Amazon Elastic Compute Cloud (EC2) provides computing resources that can easily and rapidly deploy virtual machines and web applications as instances in the cloud. Administrators and developers can then configure AWS security groups to act as a firewall for the deployed instances.
The AWS EC2 Quarantine bundle enables the Reveal(x) system to modify the AWS security groups associated with an EC2 instance to quarantine network interfaces when a detection identifies a security threat on an EC2 instance.
The bundle includes a trigger that sends a request through the EC2 REST API for detections with a high risk score, a dashboard that provides charts to track activity and quarantined interfaces, and a record format that enables you to query for quarantined events.
## Bundle Contents
- (1) Applications
  - AWS Quarantine
- (1) Dashboards
  - AWS EC2 Quarantine
- (1) Record Formats
  - AWS Quarantine Events
- (1) Triggers
  - AWS EC2 Quarantine
## Requirements
Note that if you install this bundle on a Command appliance, you must configure ODS targets for each connected Discover appliance and modify the trigger included in the bundle.
- Your ExtraHop Reveal(x) system must have firmware version 7.8 or later.
- You must have a connection to the cloud-based ExtraHop Machine Learning Service.
- You must have administrator privileges on both your ExtraHop appliance and your Amazon Web Services account.
### Create IAM user for Amazon Web Services authentication
The AWS EC2 Quarantine trigger in this bundle requires authentication to the Amazon Web Services REST API endpoint for EC2. We recommend that you control how users access EC2 resources with AWS Identity and Access Management (IAM). The IAM user for this bundle must have permissions to complete the following actions:
You will need the Access Key and Secret Key for this IAM user when configuring your Reveal(x) system for this bundle. For more information, see Amazon's documentation about IAM Policies for Amazon EC2.
### Create EC2 security group for quarantined interfaces
The AWS EC2 Quarantine trigger replaces the EC2 instance's security groups with a security group of your choice, such as a "quarantine" security group with no inbound rules and no outbound rules. You will need the ID of this security group when configuring the trigger. For more information, see Amazon's documentation about Security Groups for Your VPC.
- Download the bundle on this page.
- Upload and apply the bundle.
### Configure the ExtraHop appliance
- Log into the Admin UI on the Discover or Command appliance where you installed the bundle.
- Configure an open data stream (ODS) for HTTP with the following parameters:
  - Name: A name to identify the EC2 API server.
  - Host: ec2.amazonaws.com or other EC2 API endpoint; see AWS documentation for the full list of endpoints for your region.
  - Port: 443
  - Type: HTTPS
  - Authentication: Amazon Web Services
  - Access key ID: Your IAM user access key ID
  - Secret key: Your IAM user secret key
  - Service: ec2
  - Region: Your EC2 API endpoint region; for example, "us-west-2"
The following figure shows an example of the ODS target configuration.
- In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
- In the list of triggers, click AWS EC2 Quarantine.
- Click the Editor tab.
- Change the default string value in the "QUARANTINE_SECURITYGROUP" variable to the ID of the EC2 security group, similar to the following example:
  ```javascript
  const QUARANTINE_SECURITYGROUP = "sg-123456789";
  ```
- Change the default string value in the "EC2_ODS_TARGET" variable to the name of the ODS target for the EC2 API server, similar to the following example:
  ```javascript
  const EC2_ODS_TARGET = "ec2";
  ```
- Optional: Change the default integer value in the "RISK_THRESHOLD" variable to the desired risk score threshold for this trigger. Detections with risk scores at or above this value result in an attempted quarantine of the detection's participants. For example:
  ```javascript
  const RISK_THRESHOLD = 81;
  ```
- Click Save and Close.
- Select the checkbox next to the AWS EC2 Quarantine trigger and then click Enable.
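As an added example (not code from the ExtraHop bundle), the following Python models the trigger's decision logic offline: the risk-score gate, a check that the configured quarantine security group really has no inbound or outbound rules, and the EC2 ModifyInstanceAttribute request body that replaces an instance's groups with the quarantine group. The instance IDs, detection fields and the choice of ModifyInstanceAttribute are assumptions; the bundle's trigger may use a different EC2 action, and AWS SigV4 signing is left to the ODS target, as on the appliance.

```python
"""Added example, not part of the ExtraHop AWS EC2 Quarantine bundle:
the trigger's decision and request-building logic, modelled offline."""
from urllib.parse import urlencode

# Settings mirroring the trigger's configurable constants (values from the page).
QUARANTINE_SECURITYGROUP = "sg-123456789"
RISK_THRESHOLD = 81

def should_quarantine(risk_score, threshold=RISK_THRESHOLD):
    """Detections at or above the threshold trigger a quarantine attempt."""
    return risk_score >= threshold

def is_isolating_group(sg):
    """True if a DescribeSecurityGroups entry has no inbound and no outbound
    rules. A quarantine group that still allows egress would not contain the
    instance, so this is the check to run before trusting the configured ID."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")

def build_quarantine_request(instance_id, quarantine_sg=QUARANTINE_SECURITYGROUP):
    """EC2 Query API body for ModifyInstanceAttribute that replaces *all* of the
    instance's security groups with the single quarantine group. (Assumption:
    this is one EC2 action that achieves the bundle's effect; SigV4 headers
    are added by the ODS target and are omitted here.)"""
    params = {
        "Action": "ModifyInstanceAttribute",
        "Version": "2016-11-15",
        "InstanceId": instance_id,
        "GroupId.1": quarantine_sg,
    }
    return urlencode(params)

# Constructed sample data: a detection and a DescribeSecurityGroups-style result.
SAMPLE_DETECTION = {"id": 42, "riskScore": 87, "participants": ["i-0abc123def456"]}
SAMPLE_GROUPS = [
    {"GroupId": "sg-123456789", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0leaky", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def quarantine_requests_for(detection, groups, threshold=RISK_THRESHOLD):
    """One ModifyInstanceAttribute body per participant, or [] when the
    detection is below threshold or the quarantine group is missing/leaky."""
    if not should_quarantine(detection["riskScore"], threshold):
        return []
    sg = next((g for g in groups if g["GroupId"] == QUARANTINE_SECURITYGROUP), None)
    if sg is None or not is_isolating_group(sg):
        return []
    return [build_quarantine_request(i) for i in detection["participants"]]
```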