diff --git a/ami/Makefile b/ami/Makefile
new file mode 100644
index 0000000..1c4337c
--- /dev/null
+++ b/ami/Makefile
@@ -0,0 +1,20 @@
+KUBERNETES_VERSION ?= 1.10.3
+
+DATE ?= $(shell date +%Y-%m-%d)
+
+# Defaults to Amazon Linux 2 AMI
+# * use the us-east-1 image
+# https://aws.amazon.com/amazon-linux-2/release-notes/
+SOURCE_AMI_ID ?= ami-b70554c8
+
+AWS_DEFAULT_REGION = us-east-1
+
+PACKER_CONFIG_FILE = my-aws-security-arsenal-packer-config.json
+
+all: ami
+
+validate:
+ packer validate $(PACKER_CONFIG_FILE)
+
+ami: validate
+ packer build -var source_ami_id=$(SOURCE_AMI_ID) $(PACKER_CONFIG_FILE)
diff --git a/ami/README.md b/ami/README.md
new file mode 100644
index 0000000..729b384
--- /dev/null
+++ b/ami/README.md
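Review bot: `AWS_DEFAULT_REGION = us-east-1` is never exported in this Makefile and never passed to `packer`, so it reads as if it selects the build region but has no effect; from the files in this commit the region comes only from the template's `aws_region` variable. Either pass it through with `-var aws_region=$(AWS_DEFAULT_REGION)` or remove it, together with `KUBERNETES_VERSION` and `DATE`, which nothing here uses. The three targets are commands rather than files, so declare `.PHONY: all validate ami`. Quoting the value, `-var 'source_ami_id=$(SOURCE_AMI_ID)'`, keeps an overridden AMI ID from being split or interpreted by the shell.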
@@ -0,0 +1,52 @@
+# Create an AMI with all security tools in the arsenal list
+
+Configuration scripts for building a custom Amazon AMI with [HashiCorp Packer](https://www.packer.io/).
+
+**NOT WORKING YET**
+Still in development
+
+## Setup
+
+* You must have [Packer](https://www.packer.io/) installed on your local system.
+For more information, see [Installing Packer](https://www.packer.io/docs/install/index.html)
+in the Packer documentation.
+
+* You must also have AWS account credentials configured so that Packer can make
+calls to AWS API operations on your behalf. For more information, see [Authentication](https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials)
+in the Packer documentation.
+
+**Note**
+
+The default region used is to build this AMI is `us-east-1` and the instance
+type is a `t2.medium` (4GB RAM, 2vCPUs, EBS only and $0.046400 hourly) and does
+not qualify for the AWS free tier. You are charged for any instances created
+when building this AMI. The base AMI used is `ami-b70554c8`, Amazon Linux 2.
+
+## Building the AMI
+
+A Makefile is provided to build the AMI, but it is just a small wrapper around
+invoking Packer directly. You can initiate the build process by running the
+following command in the root of this repository:
+
+```bash
+make
+```
+
+The Makefile runs Packer with the `my-aws-security-arsenal-packer-config.json`
+build specification template and the [amazon-ebs](https://www.packer.io/docs/builders/amazon-ebs.html)
+builder. An instance is launched and the Packer [Shell
+Provisioner](https://www.packer.io/docs/provisioners/shell.html) runs the
+`install-tools.sh` script on the instance to install software and perform other
+necessary configuration tasks. Then, Packer creates an AMI from the instance
+and terminates the instance after the AMI is created.
+
+## Using the AMI
+
+If you are just getting started with security tools, visit [https://github.com/toniblyx/my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
+and get familiar with every tool that you are interested in.
+
+Launch an instance with the new AMI ID that is returned when Packer finishes building.
+
+## Reference
+
+Some code is taken as reference from here [https://github.com/awslabs/amazon-eks-ami](https://github.com/awslabs/amazon-eks-ami)
diff --git a/ami/install-tools.sh b/ami/install-tools.sh
new file mode 100644
index 0000000..cf42796
--- /dev/null
+++ b/ami/install-tools.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+IFS=$'\n\t'
+
+TEMPLATE_DIR=${TEMPLATE_DIR:-/tmp/arsenal}
+
+################################################################################
+### Packages ###################################################################
+################################################################################
+
+# Update the OS to begin with to catch up to the latest packages.
+sudo yum update -y
+
+# Install necessary packages
+sudo yum install -y \
+ aws-cfn-bootstrap \
+ conntrack \
+ curl \
+ git \
+ socat \
+ unzip \
+ wget
+
+curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
+sudo python get-pip.py
+rm get-pip.py
+sudo pip install --upgrade awscli
+
+################################################################################
+### Docker #####################################################################
+################################################################################
+
+sudo yum install -y yum-utils device-mapper-persistent-data lvm2
+sudo amazon-linux-extras enable docker
+sudo yum install -y docker-17.06*
+sudo usermod -aG docker $USER
+
+# Clean up yum caches to reduce the image size
+sudo yum clean all
+
+# Enable docker daemon to start on boot.
+sudo systemctl daemon-reload
+sudo systemctl enable docker
+
+################################################################################
+### AWS Security Arsenal #######################################################
+################################################################################
+# get the latest list of tools from https://github.com/toniblyx/my-arsenal-of-aws-security-tools
+# and clone them in to the /opt/arsenal directory
+git clone https://github.com/toniblyx/my-arsenal-of-aws-security-tools
+cd my-arsenal-of-aws-security-tools
+# skipping RhinoSecurityLabs/pacu since it is not public yet and billing alerts CFN templates
+TOOLS_URL_LIST=$(grep github.com README.md |awk -F '[' '{ print $2 }'| awk -F ']' '{ print $1 }' | grep -v pacu$|grep -v btkrausen)
+sudo mkdir -p /opt/arsenal
+cd /opt/arsenal
+for tool_url in $TOOLS_URL_LIST; do
+ sudo git clone $tool_url
+done
diff --git a/ami/manifest.json b/ami/manifest.json
new file mode 100644
index 0000000..101763f
--- /dev/null
+++ b/ami/manifest.json
@@ -0,0 +1,13 @@
+{
+ "builds": [
+ {
+ "name": "amazon-ebs",
+ "builder_type": "amazon-ebs",
+ "build_time": 1533335897,
+ "files": null,
+ "artifact_id": "us-east-1:ami-05bbc777606893c06",
+ "packer_run_uuid": "d64c8557-ff41-86f1-c9a5-511a79216c9e"
+ }
+ ],
+ "last_run_uuid": "d64c8557-ff41-86f1-c9a5-511a79216c9e"
+}
\ No newline at end of file
diff --git a/ami/my-aws-security-arsenal-packer-config.json b/ami/my-aws-security-arsenal-packer-config.json
new file mode 100644
index 0000000..936d010
--- /dev/null
+++ b/ami/my-aws-security-arsenal-packer-config.json
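Review bot: Everything baked into the image is fetched unpinned and unverified, then handled as root: `get-pip.py` is downloaded and run with `sudo python`, and the final loop runs `sudo git clone $tool_url` on whatever strings the `grep`/`awk` pipeline extracts from the upstream README. Any edit to that README, or to a listed repository's default branch, changes the AMI contents with no record of what was installed, and a single entry that is not a clonable URL aborts the build under `errexit`. The loop should quote the variable, accept only `https://github.com/` entries, and write each cloned commit into the image, as sketched below. The download should use `curl -fsSL` so an HTTP error page is never saved as `get-pip.py`. Separately, `sudo usermod -aG docker $USER` gives the login user root-equivalent access through the Docker socket in every instance launched from the AMI, which deserves a comment, and `TEMPLATE_DIR` is assigned but not used in this script.

```shell
# … unchanged: clone of my-arsenal-of-aws-security-tools, TOOLS_URL_LIST extraction, mkdir -p and cd /opt/arsenal …
for tool_url in $TOOLS_URL_LIST; do
  # The list is scraped from README link text; accept only GitHub HTTPS URLs.
  case "$tool_url" in
    https://github.com/*) ;;
    *) echo "skipping unexpected entry: $tool_url" >&2; continue ;;
  esac
  repo_dir=$(basename "$tool_url" .git)
  sudo git clone -- "$tool_url" "$repo_dir"
  # Record the exact commit baked into the image so the AMI contents can be audited later.
  printf '%s %s\n' "$tool_url" "$(sudo git -C "$repo_dir" rev-parse HEAD)" \
    | sudo tee -a /opt/arsenal/SOURCES.txt >/dev/null
done
```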
@@ -0,0 +1,65 @@
+{
+ "variables": {
+ "aws_region": "us-east-1",
+ "ami_name": "My-AWS-Security-Arsenal-v0.1-{{timestamp}}",
+ "creator": "toni@blyx.com",
+ "instance_type": "t2.medium",
+ "source_ami_id": "ami-b70554c8"
+ },
+
+ "builders": [
+ {
+ "type": "amazon-ebs",
+ "region": "{{user `aws_region`}}",
+ "source_ami": "{{user `source_ami_id`}}",
+ "source_ami_filter": {
+ "filters": {
+ "architecture": "x86_64",
+ "name": "amzn2-ami-hvm-*",
+ "owner-id": "137112412989",
+ "root-device-type": "ebs",
+ "state": "available",
+ "virtualization-type": "hvm"
+ },
+ "most_recent": true
+ },
+ "instance_type": "{{user `instance_type`}}",
+ "launch_block_device_mappings": [
+ {
+ "device_name": "/dev/xvda",
+ "volume_type": "gp2",
+ "volume_size": 20,
+ "delete_on_termination": true
+ }
+ ],
+ "ssh_username": "ec2-user",
+ "ssh_pty": true,
+ "run_tags": {
+ "creator": "{{user `creator`}}"
+ },
+ "tags": {
+ "created": "{{timestamp}}"
+ },
+ "ami_name": "{{user `ami_name`}}",
+ "ami_description": "My AWS Security Arsenal AMI with AmazonLinux2 image - toni@blyx.com"
+ }
+ ],
+
+ "provisioners": [
+ {
+ "type": "shell",
+ "inline": ["mkdir -p /tmp/arsenal/"]
+ },
+ {
+ "type": "shell",
+ "script": "install-tools.sh"
+ }
+ ],
+ "post-processors": [
+ {
+ "type": "manifest",
+ "output": "manifest.json",
+ "strip_path": true
+ }
+ ]
+}
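Review bot: The builder sets both a pinned `source_ami` (the Makefile always passes `ami-b70554c8`) and a `source_ami_filter` with `most_recent: true`, which express opposite intents, and which of the two takes effect is not evident from the template. A pinned ID means every build starts from an ageing base image, mitigated only by the `yum update` in the provisioner, whereas the filter restricted to `owner-id` 137112412989 tracks the current Amazon Linux 2 image without trusting look-alike AMI names. Keep one of the two and state the choice in the README, since JSON cannot carry a comment. The `manifest` post-processor also writes `manifest.json` beside the template, and this commit checks one in; as build output it probably belongs in `.gitignore`.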