The goal of this walkthrough is to help you set up, create, and then test a Lambda function that remediates alerts in your AWS environment. For more information, see AWS Lambda.

A core design goal and philosophy at Evident.io is to provide our customers the most robust configuration security alerting platform on AWS, together with the remediation guidance that makes those alerts actionable. Using our SNS integration, customers can extend that philosophy so that alerts are remediated automatically before you, or a malicious actor, even know there is an issue. Imagine revoking an EC2 security group rule that allows ingress from the entire internet within minutes of ESP detecting it.

This document walks you through the steps to configure our SNS integration to send Evident.io alerts as events for a Lambda function to remediate on your behalf.

We recommend selecting ESP alerts to remediate automatically based on one of the following criteria:

  • A constantly recurring signature with a constant solution.
  • A process that provides maximum remediation value relative to the potential exploitability of the alert we’ve generated.
  • Alerts where following a complex, custom remediation process is appropriate.

A signature in the ESP arsenal that potentially meets these criteria is our Global SSH signature. An EC2 security group that allows SSH from the world could wreak major havoc in your service by exposing your EC2 instances to break-in attempts from the entire internet. Remediating alerts from this signature automatically provides great value, and the fix itself is simple: revoke the offending rule.

Step 1: ESP SNS Integration

  1. Follow the instructions for setting up the ESP SNS Integration. When configuring it, restrict it to one Team and one signature. Note: If more than one AWS account is assigned to that Team, this will work for only one of those accounts until a future integrations enhancement is released.
  2. Subscribe your email address to the SNS topic you set up, even if only temporarily, for troubleshooting purposes.

Step 2: Create IAM Policy and Role

  1. The next step is to create the IAM Policy and Role that will give the Lambda function execution privileges.
  2. In the IAM Console under Policies, click Create Policy.
  3. Select Create Your Own Policy.
  4. Copy and paste the policy from the following link: https://github.com/EvidentSecurity/automation/blob/master/autoremediate/aws/policies/AWS_EC2_security_group_global_inbound_policy.json Name your policy and select Create Policy.
  5. In the IAM Console under Roles, click Create New Role.
  6. Name your role.
  7. Role type is AWS Lambda.
  8. Attach the policy created above.
  9. Additionally, attach the AWSLambdaBasicExecutionRole policy, to allow the Lambda function to send execution logs to CloudWatch Logs.

Step 3: Create the Lambda function in the AWS Console

The next step is to create the Lambda function in the AWS Console.

  1. Select the sns-message-python blueprint.
  2. Event source type is SNS.
  3. Select the SNS topic you created for the integration.
  4. In the next screen, name your function, give it a description and leave the Python runtime version as is.
  5. Copy and paste the Lambda code from the following link: https://github.com/EvidentSecurity/automation/blob/master/autoremediate/aws/lambda/AWS_EC2_security_group_global_inbound_remediate.py
  6. This sample code works across regions, so you can create the Lambda function in whichever region makes sense for your scenario.
  7. Leave the Lambda function handler as is, but select the IAM Role you created above in the drop-down menu.
  8. Under Advanced Settings, set the timeout value to 1 minute, 30 seconds. When an ESP message carries multiple alerts, a single invocation has to process each of them, and that can take longer than the default Lambda timeout allows.
  9. Select No VPC access is required.
  10. In the next screen, you can select the SNS topic above as the Event Source, or leave it as is and configure it later, once you are comfortable with the Lambda function code. If you click Enable event source, the Lambda function is subscribed to the SNS topic above and will start receiving alerts.

Step 4: Testing and Verifying the Lambda Function

After the Lambda function is created, you will need to configure a test event to test your function.

  1. Generate one real alert, let SNS deliver it to the email address you subscribed above, and copy the entire body of that message for use as your test event.
  2. To generate the alert, create a FAIL condition for the Global SSH signature: create an EC2 security group and add an inbound rule that allows TCP port 22 from the entire internet, “0.0.0.0/0”.
  3. Make sure no instances are associated with that security group. This will be your test security group.
  4. In the Lambda function console, click on Actions -> Configure test event.
  5. Select the SNS sample test event.
  6. Inside the "Sns": { ... } section, replace the value of "Message" with the text you copied in item 1. Message is a string field in the SNS event, so the alert JSON must be supplied as a single JSON string (with its quotes escaped), not as a nested object.
  7. Execution logs are sent to the CloudWatch Logs log group named after your Lambda function, /aws/lambda/<function name>.
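The following Python is an added example; it is not Evident.io's remediation script linked in Step 3 and is not taken from that repository. It shows the pieces Steps 3 and 4 describe end to end: a handler that reads the SNS record, parses the ESP alert out of Records[i].Sns.Message, obtains an EC2 client for the region named in the alert, and revokes only the 0.0.0.0/0 and ::/0 ranges of any ingress rule that covers TCP/22 (including an all-traffic "-1" rule), leaving the group's other CIDRs and other ports alone. The ESP message field names (status, region, resource), the FakeEC2 stand-in for the boto3 client, and the sample group and alert are all assumptions constructed for this example; map real alerts from the format your SNS subscription actually delivers.

```python
# Added example, not Evident.io's remediation script: the pieces Steps 3 and 4
# describe, runnable offline. ASSUMED (not from the page): ESP's SNS message is a
# JSON object with "status", "region" and "resource" (the group id); FakeEC2
# stands in for the boto3 EC2 client the real Lambda would use.
import copy
import json

WORLD_V4, WORLD_V6, SSH_PORT = "0.0.0.0/0", "::/0", 22

def _rule_key(perm):
    # Protocol/port triple identifying one ingress rule (no ports when protocol is "-1").
    return (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))

def covers_ssh(perm):
    """True if this entry admits TCP/22: an explicit tcp range or all traffic ("-1")."""
    return perm["IpProtocol"] == "-1" or (
        perm["IpProtocol"] == "tcp" and perm["FromPort"] <= SSH_PORT <= perm["ToPort"])

def world_open_ssh(perm):
    """Revoke-ready copy of perm holding only its 0.0.0.0/0 and ::/0 ranges, else None.
    RevokeSecurityGroupIngress needs the exact protocol/ports plus the ranges to drop,
    so the customer's other CIDRs on the same rule are deliberately left out."""
    if not covers_ssh(perm):
        return None
    v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", []) if r["CidrIp"] == WORLD_V4]
    v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == WORLD_V6]
    if not (v4 or v6):
        return None
    out = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    out.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
    return out

def remediate_group(ec2, group_id):
    """Describe the group, revoke every world-open SSH range, return what was revoked."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    offending = [p for p in map(world_open_ssh, group["IpPermissions"]) if p]
    if offending:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=offending)
    return offending

def parse_alert(message_text):
    """Records[i].Sns.Message is a JSON *string*; the field names used here are assumed."""
    alert = json.loads(message_text)
    return {"status": str(alert.get("status", "")).lower(),
            "region": alert["region"], "group_id": alert["resource"]}

def lambda_handler(event, context=None, client_factory=None):
    """Lambda entry point. client_factory is the test seam; in Lambda it defaults to boto3."""
    if client_factory is None:
        import boto3  # present in the Lambda runtime; not needed to run this offline
        client_factory = lambda region: boto3.client("ec2", region_name=region)
    results = {}
    for record in event.get("Records", []):
        alert = parse_alert(record["Sns"]["Message"])
        # Only FAIL alerts name a rule to remove; any other status carries nothing to fix.
        if alert["status"] != "fail" or not alert["group_id"].startswith("sg-"):
            continue
        ec2 = client_factory(alert["region"])  # the group lives in the alert's own region
        results[alert["group_id"]] = remediate_group(ec2, alert["group_id"])
    return results

def make_test_event(alert):
    """The console's SNS sample event after Step 4, item 6: Message is the alert JSON as a string."""
    return {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(alert)}}]}

class FakeEC2:
    """Offline stand-in for the two boto3 EC2 calls the handler makes."""
    def __init__(self, groups):
        self.groups = {g["GroupId"]: g for g in groups}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        for perm in self.groups[GroupId]["IpPermissions"]:
            for rev in IpPermissions:
                if _rule_key(rev) != _rule_key(perm):
                    continue  # as AWS does, only touch the rule with matching protocol/ports
                v4 = {r["CidrIp"] for r in rev.get("IpRanges", [])}
                v6 = {r["CidrIpv6"] for r in rev.get("Ipv6Ranges", [])}
                perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if r["CidrIp"] not in v4]
                perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] not in v6]
        return {"Return": True}

# Constructed sample data (not a real alert or group): the Step 4 test group with SSH open to
# the world over v4 and v6, one legitimate SSH CIDR, and a world-open HTTPS rule to leave alone.
SAMPLE_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": WORLD_V4}, {"CidrIp": "203.0.113.0/24"}],
     "Ipv6Ranges": [{"CidrIpv6": WORLD_V6}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": WORLD_V4}]}]}
SAMPLE_ALERT = {"signature": "Global SSH", "status": "fail",
                "region": "us-west-2", "resource": "sg-0123456789abcdef0"}

def demo():
    """Run the handler against the fake client; returns (fake client, handler result)."""
    ec2 = FakeEC2([copy.deepcopy(SAMPLE_GROUP)])
    return ec2, lambda_handler(make_test_event(SAMPLE_ALERT), client_factory=lambda region: ec2)
```

The handler makes exactly two EC2 calls, DescribeSecurityGroups and RevokeSecurityGroupIngress, so whatever policy you attach in Step 2 must allow at least ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress; the AWSLambdaBasicExecutionRole policy from item 9 covers the CloudWatch Logs side. Because revocation is expressed as a list of ranges on a specific protocol/port rule, the 203.0.113.0/24 SSH range and the world-open HTTPS rule in the sample survive, which is the behaviour you want from a signature-specific fix.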