Lockdown for AWS #
The genesis of Lockdown #
While I was at Vectra.ai, I had the opportunity to work on some small software projects for the customers of Vectra. All the code was written to solve a specific problem or issue that customers were facing. One of my favorite projects was Lockdown for AWS. This project was deployed as three Lambda functions and some SQS queues. The idea was that when a Vectra appliance generated a security detection on the infrastructure running in the customer's AWS account, Lockdown would act on that detection and isolate the host automatically.
It worked very well, and we used that code in a few customer engagements and posted it to Vectra's GitHub for customers to use as they saw fit. However, it's been over four years since I have worked with that code, so I decided to upgrade Lockdown for AWS and expand its capabilities as well. I'll then post and maintain it going forward on my own GitHub account so others can again use it.
Digging into the old version - Architecture #
Here is the architecture of the current solution.
If we follow the path that an event takes, it first comes into Security Hub as a third-party finding. That finding has all the information that Lockdown needs to take an action. That event wakes up and executes the router Lambda. The router Lambda looks at the severity and type of the event. The customer can set the high and low watermarks at which they want Lockdown to take action. If the event requires action, a remediation JSON event is sent to the Lockdown SQS queue. If no action is needed, the execution stops here.
When a remediation event hits the Lockdown queue, the router Lambda executes again, determines what remediation action is needed, and sends the event to the corresponding queue. Once the event is in either the block or the terminate queue, that action is carried out by the respective Lambda.
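To make the routing decision described above concrete, here is an added example (my own illustration, not code from the Lockdown for AWS repository) of the router's decision logic over a Security Hub finding in ASFF shape. It assumes the low watermark triggers a block (isolation) and the high watermark triggers a terminate, and uses placeholder queue names and a constructed sample finding; the actual publish to SQS is left out so it runs offline.

```python
import json
from typing import Optional

# Placeholder queue names; the real deployment's queue names are not on the page.
BLOCK_QUEUE = "lockdown-block-queue"
TERMINATE_QUEUE = "lockdown-terminate-queue"
# ASFF Severity.Label -> lowest Normalized score in that band (AWS-documented bands).
LABEL_FLOOR = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 40, "HIGH": 70, "CRITICAL": 90}


def severity_score(finding: dict) -> int:
    """Return the finding's Normalized severity (0-100), falling back to its Label."""
    sev = finding.get("Severity", {})
    if "Normalized" in sev:
        return int(sev["Normalized"])
    return LABEL_FLOOR.get(str(sev.get("Label", "INFORMATIONAL")).upper(), 0)


def ec2_instance_ids(finding: dict) -> list:
    """Collect instance IDs from ASFF Resources of type AwsEc2Instance (ARN ends in instance/i-...)."""
    return [r["Id"].rsplit("/", 1)[-1]
            for r in finding.get("Resources", []) if r.get("Type") == "AwsEc2Instance"]


def route_finding(finding: dict, low_watermark: int, high_watermark: int) -> Optional[dict]:
    """Assumed policy: below low watermark -> no action; low..high -> block (isolate);
    at or above high -> terminate. Returns the target queue plus the JSON remediation
    event, or None when Lockdown should stop here."""
    if not 0 <= low_watermark <= high_watermark <= 100:
        raise ValueError("watermarks must satisfy 0 <= low <= high <= 100")
    score = severity_score(finding)
    targets = ec2_instance_ids(finding)
    if score < low_watermark or not targets:
        return None  # too low, or nothing Lockdown knows how to isolate
    action = "terminate" if score >= high_watermark else "block"
    event = {"finding_id": finding["Id"], "action": action,
             "instance_ids": targets, "severity": score}
    return {"queue": TERMINATE_QUEUE if action == "terminate" else BLOCK_QUEUE,
            "body": json.dumps(event, sort_keys=True)}


# Constructed sample finding in ASFF shape (not a real detection).
SAMPLE_FINDING = {
    "Id": "constructed-finding-001",
    "Severity": {"Label": "HIGH", "Normalized": 75},
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
}

if __name__ == "__main__":
    print(route_finding(SAMPLE_FINDING, low_watermark=40, high_watermark=90))
```

In the real Lambda the returned `body` would be sent with `sqs.send_message` to the returned queue, and a `None` result ends the execution.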
Fixes / changes that I would like to make:
- Upgrade the code from Python 3.8 to 3.11 or 3.12 (depending on Lambda support).
- Refactor the underlying code using current Python best practices.
- Make better use of my X-Ray integration.
- Determine what other AWS services could be used to expand functionality.
- Address logging and monitoring of Lockdown execution.
- TBD...