def parse_args(self, args):
parser = argparse.ArgumentParser(description="""
Incident Response command line for Amazon Web Services.
This command line interface is designed to process host and key
based incursions without delay or error.
""")
optional_args = parser.add_argument_group()
optional_args.add_argument(
'--version',
action='version',
version="%(prog)s {ver}".format(ver=__version__))
optional_args.add_argument('--verbose',
action='store_true',
help='log debug messages')
optional_args.add_argument('--profile',
default='default',
help="""
A named boto profile to use instead of the default profile.
""")
optional_args.add_argument('--case-number',
default=None,
help="""
The case number to use., usually of the form
"cr-16-053018-2d2d"
""")
optional_args.add_argument('--examiner-cidr-range',
default='0.0.0.0/0',
help="""
The IP/CIDR for the examiner and/or the tool.
This will be added as the only allowed range
in the isolated security group.
""")
optional_args.add_argument('--bucket-name',
default=None,
help="""
Optional.
The id of the s3 bucket to use.
This must already exist
""")
optional_args.add_argument('--dry-run',
action='store_true',
help="""
Dry run. Pass dry run
parameter to perform API calls
but will not modify any resources.
""")
subparsers = parser.add_subparsers(dest="compromise-type")
subparsers.required = True
instance_compromise_parser = subparsers.add_parser(
'instance-compromise', help='')
instance_compromise_parser.add_argument('--target',
required=False,
help="""
instance-id|instance-ip
""")
instance_compromise_parser.add_argument('--targets',
required=False,
help="""
File of resources to process instance-id or ip-address.
""")
instance_compromise_parser.add_argument('--user',
required=False,
help="""
this is the privileged ssh user
for acquiring memory from the instance.
Required for memory only.
""")
instance_compromise_parser.add_argument(
'--ssh-key',
required=False,
help=
'provide the path to the ssh private key for the user. Required for memory only.'
)
instance_compromise_parser.add_argument(
'--plugins',
required=False,
default="gather_host,isolate_host,"
"tag_host,snapshotdisks_host,"
"examineracl_host,get_memory,stop_host",
help="Run some or all of the plugins in a custom order. "
"Provided as a comma separated list of "
"supported plugins: \n"
"{p}".format(p=plugin.Core().instance_plugins()))
instance_compromise_parser.set_defaults(func="instance_compromise")
key_compromise_parser = subparsers.add_parser('key-compromise',
help='')
key_compromise_parser.add_argument('--access-key-id',
required=True,
help='')
key_compromise_parser.add_argument(
'--plugins',
default="disableaccess_key,revokests_key",
required=False,
help="Run some or all of the plugins in a custom order."
" Provided as a comma separated list"
"Supported plugins: \n"
"{p}".format(p=plugin.Core().key_plugins()))
key_compromise_parser.set_defaults(func="key_compromise")
return parser.parse_args(args)
def __init__(self,
examiner_cidr_range='0.0.0.0/0',
compromised_access_key_id=None,
region='us-west-2',
case=None,
steps=None):
if compromised_access_key_id is None:
raise ValueError(
'Must specify an access_key_id for the compromised key.')
self.case_type = 'Key'
self.compromised_access_key_id = compromised_access_key_id
self.region = region
self.case = case
self.plugins = plugin.Core()
self.steps = steps_to_list(steps)
def mitigate(self):
"""Any steps that run as part of key compromises."""
access_key = self.compromised_access_key_id
compromised_resource = compromised.CompromisedMetadata(
compromised_object_inventory={
'access_key_id': access_key,
'region': self.region
},
case_number=self.case.case_number,
type_of_compromise='key_compromise').data()
session = connection.Connection(type='session',
region='us-west-2').connect()