These resources respond to a Security Hub finding by quarantining the affected EC2 instance and collecting forensic data from it.
- Enable Inspector and Security Hub
- Create a Custom Action in SecurityHub as follows:
  - Action name: CompromisedEC2
  - Description: Trigger a Lambda Incident Response function to quarantine an instance and collect forensic data.
  - Custom action ID: CompromisedEC2
- Create an EC2 instance (if needed)
If you want a RAM dump, make and kernel-headers must be installed on the instance:
yum -y install make kernel-headers
- Create an S3 bucket and upload the file: aws_forensics_lambda.zip to the root folder
- Create a CloudFormation stack called forensics-and-incident-response, using the file: aws_forensics.yaml
- Upload the file called get-forensic-data.sh to the bucket whose name starts with:
forensics-and-incident-resp-forensicsscriptsbucket-<random-string>
Note: there are 2 similarly named buckets; be sure to upload to the one with "scripts" in the name.
- In SecurityHub, look for a finding for an EC2 instance, click it, and select Actions --> CompromisedEC2
Note: you will need to wait for some findings to appear, or upload a file which will trigger an Inspector rule.
- Wait a few minutes for the Lambda function to run, then verify the following:
  - The security group was changed
  - The IAM role (instance profile) was changed
  - Older sessions were revoked for the old role
  - Within the S3 forensic data bucket, a folder named after the instance ID contains the forensic data
  - An AMI was created and tagged
  - The instance was powered off
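The verification list above can be scripted rather than clicked through. The following is an added example, not code from this project: it parses the Security Hub custom-action event the Lambda receives to find the instance ID, then runs one check per bullet against the raw EC2/IAM/S3 API responses. Every check takes the response dict so it can be run offline on the constructed sample data included here; main() wires the same checks to boto3 for a live account. The account, instance, security-group and profile identifiers, the AMI tag, and the object names under the instance-ID folder are all hypothetical. The "older sessions revoked" check looks for what that operation actually leaves behind on the role: an inline Deny policy conditioned on aws:TokenIssueTime.

```python
"""Post-response verification for the CompromisedEC2 action (added example)."""
import re

# Constructed sample event as delivered when the custom action fires
# (hypothetical account and instance IDs).
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {
        "actionName": "CompromisedEC2",
        "findings": [{"Resources": [
            {"Type": "AwsEc2Instance",
             "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"},
            {"Type": "AwsIamRole", "Id": "arn:aws:iam::123456789012:role/WebRole"},
        ]}],
    },
}
INSTANCE_ID = "i-0123456789abcdef0"                     # hypothetical
QUARANTINE_SG = "sg-0quarantine000000"                  # hypothetical
ISOLATION_PROFILE = "arn:aws:iam::123456789012:instance-profile/forensics-isolation"
# Constructed ec2.describe_instances() result after the Lambda has run.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [{
    "InstanceId": INSTANCE_ID,
    "State": {"Name": "stopped"},
    "SecurityGroups": [{"GroupId": QUARANTINE_SG, "GroupName": "quarantine"}],
    "IamInstanceProfile": {"Arn": ISOLATION_PROFILE},
}]}]}
# Constructed inline policy that revoking older sessions attaches to the old role.
SAMPLE_REVOKE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
    "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2024-01-01T00:00:00Z"}},
}]}
SAMPLE_IMAGES = {"Images": [{"ImageId": "ami-0fedcba9876543210", "State": "available",
                             "Tags": [{"Key": "Instance", "Value": INSTANCE_ID}]}]}
SAMPLE_KEYS = [f"{INSTANCE_ID}/get-forensic-data.log", f"{INSTANCE_ID}/memory.lime"]


def instance_ids_from_event(event):
    """Instance IDs of the AwsEc2Instance resources in a custom-action event."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        for res in finding.get("Resources", []):
            m = re.search(r":instance/(i-[0-9a-f]+)$", res.get("Id", ""))
            if res.get("Type") == "AwsEc2Instance" and m:
                ids.append(m.group(1))
    return ids


def check_instance(describe_resp, instance_id, quarantine_sg, profile_arn):
    """Security group swapped, instance profile swapped, instance powered off."""
    inst = next(i for r in describe_resp["Reservations"]
                for i in r["Instances"] if i["InstanceId"] == instance_id)
    groups = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
    return {
        "security_group_changed": groups == {quarantine_sg},   # only the quarantine SG remains
        "role_changed": inst.get("IamInstanceProfile", {}).get("Arn") == profile_arn,
        "powered_off": inst["State"]["Name"] in ("stopping", "stopped"),
    }


def sessions_revoked(policy_doc):
    """True if the policy denies credentials issued before a cut-off time."""
    for st in policy_doc.get("Statement", []):
        cond = st.get("Condition", {}).get("DateLessThan", {})
        if st.get("Effect") == "Deny" and "aws:TokenIssueTime" in cond:
            return True
    return False


def forensic_ami(images_resp, instance_id):
    """ImageId of an AMI carrying a tag whose value is the instance ID, or None."""
    for img in images_resp.get("Images", []):
        if any(t["Value"] == instance_id for t in img.get("Tags", [])):
            return img["ImageId"]
    return None


def forensic_objects(keys, instance_id):
    """Object keys that sit under the instance-ID folder of the data bucket."""
    return [k for k in keys if k.startswith(instance_id + "/")]


def main(argv):
    """Live run: verify.py INSTANCE_ID QUARANTINE_SG PROFILE_ARN OLD_ROLE DATA_BUCKET"""
    import boto3
    instance_id, sg, profile, old_role, bucket = argv[1:6]
    ec2, iam, s3 = boto3.client("ec2"), boto3.client("iam"), boto3.client("s3")
    result = check_instance(ec2.describe_instances(InstanceIds=[instance_id]),
                            instance_id, sg, profile)
    names = iam.list_role_policies(RoleName=old_role)["PolicyNames"]
    result["sessions_revoked"] = any(sessions_revoked(
        iam.get_role_policy(RoleName=old_role, PolicyName=n)["PolicyDocument"]) for n in names)
    images = ec2.describe_images(Owners=["self"],
                                 Filters=[{"Name": "tag-value", "Values": [instance_id]}])
    result["ami"] = forensic_ami(images, instance_id)
    listing = s3.list_objects_v2(Bucket=bucket, Prefix=instance_id + "/").get("Contents", [])
    result["objects"] = forensic_objects([o["Key"] for o in listing], instance_id)
    return result


if __name__ == "__main__":
    import sys
    print(main(sys.argv))
```

Run it with the quarantine security group ID, the isolation instance-profile ARN, the name of the role the instance had before the action, and the forensic data bucket (the one without "scripts" in its name). Any False, None or empty list in the printed dict points at the step that did not complete.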