aws_ir

Python command line utility for mitigation of host and key compromises.

Key Compromise

The aws_ir subcommand key-compromise responds to a compromised IAM access key. Its single required argument is the access key id; the compromised key is disabled via the AWS API, and the bundled plugins (disableaccess_key, revokests_key) also revoke any STS tokens that were issued with that key before the response ran, so sessions an attacker already minted stop working as well.

usage: aws_ir key-compromise [-h] --access-key-id ACCESS_KEY_ID
                             [--plugins PLUGINS]

optional arguments:
  -h, --help            show this help message and exit
  --access-key-id ACCESS_KEY_ID
  --plugins PLUGINS     Run some or all of the plugins in a custom order.
                        Provided as a comma separated listSupported plugins:
                        disableaccess_key,revokests_key

Below is the output of running the key-compromise subcommand.

$ aws_ir key-compromise --access-key-id AKIAINLHPIG64YJXPK5A
2017-07-20T21:04:01 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-07-20T21:04:01 - aws_ir.plans.key - INFO - Attempting key disable.
2017-07-20T21:04:03 - aws_ir.plans.key - INFO - STS Tokens revoked issued prior to NOW.
2017-07-20T21:04:03 - aws_ir.plans.key - INFO - Disable complete.  Uploading results.
Processing complete for cr-17-072104-7d5f
Artifacts stored in s3://cloud-response-9cabd252416b4e5a893395c533f340b7
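The two actions the log above reports, "Attempting key disable" and "STS Tokens revoked issued prior to NOW", map onto a small number of IAM calls. The block below is an added example of how to carry them out with boto3; it is not aws_ir's own code, and the function names, the policy name REVOCATION_POLICY_NAME, the FakeIAM stand-in and the sample key/user pair are all assumptions made here so the example runs offline. The AWS calls it wraps (GetAccessKeyLastUsed, UpdateAccessKey, PutUserPolicy) and the aws:TokenIssueTime condition are the real APIs.

```python
import json
from datetime import datetime, timezone

# Assumed name for the inline revocation policy (aws_ir may use another).
REVOCATION_POLICY_NAME = "key-compromise-revoke-sessions"


def owner_of_access_key(iam, access_key_id):
    """Map an access key id to the IAM user that owns it.

    GetAccessKeyLastUsed returns the owning UserName even for a key that
    has never been used, so no per-user key listing is needed."""
    resp = iam.get_access_key_last_used(AccessKeyId=access_key_id)
    return resp["UserName"]


def disable_access_key(iam, user_name, access_key_id):
    """Mark the key Inactive rather than deleting it: an inactive key is
    rejected immediately, can be re-enabled if the alert was a false
    positive, and stays visible in IAM for the investigation."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id,
                          Status="Inactive")


def session_revocation_policy(cutoff):
    """Deny-all policy for temporary credentials issued before ``cutoff``.

    Disabling a long-term key does not invalidate sessions already minted
    with it, and IAM has no "revoke token" call. The supported way to cut
    those sessions off is an explicit Deny conditioned on the
    aws:TokenIssueTime of the request's credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


def revoke_sessions(iam, user_name, cutoff):
    """Attach the revocation policy inline to the user and return it."""
    policy = session_revocation_policy(cutoff)
    iam.put_user_policy(UserName=user_name, PolicyName=REVOCATION_POLICY_NAME,
                        PolicyDocument=json.dumps(policy))
    return policy


def key_compromise(iam, access_key_id, now=None):
    """Disable the key first (so no new sessions can be minted), then cut
    off every session it already produced. Returns an incident summary."""
    now = now or datetime.now(timezone.utc)
    user_name = owner_of_access_key(iam, access_key_id)
    disable_access_key(iam, user_name, access_key_id)
    policy = revoke_sessions(iam, user_name, now)
    cutoff = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return {"user": user_name, "access_key_id": access_key_id,
            "key_status": "Inactive", "sessions_denied_before": cutoff}


class FakeIAM:
    """Constructed stand-in for boto3.client("iam") so the example runs
    offline; it records the effect of each call instead of making it."""

    def __init__(self, owners):
        self.owners = owners        # access key id -> user name
        self.key_status = {}        # (user, key id) -> status
        self.user_policies = {}     # (user, policy name) -> parsed policy

    def get_access_key_last_used(self, AccessKeyId):
        return {"UserName": self.owners[AccessKeyId], "AccessKeyLastUsed": {}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.key_status[(UserName, AccessKeyId)] = Status

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.user_policies[(UserName, PolicyName)] = json.loads(PolicyDocument)


def demo():
    """Run the plan against a constructed key/user pair at a fixed time."""
    iam = FakeIAM({"AKIAIOSFODNN7EXAMPLE": "alice"})  # constructed sample data
    at = datetime(2017, 7, 20, 21, 4, 3, tzinfo=timezone.utc)
    return key_compromise(iam, "AKIAIOSFODNN7EXAMPLE", now=at), iam


if __name__ == "__main__":
    # Live run: pass boto3.client("iam") instead of FakeIAM and omit now=.
    summary, _ = demo()
    print(json.dumps(summary, indent=2))
```

The order matters: disable the key before attaching the Deny, otherwise an attacker can mint a fresh session in the gap whose issue time is after the cutoff. The Deny also locks out the legitimate user's existing sessions until they re-authenticate, which is the intended effect. One caveat: an inline policy on the user only governs sessions that carry the user's own permissions (GetSessionToken, GetFederationToken); a session obtained through AssumeRole is evaluated against the role's policies, so for those the same Deny has to be attached to the role with PutRolePolicy.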

Installation:

AWS Credentials

Ensure AWS credentials are configured for the user that runs aws_ir, as documented by Amazon (environment variables, ~/.aws/credentials, or an assumed role all work, since the tool uses the standard SDK credential chain).

Setup Roles with Cloudformation

A CloudFormation template is provided that sets up an IncidentResponders group and a responder role that members of the group can assume.

Simply create the stack available at:

https://github.com/ThreatResponse/aws_ir/blob/master/cloudformation/responder-role.yml.

Then add your responders to the IncidentResponders group. After that you're good to go.

Note that this role carries a condition requiring every responder to have authenticated with MFA before assuming it; an AssumeRole call from a session without MFA is refused:

.. code-block:: yaml

   aws:MultiFactorAuthPresent: 'true'
