AWS Incident Response Kit (AIRK)
The idea of this is to have a module (plugin) based AWS response tool.
Using
Installation
If preferred, set up a virtualenv:
virtualenv -p python3 venv
source venv/bin/activate
- Install boto3 -
pip install boto3
Help
python .\aws_respond.py --help
usage: aws_respond.py [-h] [--module MODULE] [--listmodules] [--moduledetails]
[--dryrun DRYRUN]
[--instanceids INSTANCEIDS [INSTANCEIDS ...]]
[--sgids SGIDS [SGIDS ...]]
[--vpcids VPCIDS [VPCIDS ...]]
[--usernames USERNAMES [USERNAMES ...]]
[--accesskeyids ACCESSKEYIDS [ACCESSKEYIDS ...]]
[--values VALUES [VALUES ...]]
AWS Incident Response Kit (AIRK).
optional arguments:
-h, --help show this help message and exit
--module MODULE Specify the module (action) you want to run.
--listmodules Lists all of the available modules (actions).
--moduledetails Lists descriptions of the available modules.
--dryrun DRYRUN If you want to run a dryrun first before going live
with a module.
--instanceids INSTANCEIDS [INSTANCEIDS ...]
Instance ID(s).
--sgids SGIDS [SGIDS ...]
Security Group ID(s).
--vpcids VPCIDS [VPCIDS ...]
VPC ID(s).
--usernames USERNAMES [USERNAMES ...]
Username(s)
--accesskeyids ACCESSKEYIDS [ACCESSKEYIDS ...]
Access key(s) ID.
--values VALUES [VALUES ...]
These are values that are needed for modules to work
properly. This can be anything.
List Modules
python .\aws_respond.py --listmodules
disableaccesskeys
ec2profiler
secgprofiler
userlogins
Get Module Details
python .\aws_respond.py --moduledetails
USERLOGINS
Module: userlogins
Author: Patrick Olsen
Version: 0.1
Date: 2018-09-13
Description: Lists the user logins. Includes username, userid, created date and password last used date.
Running a module:
This is an example of running the userlogins module. The modules can be anything you create and then just pass them as --module <module_name>
Each module should have a .module description file as well. This gives information about the module.
I will develop more as time goes on. Feel free to add any you find interesting.
python .\aws_respond.py --module userlogins --dryrun False
[
{
"UserName": "dfir",
"UserId": "AID<snip>HKW",
"CreateDate": "2018-08-13T20:47:17+00:00",
"PasswordLastUsed": null
},
{
"UserName": "polsen",
"UserId": "AID<snip>KWUY",
"CreateDate": "2017-10-12T18:38:32+00:00",
"PasswordLastUsed": "2018-09-17T11:23:22+00:00"
}
]
It's possible to disable all of the access keys for one or more users using the disableaccesskeys module.
python .\aws_respond.py --module disableaccesskeys --usernames dfirtest polsen
[
{
"UserName": "dfirtest",
"AccessKeyId": "AK<snip>DQ",
"Result": "Successful"
},
{
"UserName": "dfirtest",
"AccessKeyId": "AK<snip>7A",
"Result": "Successful"
},
{
"UserName": "polsen",
"AccessKeyId": "AK<snip>CA",
"Result": "Successful"
},
{
"UserName": "polsen",
"AccessKeyId": "AK<snip>DQ",
"Result": "Successful"
}
]
Security Group Profiler. Enumerates instances, then enumerates the ENIs and returns From/To Ports and Protcols along with the allowed Cidr address ranges.
Needs more testing on a larger AWS environment. Only tested in my lab.
python .\aws_respond.py --module secgprofiler --dryrun False
[
{
"ENI": "eni-0c2<snip>b1fcc",
"InstID": "i-0c<snip>77216",
"PublicIP": "x.x.x.x",
"PrivateIP": "10.0.0.51",
"SGId": "sg-0de<snip>f342ffc",
"FromPort": "80",
"Protocol": "tcp",
"ToPort": "80",
"CidrRanges": "[{'CidrIp': '0.0.0.0/0'}]"
},
{
"ENI": "eni-0c2<snip>1b1fcc",
"InstID": "i-0ca<snip>77216",
"PublicIP": "x.x.x.x",
"PrivateIP": "10.0.0.51",
"SGId": "sg-0de5<snip>ef342ffc",
"FromPort": "22",
"Protocol": "tcp",
"ToPort": "22",
"CidrRanges": "[{'CidrIp': 'x.x.x.x/32'}, {'CidrIp': 'x.x.x.x/32'}, {'CidrIp': '0.0.0.0/0'}]"
},
{
"ENI": "eni-0c2<snip>1b1fcc",
"InstID": "i-0ca<snip>7216",
"PublicIP": "x.x.x.x",
"PrivateIP": "10.0.0.51",
"SGId": "sg-0de<snip>f342ffc",
"FromPort": "443",
"Protocol": "tcp",
"ToPort": "443",
"CidrRanges": "[{'CidrIp': '0.0.0.0/0'}]"
},
{
"ENI": "eni-0ce3<snip>2e6610",
"InstID": "i-02bb<snip>633b3",
"PublicIP": "x.x.x.x",
"PrivateIP": "10.0.0.62",
"SGId": "sg-b9ddc1cb",
"FromPort": "443",
"Protocol": "All",
"ToPort": "443",
"CidrRanges": "[]"
},
{
"ENI": "eni-03<snip>0b7fa2",
"InstID": "i-02b<snip>633b3",
"PublicIP": "No Association",
"PrivateIP": "10.0.0.44",
"SGId": "sg-b9ddc1cb",
"FromPort": "443",
"Protocol": "All",
"ToPort": "443",
"CidrRanges": "[]"
}
]