AWS Enrichment and Remediation

Automation to determine which interface on an EC2 instance has an over-permissive security group, determine which security groups have over-permissive rules, and replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.

Determine AWS account hierarchy by looking up parent objects until the organization level is reached.

Replace current security groups with limited access security groups.

The playbook sends a HTTP get response to the hostname and validates if there is missing bucket information.

This playbook automates the removal of an AWS Lambda function and its associated resources used for managing resources within an Amazon EKS cluster. It ensures all related roles, policies, and security configurations are properly detached and deleted.

Resource Detachment and Deletion

• Get the Lambda Role: Retrieve the IAM role associated with the Lambda function.
• Detach Policy from Lambda Role: Remove the policy attached to the Lambda role.
• Delete IAM Role: Delete the IAM role that was used for the Lambda function.
• Delete Lambda Policy: Remove the policy specifically created for the Lambda function.
• Delete Security Group: Delete the security group that was managing the Lambda function's traffic.

Access Entry Check

• Check if Access Entry was Created: Verify if the access entry for the EKS cluster was created.
  • If YES: Proceed to delete additional resources.
  • If NO: Skip the deletion of additional resources.

Additional Resource Deletion

• Delete Kubernetes Layer: Remove the Kubernetes layer that was used by the Lambda function.
• Delete Lambda Function: Delete the Lambda function itself, ensuring all related code and configurations are removed.

Resolution

• Final Cleanup: Ensure all specified resources have been deleted successfully.
• Completion: Confirm that the removal process is complete, providing a clean environment free from the previously deployed Lambda function and its configurations.

This playbook provides a comprehensive, automated approach to removing an AWS Lambda function and its related resources, ensuring all configurations and dependencies are properly managed and deleted.

Required Integration

AWS IAM (Identity and Access Management)

• AWS IAM API Documentation
• Cortex XSOAR AWS IAM Integration

AWS EC2 (Elastic Compute Cloud)

• AWS EC2 API Documentation
• Cortex XSOAR AWS EC2 Integration

AWS Lambda

• AWS Lambda API Documentation
• Cortex XSOAR AWS Lambda Integration.

This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.

Given the IP address this playbook enriches EC2 and IAM information.

AWS Credentials Rotation Playbook

Identity Remediation

Secure compromised accounts by taking swift action:

• Reset Password: Resets the user password to halt any unauthorized access.

• Access Key Deactivation: Deactivate any suspicious or known-compromised access keys.

• Combo Action: In some cases, you may want to reset both the password and deactivate the access key for absolute security.

Role Remediation

If a role is suspected to be compromised:

• Deny Policy Implementation: Attach a deny-all policy to the compromised role, thus preventing it from performing any further actions.

• Role Cloning: Before outright remediation, clone the role. This ensures that you have a backup with the same permissions, making transition smoother.

This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:

• Failed login attempt
• Suspicious activities
• API access denied
• Administrative user activities
• Security rules and policies changes
• Access keys and access token activities
• Script-based user agent usage
• User role changes activities
• MFA device changes activities

This playbook automates the deployment of an AWS Lambda function to manage resources within an Amazon EKS cluster. It ensures that all necessary configurations are created, updated, and verified.

Setup

• Describe EKS Cluster: Gather essential details of the EKS cluster.
• Create IAM Role: Set up a new IAM role for the Lambda function.
• Create and Attach Policy: Define and attach a policy to the IAM role to grant necessary permissions.

Authentication Mode Check

• Verify Authentication Mode: Ensure the current authentication mode allows API access.
  • If not: Update the cluster authentication mode to permit API access.

Access Entry Configuration

• Create Access Entry: Establish a new access entry in the EKS cluster.
• Associate Access Policy: Link the access policy with the created access entry.
• Update Access Entry: Apply the latest configurations to the access entry.

VPC and Security Group Setup

• Describe VPCs: Identify the appropriate VPC for the Lambda function.
• Create Security Group: Define a security group to manage Lambda function traffic.
• Set Ingress Rules: Configure ingress rules for the security group.

VPC Endpoint Creation

• Create VPC Endpoint for eks-auth: Establish a VPC endpoint for EKS authentication.
• Check for Errors: Verify if there are any errors during the creation of the VPC endpoint.
  • If errors: Handle and log them.
• Verify VPC Endpoint Existence: Ensure the VPC endpoint already exists.
  • If exists: Proceed with the next steps.

Lambda Function Deployment

• Download Kubernetes Library: Fetch the necessary Kubernetes library.
• Publish AWS Lambda Layer: Publish a new layer version for the AWS Lambda function.
• Create Lambda Code: Develop the Lambda function code.
• Zip Lambda Code: Compress the Lambda function code for deployment.
• Create AWS Lambda Function: Deploy the Lambda function using the zipped code.

Resolution

• Final Verification: Ensure all operations have been successfully completed.
• Completion: Confirm the deployment process is finished, ensuring robust management of EKS authentication through AWS Lambda.

This playbook provides a comprehensive, automated approach to deploying an AWS Lambda function for managing resources within an EKS cluster, efficiently handling all configurations and potential errors.

Required Integration

AWS IAM (Identity and Access Management)

• AWS IAM API Documentation
• Cortex XSOAR AWS IAM Integration

AWS EC2 (Elastic Compute Cloud)

• AWS EC2 API Documentation
• Cortex XSOAR AWS EC2 Integration

AWS EKS (Elastic Kubernetes Service)

• AWS EKS API Documentation
• Cortex XSOAR AWS EKS Integration

AWS Lambda

• AWS Lambda API Documentation
• Cortex XSOAR AWS Lambda Integration.

The playbook will create the unclaimed S3 bucket.

This playbook provides response actions to AWS. The following are available for execution automatically/manually:

• Resource remediation:
  • Terminate the instance
  • Stop the instance
• Identity remediation:
  • Delete the user
  • Revoke the user's credentials
  • Access key remediation:
  • Disable the access key
  • Delete the access key
  • Block indicators.

Automation to determine which interface on an EC2 instance has an over-permissive security group, determine which security groups have over-permissive rules, and replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.

Determine AWS account hierarchy by looking up parent objects until the organization level is reached.

This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.

Given the IP address this playbook enriches EC2 and IAM information.

This playbook automates the removal of an AWS Lambda function and its associated resources used for managing resources within an Amazon EKS cluster. It ensures all related roles, policies, and security configurations are properly detached and deleted.

Resource Detachment and Deletion

• Get the Lambda Role: Retrieve the IAM role associated with the Lambda function.
• Detach Policy from Lambda Role: Remove the policy attached to the Lambda role.
• Delete IAM Role: Delete the IAM role that was used for the Lambda function.
• Delete Lambda Policy: Remove the policy specifically created for the Lambda function.
• Delete Security Group: Delete the security group that was managing the Lambda function's traffic.

Access Entry Check

• Check if Access Entry was Created: Verify if the access entry for the EKS cluster was created.
  • If YES: Proceed to delete additional resources.
  • If NO: Skip the deletion of additional resources.

Additional Resource Deletion

• Delete Kubernetes Layer: Remove the Kubernetes layer that was used by the Lambda function.
• Delete Lambda Function: Delete the Lambda function itself, ensuring all related code and configurations are removed.

Resolution

• Final Cleanup: Ensure all specified resources have been deleted successfully.
• Completion: Confirm that the removal process is complete, providing a clean environment free from the previously deployed Lambda function and its configurations.

This playbook provides a comprehensive, automated approach to removing an AWS Lambda function and its related resources, ensuring all configurations and dependencies are properly managed and deleted.

Required Integration

AWS IAM (Identity and Access Management)

• AWS IAM API Documentation
• Cortex XSIAM AWS IAM Integration

AWS EC2 (Elastic Compute Cloud)

• AWS EC2 API Documentation
• Cortex XSIAM AWS EC2 Integration

AWS Lambda

• AWS Lambda API Documentation
• Cortex XSIAM AWS Lambda Integration.

AWS Credentials Rotation Playbook

Identity Remediation

Secure compromised accounts by taking swift action:

• Reset Password: Resets the user password to halt any unauthorized access.

• Access Key Deactivation: Deactivate any suspicious or known-compromised access keys.

• Combo Action: In some cases, you may want to reset both the password and deactivate the access key for absolute security.

Role Remediation

If a role is suspected to be compromised:

• Deny Policy Implementation: Attach a deny-all policy to the compromised role, thus preventing it from performing any further actions.

• Role Cloning: Before outright remediation, clone the role. This ensures that you have a backup with the same permissions, making transition smoother.

This playbook provides response actions to AWS. The following are available for execution automatically/manually:

• Resource remediation:
  • Terminate the instance
  • Stop the instance
• Identity remediation:
  • Delete the user
  • Revoke the user's credentials
  • Access key remediation:
  • Disable the access key
  • Delete the access key
  • Block indicators.

The playbook sends a HTTP get response to the hostname and validates if there is missing bucket information.

Replace current security groups with limited access security groups.

This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:

• Failed login attempt
• Suspicious activities
• API access denied
• Administrative user activities
• Security rules and policies changes
• Access keys and access token activities
• Script-based user agent usage
• User role changes activities
• MFA device changes activities

This playbook automates the deployment of an AWS Lambda function to manage resources within an Amazon EKS cluster. It ensures that all necessary configurations are created, updated, and verified.

Setup

• Describe EKS Cluster: Gather essential details of the EKS cluster.
• Create IAM Role: Set up a new IAM role for the Lambda function.
• Create and Attach Policy: Define and attach a policy to the IAM role to grant necessary permissions.

Authentication Mode Check

• Verify Authentication Mode: Ensure the current authentication mode allows API access.
  • If not: Update the cluster authentication mode to permit API access.

Access Entry Configuration

• Create Access Entry: Establish a new access entry in the EKS cluster.
• Associate Access Policy: Link the access policy with the created access entry.
• Update Access Entry: Apply the latest configurations to the access entry.

VPC and Security Group Setup

• Describe VPCs: Identify the appropriate VPC for the Lambda function.
• Create Security Group: Define a security group to manage Lambda function traffic.
• Set Ingress Rules: Configure ingress rules for the security group.

VPC Endpoint Creation

• Create VPC Endpoint for eks-auth: Establish a VPC endpoint for EKS authentication.
• Check for Errors: Verify if there are any errors during the creation of the VPC endpoint.
  • If errors: Handle and log them.
• Verify VPC Endpoint Existence: Ensure the VPC endpoint already exists.
  • If exists: Proceed with the next steps.

Lambda Function Deployment

• Download Kubernetes Library: Fetch the necessary Kubernetes library.
• Publish AWS Lambda Layer: Publish a new layer version for the AWS Lambda function.
• Create Lambda Code: Develop the Lambda function code.
• Zip Lambda Code: Compress the Lambda function code for deployment.
• Create AWS Lambda Function: Deploy the Lambda function using the zipped code.

Resolution

• Final Verification: Ensure all operations have been successfully completed.
• Completion: Confirm the deployment process is finished, ensuring robust management of EKS authentication through AWS Lambda.

This playbook provides a comprehensive, automated approach to deploying an AWS Lambda function for managing resources within an EKS cluster, efficiently handling all configurations and potential errors.

Required Integration

AWS IAM (Identity and Access Management)

• AWS IAM API Documentation
• Cortex XSIAM AWS IAM Integration

AWS EC2 (Elastic Compute Cloud)

• AWS EC2 API Documentation
• Cortex XSIAM AWS EC2 Integration

AWS EKS (Elastic Kubernetes Service)

• AWS EKS API Documentation
• Cortex XSIAM AWS EKS Integration

AWS Lambda

• AWS Lambda API Documentation
• Cortex XSIAM AWS Lambda Integration.

The playbook will create the unclaimed S3 bucket.