README
¶
RISKEN AWS
RISKEN is a monitoring tool for your cloud platforms, web-site, source-code...
RISKEN AWS is a security monitoring system for AWS that searches, analyzes, evaluate, and alerts on discovered threat information.
Please check RISKEN Documentation.
Installation
Requirements
This module requires the following modules:
Install packages
This module is developed in the Go language, please run the following command after installing the Go.
$ make install
Building
Build the containers on your machine with the following command
$ make build
Running Apps
Deploy the pre-built containers to the Kubernetes environment on your local machine.
- Follow the documentation to download the Kubernetes manifest sample.
- Fix the Kubernetes object specs of the manifest file as follows and deploy it.
k8s-sample/overlays/local/aws.yaml
| service | spec | before (public images) | after (pre-build images on your machine) |
|---|---|---|---|
| accessanalyzer | spec.template.spec.containers.image | public.ecr.aws/risken/aws/accessanalyzer:latest |
aws/accessanalyzer:latest |
| adminchecker | spec.template.spec.containers.image | public.ecr.aws/risken/aws/adminchecker:latest |
aws/adminchecker:latest |
| cloudsploit | spec.template.spec.containers.image | public.ecr.aws/risken/aws/cloudsploit:latest |
aws/cloudsploit:latest |
| guardduty | spec.template.spec.containers.image | public.ecr.aws/risken/aws/guard-duty:latest |
aws/guard-duty:latest |
| portscan | spec.template.spec.containers.image | public.ecr.aws/risken/aws/portscan:latest |
aws/portscan:latest |
CloudSploit
Customize CloudSploit
You can customize several settings for CloudSploit by modifying the cloudsploit.yaml file.
# defaultScore (1-10)
# If a plugin's score is not set, this default score will be applied.
defaultScore: 3
# ignorePlugin
# Specify plugins to be ignored here.
ignorePlugin:
- EC2/ebsSnapshotPublic
- Lambda/lambdaPublicAccess
- SNS/topicPolicies
- SQS/sqsPublicAccess
# specificPluginSetting
# You can set scores, tags, recommendations, etc. for each plugin.
specificPluginSetting:
category/pluginName:
# score (1-10):
# Set the score for the plugin
score: 8
# skipResourceNamePattern:
# Specify resource name patterns to ignore resources that match these patterns.
skipResourceNamePattern:
- "arn:aws:s3:::bucket-name"
- "ignoreResourceName"
# ignoreMessagePattern:
# Specify message patterns to ignore messages that match these patterns.
ignoreMessagePattern: "Domain: .+ expires in (?:2[5-9]|[3-9]\d|\d{3,}) days"
# tags:
# You can set tags for resources.
# Tags can be used for search filters, etc.
tags:
- tag1
- tag2
# recommend:
# You can set recommendations.
recommend:
risk: "..."
remediation: "xxxxx"
This configuration allows you to customize CloudSploit's behavior, including setting default scores, ignoring specific plugins, and configuring plugin-specific settings such as scores, resource name patterns to skip, tags, and recommendations.
Generate CloudSploit YAML file
You can generate the latest CloudSploit YAML file using the following command.
$ make generate-yaml
If you want to generate the YAML file with a specific commit hash, you can use the following command.
$ COMMIT_HASH=xxxxxxx go run tool/generate-cloudsploit-yaml/main.go
Community
Info on reporting bugs, getting help, finding roadmaps, and more can be found in the RISKEN Community.
License
MIT.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
access-analyzer
command
|
|
|
admin-checker
command
|
|
|
cloudsploit
command
|
|
|
guard-duty
command
|
|
|
portscan
command
|
|
|
pkg
|
|
|
message
module
|
|
|
model
module
|
|
|
proto
|
|
|
activity
module
|
|
|
aws
module
|
|
|
src
|
|
|
access-analyzer
module
|
|
|
activity
module
|
|
|
admin-checker
module
|
|
|
aws
module
|
|
|
cloudsploit
module
|
|
|
guard-duty
module
|
|
|
portscan
module
|
|
|
tool
|
|
|
generate-cloudsploit-yaml
command
|