securityautomation-demo-project

CI checks (badges): tflint, tfsec, yamllint, misspell, pre-commit-check

A Terraform repository based on the securityautomation-demo-project example repository maintained by Rhythmic. This project maps to the included PowerPoint presentation, which demonstrates how to use Terraform to drive and manage AWS-native security functions.

Pre-requisites

The demo integrates with PagerDuty, Jira and Slack. Webhooks for PagerDuty and Slack are required. Jira requires a Secrets Manager secret to be created with an API token, along with a series of environment variables. This demo will still work if the integrations are not in place, though obviously its usefulness as a demo will be reduced.

Initial Setup

There is a handy setup script at bin/setup.sh which will create a Terraform S3 backend with locking via DynamoDB and add its resources to your remote state.

  1. Have an AWS account that is relatively unconfigured.
  2. Install the prerequisites
    • git
    • terraform (We use tfenv to manage terraform versions)
    • pre-commit
    • GNUMake
  3. Provide authentication for the AWS provider
  4. Set environment variables (or update account/default.tfvars):
    export TF_VAR_alert_webhook="[PAGERDUTY WEBHOOK]"
    export TF_VAR_notify_webhook="[SLACK WEBHOOK]"
    export TF_VAR_monitoring_jira_api_token_secret_name="[SECRET_NAME]" # use the name of the secret, not the ARN
    export TF_VAR_monitoring_jira_issue_type="[JIRA_ISSUE_TYPE]"
    export TF_VAR_monitoring_jira_project="[JIRA_PROJECT]"
    export TF_VAR_monitoring_jira_url="[JIRA_URL]"
    export TF_VAR_monitoring_jira_username="[JIRA_USERNAME]"
    export TF_VAR_slack_channel="[SLACK_CHANNEL]" # include the hash in the channel name
  5. Clone the repo: git clone https://github.com/cdaniluk/securityautomation-demo-project.git
  6. Update the values for the backend in account/backend.auto.tfvars
  7. Run the setup with make setup
  8. Run make apply in the account, demo and security projects.

What It Does

Once fully applied, the following will be in place:

  • CloudTrail logging to an S3 bucket and CloudWatch Log Group
  • An IAM password policy
  • An S3 bucket for bucket access logging
  • An EC2 keypair that can be used if running GuardDuty Tester
  • A simple Lambda that logs random strings, along with a CloudWatch Event that triggers it every minute
  • GuardDuty with notifications routing to PagerDuty
  • CloudWatch Metric Filters/Alerts for all CIS required search strings routing to Slack
  • AWS Config with notifications routing to Jira (note that no rules are created, so no notifications will actually occur)
  • A CloudWatch Metric Filter/Alert that fires when the string INVALID AUTHENTICATION ATTEMPT is found in the logs
  • SecurityHub with notifications routing to Slack (this is quite noisy)
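As an added illustration of the metric-filter-plus-alarm pattern listed above (this is example HCL written for this page, not code from the securityautomation-demo-project repository), the following wires a CloudWatch Logs metric filter for the string INVALID AUTHENTICATION ATTEMPT to an alarm that publishes to an SNS topic. The log group variable, the SecurityDemo namespace and the SNS topic name are assumptions; the demo itself routes alerts to Slack/PagerDuty webhooks rather than to a bare SNS topic.

```hcl
# Added example; names below are assumptions, not the demo project's own.
variable "monitored_log_group_name" {
  description = "CloudWatch Log Group to scan (assumed; e.g. the demo Lambda's log group)"
  type        = string
}

locals {
  metric_name      = "InvalidAuthenticationAttempts"
  metric_namespace = "SecurityDemo" # assumed namespace
}

# Destination for alarm notifications (assumed; subscribe Slack/PagerDuty here).
resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

# Count every log event that contains the quoted phrase.
resource "aws_cloudwatch_log_metric_filter" "invalid_auth" {
  name           = "invalid-authentication-attempt"
  log_group_name = var.monitored_log_group_name
  pattern        = "\"INVALID AUTHENTICATION ATTEMPT\""

  metric_transformation {
    name          = local.metric_name
    namespace     = local.metric_namespace
    value         = "1"
    default_value = "0" # emit 0 when no event matches, so the metric is never missing
  }
}

# Alarm as soon as one match is seen in a 60-second period.
resource "aws_cloudwatch_metric_alarm" "invalid_auth" {
  alarm_name          = "invalid-authentication-attempt"
  alarm_description   = "A log event containing INVALID AUTHENTICATION ATTEMPT was seen"
  namespace           = local.metric_namespace
  metric_name         = local.metric_name
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # quiet periods must not page anyone
  alarm_actions       = [aws_sns_topic.security_alerts.arn]

  depends_on = [aws_cloudwatch_log_metric_filter.invalid_auth]
}
```

The CIS metric filters the demo creates follow the same shape, differing only in the filter pattern and the destination of the alarm action.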
