{"id":20697416,"url":"https://github.com/epomatti/aws-security-operations","last_synced_at":"2026-05-19T09:06:44.246Z","repository":{"id":239573854,"uuid":"798051271","full_name":"epomatti/aws-security-operations","owner":"epomatti","description":"Security operations scenarios in a simulated AWS environment","archived":false,"fork":false,"pushed_at":"2024-06-02T13:00:18.000Z","size":833,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-18T05:48:03.611Z","etag":null,"topics":["aws","aws-security","ec2","fargate","guardduty","secops","security","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epomatti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-09T02:02:24.000Z","updated_at":"2024-10-09T19:38:45.000Z","dependencies_parsed_at":"2024-06-02T00:37:54.703Z","dependency_job_id":"34a2b678-b81d-4c3d-8ab6-62571a3d7297","html_url":"https://github.com/epomatti/aws-security-operations","commit_stats":null,"previous_names":["epomatti/aws-security-operations"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/epomatti/aws-security-operations","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-security-operations","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-security-operations/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-security-op
erations/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-security-operations/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epomatti","download_url":"https://codeload.github.com/epomatti/aws-security-operations/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-security-operations/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33209476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-19T07:54:09.561Z","status":"ssl_error","status_checked_at":"2026-05-19T07:54:08.508Z","response_time":58,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","ec2","fargate","guardduty","secops","security","terraform"],"created_at":"2024-11-17T00:17:56.631Z","updated_at":"2026-05-19T09:06:44.231Z","avatar_url":"https://github.com/epomatti.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Security Operations\n\nSimulation of detection, containment, and remediation techniques in AWS as part of a SOC approach.\n\n\u003cimg src=\".assets/aws-secops.png\" /\u003e\n\n## 🚀 Roadmap\n\nStuff that I need to do:\n\n- [x] Application infrastructure\n- [x] Security infrastructure\n- [x] GuardDuty Runtime Monitoring\n- [x] Route 53 DNS Firewall\n- [x] Auto Scaling Group\n- 
[x] Fargate Cluster\n- [ ] WAF\n- [ ] S3 data exfiltration\n- [ ] Macie\n- [ ] Inspector\n- [ ] Detective\n- [ ] Security Lake\n- [ ] Honeypot\n- [ ] Lateral movement\n- [ ] NAC\n\n## 🏗️ Setup\n\nSet up the `.auto.tfvars` file:\n\n```sh\ncp config/template.tfvars .auto.tfvars\n```\n\nAt a minimum, set the `sns_email` variable to your test email. This will be used for a GuardDuty subscription and will require an approval after creation.\n\n```terraform\nsns_email = \"subscriber@example.com\"\n```\n\nThe default `workload_type` is set to `ASG`, which will deploy the application workload in an Auto Scaling Group.\n\nTo start with an EC2 configuration, set this to true:\n\n```terraform\nenable_ec2 = true\n```\n\nCreate the infrastructure:\n\n```sh\nterraform init\nterraform apply -auto-approve\n```\n\nCheck your email and approve the SNS subscription.\n\nConnect to the instances and confirm that the setup completed successfully:\n\n```sh\n# Connect using Session Manager\naws ssm start-session --target i-00000000000000000\n\n# Elevate to super user\nsudo su -\n\n# Check the init script\ncloud-init status\nsystemctl status amazon-cloudwatch-agent\n\n# Update and upgrade if required\ndnf check-update\ndnf update\ndnf upgrade\n```\n\n## Scenario 1: GuardDuty Runtime Monitoring for EC2 instances\n\nGuidelines for remediating potentially compromised Amazon EC2 instances can be found [here][10].\n\n### 🚨 1.1 Detection\n\nConnect to the application instance and test a [GuardDuty Runtime Monitoring][3] finding. Example:\n\n```sh\ndig guarddutyc2activityb.com\n```\n\nThis will force a [Backdoor:Runtime/C\u0026CActivity.B!DNS][2] finding to be triggered.\n\nIn this simple example, the event will be captured in EventBridge and sent to an SNS topic. 
In a production use case, additional integration options may be implemented: not only notification, but also integration with a SOAR.\n\n### 🛡️ 1.2 Containment\n\nUpon detecting the threat, a security operations team may choose to quarantine the instance to protect the data.\n\nIn this example, run the [AWS-QuarantineEC2Instance][1] runbook. The security group `isolated-security-group` has been pre-created by Terraform so that it is in scope of the `destroy` stage.\n\n\u003e [!TIP]\n\u003e The instance should be kept running in quarantine so as to provide a better inspection scenario.\n\nQuarantining the instance directly can affect the service availability. Increasing the Auto Scaling Group size to allow additional instances to start would help mitigate such scenarios.\n\n\u003e [!IMPORTANT]\n\u003e A robust containment plan would include a remediation action that has minimal impact on production. One option in this case would be having a pre-baked AMI which could then be used to create a new server (assuming the AMI is not infected as well). A design based on Auto Scaling Groups is a good approach. If using standalone instances, this would likely require an integrated DevSecOps approach with the application and infrastructure teams, which is complex in planning and execution. 
When implementing Infrastructure as Code, the design should also consider such scenarios.\n\n### 🕵️ 1.3 Inspection\n\nAn engineer would now be able to inspect the infected instance by logging into the security jump server, which is in a peered VPC.\n\nConnectivity could be established via SSH, for example, by copying the application instance private key from Parameter Store:\n\n```sh\naws ssm get-parameter \\\n    --name \"wms-private-key-openssh\" \\\n    --with-decryption \\\n    --query 'Parameter.Value' \\\n    --output text \u003e rsa_private_key\n```\n\nSet the appropriate permissions on the private key file that was just written:\n\n```sh\nchmod 600 ./rsa_private_key\n```\n\nConnect to the infected instance via SSH:\n\n```sh\nssh -i ./rsa_private_key ec2-user@infected.intranet.wms.com\n```\n\n## Scenario 2: GuardDuty Runtime Monitoring for ECS Fargate\n\nTo test GuardDuty capabilities for containers, set the project to create the ECS Fargate cluster.\n\n\u003e [!NOTE]\n\u003e Check the GuardDuty Runtime Monitoring [requirements][5] for AWS Fargate.\n\nThe architecture adds to the existing base VPC and workload resources:\n\n\u003cimg src=\".assets/aws-secops-fargate-waf.png\" /\u003e\n\nStart by creating the cluster, ECR, and other resources:\n\n```terraform\nenable_fargate         = true\nenable_fargate_service = false\n```\n\nApply the Terraform configuration.\n\nUpload the test images:\n\n```sh\n# Custom vulnerable app\nbash apps/vulnerapp/ecr-push.bash\n\n# Malware Crypto-miner container - https://artifacthub.io/packages/container/malware-cryptominer-container/malware-cryptominer-container\nbash apps/cryptominer/ecr-push.bash\n```\n\nSet the project to create the ECS Fargate service:\n\n```terraform\nenable_fargate         = true\nenable_fargate_service = true\n```\n\nApply the Terraform configuration again. 
Confirm that the GuardDuty agent has been started as a sidecar for the task.\n\n\u003e [!IMPORTANT]\n\u003e Open the GuardDuty Runtime Monitoring console and confirm the coverage status, and also whether the container instances are actually being covered. Check the [coverage troubleshooting][6] guide for help in identifying any technical issues, and also the [troubleshooting FAQs][4].\n\nAs documented in the [coverage statistics considerations][7]:\n\n\u003e If your Amazon ECS cluster contains only Fargate tasks, the count appears as **0/0**.\n\n\u003cimg src=\".assets/aws-fargate-tasks-guardduty-coverage.png\" /\u003e\n\nTest a malicious call running in the test image:\n\n```sh\ncurl http://\u003celb-public-endpoint\u003e/guardduty/trigger\n```\n\nAnother approach is to use a [honeypot container][8].\n\n## Scenario 3: WAF\n\nTo enable WAF, first deploy the ECS Fargate cluster. Once that is done, enable WAF in the configuration.\n\n\u003e [!TIP]\n\u003e Change the `waf_allowed_country_codes` and other parameters to the desired region.\n\n```terraform\nenable_waf                = true\nwaf_allowed_country_codes = [\"US\"]\n```\n\nThen, `apply` the configuration again to activate the changes.\n\nLogs and metrics are enabled, and managed rules have been associated with the WAF ACL. CloudWatch Logs [log anomaly detection][14] is currently [not supported][13] by the Terraform provider. 
Enable it manually.\n\nTo test the WAF rules:\n\n```sh\ncd test\nbash loop.sh lb-fargate-012345678.us-east-2.elb.amazonaws.com\n```\n\n## Scenario 4: Bucket data exfiltration\n\nThe infrastructure for the application resources will be provisioned with S3 Buckets and VPC Endpoints (VPCE) of type `Gateway` and `Interface`.\n\nThe VPCE DNS configuration is set using both `Enable DNS name` and `Enable private DNS only for inbound endpoints`, following guidelines from the [documentation][11].\n\nThe application bucket is configured with a policy to accept connections only from the VPCE, and the VPCE accepts connections only to the specific S3 Buckets.\n\n\u003e [!TIP]\n\u003e Access to resources using VPC Endpoints must be declared explicitly, as explained in this [section][12] of the documentation. Example using the AWS CLI: `aws s3api delete-bucket-policy --bucket \u003cbucket\u003e --region \u003cregion\u003e --endpoint-url https://bucket.\u003cvpce-1a2b3c4d-5e6f\u003e.s3.\u003cregion\u003e.vpce.amazonaws.com`\n\nDetecting data exfiltration in such scenarios is challenging, given that connectivity to the application bucket would go through the trusted VPCE Interface, while connectivity to a malicious/attacker bucket would go through the VPCE Gateway.\n\nI'm looking into ways of further closing this type of scenario with this sandbox, as well as adding a firewall and IDPS/SIEM.\n\n## Other scenarios\n\n### Port scanning\n\nTo trigger a finding based on VPC Flow Logs, run a port scan from the infected instance:\n\n```sh\nnmap 10.0.10.x\n```\n\n### Common findings\n\nAWS offers a sample finding generator for [common GuardDuty findings][9].\n\n---\n\n### 🧹 Clean-up\n\nDelete any snapshots created by the quarantine automation.\n\nDestroy the Terraform resources:\n\n```sh\nterraform destroy -auto-approve\n```\n\n## 
Reference\n\n```\nhttps://www.youtube.com/watch?v=fpShCxD8kFA\nhttps://github.com/awslabs/amazon-guardduty-tester\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html\nhttps://dev.to/aws-builders/aws-incident-response-how-to-contain-an-ec2-instance-pjk\nhttps://github.com/epomatti/aws-cloudwatch-subscriptions\nhttps://sysdig.com/blog/triaging-malicious-docker-container/\nhttps://docs.aws.amazon.com/guardduty/latest/ug/sample_findings.html#guardduty_findings-scripts\n```\n\n[1]: https://console.aws.amazon.com/systems-manager/automation/execute/AWS-QuarantineEC2Instance\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivitybdns\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html\n[4]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-guard-duty-troubleshooting.html#verify-ecs-runtime-ec2-run\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-assess-coverage-ecs.html\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-assess-coverage-ecs.html#ecs-review-coverage-statistics-ecs-runtime-monitoring\n[8]: https://sysdig.com/blog/triaging-malicious-docker-container/\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/sample_findings.html#guardduty_findings-scripts\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/compromised-ec2.html\n[11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#private-dns\n[12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#accessing-bucket-and-aps-from-interface-endpoints\n[13]: https://github.com/hashicorp/terraform-provider-aws/issues/34788\n[14]: 
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/LogsAnomalyDetection.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-security-operations","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepomatti%2Faws-security-operations","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-security-operations/lists"}