AWS Kill Switch


Open-source incident response tool



AWS Kill Switch is a Lambda function (and proof of concept client) that an organization can implement in a dedicated "Security" account (on AWS) to give their security engineers the ability to quickly deploy restrictions during a security incident, including:
  • Apply a service control policy (SCP) to freeze the state of a targeted account
  • Detach all policies and delete inline policies from a targeted IAM role
  • Revoke all sessions on a targeted IAM role or ALL customer managed IAM roles in a targeted account
  • Delete a targeted IAM role (which also revokes all sessions)

Prerequisites


Tested on go1.21.3 on arm64.

Preparation

This tool requires you to have roles that you can assume from a dedicated "Security" account to your organization management account (apply_scp) or to any account in your organization (actions other than apply_scp). You can use AWS CloudFormation StackSets to automate the creation of these roles.

Required permissions

Action: apply_scp
  Required permissions: organizations:CreatePolicy, organizations:AttachPolicy
  Other requirements: Role to assume must be in the organization management account

Action: detach_policies
  Required permissions: iam:ListAttachedRolePolicies, iam:DetachRolePolicy, iam:ListRolePolicies, iam:DeleteRolePolicy
  Other requirements: Role to assume must be in the targeted account

Action: revoke_sessions
  Required permissions: iam:AttachRolePolicy, iam:CreatePolicy, iam:ListRoles
  Other requirements: Role to assume must be in the targeted account

Action: delete_role
  Required permissions: iam:DeleteRole, iam:ListAttachedRolePolicies, iam:DetachRolePolicy, iam:ListRolePolicies, iam:DeleteRolePolicy
  Other requirements: Role to assume must be in the targeted account

Prevent tampering

You should take steps to ensure that a threat actor cannot make modifications to the IAM role that you plan to assume during a security incident. Consider implementing an SCP like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessToASpecificRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/security-role"
      ]
    }
  ]
}
This example assumes that you created a service-managed StackSet in your organization that automatically creates security-role in every account. With this SCP the threat actor will be unable to tamper with your role or its attached policies, even if they have elevated permissions that would otherwise allow manipulation of roles and policies.
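The following is an added example, not code from the AWS Kill Switch project, that ties the actions listed at the top of the page to the tamper-prevention SCP above. It builds the SCP for a given role name, a "freeze" SCP, and a session-revocation policy, and then evaluates whether a given SCP actually denies a specific action on a specific role ARN using IAM-style wildcard matching (case-insensitive for action names). Assumptions: the freeze SCP is modelled as a deny-all statement (the page does not show the tool's real document); revoke_sessions is modelled as the AWS-documented aws:TokenIssueTime deny condition in a customer managed policy, which fits the iam:CreatePolicy and iam:AttachRolePolicy permissions the page lists but is not confirmed by it; the account ID 123456789012 and the role names are constructed.

```python
"""Added example (not the project's own code): build and check the policy
documents involved in an AWS Kill Switch deployment, using only the stdlib."""
import json
import re
from datetime import datetime, timezone

# Role-mutating actions denied by the tamper-prevention SCP on the page.
ROLE_MUTATION_ACTIONS = [
    "iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole",
    "iam:UpdateRoleDescription",
]


def build_tamper_scp(role_name: str) -> dict:
    """The page's tamper-prevention SCP, parameterised on the protected role name."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAccessToASpecificRole", "Effect": "Deny",
        "Action": list(ROLE_MUTATION_ACTIONS),
        "Resource": [f"arn:aws:iam::*:role/{role_name}"]}]}


def build_freeze_scp() -> dict:
    """ASSUMED shape of the apply_scp 'freeze': deny every action in the account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "FreezeAccount", "Effect": "Deny", "Action": "*", "Resource": "*"}]}


def build_revoke_policy(issued_before: datetime) -> dict:
    """ASSUMED revoke_sessions mechanism: a managed policy attached to the role that
    denies everything to credentials issued before the cut-off (aws:TokenIssueTime)."""
    cutoff = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RevokeOlderSessions", "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}


def _wildcard_re(pattern: str) -> re.Pattern:
    # IAM policy wildcards: '*' matches any run of characters, '?' a single one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive in IAM policy evaluation.
    return _wildcard_re(pattern.lower()).match(action.lower()) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    return _wildcard_re(pattern).match(arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(scp: dict, action: str, resource: str) -> bool:
    """True if an unconditional Deny statement in `scp` covers action+resource.
    Statements with a Condition need request context, so they are skipped here."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if (any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
                and any(resource_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))):
            return True
    return False


def uncovered_actions(scp: dict, resource: str, actions=ROLE_MUTATION_ACTIONS) -> list:
    """Role-mutating actions that `scp` does NOT deny on `resource` (should be empty)."""
    return [a for a in actions if not scp_denies(scp, a, resource)]


if __name__ == "__main__":
    role_arn = "arn:aws:iam::123456789012:role/security-role"  # constructed
    scp = build_tamper_scp("security-role")
    print(json.dumps(scp, indent=2))
    print("uncovered:", uncovered_actions(scp, role_arn))
    print("denies iam:GetRole?", scp_denies(scp, "iam:GetRole", role_arn))
    print(json.dumps(build_revoke_policy(datetime.now(timezone.utc)), indent=2))
```

Run the file to print the generated documents; `uncovered_actions` is the check worth wiring into a deployment pipeline, since it fails loudly if someone trims the action list or renames the role without updating the SCP.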

Installation

Clone the Repository
 git clone https://github.com/secengjeff/awskillswitch.git

More details on installation and troubleshooting are available in the project repository.
