AWS Kill Switch: Open-source incident response tool

2023-11-27 06:00

AWS Kill Switch is an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

"I recently left my role as Sr. Director, Security Engineering at Robinhood and have been using my free time to sharpen my skills as an individual contributor and contribute to open source. I find it stimulating and a great way to build stronger ties with the security community," Jeffrey Lyon, the creator of AWS Kill Switch, told Help Net Security.

"The SOC may receive an alert indicating that a threat actor has assumed an IAM role. The engineer can use this tool to detach all policies and delete the role immediately. There are a lot of possibilities here. Any organization that uses this solution should adapt it to its unique requirements and be cautious of the sharp edges. Removing policies, deleting roles, and applying SCPs in production is likely to break applications," Lyon concluded.

Regarding future plans, Lyon noted he'd improve the tool over time to be more flexible in terms of giving the operator more options like delete policies without deleting the role or taking other actions like setting Auto Scaling groups to zero.

You can run this client locally by manually setting AWS CLI environment variables AWS ACCESS KEY ID, AWS SECRET ACCESS KEY, and AWS SESSION TOKEN for any IAM user or assumed role with a policy that allows lambda:InvokeFunction for the ARN of the function that you created.

It will not function if you're assuming a role using the AWS PROFILE variable.

News URL

https://www.helpnetsecurity.com/2023/11/27/aws-kill-switch-open-source-incident-response-tool/

#AWS #incident #incidentresponse #opensource