
aws-incident-response-playbooks-workshop

Building Incident Response Playbooks for AWS

This project is part of the workshop Building Incident Response Playbooks for AWS. Follow the workshop directions to get the most out of this repository's contents.

DO NOT DEPLOY THE CODE FROM THIS REPOSITORY IN AN EXISTING AWS ACCOUNT YOU CURRENTLY USE. CREATE A NEW SANDBOX ACCOUNT FOR THE PURPOSE OF THIS WORKSHOP.

Sandbox environment

  • This is a sandbox environment for learning purposes only. Take what you learn from building a playbook in this controlled environment and adapt it to your own environment.
  • GuardDuty, CloudTrail, VPC Flow, and DNS logs are the fundamental pillars for threat detection and incident response in AWS. Focus on learning how to interpret them based on the activity generated.

Solving customer challenges around incident response in AWS

  • This project builds an environment in an AWS account that supports the development of playbooks, improving a customer's capability to respond to security events.
  • Amazon Athena provides analytical capabilities with pre-configured tables for querying AWS CloudTrail logs, Amazon VPC Flow logs, and Amazon Route 53 VPC DNS logs centralized in an Amazon S3 bucket.
  • Includes two sample playbooks, addressing the IAM credential exposure and EC2 crypto mining threats, plus a template for developing additional scenarios.
  • Includes Linux bash scripts to simulate the threats and practice the response laid out by the sample playbooks. Create your own scripts in Linux bash or other languages to support the development and testing of your own security event scenarios.
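The bullets above say the workshop is about learning to interpret CloudTrail, VPC Flow and DNS logs for the two sample scenarios. The following added example (not code from the workshop repository) shows the kind of interpretation a playbook encodes, run over constructed log records so it works offline: it groups CloudTrail records by access key and flags keys used from an address outside a known egress list (the IAM credential exposure scenario), and it scans default-format VPC Flow Log lines for accepted egress flows to ports associated with mining pools (the EC2 crypto mining scenario). The known-egress address set and the port set are assumptions you would replace with your own environment's values; in the workshop the same questions are asked of the Athena tables rather than of a JSON file.

```python
"""Interpreting CloudTrail and VPC Flow Log records for the two sample
playbook scenarios (IAM credential exposure, EC2 crypto mining).

Added example for this README; it is not code from the workshop repository.
All log records below are constructed, and KNOWN_EGRESS / MINING_PORTS are
assumptions to be replaced with your own environment's values.
"""
import json
from collections import defaultdict

# Constructed CloudTrail records (the same fields the workshop's Athena
# cloudtrail table exposes as useridentity.accesskeyid, sourceipaddress,
# eventname). One access key is used from two different source addresses.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-01T22:14:03Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-01T22:14:09Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-user",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]})

# Assumption: your organisation's known egress addresses.
KNOWN_EGRESS = {"203.0.113.10"}
# Read-only "what can this key do" calls that GuardDuty findings and most
# playbooks treat as the first sign of an exposed key being tested.
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers",
               "GetAccountAuthorizationDetails"}


def credential_exposure_findings(raw_json, known_ips=KNOWN_EGRESS):
    """Group CloudTrail records by access key and flag keys used from an
    address outside known_ips. Returns {accessKeyId: finding dict}."""
    per_key = defaultdict(lambda: {"user": None, "source_ips": set(),
                                   "unknown_ips": set(), "recon_calls": []})
    for rec in json.loads(raw_json)["Records"]:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if not key:            # e.g. AWS service events; nothing to attribute
            continue
        f = per_key[key]
        f["user"] = ident.get("userName")
        ip = rec["sourceIPAddress"]
        f["source_ips"].add(ip)
        if ip not in known_ips:
            f["unknown_ips"].add(ip)
            if rec["eventName"] in RECON_CALLS:
                f["recon_calls"].append((rec["eventTime"], rec["eventName"]))
    # Flag only keys seen from an unknown address; the rest is normal activity.
    return {k: dict(v, flagged=bool(v["unknown_ips"])) for k, v in per_key.items()}


# Constructed VPC Flow Log lines in the default 14-field format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.23 203.0.113.50 49152 443 6 20 4000 1704103200 1704103260 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.23 192.0.2.99 49153 3333 6 8000 1600000 1704103200 1704103260 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.23 192.0.2.99 49154 3333 6 12 900 1704103260 1704103320 REJECT OK
"""
# Assumption: ports commonly used by mining pool (Stratum) endpoints; in
# practice maintain this list from threat intel and GuardDuty findings.
MINING_PORTS = {3333, 4444, 5555, 14444}


def mining_suspects(flow_text, ports=MINING_PORTS):
    """Return (srcaddr, dstaddr, dstport, bytes) for accepted flows to a port
    in `ports`, sorted by bytes descending so the noisiest flow comes first."""
    suspects = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[0] != "2":
            continue   # skip custom-format or malformed lines
        srcaddr, dstaddr, dstport, nbytes, action = (
            fields[3], fields[4], int(fields[6]), int(fields[9]), fields[12])
        if action == "ACCEPT" and dstport in ports:
            suspects.append((srcaddr, dstaddr, dstport, nbytes))
    return sorted(suspects, key=lambda s: s[3], reverse=True)


if __name__ == "__main__":
    for key, f in credential_exposure_findings(SAMPLE_CLOUDTRAIL).items():
        print(key, "FLAGGED" if f["flagged"] else "ok",
              sorted(f["unknown_ips"]), f["recon_calls"])
    print(mining_suspects(SAMPLE_FLOW_LOGS))
```

Run as-is, the first key is flagged because it was used from 198.51.100.77 with two reconnaissance calls right after each other, while the second key only ever appears from the known egress address; the flow-log scan returns the single accepted 3333/tcp flow and ignores the rejected one. Either finding is the trigger for the containment steps a playbook then spells out (deactivating the key, isolating the instance).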

Architecture Overview

An AWS CDK application creates one stack named WorkshopStack containing the minimum environment required to support the development of Incident Response Playbooks. The components are listed in the next section.

WorkshopStack components:

  • Amazon S3 Bucket centralizing all required log sources
  • Amazon S3 Bucket for Athena queries results
  • A VPC with public and private subnets, internet gateway, NAT gateway, and one EC2 instance
  • CloudTrail trail logging management and data events streaming to S3 bucket
  • VPC DNS logs enabled for VPC streaming to S3 bucket
  • VPC Flow logs enabled for VPC streaming to S3 bucket
  • Athena Workgroup
  • Glue database and tables
  • Security analyst IAM Role to run Athena queries
  • Athena administrator IAM Role to configure Athena and Glue
  • Security break glass IAM Role for containment, eradication, and recovery
  • Security deploy IAM Role for CloudFormation deployment of SimulationStack
  • IAM User Access Key for EC2 crypto mining simulation
  • IAM User Access Key for IAM credential exposure simulation
  • AWS GuardDuty for alerting (enabled manually)

[Architecture diagram of the WorkshopStack (image in the original README)]


Deployment

CloudFormation

Preferred deployment method for those with little coding and AWS experience.

  • Log in to your AWS Account
  • Go to the AWS CloudFormation console
  • Create stack using cdk/cdk.out/WorkshopStack.yaml from the cloned repository

Refer to this page for getting started with AWS CloudFormation.

AWS CDK

We recommend this method for those with excellent coding and AWS experience.

  • Install Node.js 10.13.0 or later
  • Install Python 3.8 or later
  • Configure a python virtual environment
    • change directory to the root of the cloned repository
    • run python -m venv .venv
    • run source .venv/bin/activate
    • run python -m pip install -r stacks/requirements.txt
  • Install AWS CLI v2
  • Create IAM credentials with permission to deploy AWS resources using CloudFormation
  • Configure IAM credentials
    • run aws configure
    • verify by running aws sts get-caller-identity
  • Install AWS CDK
    • change directory to the root of the cloned repository
    • run npm install -g aws-cdk
    • verify by running cdk --version to check version installed
  • Deploy the AWS CDK app
    • run cdk bootstrap
    • run cdk synth
    • run cdk deploy

Refer to this page for getting started with AWS CDK.
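Before running cdk bootstrap / synth / deploy it is worth checking that every prerequisite in the list above is actually in place and, more importantly, that the credentials from aws configure point at the sandbox account and not at an account you use. The following added pre-flight script (not part of the workshop repository) does that check in Python: it parses the version strings printed by node, python, aws and cdk, compares them against the minimums the README states (Node.js 10.13.0, Python 3.8, AWS CLI v2), and runs aws sts get-caller-identity so the target account is printed before anything is deployed. The minimum for the cdk tool (1.0.0) is an assumption, since the README only asks for it to be installed.

```python
"""Pre-flight check for the AWS CDK deployment steps.

Added example; not part of the workshop repository. It verifies the tool
versions the README asks for and that `aws sts get-caller-identity`
succeeds before you run cdk bootstrap / synth / deploy.
"""
import re
import shutil
import subprocess
import sys

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first dotted version from tool output such as
    'v18.19.0', 'aws-cli/2.15.30 Python/3.11.6 ...' or '2.130.0 (build 9c98ac2)'.
    Returns a (major, minor, patch) tuple, or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def version_ge(found, required):
    """True if version tuple `found` is present and at least `required`."""
    return found is not None and found >= required


def tool_version(cmd, args):
    """Run `cmd args...` and return its parsed version, or None if the tool is
    missing or fails to run. stdout and stderr are combined because older
    AWS CLI releases print their version to stderr."""
    if shutil.which(cmd) is None:
        return None
    try:
        out = subprocess.run([cmd, *args], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(out.stdout + out.stderr)


# (name, command, version flag, minimum version) from the README's requirements.
# The cdk minimum is an assumption: the README only requires it to be installed.
REQUIREMENTS = [
    ("Node.js", "node", ["--version"], (10, 13, 0)),
    ("Python", sys.executable, ["--version"], (3, 8, 0)),
    ("AWS CLI", "aws", ["--version"], (2, 0, 0)),
    ("AWS CDK", "cdk", ["--version"], (1, 0, 0)),
]


def preflight(requirements=REQUIREMENTS, check_identity=True):
    """Return a list of (name, ok, detail) tuples; deployment should start
    only when every `ok` is True and the printed identity is the sandbox."""
    results = []
    for name, cmd, args, minimum in requirements:
        found = tool_version(cmd, args)
        ok = version_ge(found, minimum)
        detail = "not found" if found is None else ".".join(map(str, found))
        results.append((name, ok, detail))
    if check_identity and shutil.which("aws"):
        # Confirms the credentials from `aws configure` work and shows which
        # account you are about to deploy into.
        proc = subprocess.run(["aws", "sts", "get-caller-identity"],
                              capture_output=True, text=True)
        results.append(("AWS identity", proc.returncode == 0,
                        proc.stdout.strip() or proc.stderr.strip()))
    return results


if __name__ == "__main__":
    all_ok = True
    for name, ok, detail in preflight():
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
        all_ok &= ok
    sys.exit(0 if all_ok else 1)
```

Run it from the activated virtual environment so the Python check sees the interpreter you will deploy with; a non-zero exit code means at least one prerequisite is missing or too old, and the "AWS identity" line shows the account ID the stack would land in.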


Cost

Consider the costs involved in deploying this solution beyond what is included with AWS Free Tier, if applicable:


Related Resources

AWS resources

Third-party resources


Contributors

fredski-aws
