this lab, you will attach this role to a Lambda function that you will create. This role defines the permissions that the Lambda function will have when it runs. The policy will allow the Lambda function to add or remove inbound rules on Amazon EC2 security groups. The policy will also allow the Lambda function to create and write events to CloudWatch logs.
Now we want to go back to Roles and select the link for AwsConfigRole:
Under Permissions, we want to select the link for S3Access:
Note from lab: Currently, this role grants permissions to get the bucket access control lists (ACLs) of Amazon Simple Storage Service (Amazon S3) buckets and upload objects to an S3 bucket if certain conditions are met. These permissions will allow AWS Config to write CloudWatch log files to Amazon S3.
Now, back on the original page for AwsConfigRole, we want to select Add permissions:
We want to select the AWS_ConfigRole policy and then select Add permission:
Examining the policy, you'll see that it grants read-level access.
Setting up AWS Config to monitor resources
In the search bar, search for "config" and select "Get started":
Recording method settings:
Data governance settings:
Delivery channel settings:
Once those settings are set, leave all the other settings at their defaults, then confirm everything and finish.
On the next page, select "Resources":
Modifying a security group that AWS Config monitors
Now we want to go to VPC, select Security Groups, and select the group LabSG1:
We want to edit the inbound rules of LabSG1 and add the following three rules:
That is all for this step.
Creating an AWS Config rule that calls a Lambda function
We now want to go back to AWS Config, select Rules, and add a rule:
Select "Create custom Lambda rule".
Detail settings:
Evaluation mode settings:
Parameter settings:
The final settings should look something like this:
If so, save.
Now select the link for "EC2SecurityGroup" and look over the information:
Revisiting the security group configuration
Now we want to go back to VPC and check the security groups again.
LabSG1's inbound rules should now look like this:
Note from lab: Recall that you defined inbound rules for SMTPS and IMAPS, as well as HTTP and HTTPS, on this security group. However, the rules for SMTPS and IMAPS no longer exist. Also, recall that you set the IP version for all rules to only IPv4, but now the HTTP and HTTPS rules are defined for IPv4 and IPv6.
In summary, you modified the inbound rules in this security group to look like the ones in the following screenshot. However, they have been significantly modified to look like the previous screenshot.
Now we want to navigate to the Lambda console and, under Functions, select awsconfig_lambda_security_group:
Info about the code from the lab:
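The lab's own function code is only shown in a screenshot. As an added illustration (my own example, not the lab's or AWS's code), the block below shows how a change-triggered AWS Config custom rule Lambda of this kind can work: it compares the security group's live inbound rules against a required set, revokes the extra rules, re-adds the missing ones, logs what it did to CloudWatch, and reports COMPLIANT or NON_COMPLIANT back to Config with `put_evaluations`. The required set (HTTP and HTTPS over IPv4 and IPv6) is taken from the remediated state the lab describes; the `CONSTRUCTED_LABSG1_RULES` snapshot is a constructed stand-in for LabSG1 after the rules were added above, and the assumption that only CIDR-based rules need handling (no security-group or prefix-list sources) is mine, not the lab's.

```python
# Added example (not the lab's code): an AWS Config custom-rule Lambda that
# keeps a security group's inbound rules pinned to a required set.
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Required inbound rules, taken from the remediated state the lab describes:
# HTTP and HTTPS open to both IPv4 and IPv6. Tuple: (protocol, from, to, cidr).
REQUIRED_RULES = {
    ("tcp", 80, 80, "0.0.0.0/0"),
    ("tcp", 80, 80, "::/0"),
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 443, 443, "::/0"),
}

# Constructed snapshot of LabSG1 after the lab's edit (IPv4 only): SMTPS,
# IMAPS, HTTP and HTTPS. Same shape as describe_security_groups returns.
CONSTRUCTED_LABSG1_RULES = [
    {"IpProtocol": "tcp", "FromPort": 465, "ToPort": 465, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 993, "ToPort": 993, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def normalize(ip_permissions):
    """Flatten an EC2 IpPermissions list into a set of (proto, from, to, cidr)
    tuples so rule sets compare regardless of ordering or range grouping.
    Assumption: only CIDR sources matter; group/prefix-list sources are ignored."""
    rules = set()
    for perm in ip_permissions:
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        for r in perm.get("IpRanges", []):
            rules.add(key + (r["CidrIp"],))
        for r in perm.get("Ipv6Ranges", []):
            rules.add(key + (r["CidrIpv6"],))
    return rules


def to_ip_permissions(rules):
    """Inverse of normalize(): build the IpPermissions list that the EC2
    authorize/revoke ingress calls expect, one entry per rule."""
    perms = []
    for proto, from_port, to_port, cidr in sorted(rules, key=str):
        entry = {"IpProtocol": proto}
        if from_port is not None:  # protocol "-1" (all traffic) carries no ports
            entry["FromPort"], entry["ToPort"] = from_port, to_port
        if ":" in cidr:
            entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            entry["IpRanges"] = [{"CidrIp": cidr}]
        perms.append(entry)
    return perms


def plan_remediation(current_permissions, required_rules=REQUIRED_RULES):
    """Decide what must change. Returns (compliance_type, revoke, authorize),
    where revoke/authorize are IpPermissions lists (both empty when compliant)."""
    current = normalize(current_permissions)
    extra = current - required_rules     # rules that should not be there
    missing = required_rules - current   # required rules that were removed
    if not extra and not missing:
        return "COMPLIANT", [], []
    return "NON_COMPLIANT", to_ip_permissions(extra), to_ip_permissions(missing)


def lambda_handler(event, context):
    """Entry point invoked by AWS Config for a change-triggered custom rule."""
    import boto3  # imported here so the pure logic above runs without the SDK

    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, annotation = "NOT_APPLICABLE", "Not a security group"
    else:
        ec2 = boto3.client("ec2")
        group_id = item["resourceId"]
        sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
        compliance, revoke, authorize = plan_remediation(sg["IpPermissions"])
        annotation = "Inbound rules match the required set"
        if compliance == "NON_COMPLIANT":
            # These log lines are what you would later search for in CloudWatch.
            logger.info("Remediating %s: revoke %s; authorize %s",
                        group_id, json.dumps(revoke), json.dumps(authorize))
            if revoke:
                ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
            if authorize:
                ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
            annotation = "Inbound rules were reset to the required set"

    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance
```

Run against the constructed LabSG1 snapshot, `plan_remediation` reports NON_COMPLIANT, schedules SMTPS and IMAPS for revocation and the two IPv6 rules for authorization, which is exactly the before/after difference the lab points out in the next section. The diff-based approach also keeps the Lambda idempotent: a second evaluation of an already-remediated group returns COMPLIANT and issues no EC2 calls.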
Using CloudWatch logs for verification
Now we want to navigate to CloudWatch, open the Log groups tab, and select awsconfig_lambda_security_group:
In the Log streams section of the page, select "Search all", and on the next page filter for "revoke all":
That is the end of the lab.