diff --git a/clouds/aws/README.md b/clouds/aws/README.md index f4f887c..83abc60 100644 --- a/clouds/aws/README.md +++ b/clouds/aws/README.md @@ -3,9 +3,15 @@ - **`disruptCloudTrailByS3Lambda.py`** - This script attempts to disrupt CloudTrail by planting a Lambda function that will delete every object created in S3 bucket bound to a trail. As soon as CloudTrail creates a new object in S3 bucket, Lambda will kick in and delete that object. No object, no logs. No logs, no Incident Response :-) -One will need to pass AWS credentials to this tool. Also, the account affected should have a bunch of required permissions. +One will need to pass AWS credentials to this tool. Also, the account affected should have at least following permissions: +- `iam:CreateRole` +- `iam:CreatePolicy` +- `iam:AttachRolePolicy` +- `lambda:CreateFunction` +- `lambda:AddPermission` +- `s3:PutBucketNotification` -Following changes are introduced to a specified AWS account: +These are the changes to be introduced within a specified AWS account: - IAM role will be created, by default with name: `cloudtrail_helper_role` - IAM policy will be created, by default with name: `cloudtrail_helper_policy` - Lambda function will be created, by default with name: `cloudtrail_helper_function` diff --git a/clouds/aws/disruptCloudTrailByS3Lambda.py b/clouds/aws/disruptCloudTrailByS3Lambda.py index eef4f8c..a34825c 100755 --- a/clouds/aws/disruptCloudTrailByS3Lambda.py +++ b/clouds/aws/disruptCloudTrailByS3Lambda.py @@ -1,4 +1,45 @@ #!/usr/bin/python3 +# +# This script attempts to disrupt CloudTrail by planting a Lambda function that will delete every object created in S3 bucket +# bound to a trail. As soon as CloudTrail creates a new object in S3 bucket, Lambda will kick in and delete that object. +# No object, no logs. No logs, no Incident Response :-) +# +# One will need to pass AWS credentials to this tool. Also, the account affected should have at least following permissions: +# - `iam:CreateRole` +# - `iam:CreatePolicy` +# - `iam:AttachRolePolicy` +# - `lambda:CreateFunction` +# - `lambda:AddPermission` +# - `s3:PutBucketNotification` +# +# These are the changes to be introduced within a specified AWS account: +# - IAM role will be created, by default with name: `cloudtrail_helper_role` +# - IAM policy will be created, by default with name: `cloudtrail_helper_policy` +# - Lambda function will be created, by default with name: `cloudtrail_helper_function` +# - Put Event notification will be configured on affected CloudTrail S3 buckets. +# +# This tool will fail upon first execution with the following exception: +# +# ``` +# [-] Could not create a Lambda function: An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: +# The role defined for the function cannot be assumed by Lambda. +# ``` +# +# At the moment I did not find an explanation for that, but running the tool again with the same set of parameters - get the job done. +# +# Afterwards, one should see following logs in CloudWatch traces for planted Lambda function - if no `--disrupt` option was specified: +# +# ``` +# [*] Following S3 object could be removed: (Bucket=90112981864022885796153088027941100000000000000000000000, +# Key=cloudtrail/AWSLogs/712800000000/CloudTrail/us-west-2/2019/03/20/712800000000_CloudTrail_us-west-2_20190320T1000Z_oxxxxxxxxxxxxc.json.gz) +# ``` +# +# Requirements: +# - boto3 +# +# Author: Mariusz B. / mgeeky '19, +# + import io import sys