# Incident Response Playbook with Jupyter - AWS IAM 

## Authors

- Byron Pogson, Solutions Architect, AWS
- Ben Potter, Security Lead, Well-Architected, AWS

## Contents

1. [Getting Started](#getting_started)
2. [Access Key Investigation](#access_key)
3. [User Investigation](#user)
4. [Role Investigation](#role)
5. [Containment](#containment)
6. [Interesting API Requests](#other_investigations)

# 1. Getting Started <a name="getting_Started"></a>

## 1.1 Understanding Jupyter Notebooks

Juypyter notebooks are a tool that allow us to combine instructions, easily editable incident response process, and the code we need to investigate a potential incident.

A notebook is made up of a series of "cells". These cells allow us to enter discrete pieces of content which can be executed. Each cell has a type of content and can be executed, for example markdown or code. Read the instructions for each cell, modify the variables or even the code and click Run.

## 1.2 Prerequisites

Python 3  
Python modules required:
[Jupyter](https://jupyter.org/install) for the runbook itself, [Boto3](https://boto3.amazonaws.com) AWS SDK for Python, [Pandas](https://pandas.pydata.org/) for output.


In [None]:
# Import required Python modules
import boto3
import pandas as pd
import json
from datetime import datetime, timedelta
import time
import incident_response_helpers as helpers
import platform

# Set AWS Region
region = 'ap-southeast-2'

# Set Pandas column width
pd.set_option('max_colwidth', 800)
pd.set_option('max_rows', 500)

#Prints Python version, 3.7.x recommended    
print ('Python:  ' + platform.python_version())

# Prints Boto 3 version
print ('Boto 3:  ' + boto3.__version__)

## 1.3 Find your CloudTrail Log Group Name

[Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) can be used to monitor, store, and access your log files from many different sources including AWS CloudTrail. The following API call lists all your log groups so you can find yours, then enter the name you used for your log group in the next step.

In [None]:
# Prints all CloudWatch Log groups
client = boto3.client('logs', region_name=region)
response = client.describe_log_groups(limit=50)
print(json.dumps(response, indent=1, default=str))

Set your CloudTrail log group name as a variable for future use, note the default log group is already entered:

In [None]:
cloudtrail_log_group = 'CloudTrail/DefaultLogGroup'


# 2. Access Key Investigation <a name="access_key"></a>

This section performs searches based on an access key. Modify the example access key variable e.g. `AKIAIOSFODNN7EXAMPLE` and the number of days to search back from today.

In [None]:
access_key_to_investigate = 'AKIAIOSFODNN7EXAMPLE'
previous_days_to_search = 31

## 2.1 Access Key Last Use & Owner

Search for the user who owns an access key, and the last time it was used. If the ServiceName and Region return as 'N/A' the access key has not been used in last 365 days.

In [None]:
client = boto3.client('iam', region_name=region)
response = client.get_access_key_last_used(AccessKeyId=access_key_to_investigate)
print (json.dumps(response, indent=1, default=str))

## 2.2 Access Key Created By

Search for who created the access key.

In [None]:
query = 'filter responseElements.accessKey.accessKeyId ="' + access_key_to_investigate + '" | fields eventTime, userIdentity.arn, eventSource, eventName, sourceIPAddress, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

## 2.3 Actions Performed By Access Key

Search for actions performed by the access key.

In [None]:
query = 'filter userIdentity.accessKeyId ="' + access_key_to_investigate + '" | fields eventTime, awsRegion, eventSource, eventName, sourceIPAddress, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

# 3. User Investigation <a name="user"></a>

This section performs searches based on a user. Modify the example username variable e.g. `test` and the number of days to search back from today.

In [None]:
username = 'test'
previous_days_to_search = 31

## 3.1 Actions Performed By Username

Search for actions performed by the `username`.

In [None]:
query = 'filter userIdentity.userName like "' + username + '" | fields eventTime, awsRegion, eventSource, eventName, errorCode, errorMessage, sourceIPAddress, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)

formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

## 3.2 Users Recently Created

Searches for users recently created.

In [None]:
query = 'filter eventName="CreateUser" | fields eventTime, requestParameters.userName, responseElements.user.arn, userIdentity.arn, responseElements.role.arn, sourceIPAddress, errorCode, userAgent, errorMessage'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

# 4. Role Investigation <a name="role"></a>

This section performs searches based on a role. Modify the example rolename variable e.g. `test-role` and the number of days to search back from today.

In [None]:
rolename = 'test-role'
previous_days_to_search = 31

## 4.1 Actions Performed By Role

Search for actions performed by the `rolename`.

In [None]:
query = 'filter userIdentity.sessionContext.sessionIssuer.userName = "' + rolename + '" | fields eventTime, awsRegion, eventSource, eventName, errorCode, errorMessage, sourceIPAddress, userAgent'  
#Alternate based on arn: query = 'filter userIdentity.sessionContext.sessionIssuer.arn = "' + rolearn + '" | fields eventTime, awsRegion, eventName, eventSource, errorCode, errorMessage, sourceIPAddress, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

## 4.2 Roles Recently Created

Searches for roles recently created.

In [None]:
query = 'filter eventName="CreateRole" | fields eventTime, requestParameters.userName, responseElements.user.arn, userIdentity.arn, responseElements.role.arn, sourceIPAddress, errorCode, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)


# 5. Containment <a name="containment"></a>

## 5.1 Access Key Deactivate

Modify the example access key variable e.g. `AKIAIOSFODNN7EXAMPLE` and username variable e.g. `test` to disable an access key associated with a user from being used.

In [None]:
access_key_to_deactivate='AKIAIOSFODNN7EXAMPLE'
username='test'

iam = boto3.resource('iam', region_name=region)
access_key = iam.AccessKey(username,access_key_to_deactivate)
response_status = access_key.deactivate()
status_code = response_status['ResponseMetadata']['HTTPStatusCode']
if status_code == 200:
    print("Key Disabled Successfully")
else:
    print("Key deactivation failed")

## 5.2 Block User Access

Modify the username variable e.g. `test` to apply a policy that denies user actions.

In [None]:
username='test'

iam = boto3.client('iam', region_name=region)
response = iam.put_user_policy(UserName=username,PolicyName='Block',PolicyDocument='{"Version":"2012-10-17","Statement":{"Effect":"Deny","Action":"*","Resource":"*"}}')
status_code = response['ResponseMetadata']['HTTPStatusCode']
if status_code == 200:
    print("Policy attached successfully")
else:
    print("Policy attachment failed")

## 5.3 Block Role Access

Modify the rolename variable e.g. `test-role` to apply a policy that denies role actions.

In [None]:
rolename='test-role'

iam = boto3.client('iam', region_name=region)
response = iam.put_role_policy(RoleName=rolename,PolicyName='Block',PolicyDocument='{"Version":"2012-10-17","Statement":{"Effect":"Deny","Action":"*","Resource":"*"}}')
status_code = response['ResponseMetadata']['HTTPStatusCode']
if status_code == 200:
    print("Policy attached successfully")
else:
    print("Policy attachment failed")

# 6. Other Investigations <a name="other_investigations"></a>

Some API requests can reveal reconnaissance being performed.


## 6.1 Who Has Listed S3 Buckets

The listing of all S3 buckets can indicate someone performing reconnaissance.

In [None]:
previous_days_to_search = 1
query = 'filter eventName ="ListBuckets" | fields awsRegion, eventSource, eventName, sourceIPAddress, userAgent, eventTime'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

## 6.2 Actions From Specific IP

In [None]:
previous_days_to_search = 31
ip = '10.10.10.10'

query = 'filter sourceIPAddress = "' + ip + '" | fields awsRegion, userIdentity.arn, eventSource, eventName, sourceIPAddress, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

## 6.3 Recent Access Denied Attempts

In [None]:
previous_days_to_search = 1

query = 'filter errorCode like /Unauthorized|Denied|Forbidden/ | fields awsRegion, userIdentity.arn, eventSource, eventName, sourceIPAddress, userAgent'  
response = helpers.execute_log_query(cloudtrail_log_group, query, previous_days_to_search)
formatted_results = [helpers.convert_dictionary_to_object(r) for r in response['results']]
pd.DataFrame(formatted_results)

### Test Cell

In [None]:
#test cell
# Retrieve the list of existing buckets
s3 = boto3.client('s3', region_name=region)
response = s3.list_buckets()

# Output the bucket names
print('Existing buckets:')
for bucket in response['Buckets']:
    print(f'  {bucket["Name"]}')


## License

Licensed under the Apache 2.0 and MITnoAttr License.

Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

    https://aws.amazon.com/apache2.0/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.