Bonus Material
- Capital One Hack
- CloudFormation Deep Dive
- Threat Hunting with CloudTrail & GuardDuty
- Becoming an IAM Ninja
Lab Resources
Lab 1.1 Billing Alarms
This CloudFormation Template creates four billing alarms to alert you if your account is accruing charges beyond what is expected for this class.
- Template: https://sec545-labs.s3.amazonaws.com/cft/BillingAlarm-Template.yaml
- QuickLink - Be sure to scroll down and validate all the parameters before launching
Lab 2.2 VPC CloudFormation
Like learning long division in grade school, we do it the hard way before doing it the easy way. This CloudFormation Template has all the components needed to build a two-tier, three AZ VPC for the class.
- Template: https://sec545-labs.s3.amazonaws.com/cft/VPC-Template.yaml
- QuickLink to deploy in us-west-2
Lab 3.1 Bonus Commands
CLI method to create the IAM user and group (the role is built later in the lab):
aws iam create-user --user-name sec545-day3
aws iam create-login-profile --user-name sec545-day3 --password Passw0rd
aws iam attach-user-policy --user-name sec545-day3 --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam create-group --group-name s3-lab
aws iam add-user-to-group --user-name sec545-day3 --group-name s3-lab
Easy way to put files into your bucket:
aws s3 mb s3://sec545-3.1-YOURNAME
aws s3 sync s3://sec545-labs/Materials/lab3.1/bucket-contents/ s3://sec545-3.1-YOURNAME
Grant the group access to the Finance folder (AWS CLI v1 fetches the policy document from the URL; if your CLI does not follow URL parameters, download FinanceTeam.json first and pass --policy-document file://FinanceTeam.json):
aws iam put-group-policy --group-name s3-lab --policy-name finance --policy-document https://sec545-labs.s3.amazonaws.com/Materials/lab3.1/FinanceTeam.json
JSON for the above Finance access (replace sec545-3.1-jcf in the second Resource with your own bucket name):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowFinanceLevelListingOfBucket",
      "Action": ["s3:ListBucket*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::sec545-3.1-jcf"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["Finance/"]
        }
      }
    }
  ]
}
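To see why this policy lets the group list only the Finance/ prefix, here is a small policy evaluator written for this page (not course code and not IAM's real engine: it models only Allow statements with wildcard Action/Resource matching and the StringEquals operator, no explicit Deny). The bucket ARN is the lab's example value.

```python
import fnmatch

# The Lab 3.1 FinanceTeam policy as a Python dict (bucket name is the lab's example value).
FINANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
         "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowFinanceLevelListingOfBucket",
         "Effect": "Allow",
         "Action": ["s3:ListBucket*"],
         "Resource": ["arn:aws:s3:::sec545-3.1-jcf"],
         "Condition": {"StringEquals": {"s3:prefix": ["Finance/"]}}},
    ],
}


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match: * and ? are wildcards; Action is matched
    case-insensitively, Resource case-sensitively."""
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is modelled. A key missing from the request context fails
    the test, which is why listing the bucket root (no s3:prefix sent) is refused."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("operator not modelled: " + operator)
        for key, allowed_values in tests.items():
            if context.get(key) not in allowed_values:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified evaluation: implicit deny unless an Allow statement matches the
    action, the resource and all of its conditions (explicit Deny not modelled)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and _matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource, fold_case=False)
                and _condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False
```

Against the real policy the same outcomes show up as `aws s3 ls s3://sec545-3.1-jcf/Finance/` succeeding while `aws s3 ls s3://sec545-3.1-jcf/` and any `aws s3 cp` from the bucket are refused, because only listing under that one prefix is granted.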
Lab 3.2 Bonus Commands
Demo that we’re using the role:
aws sts get-caller-identity
MetaData hack:
role_name=$( curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ ) && echo $role_name
### All Your Creds Are Belong to Us!
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name}
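The two curl commands above are unauthenticated IMDSv1 requests; on an instance that requires IMDSv2 (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`) they return HTTP 401. Added example, not part of the course materials: an audit over the shape of `aws ec2 describe-instances` output that lists instances where the hack still works. The JSON, instance IDs and account number are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output; not real data.
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
 {"InstanceId": "i-0000000000000aaaa", "State": {"Name": "running"},
  "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/sec545-lab"},
  "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
 {"InstanceId": "i-0000000000000bbbb", "State": {"Name": "running"},
  "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/sec545-lab"},
  "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
 {"InstanceId": "i-0000000000000cccc", "State": {"Name": "running"},
  "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
]}]}
""")


def imdsv1_exposed(describe_output):
    """Instances on which the plain curl above still answers: the IMDS endpoint is
    enabled and session tokens (IMDSv2) are optional rather than required.
    Each finding notes whether an instance role is attached (so role credentials
    are actually served) and the hop limit (>1 lets containers or NAT'd hosts
    behind the instance reach IMDS too)."""
    findings = []
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled" or opts.get("HttpTokens") == "required":
                continue
            findings.append({"InstanceId": inst["InstanceId"],
                             "HasRole": "IamInstanceProfile" in inst,
                             "HopLimit": opts.get("HttpPutResponseHopLimit")})
    return findings


def remediation_commands(findings):
    """One CLI line per finding that makes IMDSv2 mandatory on that instance."""
    return ["aws ec2 modify-instance-metadata-options --instance-id {} "
            "--http-tokens required".format(f["InstanceId"]) for f in findings]


if __name__ == "__main__":
    for line in remediation_commands(imdsv1_exposed(DESCRIBE_INSTANCES)):
        print(line)
```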
Lab 5.1
Commands as standalone:
# This is not a bash script, but you can cut-n-paste from this
#
# Create a New Security Group
#
# Step 1: Navigate to the VPC Console and get your VPC ID or run the following command:
aws ec2 describe-vpcs --filter "Name=isDefault,Values=true" --query Vpcs[].VpcId --output table
aws ec2 describe-vpcs --filter "Name=isDefault,Values=true" --query Vpcs[].VpcId --output text
# The output of this is VPCID
# Step 2: Create a new security group with the CLI (replace <VPCID> with your own VPC ID).
aws ec2 create-security-group --group-name SEC545-CLILAB --description "Basic SEC545 securitygroup" --vpc-id <VPCID>
# The output of this is GROUPID. If you missed it, look the group up by name:
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`SEC545-CLILAB`].GroupId' --output text
# Step 3: The following command creates a rule in your security group to allow traffic in on port 22.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 22 --cidr 0.0.0.0/0
# Step 4: The following command creates a rule in your security group to allow traffic in on port 443.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 443 --cidr 0.0.0.0/0
# Step 5: Run the following command to query your security group details:
aws ec2 describe-security-groups --group-ids <GROUPID> --output table
#
# Create a New AWS EC2 Keypair (SSH Key)
#
# Step 1: Run the following command in the console to create an AWS keypair to use with EC2 instances.
aws ec2 create-key-pair --key-name SANS545Lab51 --query "KeyMaterial" --output text > SANS545Lab51.pem
chmod 600 SANS545Lab51.pem
#
# Create an EC2 Instance to Use Your New AWS EC2 Keypair
#
# Step 1: Retrieve the latest AWS EC2 Linux AMI.
aws ec2 describe-images --owners amazon --filters 'Name=description,Values=Amazon Linux AMI ????.??.? x86_64*' --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text
# Output of this is IMAGEID
# Step 2: Create an EC2 instance. Replace <IMAGEID> with the AMI ID from Step 1 and <GROUPID> with your security group ID.
aws ec2 run-instances --image-id <IMAGEID> --security-group-ids <GROUPID> --count 1 --instance-type t2.micro --key-name SANS545Lab51 --query "Instances[0].InstanceId" --output text
# The output of this is INSTANCE
aws ec2 describe-instances --instance-ids <INSTANCE>
# Step 3: Run the following command to get the public IP address, replacing <INSTANCE> with your instance ID.
aws ec2 describe-instances --instance-ids <INSTANCE> --query "Reservations[0].Instances[0].PublicIpAddress" --output text
# Step 4: To generate a sample JSON file to create instances, try the following:
aws ec2 run-instances --generate-cli-skeleton > RunInstances.json
#
# Query EC2 Instances
#
# Step 1: Run a query to list t2.micro instances. We should have one running.
aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro"
# Step 2: Now add a tag to your running instance – Key: Quarantine, Value: Yes
aws ec2 create-tags --resources <INSTANCE> --tags 'Key=Quarantine,Value=Yes'
# Step 3: Run a filter query looking for only the Quarantine tag in place.
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine"
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine" --query "Reservations[].Instances[].InstanceId" --output text
# Step 4: Find instances running on the xen hypervisor.
aws ec2 describe-instances --filters "Name=hypervisor,Values=xen" --query "Reservations[].Instances[].InstanceId" --output text
Commands as Bash:
# The same steps with each ID captured into a shell variable. Still meant to be cut-n-pasted line by line, not run as a script.
#
# Create a New Security Group
#
# Step 1: Navigate to the VPC Console and get your VPC ID or run the following command:
aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output table
VPCID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output text) && echo $VPCID
# Step 2: Create a new security group with the CLI, in the VPC captured above.
aws ec2 create-security-group --group-name SEC545-CLILAB --description "Basic SEC545 securitygroup" --vpc-id $VPCID
GROUPID=$(aws ec2 describe-security-groups --filters "Name=group-name,Values=SEC545-CLILAB" "Name=vpc-id,Values=$VPCID" --query 'SecurityGroups[].GroupId' --output text) && echo $GROUPID
# Step 3: The following command creates a rule in your security group to allow traffic in on port 22.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 22 --cidr 0.0.0.0/0
# Step 4: The following command creates a rule in your security group to allow traffic in on port 443.
aws ec2 authorize-security-group-ingress --group-name SEC545-CLILAB --protocol tcp --port 443 --cidr 0.0.0.0/0
# Step 5: Run the following command to query your security group details:
aws ec2 describe-security-groups --group-ids $GROUPID --output table
#
# Create a New AWS EC2 Keypair (SSH Key)
#
# Step 1: Run the following command in the console to create an AWS keypair to use with EC2 instances.
aws ec2 create-key-pair --key-name SANS545Lab51 --query "KeyMaterial" --output text > SANS545Lab51.pem
chmod 600 SANS545Lab51.pem
#
# Create an EC2 Instance to Use Your New AWS EC2 Keypair
#
# Step 1: Retrieve the latest AWS EC2 Linux AMI.
IMAGEID=$(aws ec2 describe-images --owners amazon --filters 'Name=description,Values=Amazon Linux AMI ????.??.? x86_64*' --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text) && echo $IMAGEID
# Step 2: Create an EC2 instance using the AMI and security group captured above.
INSTANCE=$(aws ec2 run-instances --image-id $IMAGEID --security-group-ids $GROUPID --count 1 --instance-type t2.micro --key-name SANS545Lab51 --query "Instances[0].InstanceId" --output text) && echo $INSTANCE
aws ec2 describe-instances --instance-ids $INSTANCE
# Step 3: Run the following command to get the public IP address of that instance.
aws ec2 describe-instances --instance-ids $INSTANCE --query "Reservations[0].Instances[0].PublicIpAddress" --output text
# Step 4: To generate a sample JSON file to create instances, try the following:
aws ec2 run-instances --generate-cli-skeleton > RunInstances.json
#
# Query EC2 Instances
#
# Step 1: Run a query to list t2.micro instances. We should have one running.
aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro"
# Step 2: Now add a tag to your running instance – Key: Quarantine, Value: Yes
aws ec2 create-tags --resources $INSTANCE --tags 'Key=Quarantine,Value=Yes'
# Step 3: Run a filter query looking for only the Quarantine tag in place.
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine"
aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine" --query "Reservations[].Instances[].InstanceId" --output text
# Step 4: Find instances running on the xen hypervisor.
aws ec2 describe-instances --filters "Name=hypervisor,Values=xen" --query "Reservations[].Instances[].InstanceId" --output text
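Steps 3 and 4 of the security group section open ports 22 and 443 to 0.0.0.0/0, which is acceptable for a throwaway lab but is exactly the rule an account audit should flag. Added example, not course code: a check over the shape of `aws ec2 describe-security-groups` output that reports admin ports (22, 3389) reachable from any IPv4 or IPv6 address, including all-traffic (protocol -1) rules. The JSON and the group/VPC IDs are constructed placeholders; the first group mirrors the lab's SEC545-CLILAB.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output; not real data.
DESCRIBE_SGS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0000000000000aaaa", "GroupName": "SEC545-CLILAB", "VpcId": "vpc-00000000",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0000000000000bbbb", "GroupName": "bastion-internal", "VpcId": "vpc-00000000",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0000000000000cccc", "GroupName": "wide-open", "VpcId": "vpc-00000000",
  "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]}
]}
""")

ADMIN_PORTS = {22, 3389}          # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}     # "anywhere" in IPv4 and IPv6


def rule_covers_port(perm, port):
    """True when one IpPermissions entry includes `port`; protocol -1 is all traffic
    and carries no port range at all."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_admin(describe_output, ports=ADMIN_PORTS):
    """Return (GroupId, GroupName, port) for every admin port reachable from any address."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            for port in sorted(ports):
                if rule_covers_port(perm, port):
                    findings.append((sg["GroupId"], sg["GroupName"], port))
    return findings
```

To tighten the lab group itself, revoke the rule with `aws ec2 revoke-security-group-ingress --group-id $GROUPID --protocol tcp --port 22 --cidr 0.0.0.0/0` and re-add it with `--cidr <your public IP>/32`.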
Lab 5.4
- List of CloudWatch Alarms from the CIS Benchmarks for AWS - https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json