miztiik · awsyadav · Apr 13, 2020
diff --git a/300-Security-Account-Breached/README.MD b/300-Security-Account-Breached/README.MD
@@ -1,21 +1,38 @@
 # AWS Account Breached
 
 ## Scenario
-You are getting an email from AWS about your AWS account billing is $XXXX(_You realize that is many times over the average bill over the past year_). On logging into the portal you find there are multiple instances running in multiple regions. 
+
+You are getting an email from AWS about your AWS account billing is $XXXX(_You realize that is many times over the average bill over the past year_). On logging into the portal you find there are multiple instances running in multiple regions.
 
 ## Account Recovery
 
 1. What actions will you take to ? & What order will you take those actions?
-  - Change  AWS account root user password.
-  - Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
-  - Delete any potentially compromised IAM users, and change the password for all other IAM users.
-  - Delete any resources on your account you didn't create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users.
-  - Respond to any notifications you received from AWS Support through the AWS Support Center.
+
+- Change  AWS account root user password.
+- Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
+- Delete any potentially compromised IAM users, and change the password for all other IAM users.
+- Delete any resources on your account you didn't create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users.
+- Respond to any notifications you received from AWS Support through the AWS Support Center.
 
-2. What controls will you put in place to prevent such events?
+1. What controls will you put in place to prevent such events?
    - Amazon GuardDuty is an intelligent threat detection service that provides continuous monitoring of your AWS accounts and    workloads to protect against malicious or unauthorized activities.
-   -  we can help ensure full coverage while making it harder for a misconfiguration or an ingenious attacker to change that. When we detect something interesting, we generate a security finding and deliver it to you through the GuardDuty console and AWS CloudWatch Events. This makes it possible to simply view findings in GuardDuty or push them to an existing SIEM or workflow system. We’ve already seen customers take it a step further using AWS Lambda to automate actions such as changing security groups, isolating instances, or rotating credentials.
+   - we can help ensure full coverage while making it harder for a misconfiguration or an ingenious attacker to change that. When we detect something interesting, we generate a security finding and deliver it to you through the GuardDuty console and AWS CloudWatch Events. This makes it possible to simply view findings in GuardDuty or push them to an existing SIEM or workflow system. We’ve already seen customers take it a step further using AWS Lambda to automate actions such as changing security groups, isolating instances, or rotating credentials.
    - we should enable CloudTrail logging so you are alerted whenever instances are spun up
-
-
-
+2. #### AWS Security Hub: Provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts.
+   - With AWS Security Hub you can collect and prioritize the security problems in your accounts and resources associated with Amazon Web Service. This tool process the data with a standard format and relate the problems to find out what are the most important. 
+   - Benefits of AWS is that you can have all the security information of all your assets on the AWS cloud in just one place: the Security Hub console. There you can see the status of your resources every second and check trend of possible problem to prevent or correct them. 
+3. #### Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on EC2 instances. By default,  the Common Vulnerabilities and Exposures (CVE) package is configured to run against all EC2 instances, every Saturday at
+
+#### Attached is the Terraform template ## AWS Threat Detection Services
+* Amazon GuardDuty
+* Amazon Inspector
+* AWS Security Hub
+* AWS Cloudwatch Event
+* AWS SNS Alert
+## ?? Buy me a coffee
+
+Buy me a coffee ? through [Paypal](https://paypal.me/valaxy), _or_ You can reach out to get more details through [here](https://youtube.com/c/valaxytechnologies/about).
+
+### ?? Metadata
+
+**Level**: 300
diff --git a/300-Security-Account-Breached/aws-threat-detection-services.tf b/300-Security-Account-Breached/aws-threat-detection-services.tf
@@ -0,0 +1,195 @@
+provider "aws" {
+  region  = "eu-west-1"
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_guardduty_detector" "GuardDuty" {
+  enable = true
+}
+
+resource "aws_inspector_assessment_template" "AssessmentTemplate" {
+  name = "Inspector Assessment Template_nRS"
+  duration = 3600
+  rules_package_arns = ["arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-ubA5XvBh"]
+  target_arn = "${aws_inspector_assessment_target.AssessmentTargetForAssessmentTemplate.arn}"
+}
+
+resource "aws_inspector_assessment_target" "AssessmentTargetForAssessmentTemplate" {
+  name = "Amazon Inspector Targets"
+}
+
+
+
+resource "aws_iam_role" "IamRoleForAssessmentTemplate" {
+  name = "IamRoleForInspectorScheduledEventxVR"
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": ["events.amazonaws.com"]
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy" "IamRoleForAssessmentTemplateInlinePolicyRoleAttachment0" {
+  name = "InspectorAssessmentTrigger"
+  role = "${aws_iam_role.IamRoleForAssessmentTemplate.id}"
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "inspector:StartAssessmentRun"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+POLICY
+}
+
+
+
+resource "aws_cloudwatch_event_rule" "CwEventForAssessmentTemplate" {
+  name = "InspectorScheduledAssessmentPVP"
+  description = "Scheduled trigger for Amazon Inspector Assessment: "
+  schedule_expression = "cron(00 00 ? * SAT *)"
+}
+
+resource "aws_cloudwatch_event_target" "TargetForCwEventForAssessmentTemplate" {
+  rule = "${aws_cloudwatch_event_rule.CwEventForAssessmentTemplate.name}"
+  target_id = "AmazonInspectorAssessment"
+  arn = "${aws_inspector_assessment_template.AssessmentTemplate.arn}"
+  role_arn = "${aws_iam_role.IamRoleForAssessmentTemplate.arn}"
+}
+
+resource "aws_securityhub_account" "SecurityHub" {
+}
+
+
+resource "aws_sns_topic" "sns" {
+  name = "user-updates-topic"
+  email_address = "[email protected]"
+}
+
+
+resource "aws_cloudwatch_event_rule" "CwEvent1" {
+  name = "detect-securityhub-finding"
+  description = "A CloudWatch Event Rule that triggers on AWS Security Hub findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda."
+  is_enabled = true
+  event_pattern = <<PATTERN
+{
+  "detail-type": [
+    "Security Hub Findings - Imported"
+  ],
+  "source": [
+    "aws.securityhub"
+  ]
+}
+PATTERN
+
+}
+
+resource "aws_cloudwatch_event_target" "TargetForCwEvent1" {
+  rule = "${aws_cloudwatch_event_rule.CwEvent1.name}"
+  target_id = "target-id1"
+  arn = "${aws_sns_topic.sns.arn}"
+}
+
+data "aws_iam_policy_document" "topic-policy-PolicyForSnsTopic" {
+  policy_id = "__default_policy_ID"
+
+  statement {
+    actions = [
+      "SNS:GetTopicAttributes",
+      "SNS:SetTopicAttributes",
+      "SNS:AddPermission",
+      "SNS:RemovePermission",
+      "SNS:DeleteTopic",
+      "SNS:Subscribe",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:Publish",
+      "SNS:Receive"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+
+      values = [
+        "${data.aws_caller_identity.current.account_id}"
+      ]
+    }
+
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = [
+      "${aws_sns_topic.sns.arn}"
+    ]
+
+    sid = "__default_statement_ID"
+  }
+
+  statement {
+    actions = [
+      "sns:Publish"
+    ]
+
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    resources = [
+      "${aws_sns_topic.sns.arn}"
+    ]
+
+    sid = "TrustCWEToPublishEventsToMyTopic"
+  }
+}
+
+resource "aws_sns_topic_policy" "TopicPolicyForSnsTopic1" {
+  arn = "${aws_sns_topic.sns.arn}"
+  policy = "${data.aws_iam_policy_document.topic-policy-PolicyForSnsTopic.json}"
+}
+
+resource "aws_cloudwatch_event_rule" "CwEvent2" {
+  name = "detect-guardduty-finding"
+  description = "A CloudWatch Event Rule that triggers on Amazon GuardDuty findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda."
+  is_enabled = true
+  event_pattern = <<PATTERN
+{
+  "detail-type": [
+    "GuardDuty Finding"
+  ],
+  "source": [
+    "aws.guardduty"
+  ]
+}
+PATTERN
+
+}
+
+resource "aws_cloudwatch_event_target" "TargetForCwEvent2" {
+  rule = "${aws_cloudwatch_event_rule.CwEvent2.name}"
+  target_id = "target-id1"
+  arn = "${aws_sns_topic.sns.arn}"
+}