{"id":18524504,"url":"https://github.com/stelligent/lockdown","last_synced_at":"2025-04-09T12:30:55.146Z","repository":{"id":145835458,"uuid":"132639301","full_name":"stelligent/lockdown","owner":"stelligent","description":"AWS Emergency Compromise Response","archived":false,"fork":false,"pushed_at":"2020-01-07T15:44:14.000Z","size":32,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-24T05:26:19.799Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stelligent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-08T16:57:58.000Z","updated_at":"2024-09-12T07:59:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"49384da8-d7e3-41a4-9716-1129831125ed","html_url":"https://github.com/stelligent/lockdown","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Flockdown","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Flockdown/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Flockdown/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Flockdown/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stelligent","download_url":"https://codeload.github.com/stelligent/lockdown/tar.gz/refs
/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248040088,"owners_count":21037813,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T17:42:05.914Z","updated_at":"2025-04-09T12:30:55.134Z","avatar_url":"https://github.com/stelligent.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Emergency Compromise Response\n\nThis tool `lockdown.py` is to be used in the event of aws compromise.  Unfortunately,\nfrequently we see developers commit aws keys to GitHub, and this typically results in many rogue\ninstances spun up for cryptomining and other purposes.  Other times, instances themselves may be\ncompromised. In both cases, account lockdown, while preserving as much data as possible, is the\npreferred response.\n\nThis program stands apart from other available AWS incident response software, as it leaves the\nenvironment undisturbed.  Changes are solely additive, and can be removed in `unlock` mode.\n\n\n```\nusage: lockdown.py [-h] [--all] [--lock] [--unlock] [--s3] [--nacls] [--iam]\n                   [--image] [--ssm] [--stop] [--logs]\n\noptional arguments:\n  -h, --help  show this help message and exit\n  --all       Locks account, and performs all post lockdown functions\n  --lock      Locks account via NACLs and IAM polices.\n  --unlock    Unlocks account removing NACLs and IAM policies.\n  --s3        Locks S3 with Private ACL on every bucket. 
CANNOT BE UNDONE.\n  --nacls     Only lock/unlock NACLs.\n  --iam       Only lock/unlock IAM.\n  --image     Image all running instances.\n  --ssm       Attempt to capture running system via SSM.\n  --stop      Stop all running instances.\n  --logs      Report account Cloudtrail and Flowlogs status\n```\n\n\nAWS profile must be set with \"root\" keys.  This means the \"AdministratorAccess\" IAM managed\npolicy must be attached to the user whose keys are executing this code.\n\n\n\"Unlock\" mode will unlock an account after it has been locked down.  Unlock reverts the\napplied IAM policies and NACLs that lock down an account.  This should only be executed after\nthe account has been verified clear of intrusion.\n\n\n### `python3 lockdown.py --lock`\n\n\n1. Cut off all network access via NACLs.\n   * NACLs are applied to prevent any and all traffic.\n   * Security groups are left intact for forensics.\n\n\n2. Deactivate all users and roles via IAM policy.\n   * Explicit Deny policy is attached to all users and roles.\n   * Mitigates attacks such as persistent STS sessions, cross-account access, and cron'd Lambda.\n   * Existing policies are left intact for forensics.\n\n\n### `python3 lockdown.py --unlock`\n\n\n1. Remove \"lockdown\" deny all NACLs.\n   * NACLs previously applied to stop traffic are removed.\n\n\n2. Remove \"lockdown\" deny all IAM policy.\n   * Deny all IAM policy is removed from all users and roles.\n   * Deny all IAM policy is deleted.\n\n\n### `python3 lockdown.py --all`\n\n1. Lock all the things.\n   * NACLs.\n   * IAM Policies.\n\n\n2. Image all instances.\n   * All running instances are imaged.\n\n\n3. Disable public S3 access on all buckets.\n   * Add Private ACL to all buckets to disable all public reads and writes.\n   * This protects from data exfiltration and file warehousing.\n   * This is irreversible and must be restored manually, if necessary.\n\n\n4. Execute any forensic tooling via SSM.\n   * Capture running processes and system memory.\n\n\n5. Stop all running instances.\n   * Executes after EBS snapshot and SSM capture.\n   * Minimizes runtime charges.\n\n\n6. Report on Cloudtrail and Flowlogs status.\n   * If logs are available, print out location of logs.\n\n\n#### NOTE: This software will render your account unusable by anyone other than you. Please exec with care.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstelligent%2Flockdown","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstelligent%2Flockdown","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstelligent%2Flockdown/lists"}