Investigating a Cloud Security Breach on an AWS EC2 Instance

Project Description

In this project, I was tasked with investigating a security breach on an AWS EC2 instance. The instance had been compromised by a user who had gained access, removed a security group rule, and possibly caused an interruption to the system.

To conduct the investigation, I followed these steps:

  1. Identify the scope of the breach: First, I determined the extent of the breach and what data may have been compromised. I analyzed the logs, network traffic, and any other relevant information to identify the source and type of the attack.
  2. Isolate the affected instance: Once the scope of the breach had been identified, I collected evidence related to the breach, including logs, system images, and any other relevant data. This evidence was used to identify the source of the attack and determine what actions the attacker may have taken.
  3. Identify the root cause: Once the evidence had been collected, I analyzed it to determine the root cause of the breach. This involved analyzing the system configuration and the event history in CloudTrail.
  4. Remediate the issue: After identifying the root cause, I took steps to remediate the issue and prevent future breaches. This involved applying security patches, changing system configurations, and implementing new security measures.
  5. Report the findings: Once the investigation was complete, I reported my findings to the Cloud Security Architect and any other relevant teams. The report detailed the extent of the breach, the root cause, and any actions taken to remediate the issue.

STEPS INVOLVED IN THIS PROJECT

1. Log in to AWS Console

2. Go to EC2 Dashboard

  • Once logged in, type “EC2” in the search bar at the top and click on “EC2” to open the EC2 dashboard.

3. Launch Instance

  • In the EC2 dashboard, click on the blue “Launch Instance” button.

4. Configure the Basics

  • Name your instance: Give it a meaningful name.
  • Select an Amazon Machine Image (AMI): This is like choosing the operating system for your virtual machine. For example, you can select "Amazon Linux" or "Ubuntu".
  • Select Instance Type: Choose how powerful you want your virtual machine to be. "t2.micro" is free tier eligible and suitable for small workloads.

5. Key Pair (for SSH Access)

  • Select a key pair, or create a new one if you don't have one. This will allow you to securely connect to your EC2 instance later. Be sure to download the .pem file and keep it safe.

6. Network Settings

  • VPC and Subnet: By default, it selects your default VPC and subnet. You can leave these settings as is unless you need something specific.
  • Auto-assign Public IP: Ensure it is enabled, so your instance gets a public IP address for remote access.

7. Security Group (Firewall)

  • Set the rules for who can access the instance. Typically, allow SSH (port 22) for secure access and HTTP (port 80) if you are running a web server. For now, keep SSH open only to your IP for security.

8. Storage

  • Configure storage (hard drive size). The default (8 GB) is usually fine for basic tasks.

9. Review and Launch

  • Review your configuration and click on "Launch". Your instance will be created in a few seconds or minutes.

10. Access Your EC2 Instance

2. Install the Apache web server (httpd).

    # Update package list
    sudo apt update -y

    # Install Apache
    sudo apt install apache2 -y

    # Start Apache service
    sudo systemctl start apache2

    # Enable Apache to start on boot
    sudo systemctl enable apache2

    # Check the status of Apache
    sudo systemctl status apache2

3. Edit the inbound security rules and add HTTP on port 80 to allow access to the Apache server.

  • In the left-hand menu, click on Security Groups under Network & Security.
  • Find the Security Group attached to your EC2 instance (the one hosting the Apache server) and click on it.
  • Select the Inbound rules tab and click on Edit inbound rules.
  • Click Add Rule and fill in the new rule:
  • Type: Select HTTP from the dropdown (this will automatically set the port to 80).
  • Protocol: Set to TCP (automatically chosen for HTTP).
  • Port Range: Set to 80 (automatically chosen).
  • Source: Choose Anywhere (0.0.0.0/0) to allow access from any IP, or set a specific IP range if you want restricted access.
  • Click Save rules.

4. Add a user on the client side using the IAM feature in AWS. The user has been given administrative access.

1. Navigate to IAM:

  • In the services menu, search for IAM (Identity and Access Management) and click on it.

2. Add a New User:

  • In the IAM dashboard, on the left-hand side, click on Users.
  • Click Add users.

3. Set User Details:

  • Username: Enter the name for the new user (e.g., "new_admin_user").
  • Access type: Check AWS Management Console access to allow the user to log in via the AWS console.
  • Set a custom password, or allow AWS to auto-generate one.

4. Assign Permissions:

  • On the Set permissions page, choose Attach policies directly.
  • In the list of policies, search for AdministratorAccess.
  • Check the box next to AdministratorAccess to grant full admin rights.

5. Review and Create User:

  • Review the user details.
  • Click Create user.

5. Investigated the issue to find out who revoked the security group ingress rule, using CloudTrail. I used the resource name of the EC2 instance to filter the events in CloudTrail and was able to detect who revoked the inbound rule. The investigation revealed that the new user had changed the inbound rules and removed HTTP on port 80, making it impossible to access the Apache web server.
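The CloudTrail lookup described in step 5, as an added example that is not code from the original post. It filters the event history by the security group's ID as the ResourceName (the resource the RevokeSecurityGroupIngress call is recorded against) and pulls the actor, source IP, time and removed port ranges out of each matching record. SAMPLE_EVENTS is a constructed subset of a LookupEvents response: the account ID, the security group IDs, the IP addresses and the timestamps are placeholders, and the user name new_admin_user is the one used in step 4. The nested "items" layout of the request parameters follows how CloudTrail records EC2 calls; check it against one of your own records before relying on it.

```python
"""Who removed the inbound rule? Answering it from CloudTrail records.

Added example, not code from the original post. SAMPLE_EVENTS is a
CONSTRUCTED subset of what CloudTrail's LookupEvents API returns: the
account ID, security group IDs, IP addresses and timestamps are placeholders.
"""
import json
from datetime import datetime, timezone

GROUP_ID = "sg-0123456789abcdef0"  # placeholder security group ID


def _record(event_name, user, arn, src_ip, params, hour):
    """Build one constructed LookupEvents entry. CloudTrailEvent is a JSON
    string, as the real API returns it; EC2 request parameters use
    CloudTrail's nested {"items": [...]} layout."""
    return {
        "EventName": event_name,
        "EventTime": datetime(2024, 5, 1, hour, 0, tzinfo=timezone.utc),
        "Username": user,
        "Resources": [{"ResourceType": "AWS::EC2::SecurityGroup",
                       "ResourceName": params["groupId"]}],
        "CloudTrailEvent": json.dumps({
            "userIdentity": {"type": "IAMUser", "arn": arn},
            "sourceIPAddress": src_ip,
            "requestParameters": params,
        }),
    }


def _perm(port, cidr):
    return {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipRanges": {"items": [{"cidrIp": cidr}]}}


SAMPLE_EVENTS = [
    # Legitimate setup: HTTP/80 opened by the cloud admin (step 3).
    _record("AuthorizeSecurityGroupIngress", "cloud-admin",
            "arn:aws:iam::111122223333:user/cloud-admin", "203.0.113.10",
            {"groupId": GROUP_ID, "ipPermissions": {"items": [_perm(80, "0.0.0.0/0")]}}, 9),
    # The removal under investigation: made by the IAM user created in step 4.
    _record("RevokeSecurityGroupIngress", "new_admin_user",
            "arn:aws:iam::111122223333:user/new_admin_user", "198.51.100.7",
            {"groupId": GROUP_ID, "ipPermissions": {"items": [_perm(80, "0.0.0.0/0")]}}, 11),
    # Noise: a revoke on a different group, and a read-only call.
    _record("RevokeSecurityGroupIngress", "cloud-admin",
            "arn:aws:iam::111122223333:user/cloud-admin", "203.0.113.10",
            {"groupId": "sg-0fedcba9876543210",
             "ipPermissions": {"items": [_perm(8080, "10.0.0.0/8")]}}, 12),
    _record("DescribeSecurityGroups", "cloud-admin",
            "arn:aws:iam::111122223333:user/cloud-admin", "203.0.113.10",
            {"groupId": GROUP_ID}, 13),
]


def summarize_revocations(events, group_id):
    """Return one finding per RevokeSecurityGroupIngress call against group_id:
    the actor (Username, falling back to the identity ARN), source IP, time,
    and the port ranges / CIDRs that were removed."""
    findings = []
    for ev in events:
        if ev.get("EventName") != "RevokeSecurityGroupIngress":
            continue
        detail = json.loads(ev["CloudTrailEvent"])
        params = detail.get("requestParameters") or {}
        if params.get("groupId") != group_id:
            continue
        identity = detail.get("userIdentity") or {}
        removed = []
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
            removed.append({"protocol": perm.get("ipProtocol"),
                            "from_port": perm.get("fromPort"),
                            "to_port": perm.get("toPort"),
                            "cidrs": cidrs})
        findings.append({
            "actor": ev.get("Username") or identity.get("arn", "<unknown>"),
            "actor_arn": identity.get("arn"),
            "source_ip": detail.get("sourceIPAddress"),
            "time": ev.get("EventTime"),
            "removed": removed,
        })
    return findings


def lookup_revocations(group_id, start_time, end_time, client=None):
    """Live variant (needs AWS credentials; not run offline): pull the group's
    events from CloudTrail by ResourceName and summarize them. LookupEvents
    only covers the last 90 days of management events."""
    import boto3
    client = client or boto3.client("cloudtrail")
    events = []
    for page in client.get_paginator("lookup_events").paginate(
            LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": group_id}],
            StartTime=start_time, EndTime=end_time):
        events.extend(page["Events"])
    return summarize_revocations(events, group_id)


if __name__ == "__main__":
    for f in summarize_revocations(SAMPLE_EVENTS, GROUP_ID):
        print(f"{f['time']:%Y-%m-%d %H:%M}Z {f['actor']} from {f['source_ip']} "
              f"removed {f['removed']}")
```

Filtering on groupId inside the record, not only on the event name, is what keeps the cloud admin's revoke on the other group out of the findings; keeping both the Username and the identity ARN matters when the caller was an assumed role rather than an IAM user, because Username is then the session name rather than a person.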

6. The inbound rule issue has been resolved and HTTP on port 80 was re-added. The client's customers can now access the web server.
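A check that covers both step 3 (the rule the web server needs) and step 6 (confirming the rule is back after the fix), as an added example that is not code from the original post. It compares a security group's inbound rules with an expected baseline, reports what is missing or unexpected, and builds the IpPermissions argument needed to restore the baseline through boto3. SAMPLE_GROUP is a constructed describe_security_groups entry as the group looked after the HTTP rule was removed; the group ID and the admin's IP address are placeholders.

```python
"""Check a security group's inbound rules against an expected baseline and
build the IpPermissions needed to put it back.

Added example, not code from the original post. SAMPLE_GROUP is a
CONSTRUCTED describe_security_groups entry; the group ID and the admin's
IP are placeholders.
"""
from ipaddress import ip_network

# Baseline for the web server: HTTP from anywhere, SSH only from the admin's IP.
EXPECTED_INGRESS = {
    ("tcp", 80, 80, "0.0.0.0/0"),
    ("tcp", 22, 22, "203.0.113.10/32"),
}

# Constructed: ec2.describe_security_groups()["SecurityGroups"][0] as it looked
# after the HTTP rule had been removed. Only SSH from the admin IP remains.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ],
}


def flatten_ingress(group):
    """Reduce the nested IpPermissions list to a set of
    (protocol, from_port, to_port, cidr) tuples, IPv4 and IPv6 alike."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")  # absent for protocol "-1"
        for r in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, lo, hi, r["CidrIpv6"]))
    return rules


def audit_ingress(group, expected=EXPECTED_INGRESS):
    """Report rules the baseline requires but the group lacks, and rules the
    group has that the baseline does not (drift in either direction)."""
    actual = flatten_ingress(group)
    return {"missing": sorted(expected - actual, key=str),
            "unexpected": sorted(actual - expected, key=str)}


def to_ip_permissions(rules):
    """Turn (protocol, from, to, cidr) tuples into the IpPermissions argument of
    authorize_security_group_ingress / revoke_security_group_ingress."""
    perms = []
    for proto, lo, hi, cidr in rules:
        net = ip_network(cidr)  # ValueError on a malformed CIDR, before any API call
        v6 = net.version == 6
        perm = {"IpProtocol": proto}
        if lo is not None:
            perm["FromPort"], perm["ToPort"] = lo, hi
        perm["Ipv6Ranges" if v6 else "IpRanges"] = [{"CidrIpv6" if v6 else "CidrIp": cidr}]
        perms.append(perm)
    return perms


def restore_baseline(group_id, client=None, expected=EXPECTED_INGRESS):
    """Live variant (needs AWS credentials; not run offline): re-add missing
    rules and remove unexpected ones, then return the audit report."""
    import boto3
    client = client or boto3.client("ec2")
    group = client.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    report = audit_ingress(group, expected)
    if report["missing"]:
        client.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=to_ip_permissions(report["missing"]))
    if report["unexpected"]:
        client.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=to_ip_permissions(report["unexpected"]))
    return report


if __name__ == "__main__":
    print(audit_ingress(SAMPLE_GROUP))
```

Running audit_ingress against the constructed group reports the HTTP/80 rule as missing and nothing unexpected; run on a live group before and after the fix, the same call doubles as the evidence for the report that the interruption was caused by the removed rule and that the baseline has been restored.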

Finally, a written report with evidence of who was responsible for the service interruption was presented to the Cloud Security Architect.


#Cloud Security #AWS #CloudTrail
