aws_ir

Python installable command line utility for mitigation of host and key compromises.

AWS Open Source Self Hosted Only
Category Incident Response & Forensics
GitHub Stars 344
Last Commit 3 years ago
This page updated a month ago
Pricing Details Free and open-source under MIT License.
Target Audience Security professionals and incident responders managing AWS environments.

aws_ir is a Python command line utility for quickly mitigating host and key compromises in AWS environments. It automates the first-response steps so that they run with minimal delay and with less room for manual error.

Technically, aws_ir uses boto3 sessions to interact with AWS resources, and its actions are implemented as plugins so that the response can be extended. For key compromises, the plugins disable the compromised access key and revoke STS tokens issued with it; both are needed, because deactivating an access key does not invalidate temporary credentials that were already minted from it. For host compromises, the plugins gather forensic artifacts, isolate the instance on the network, and power it off. The key-compromise subcommand disables the access key via the AWS API, while the instance-compromise subcommand collects artifacts, tags the instance, and then powers it off; artifact collection comes first because stopping the instance destroys its volatile memory. Memory capture requires SSH access to the instance and passwordless sudo for the responder's user.
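The two response paths above, as an added example written for this page rather than taken from aws_ir itself. The functions take boto3-style IAM and EC2 clients as parameters, so the same code runs against real boto3 clients or against the constructed fakes at the bottom of the file. The API method names and parameters are the real IAM and EC2 calls; the policy name "RevokeOlderSessions", the tag key "cr-case-number", the isolation security group and the example key id are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone


def disable_access_key(iam, access_key_id):
    """Key compromise, step 1: look up the owning IAM user and set the key Inactive."""
    owner = iam.get_access_key_last_used(AccessKeyId=access_key_id)["UserName"]
    iam.update_access_key(UserName=owner, AccessKeyId=access_key_id, Status="Inactive")
    return owner


def revoke_sts_tokens(iam, user_name, cutoff=None):
    """Key compromise, step 2: temporary credentials already issued with the key
    stay valid after the key is deactivated, so attach an inline policy that denies
    everything for sessions issued before the cutoff. aws:TokenIssueTime is only
    present on temporary credentials, so the user's long-term keys are unaffected.
    (Policy name is an assumption.)"""
    if cutoff is None:
        cutoff = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }
    iam.put_user_policy(UserName=user_name, PolicyName="RevokeOlderSessions",
                        PolicyDocument=json.dumps(policy))
    return cutoff


def respond_to_instance(ec2, instance_id, case_number, isolation_sg_id, capture=None):
    """Host compromise: tag, isolate, capture, and only then stop the instance.
    isolation_sg_id is assumed to be a pre-created security group that still allows
    the responder's SSH access; `capture` stands in for the SSH-based memory and
    artifact collection, which must run before stop_instances() wipes volatile memory.
    modify_instance_attribute(Groups=...) only changes the primary network interface;
    instances with extra ENIs need modify_network_interface_attribute() as well."""
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "cr-case-number", "Value": case_number}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    if capture is not None:
        capture(instance_id)
    ec2.stop_instances(InstanceIds=[instance_id])
    return [name for name, _ in ec2.calls] if hasattr(ec2, "calls") else None


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the example runs offline."""
    def __init__(self, owners):
        self.owners = owners        # access key id -> IAM user name
        self.key_status = {}
        self.policies = {}          # (user, policy name) -> parsed document

    def get_access_key_last_used(self, AccessKeyId):
        return {"UserName": self.owners[AccessKeyId], "AccessKeyLastUsed": {}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.key_status[AccessKeyId] = Status
        return {}

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[(UserName, PolicyName)] = json.loads(PolicyDocument)
        return {}


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client; records calls in order."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def _call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return _call


EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation example id, not a real key


if __name__ == "__main__":
    iam = FakeIAM({EXAMPLE_KEY_ID: "alice"})
    owner = disable_access_key(iam, EXAMPLE_KEY_ID)
    print("disabled key of", owner, "cutoff", revoke_sts_tokens(iam, owner))
    ec2 = FakeEC2()
    print(respond_to_instance(ec2, "i-0123456789abcdef0", "case-1", "sg-isolation"))
```

To run this against a real account, pass `boto3.client("iam")` and `boto3.client("ec2")` instead of the fakes; the functions do not change.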

Operationally, aws_ir requires careful setup. The project provides CloudFormation stacks that create the responder roles, which are constrained to require MFA, and responders must be added to the IncidentResponders group. Instance compromise handling also depends on an SSH key and a user account that can log into the target instance. Collected artifacts are written to S3, so the storage cost and data retention policy of that bucket need to be decided up front; since it holds memory images and other sensitive evidence, access to it should be restricted to responders.

Beyond the built-in plugins, aws_ir supports running custom plugins. It logs debug messages and supports verbose output, which helps with troubleshooting and leaves an audit trail of the actions taken during a response. Some plugins bring dependencies of their own, such as trusting specific GPG keys, which adds to the administrative overhead.
