README
¶
Uguisu 
uguisu is AWS CDK Construct to monitor suspicious activity regarding AWS resource. uguisu watches CloudTrail logs and monitors changes of AWS resources. It also have rules to detect an event of interest regarding security. A part of rules is based on AWS CIS benchmark. uguisu notifies detail to Slack channel when detecting an event of interest like following.
By the way, the name of the tool comes from uguisubari (鶯張り) that is floors to alarm someone is incoming by a chirping sound when walked upon. In English, it is called Nightingale floor. See wikipedia for more detail.
Rules
- Based on AWS CIS Benchmark
- 3.1: Unauthorized API calls monitoring
- 3.2: Management Console sign-in without MFA
- 3.3: Usage of root account
- 3.4: IAM policy changes
- 3.5: CloudTrail configuration changes
- 3.6: AWS Management Console authentication failures
- 3.7: Disabling or scheduled deletion of customer created CMKs
- 3.8: S3 bucket policy changes
- 3.9: AWS Config configuration changes
- 3.10: Security group changes
- 3.11: Network Access Control Lists (NACL)
- 3.12: Changes to network gateways
- 3.13: Route table changes
- 3.14: VPC changes
- Original
- EC2: Create and destroy an instance
- RDS: Create and destroy an instance
- ACM: Change a certification
How to use
0. Prerequisites
CDK tools
See official getting started page. https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html. Please install CDK tools.
Slack Incoming Webhook URL
See https://api.slack.com/messaging/webhooks to create your Incoming Webhook URL. You can get URL like this:
https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
Setup CloudTrail logging to S3 and SNS topic
Also CloudTrail logs are required to monitor AWS resources. uguisu requires not only CloudTrail logs but also SNS topic to notify s3:ObjectCreated:* event from S3 bucket.
- Enable CloudTrail and logging to S3: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html
- Change S3 bucket policy: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
- Configure S3 event notification to SNS: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html
1. Create your new CDK project
$ mkdir your-cdk-app
$ cd your-cdk-app
$ cdk init --language typescript
2. Install Uguisu module
$ npm install uguisu
3. Write your construct
Put construct code to bin/your-cdk-app.ts like following. Please replace s3BucketName , snsTopicARN and slackWebhookURL.
#!/usr/bin/env node
import "source-map-support/register";
import * as cdk from "@aws-cdk/core";
import { UguisuStack } from "uguisu";
const app = new cdk.App();
new UguisuStack(app, "secops-uguisu", {
s3BucketName: "your-cloudtrail-logs-bucket",
snsTopicARN: "arn:aws:sns:ap-northeast-1:1234567890:your-cloudtrail-event-topic",
slackWebhookURL: "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
});
4. Deploy your construct
$ cdk deploy
License
MIT License
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Uguisu ¶
type Uguisu struct {
NewS3 adaptor.S3ClientFactory
HTTPClient adaptor.HTTPClient
Rules *models.RuleSet
Filters AlertFilters
SlackWebhookURL string `env:"SLACK_WEBHOOK_URL"`
}
Uguisu is main procedure of the package
func (*Uguisu) Start ¶
func (x *Uguisu) Start()
Start invokes lambda.Start via golambda.Start. Start() manage not only main procedure but also error handling. Then a developer to use uguisu need to configure uguisu before calling Start().
func (*Uguisu) Test ¶
func (x *Uguisu) Test(records []*models.CloudTrailRecord) []*models.CloudTrailRecord
Test invokes uguisu.run to make rule test easy
Source Files
Directories