Peter Matra Design

AWS Solutions Architect and IT Consultant

PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# get available name of OpenSSH
PS C:\Users\Administrator> Get-WindowsCapability -Online | ? Name -like 'OpenSSH*' 

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

# install OpenSSH Server
PS C:\Users\Administrator> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 

Path          :
Online        : True
RestartNeeded : False

# start sshd service
PS C:\Users\Administrator> Start-Service -Name "sshd" 

# set [Automatic] for Startup
PS C:\Users\Administrator> Set-Service -Name "sshd" -StartupType Automatic 

# verify settings
PS C:\Users\Administrator> Get-Service -Name "sshd" | Select-Object * 

Name                : sshd
RequiredServices    : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : True
DisplayName         : OpenSSH SSH Server
DependentServices   : {}
MachineName         : .
ServiceName         : sshd
ServicesDependedOn  : {}
ServiceHandle       : SafeServiceHandle
Status              : Running
ServiceType         : Win32OwnProcess
StartType           : Automatic
Site                :
Container           :


# if Windows Firewall is running, allow 22/TCP
# however, the OpenSSH installer generally opens 22/TCP already, so the following rule usually does not need to be added manually
PS C:\Users\Administrator> New-NetFirewallRule -Name "SSH" `
-DisplayName "SSH" `
-Description "Allow SSH" `
-Profile Any `
-Direction Inbound `
-Action Allow `
-Protocol TCP `
-Program Any `
-LocalAddress Any `
-RemoteAddress Any `
-LocalPort 22 `
-RemotePort Any 

Name                          : SSH
DisplayName                   : SSH
Description                   : Allow SSH
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}

AWS Certified Security Study Guide: Specialty (SCS-C01) Exam (p. 309). Wiley. Kindle Edition.

As you can see in Figure 8.4, GuardDuty produces a finding that an instance is communicating with an IP address that is an entry node for the TOR Anonymization network. With a simple Amazon CloudWatch Events rule that looks for the UnauthorizedAccess:EC2/TorClient event and triggers an AWS Lambda function that isolates the compromised instance, we can automatically contain the threat. As you can see in Example 8.2, the Python code sets the variable “security_group_id” to a value received as a parameter from the AWS Lambda Function, an environment variable called QUARANTINE_SG, which contains the identifier of the security group that closes all outgoing access to the instance and allows incoming traffic only from the Incident Forensics IP address. Therefore, the code is changing the security groups for that Amazon EC2 instance.

Code is here: https://gitlab.petermatra.design/gitlab-instance-5e679b60/aws-guardduty-lamda-auto-isolate-mailicious-instance
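An added example of the isolation flow the study guide describes (it is not the book's Example 8.2 nor the code in the repository linked above): the EventBridge/CloudWatch Events rule pattern for the UnauthorizedAccess:EC2/TorClient finding, and a Lambda handler that reads QUARANTINE_SG from its environment and swaps the flagged instance's security groups for that one. The sample finding event, the instance id and the group id are constructed placeholders; the ec2 and env parameters are assumptions added so the logic can be exercised without AWS credentials.

```python
import os

# EventBridge / CloudWatch Events rule pattern for the one finding type the text
# names; field names follow the GuardDuty finding event format.
TOR_CLIENT_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["UnauthorizedAccess:EC2/TorClient"]},
}

# Constructed sample finding event; the instance id is a made-up placeholder.
SAMPLE_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/TorClient",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def instance_id_from_finding(event):
    """Return the EC2 instance id a GuardDuty finding refers to, or None when
    the finding is not about an instance (e.g. an IAM or S3 finding)."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def quarantine_instance(ec2, instance_id, quarantine_sg):
    """Replace every security group on the instance with the quarantine group
    (no egress, ingress only from forensics). Returns the applied group list."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return [quarantine_sg]

def handler(event, context=None, ec2=None, env=None):
    """Lambda entry point. QUARANTINE_SG is read from the function's environment
    variables as in the text; ec2 and env are injectable for offline testing."""
    env = os.environ if env is None else env
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"isolated": False, "reason": "finding does not name an instance"}
    if ec2 is None:
        import boto3  # imported lazily so the helpers above run without AWS
        ec2 = boto3.client("ec2")
    groups = quarantine_instance(ec2, instance_id, env["QUARANTINE_SG"])
    return {"isolated": True, "instanceId": instance_id, "groups": groups}
```

The Lambda's execution role needs only ec2:ModifyInstanceAttribute on the affected instances, and the handler ignores findings that do not name an instance rather than failing.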

https://aws.amazon.com/blogs/security/automated-response-and-remediation-with-aws-security-hub/

AWS Security Hub is a service that gives you aggregated visibility into your security and compliance status across multiple AWS accounts. In addition to consuming findings from Amazon services and integrated partners, Security Hub gives you the option to create custom actions, which allow a customer to manually invoke a specific response or remediation action on a specific finding. You can send custom actions to Amazon CloudWatch Events as a specific event pattern, allowing you to create a CloudWatch Events rule that listens for these actions and sends them to a target service, such as a Lambda function or Amazon SQS queue.

https://github.com/awsdocs/aws-security-hub-user-guide/blob/master/doc_source/securityhub-cloudwatch-events.md

With Amazon EventBridge, you can automate your AWS services to respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to EventBridge in near-real time and on a guaranteed basis. You can write simple rules to indicate which events you are interested in and what automated actions to take when an event matches a rule. The actions that can be automatically triggered include the following:

  • Invoking an AWS Lambda function
  • Invoking the Amazon EC2 run command
  • Relaying the event to Amazon Kinesis Data Streams
  • Activating an AWS Step Functions state machine
  • Notifying an Amazon SNS topic or an Amazon SQS queue
  • Sending a finding to a third-party ticketing, chat, SIEM, or incident response and management tool

Security Hub automatically sends all new findings and all updates to existing findings to EventBridge as EventBridge events. You can also create custom actions that allow you to send selected findings and insight results to EventBridge.

You then configure EventBridge rules to respond to each type of event.

For more information about using EventBridge, see the Amazon EventBridge User Guide: https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html

In this blog post (https://aws.amazon.com/blogs/security/how-to-use-amazon-guardduty-and-aws-web-application-firewall-to-automatically-block-suspicious-hosts/), we’ll show you how to use Amazon GuardDuty to automatically update the AWS Web Application Firewall Web Access Control Lists (WebACLs) and VPC Network Access Control Lists (NACLs) in response to GuardDuty findings. After GuardDuty detects a suspicious activity, the solution updates these resources to block communication from the suspicious host while you perform additional investigation and remediation. Once communication has been blocked, further occurrences of a finding are reduced, allowing security and operations teams to focus more on higher priority tasks.

https://github.com/patrickchugh/terravision

TerraVision is a CLI tool that converts Terraform code into Professional Cloud Architecture Diagrams and solves the problem of keeping the most important document in cloud projects, the architecture document, up to date. With high velocity releases the norm now, machine generated architecture diagrams are more accurate than relying on the freestyle diagram drawn by the cloud architect that doesn't match reality anymore. Terravision securely runs 100% Client Side without any dependency on Terraform or access to your Cloud environment, to dynamically parse your conditionally created resources and variables and generate an automatic visual of your architecture. Terravision is designed to be a 'Docs as Code' (DaC) tool that can be included in your CI/CD pipeline to update architecture diagrams after your build/test/release pipeline phases and supplement other document generators like readthedocs.io alongside it. It currently supports AWS, and soon Google and Azure cloud.

Now you can replace your bastion hosts with EC2 Instance Connect Endpoint. This blog entry explains it: https://aws.amazon.com/blogs/compute/secure-connectivity-from-public-to-private-introducing-ec2-instance-connect-endpoint-june-13-2023/ Security groups are important: on the EC2 instance's security group you must open port 22 to the CIDR of the subnet the endpoint lives in. Read the white papers. Also, a policy must be attached to the user to allow access to the endpoint; you can find that information here: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/EC2InstanceConnect.html

"In this post https://aws.amazon.com/blogs/compute/adding-approval-notifications-to-ec2-image-builder-before-sharing-amis-2/?trk=global_employee_advocacy&sc_channel=sm&advocacy_source=everyonesocial&es_id=38f88ae532, we will walk through the steps to enable approval notifications before AMIs are shared with other AWS accounts. Image Builder supports automated image testing using test components. The recommended best practice is to automate test steps, however situations can arise where test steps become either challenging to automate or internal compliance policies mandate manual checks be conducted prior to distributing images. In such situations, having a manual approval step is useful if you would like to verify the AMI configuration before it is shared to other AWS accounts or an AWS Organization."

[Figure 1: architecture diagram]
