By: Shimon Brathwaite
October 5, 2021
Python Programming For AWS Security Automation
Amazon Web Services (AWS) is one of the most popular cloud service providers for easy-to-access IT infrastructure. Especially for smaller companies trying to launch a web application, most founders would much rather pay for a service like AWS to handle the infrastructure for them than buy the IT equipment (e.g., servers) needed to launch a tech company. The convenience and low cost that services like AWS, Azure, or Google Cloud provide have caused them to grow in popularity over the last ten years.
AWS has set itself apart with a unique feature that allows you to automate many of your security tasks. A Python library called boto3 lets you directly create, update, and delete AWS resources, so you can write scripts that interact with those resources without going through the console. For example, here is a script I made that can automatically create EC2 instances.
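As an added illustration of what such a boto3 script looks like (this is example code written for this page, not the author's script), the block below builds a run_instances request with a few security defaults applied: IMDSv2 is required, the root volume is encrypted, and the instance is tagged so later findings can be attributed. The AMI, subnet and security group IDs are constructed placeholders, the root device name is an assumption that fits most Amazon Linux AMIs, and the FakeEC2 class is a stand-in for boto3.client("ec2") so the code runs offline; swap in the real client to launch instances for real.

```python
"""Launch EC2 instances with boto3, applying secure defaults (added example, not the post's script).
The IDs used in launch_demo() are constructed placeholders; the hardening choices are this example's own."""


def build_launch_request(ami_id, subnet_id, security_group_ids, owner,
                         instance_type="t3.micro", count=1, root_device="/dev/xvda"):
    """Return the keyword arguments for ec2.run_instances with secure defaults applied."""
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MinCount": count,
        "MaxCount": count,
        "SubnetId": subnet_id,
        "SecurityGroupIds": list(security_group_ids),
        # Require IMDSv2 so a request-forgery bug on the host cannot read instance
        # credentials from the metadata service with a plain GET.
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
        # Encrypt the root volume. root_device is an assumption (typical for Amazon Linux AMIs).
        "BlockDeviceMappings": [
            {"DeviceName": root_device, "Ebs": {"Encrypted": True, "VolumeType": "gp3"}}
        ],
        # Tags make the instance attributable in CloudWatch, Config and Inspector findings.
        "TagSpecifications": [
            {"ResourceType": "instance",
             "Tags": [{"Key": "Owner", "Value": owner}, {"Key": "ManagedBy", "Value": "boto3"}]}
        ],
    }


def launch_instances(ec2, **kwargs):
    """Call run_instances and return the new instance IDs. `ec2` is a boto3 EC2 client (injectable)."""
    response = ec2.run_instances(**build_launch_request(**kwargs))
    return [inst["InstanceId"] for inst in response["Instances"]]


class FakeEC2:
    """Offline stand-in for boto3.client("ec2"): records the request and fabricates instance IDs."""

    def __init__(self):
        self.requests = []

    def run_instances(self, **params):
        self.requests.append(params)
        return {"Instances": [{"InstanceId": f"i-fake{i:016x}"} for i in range(params["MaxCount"])]}


def launch_demo(ec2=None):
    """Launch two instances; with no client given, the offline fake is used."""
    if ec2 is None:
        ec2 = FakeEC2()
    ids = launch_instances(
        ec2,
        ami_id="ami-0123456789abcdef0",               # constructed placeholder
        subnet_id="subnet-0123456789abcdef0",         # constructed placeholder
        security_group_ids=["sg-0123456789abcdef0"],  # constructed placeholder
        owner="security-team",
        count=2,
    )
    return ids, ec2


if __name__ == "__main__":
    print(launch_demo()[0])
```

To run it against a real account, pass `boto3.client("ec2")` to launch_demo() and replace the placeholder IDs; the calling identity needs ec2:RunInstances and ec2:CreateTags.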
Next, I will highlight some of the most important AWS resources from a security perspective and how you can use boto3 to manipulate them.
AWS CloudWatch
CloudWatch is a log management system. It collects monitoring and operational data as logs, metrics, and events, and lets you visualize it on automated dashboards. From an incident response point of view, it gives you a record of the events in your environment, which you can search to find out whether anything malicious has happened.
AWS Config
AWS Config is used for ensuring compliance among your AWS resources. It is a service that lets you assess, audit, and monitor whether your resource configurations match the configurations you want.
Amazon Inspector
Amazon Inspector is an assessment/vulnerability scanner. It scans resources to detect potential vulnerabilities, and its checks are kept up to date by an Amazon security team.
AWS Simple Notification Service (SNS)
AWS SNS is a fully managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication. It can be combined with other AWS services to send alerts via text or email when certain thresholds are crossed. For example, suppose you are running a web server on an EC2 instance and its usage reaches a dangerously high level (95%). In that case, you can set up SNS to send your administrator an alert so that they can spin up another EC2 instance before the first one is overwhelmed.
AWS Lambda
Lambda is a serverless computing platform that lets you run code without setting up an EC2 instance. This is where you will run the boto3 Python scripts that automate your security remediation.
How boto3 brings these tools together
Now that you understand the AWS tools at your disposal, you can take advantage of boto3. On their own, these tools provide notifications and information that a security administrator still has to act on: if Inspector finds vulnerabilities, AWS Config reports non-compliant resources, or SNS sends a notification, someone needs to log in and fix the problem. With boto3, however, you can write scripts and use Lambda to run them as soon as an SNS notification is published. This way, you can schedule tools like Inspector or AWS Config to run periodically and, if they find an issue, have a script run and correct it immediately.
The benefits of using boto3 to make corrections are that the fixes are applied much faster, it is much cheaper because you don't have to pay a script overtime like you would a person, and it is more consistent. To get started learning boto3, you can find the official Amazon guide here. If you would like a more interactive, video- and example-driven tutorial with the ability to practice in a live AWS environment, you can also try Linux Academy or A Cloud Guru.
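The SNS-to-Lambda-to-boto3 loop described above, as an added example that is not part of the original post: a Lambda handler receives an AWS Config compliance-change notification through SNS, and when the flagged resource is a security group, it revokes only the ingress rules that expose SSH (port 22) to 0.0.0.0/0. The assumptions are that a Config rule exists which marks such groups NON_COMPLIANT and publishes to a topic this function subscribes to, that the Lambda role may call ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress, and that the message fields used (messageType, resourceType, resourceId, newEvaluationResult.complianceType) match AWS Config's ComplianceChangeNotification format as this example understands it. The sample event and security group are constructed, and FakeEC2 stands in for boto3.client("ec2") so the logic runs offline; the real client is only created when the handler runs inside Lambda.

```python
"""Lambda handler: remediate an AWS Config finding delivered through SNS (added example).
Assumes a Config rule flags security groups with SSH open to 0.0.0.0/0 and publishes
ComplianceChangeNotification messages to an SNS topic that triggers this function."""
import json

OPEN_TO_WORLD = "0.0.0.0/0"
SSH_PORT = 22

def parse_sns_event(event):
    """Decode the JSON AWS Config messages carried in an SNS-triggered Lambda event."""
    messages = []
    for record in event.get("Records", []):
        if record.get("EventSource") == "aws:sns":
            messages.append(json.loads(record["Sns"]["Message"]))
    return messages

def needs_remediation(message):
    """True only for a compliance change that marks a security group NON_COMPLIANT."""
    new_result = message.get("newEvaluationResult") or {}
    return (message.get("messageType") == "ComplianceChangeNotification"
            and message.get("resourceType") == "AWS::EC2::SecurityGroup"
            and new_result.get("complianceType") == "NON_COMPLIANT")

def world_open_ssh_rules(security_group):
    """Return ingress permissions, trimmed to the 0.0.0.0/0 range, that expose port 22."""
    offending = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # Protocol "-1" (all traffic) carries no port fields, so default to the full range.
        if not perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535):
            continue
        ranges = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_TO_WORLD]
        if ranges:
            # Copy only the fields the revoke call needs; other CIDRs on the rule survive.
            rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            rule["IpRanges"] = ranges
            offending.append(rule)
    return offending

def remediate_security_group(ec2, group_id):
    """Revoke every world-open SSH rule on the group and return what was revoked."""
    revoked = []
    for sg in ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"]:
        rules = world_open_ssh_rules(sg)
        if rules:
            ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=rules)
            revoked.extend(rules)
    return revoked

def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is injectable so the logic can run without AWS."""
    if ec2 is None:
        import boto3  # imported lazily so everything above runs without the SDK installed
        ec2 = boto3.client("ec2")
    results = {}
    for message in parse_sns_event(event):
        if needs_remediation(message):
            results[message["resourceId"]] = remediate_security_group(ec2, message["resourceId"])
    return results

class FakeEC2:
    """Offline stand-in for boto3.client("ec2") that records revoke calls instead of making them."""
    def __init__(self, groups):
        self.groups, self.revoked = groups, []
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [g for g in self.groups if g["GroupId"] in GroupIds]}
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.append((GroupId, IpPermissions))
        return {"Return": True}

# Constructed sample data: one NON_COMPLIANT group and one COMPLIANT notification to ignore.
SAMPLE_GROUP_ID = "sg-0123456789abcdef0"
SAMPLE_GROUPS = [{"GroupId": SAMPLE_GROUP_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]

def _config_message(resource_id, compliance):
    return json.dumps({"messageType": "ComplianceChangeNotification",
                       "resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
                       "newEvaluationResult": {"complianceType": compliance}})

SAMPLE_EVENT = {"Records": [
    {"EventSource": "aws:sns", "Sns": {"Message": _config_message(SAMPLE_GROUP_ID, "NON_COMPLIANT")}},
    {"EventSource": "aws:sns", "Sns": {"Message": _config_message("sg-0fedcba9876543210", "COMPLIANT")}},
]}

def remediation_demo():
    """Run the handler against the constructed event with the fake client."""
    ec2 = FakeEC2(SAMPLE_GROUPS)
    return handler(SAMPLE_EVENT, ec2=ec2), ec2.revoked

if __name__ == "__main__":
    print(json.dumps(remediation_demo()[0], indent=2))
```

Two design points worth noting: the revoke request is built from the rule's own protocol and port fields, so a rule that also allows an internal CIDR keeps that range and only the 0.0.0.0/0 entry is removed, and an all-traffic ("-1") rule with no port fields is handled without inventing ports. Deploying this as a Lambda means pointing the function's handler setting at `handler` and subscribing the function to the Config rule's SNS topic.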