Serverless Security Group Sentry
If one of your staff members (inadvertently or mischievously) modifies your VPC security group to allow SSH access to the world, you want the change to be reverted automatically and then to receive a notification that the change to the security group was reverted.
Automatically Revert and Receive Notifications About Changes to Your Amazon VPC Security Groups
Here is how the process works:
- Someone adds a new ingress rule to any security group
- A CloudWatch Events rule that continually monitors changes to your security groups detects the new ingress rule and invokes the Lambda function
- The Lambda function determines whether you are monitoring this security group
- If so, it reverts the new security group ingress rule
- Optionally: it sends you an SNS notification email (or a Slack message, as the script here does) to let you know what the change was, who made it, and that the change was reverted
Pre-Requisites
We will need the following pre-requisites to successfully complete this activity:
- AWS CloudTrail must be enabled in the AWS Region where the solution is deployed (the trigger is a CloudTrail API-call event, so without a trail nothing fires)
- An IAM Role, i.e. a Lambda service role, with EC2FullAccess permissions. You may use an inline policy with more restrictive permissions instead: the function only needs ec2:RevokeSecurityGroupIngress and ec2:RevokeSecurityGroupEgress on the monitored groups, plus the CloudWatch Logs permissions from the basic Lambda execution role
The SG-Sentry-Bot architecture diagram (not reproduced here) shows the execution order, which should not be confused with the numbering of the steps given below.
Step 1 - Configure Lambda Function
The script below is written in Python 2.7; remember to choose the same runtime in AWS Lambda. (AWS has since deprecated the Python 2.7 Lambda runtime, so on a current account select a Python 3 runtime and port the script accordingly.)
Change the global variables at the top of the script to suit your needs. The Slack settings are read from environment variables:
...
slack_channel = os.environ['slack_channel']
slack_hook_url = os.environ['slack_hook_url']
...
After pasting the code, scroll down and create an environment variable with the key security_group_id and, as its value, the ID of the security group that we need to monitor. Add slack_channel and slack_hook_url the same way if you want Slack notifications. Save the Lambda function.
Step 2 - Configure Lambda Triggers
We are going to use a CloudWatch Events rule that is triggered by the CloudTrail API call events:
- Choose Create a new Rule
- Fill in the Rule Name & Rule Description
- For Rule Type, choose Event pattern
- Below that, choose EC2 as the service
- In the next field, choose AWS API call via CloudTrail
- Check the Operation box
- In the field below, type/choose both AuthorizeSecurityGroupIngress & AuthorizeSecurityGroupEgress
- Enable the trigger by checking the box
- Click on Add and Save the Lambda function
Only the Authorize* operations are matched, so the Revoke* call the function makes when it reverts a rule does not re-trigger the rule and cannot loop.
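The following is an added example, not the page's own SG-Sentry-Bot script, that ties Step 1 and Step 2 together in Python 3: it applies the event pattern the console builds in Step 2, rebuilds the exact rule that was added from the CloudTrail request parameters, and revokes it outright (as the process overview describes) rather than rewriting it to a fixed address. The env var names security_group_id, slack_hook_url and slack_channel are the page's; accepting a comma-separated list of group IDs is an extension. The security group ID, account ID, user name and the RecordingEC2 stand-in for the boto3 client are constructed for offline demonstration.

```python
# Added example, not the page's own SG-Sentry-Bot script: a Python 3 Lambda handler that
# applies the Step 2 event pattern, rebuilds the added rule from the CloudTrail event and
# revokes it. Assumes boto3 (present in Lambda) and the page's env vars security_group_id
# (a comma-separated list is also accepted here) plus optional slack_hook_url/slack_channel.
import json
import os
import urllib.request

# The CloudWatch Events rule from Step 2, written as an event pattern.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"]},
}
# CloudTrail's camelCase request parameters -> boto3 IpPermissions field names.
SCALARS = {"ipProtocol": "IpProtocol", "fromPort": "FromPort", "toPort": "ToPort"}
LISTS = {  # cloudtrail key: (boto3 key, cloudtrail item key, boto3 item key)
    "ipRanges": ("IpRanges", "cidrIp", "CidrIp"),
    "ipv6Ranges": ("Ipv6Ranges", "cidrIpv6", "CidrIpv6"),
    "prefixListIds": ("PrefixListIds", "prefixListId", "PrefixListId"),
    "groups": ("UserIdGroupPairs", "groupId", "GroupId"),
}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """Event-pattern semantics: each pattern key must exist and hold a listed value; dicts recurse."""
    for key, allowed in pattern.items():
        value = event.get(key) if isinstance(event, dict) else None
        if isinstance(allowed, dict):
            if not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True

def to_boto_permissions(items):
    """Rebuild the exact IpPermissions list revoke_security_group_ingress/egress expects."""
    perms = []
    for item in items:
        perm = {dst: item[src] for src, dst in SCALARS.items() if src in item}
        for src, (dst, sub_src, sub_dst) in LISTS.items():
            entries = (item.get(src) or {}).get("items") or []
            if entries:
                perm[dst] = [{sub_dst: e[sub_src]} for e in entries if sub_src in e]
        perms.append(perm)
    return perms

def plan_revert(event, monitored):
    """Return (group_id, direction, perms) to revoke, or None when nothing should happen."""
    if not matches_pattern(event):
        return None
    detail = event["detail"]
    if detail.get("errorCode"):          # the Authorize call failed: nothing was added
        return None
    params = detail.get("requestParameters") or {}
    group_id = params.get("groupId")
    if group_id not in monitored:        # only groups listed in security_group_id
        return None
    perms = to_boto_permissions((params.get("ipPermissions") or {}).get("items") or [])
    if not perms:
        return None
    return group_id, "ingress" if detail["eventName"].endswith("Ingress") else "egress", perms

def notify_slack(text):
    url = os.environ.get("slack_hook_url")   # skipped when the webhook is not configured
    if not url:
        return False
    body = json.dumps({"channel": os.environ.get("slack_channel", ""), "text": text}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=5).read()
    return True

def lambda_handler(event, context=None, ec2=None, monitored=None):
    if monitored is None:
        monitored = {g.strip() for g in os.environ.get("security_group_id", "").split(",") if g.strip()}
    plan = plan_revert(event, monitored)
    if plan is None:
        return {"reverted": False}
    group_id, direction, perms = plan
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    # Same IpPermissions shape the Authorize call used, so only the new rule is removed.
    getattr(ec2, "revoke_security_group_" + direction)(GroupId=group_id, IpPermissions=perms)
    ident = event["detail"].get("userIdentity") or {}
    who = ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")
    notify_slack("SG-Sentry-Bot reverted %s rule on %s added by %s: %s" % (direction, group_id, who, json.dumps(perms)))
    return {"reverted": True, "group": group_id, "direction": direction, "by": who, "rules": perms}

class RecordingEC2:  # offline stand-in for boto3's EC2 client, so the flow runs without AWS
    def __init__(self): self.calls = []
    def revoke_security_group_ingress(self, **kw): self.calls.append(("ingress", kw))
    def revoke_security_group_egress(self, **kw): self.calls.append(("egress", kw))

# Constructed sample: what CloudWatch Events delivers for the Step 3 test (SSH from anywhere).
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                                         "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]},
        },
    },
}
```

Deploy lambda_handler as the function's handler; the event CloudWatch Events passes in has the shape of SAMPLE_EVENT. Passing the request parameters back to the Revoke call unchanged is what makes the revert surgical: pre-existing rules on the group are untouched, and a rule that also named another security group or a prefix list is removed in full. Note that this is a detective control with a short window between the Authorize call and the revoke (CloudTrail delivery is not instantaneous), so pair it with IAM policies that keep most principals from authorizing 0.0.0.0/0 in the first place.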
Step 3 - Testing the solution
Navigate to the EC2 console, choose Security Groups and select the security group that we are monitoring. Add a new inbound rule, for example SSH on port 22 from 0.0.0.0/0.
Adding this rule creates an EC2 AuthorizeSecurityGroupIngress service event, which triggers the Lambda function.
After a few moments, choose the refresh button (the "refresh" icon) to see that the new ingress rule you just created has been restricted by the solution to the specific IP address configured in the script (in this example a Google DNS IPv6 address). If nothing changes, check the function's CloudWatch Logs and confirm that CloudTrail is enabled in the Region and that the role can call ec2:RevokeSecurityGroupIngress.
Summary
Restrict or revert the security group change, add a description to the rule explaining why, and send a notification to Slack.