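def getClient(findingArn: str):
    """Return a GuardDuty client for the account that owns a finding.

    Parses a GuardDuty finding ARN of the form
    ``arn:<partition>:guardduty:<region>:<account>:detector/<detectorId>/finding/<findingId>``,
    assumes ``TargetAccountSecurityRoleName`` (read from the environment) in the
    owning account and returns ``(client, DetectorId, FindingId)``.

    The account to assume a role in is taken from the ARN itself, so the ARN
    is validated before it is used: a malformed or non-GuardDuty ARN is
    rejected with ``ValueError`` instead of silently indexing into the wrong
    fields (the previous ``split(...)[n]`` chain raised ``IndexError`` or, for
    a differently shaped ARN, returned the wrong account).

    Args:
        findingArn: full ARN of the GuardDuty finding.

    Returns:
        ``(client, DetectorId, FindingId)`` where ``client`` is a boto3
        GuardDuty client bound to the finding's account.

    Raises:
        ValueError: if ``findingArn`` is not a GuardDuty finding ARN.
        KeyError: if ``TargetAccountSecurityRoleName`` is not set.
    """
    # ARN layout: arn:partition:service:region:account:resource; the resource
    # part of a finding ARN is detector/<detectorId>/finding/<findingId>.
    arn_fields = findingArn.split(":", 5)
    if len(arn_fields) != 6 or arn_fields[0] != "arn" or arn_fields[2] != "guardduty":
        raise ValueError(f"not a GuardDuty finding ARN: {findingArn!r}")
    targetAccount = arn_fields[4]
    if len(targetAccount) != 12 or not targetAccount.isdigit():
        raise ValueError(f"not a GuardDuty finding ARN (bad account id): {findingArn!r}")

    resource_fields = arn_fields[5].split("/")
    if (len(resource_fields) != 4
            or resource_fields[0] != "detector" or resource_fields[2] != "finding"
            or not resource_fields[1] or not resource_fields[3]):
        raise ValueError(f"not a GuardDuty finding ARN (bad resource): {findingArn!r}")
    DetectorId = resource_fields[1]
    FindingId = resource_fields[3]

    # Assume the security role in the finding's own account; the returned
    # client therefore talks to that account's detector.
    session = account_session.get_session(targetAccount, os.environ['TargetAccountSecurityRoleName'])
    client = session.client('guardduty')
    return (client, DetectorId, FindingId)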
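def lambda_handler(event, context):
    """Block the IAM principal named in a GuardDuty finding by attaching a deny policy.

    Accepts either a raw GuardDuty finding (EventBridge ``detail-type``
    ``"GuardDuty Finding"``) or a Security Hub custom action, reads the
    principal from ``resource.accessKeyDetails``, assumes
    ``TargetAccountSecurityRoleName`` in the finding's account and attaches
    ``BlockPolicyArn`` to the role (``userType == "AssumedRole"``) or to the
    IAM user (any other ``userType``). The finding is then archived and a
    notification is sent.

    A principal carrying a tag with key ``SecurityTagKey`` is treated as an
    approved exception and is left untouched. Anyone holding ``iam:TagRole``
    / ``iam:TagUser`` on the principal can therefore exempt it from blocking;
    keep tagging rights on privileged principals tightly restricted.

    Environment:
        SecurityTagKey, TargetAccountSecurityRoleName, BlockPolicyArn.

    Raises:
        ValueError: for an event that is neither a GuardDuty finding nor a
            Security Hub custom action.
        KeyError: when the finding has no ``accessKeyDetails`` (a finding
            type that is not about an IAM principal was routed here).
    """
    security_tag_key = os.environ['SecurityTagKey']
    role_name = os.environ['TargetAccountSecurityRoleName']
    block_policy_arn = os.environ['BlockPolicyArn']

    detail_type = event.get('detail-type')
    if detail_type == "GuardDuty Finding":
        finding = event["detail"]
    elif detail_type == "Security Hub Findings - Custom Action":
        finding = security_hub.getFinding(event)
    else:
        raise ValueError("Neither GuardDuty nor SecurityHub event")

    event_id = finding['id']
    target_account = finding["accountId"]
    access_key_details = finding["resource"]["accessKeyDetails"]
    principal_id = access_key_details["userName"]
    principal_type = access_key_details["userType"]

    session = account_session.get_session(target_account, role_name)
    # The previous log line printed the type twice; it now names the principal.
    logger.info(
        f"GuardDuty Duty event {event_id} triggers checking principle {principal_id} of type {principal_type} in account {target_account}"
    )
    client = session.client('iam')

    if principal_type == "AssumedRole":
        # NOTE(review): accessKeyDetails.userName is used as the RoleName here;
        # confirm for your finding format that it carries the role name and not
        # the session name.
        tags = client.get_role(RoleName=principal_id)['Role'].get('Tags', [])
        if any(t['Key'] == security_tag_key for t in tags):
            logger.info(
                f"Security exception defined with tag {security_tag_key}. Skipping blocking {principal_id} of type {principal_type} in account {target_account}"
            )
            return
        client.attach_role_policy(RoleName=principal_id, PolicyArn=block_policy_arn)
    else:
        # NOTE(review): every non-AssumedRole userType is treated as an IAM
        # user. GuardDuty also reports other values (e.g. Root), which cannot
        # be blocked by policy attachment; those fail here in get_user.
        tags = client.get_user(UserName=principal_id)['User'].get('Tags', [])
        if any(t['Key'] == security_tag_key for t in tags):
            logger.info(
                f"Security exception defined with tag {security_tag_key}. Skipping blocking {principal_id} of type {principal_type} in account {target_account}"
            )
            return
        client.attach_user_policy(UserName=principal_id, PolicyArn=block_policy_arn)

    # Only archive once the deny policy is actually in place, so a failed
    # attach leaves the finding visible for manual follow-up.
    guard_duty.archiveGuardDutyFinding(finding["arn"])
    notify.sendNotification(
        f"Attached deny policy to principle {principal_id} of type {principal_type} in account {target_account}. Guard Duty finding id {event_id} archived."
    )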
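def lambda_handler(event, context):
    """Run an SSM Automation document against a resource unless it is tagged as an exception.

    Expected event keys:
        account: target account id (a role named ``TargetAccountSecurityRoleName``
            is assumed there to read the resource's tags).
        resourceId: identifier of the resource (e.g. an instance id or full ARN).
        resourseType: Resource Groups Tagging API resource-type filter such as
            ``ec2:instance``. The key is spelled this way by the callers and is
            kept as-is for compatibility.
        AutomationDocumentName (optional): SSM document to execute; nothing is
            run when it is absent.
        AutomationParameters (optional): parameters passed to the document
            (defaults to ``{}``).

    The document name and parameters come straight from the event, so whoever
    can invoke this function can run any automation the execution role allows
    in the target account. Restrict invocation to the intended EventBridge
    rules and consider allow-listing document names.

    Environment:
        SecurityTagKey, TargetAccountSecurityRoleName, AWS_REGION.
    """
    logger.info(f"recieved event: {json.dumps(event)}")
    security_tag_key = os.environ['SecurityTagKey']
    region = os.environ['AWS_REGION']
    target_account = event["account"]
    resource_id = event["resourceId"]
    resource_type = event["resourseType"]

    session = account_session.get_session(target_account, os.environ['TargetAccountSecurityRoleName'])

    # Security exception: skip resources tagged with the exception key. The
    # resource id must match the ARN's final identifier exactly; a substring
    # test ("i-1" in "...instance/i-1234...") would wrongly skip remediation
    # of unrelated resources that happen to share a prefix.
    tagging = session.client('resourcegroupstaggingapi')
    pages = tagging.get_paginator('get_resources').paginate(
        TagFilters=[{'Key': security_tag_key}],
        ResourceTypeFilters=[resource_type])
    for page in pages:
        for res in page['ResourceTagMappingList']:
            arn = res['ResourceARN']
            if arn == resource_id or arn.endswith(f"/{resource_id}") or arn.endswith(f":{resource_id}"):
                logger.info(
                    f"Security exception defined with tag {security_tag_key}. Skipping {resource_id} of type {resource_type}"
                )
                return

    if "AutomationDocumentName" not in event:
        logger.info(f"No AutomationDocumentName in event for {resource_id}; nothing to execute")
        return

    # The automation is started from this (security) account and targeted at
    # the resource's account/region via TargetLocations.
    document_name = event['AutomationDocumentName']
    parameters = event.get('AutomationParameters', {})
    ssm = boto3.client('ssm')
    response = ssm.start_automation_execution(
        DocumentName=document_name,
        Parameters=parameters,
        TargetLocations=[{
            "Accounts": [target_account],
            "Regions": [region]
        }])
    notify.sendNotification(
        f"Triggered incident response in account {target_account}, SSM document {document_name} with id {response['AutomationExecutionId']} and input parameters "
        + json.dumps(parameters))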
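def lambda_handler(event, context):
    """Confine a security group's world-open ingress rules to an allowed CIDR.

    Triggered by an AWS Config event (``source == "aws.config"``) for a
    security group. Every ingress permission that allows ``0.0.0.0/0`` or
    ``::/0`` has that range revoked and replaced with
    ``AllowedNetworkRangeIPv4`` / ``AllowedNetworkRangeIPv6``. Only the
    offending range is touched: other CIDRs, security-group references and
    prefix lists on the same permission are left as they are, so a failed
    authorize can no longer strip legitimate rules (the previous version
    revoked and re-added the whole permission). A group tagged with
    ``SecurityTagKey`` is skipped as an approved exception.

    Environment:
        AllowedNetworkRangeIPv4, AllowedNetworkRangeIPv6, SecurityTagKey,
        TargetAccountSecurityRoleName.

    Raises:
        ValueError: if the event is not from aws.config, or names a Config
            resource type other than ``AWS::EC2::SecurityGroup``.
    """
    allowed_v4 = os.environ['AllowedNetworkRangeIPv4']
    allowed_v6 = os.environ['AllowedNetworkRangeIPv6']
    security_tag_key = os.environ['SecurityTagKey']

    if event.get('source') != "aws.config":
        raise ValueError('Unknown event source. Supported only aws.config')
    detail = event["detail"]
    # Config events carry the resource type; refuse anything that is not a
    # security group rather than feeding a foreign id to the EC2 API.
    resource_type = detail.get("resourceType")
    if resource_type is not None and resource_type != "AWS::EC2::SecurityGroup":
        raise ValueError(f"Unsupported Config resource type {resource_type}; expected AWS::EC2::SecurityGroup")
    sg_id = detail["resourceId"]
    target_account = event["account"]

    session = account_session.get_session(target_account, os.environ['TargetAccountSecurityRoleName'])
    logger.info(f"Checking security group {sg_id} in account {target_account}")
    client = session.client('ec2')
    group = client.describe_security_groups(GroupIds=[sg_id])['SecurityGroups'][0]

    if any(t['Key'] == security_tag_key for t in group.get('Tags', [])):
        logger.info(f"Security exception defined with tag {security_tag_key}. Skipping security group {sg_id} to confine")
        return

    def _permission_with(perm, range_key, ranges):
        """Copy of perm's protocol/ports carrying only the given range list."""
        minimal = {'IpProtocol': perm['IpProtocol'], range_key: ranges}
        for port_key in ('FromPort', 'ToPort'):
            if port_key in perm:  # absent for protocol -1 (all traffic)
                minimal[port_key] = perm[port_key]
        return minimal

    def _confine(perm, open_range, range_key, cidr_key, allowed_cidr):
        """Swap one world-open range on perm for the allowed CIDR."""
        client.revoke_security_group_ingress(
            GroupId=sg_id,
            IpPermissions=[_permission_with(perm, range_key, [{cidr_key: open_range[cidr_key]}])])
        # Keep the rule's Description, only the CIDR changes.
        confined = dict(open_range, **{cidr_key: allowed_cidr})
        try:
            client.authorize_security_group_ingress(
                GroupId=sg_id,
                IpPermissions=[_permission_with(perm, range_key, [confined])])
        except client.exceptions.ClientError as err:
            # The confined rule already being present is the desired end state.
            if err.response['Error']['Code'] != 'InvalidPermission.Duplicate':
                raise

    changed = 0
    for perm in group['IpPermissions']:
        for rng in perm.get('IpRanges', []):
            if rng.get("CidrIp") == "0.0.0.0/0":
                _confine(perm, rng, 'IpRanges', 'CidrIp', allowed_v4)
                changed += 1
        for rng in perm.get('Ipv6Ranges', []):
            if rng.get("CidrIpv6") == "::/0":
                _confine(perm, rng, 'Ipv6Ranges', 'CidrIpv6', allowed_v6)
                changed += 1

    if changed:
        notify.sendNotification(f"Confined security group {sg_id} in account id {target_account} to safe CIDR")
    else:
        logger.info(f"Security group {sg_id} in account {target_account} has no world-open ingress rules; nothing changed")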
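def lambda_handler(event, context):
    """Isolate the EC2 instance named in a GuardDuty finding by swapping its security groups.

    Accepts a raw GuardDuty finding or a Security Hub custom action, assumes
    ``TargetAccountSecurityRoleName`` in the finding's account, and creates
    (or reuses) a per-finding security group ``secIsolation-<finding id>`` in
    the instance's VPC that has no ingress and no egress rules. That group is
    then set as the only group on every network interface of the instance,
    the finding is archived and a notification is sent. An instance tagged
    with ``SecurityTagKey`` is skipped as an approved exception.

    Environment:
        SecurityTagKey, TargetAccountSecurityRoleName.

    Raises:
        ValueError: for an event that is neither a GuardDuty finding nor a
            Security Hub custom action, or when the instance cannot be found.
        KeyError: when the finding has no ``instanceDetails``.
    """
    security_tag_key = os.environ['SecurityTagKey']
    role_name = os.environ['TargetAccountSecurityRoleName']

    detail_type = event.get('detail-type')
    if detail_type == "GuardDuty Finding":
        finding = event["detail"]
    elif detail_type == "Security Hub Findings - Custom Action":
        finding = security_hub.getFinding(event)
    else:
        raise ValueError("Neither GuardDuty nor SecurityHub event")

    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    target_account = finding["accountId"]
    event_id = finding['id']
    logger.info(
        f"GuardDuty Duty event {event_id} triggers checking instance {instance_id} in account {target_account}"
    )

    session = account_session.get_session(target_account, role_name)
    client = session.client('ec2')
    reservations = client.describe_instances(InstanceIds=[instance_id])['Reservations']
    if not reservations or not reservations[0]['Instances']:
        raise ValueError(f"Instance {instance_id} not found in account {target_account}")
    instance = reservations[0]['Instances'][0]

    if any(t['Key'] == security_tag_key for t in instance.get("Tags", [])):
        logger.info(
            f"Security exception defined with tag {security_tag_key}. Skipping Isolation of instance {instance_id} in account {target_account}"
        )
        return

    sec_group_name = f"secIsolation-{event_id}"
    vpc_id = instance["VpcId"]

    # Reuse the finding's isolation group if an earlier run created it. An
    # empty result list means it does not exist; the previous bare except
    # also swallowed real API errors (e.g. AccessDenied) and then tried to
    # create the group anyway.
    existing = client.describe_security_groups(Filters=[
        {'Name': 'group-name', 'Values': [sec_group_name]},
        {'Name': 'vpc-id', 'Values': [vpc_id]},
    ])['SecurityGroups']
    if existing:
        sec_group = existing[0]
        sec_group_id = sec_group['GroupId']
        logger.info(f'Found existing isolation Sec Group {sec_group_id}')
        # A reused group must still be empty; warn if someone opened it up.
        if sec_group.get('IpPermissions') or sec_group.get('IpPermissionsEgress'):
            logger.warning(
                f'Isolation Sec Group {sec_group_id} has rules attached; instance {instance_id} may not be fully isolated'
            )
    else:
        sec_group_id = client.create_security_group(
            Description='security isolation', GroupName=sec_group_name, VpcId=vpc_id)['GroupId']
        # A new group has no ingress but is created with default allow-all
        # egress rules (IPv4 and, in IPv6-enabled VPCs, IPv6 as well). Revoke
        # whatever egress it actually has instead of assuming a single
        # 0.0.0.0/0 rule.
        created = client.describe_security_groups(GroupIds=[sec_group_id])['SecurityGroups'][0]
        if created.get('IpPermissionsEgress'):
            client.revoke_security_group_egress(
                GroupId=sec_group_id, IpPermissions=created['IpPermissionsEgress'])
        logger.info(f'Created new isolation Sec Group {sec_group_id}')

    # Replace every interface's group set with the isolation group only.
    for eni in instance['NetworkInterfaces']:
        client.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[sec_group_id])

    # NOTE(review): swapping security groups does not necessarily cut
    # connections that are already established and tracked; confirm against
    # current EC2 connection-tracking behaviour and add a NACL/quarantine step
    # if hard isolation is required.
    guard_duty.archiveGuardDutyFinding(finding["arn"])
    notify.sendNotification(
        f"Isolation security group {sec_group_id} created and attached to instance {instance_id} in account {target_account}. Guard Duty finding id {event_id} archived"
    )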