Getting Started - Snapshot 4n6ir Imager for Docker

SCENARIO

Your organization has a business requirement to store disk images of EC2 volumes cost-effectively for thirty days after termination, for security investigations. The CloudWatch Event “createSnapshot”, emitted when an EBS Snapshot completes, launches a Lambda that starts the Snapshot 4n6ir Imager for Docker script.

DOCKERFILE

FROM ubuntu:20.04

WORKDIR /4n6ir

RUN apt-get update && apt-get install -y python3-pip

RUN pip3 install --no-cache-dir boto3 cryptography requests

# The imager script is fetched at build time; verify it against a known checksum
# if this image is rebuilt in an automated pipeline.
ADD https://cloud.4n6ir.com/scripts/Snapshot-4n6ir-Imager-for-Docker.py.gz /4n6ir/Snapshot-4n6ir-Imager-for-Docker.py.gz

RUN gunzip Snapshot-4n6ir-Imager-for-Docker.py.gz

CMD ["python3","Snapshot-4n6ir-Imager-for-Docker.py"]

ELASTIC CONTAINER REPOSITORY

AWS has provided the required documentation to create a container image in the Elastic Container Repository (ECR).

https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html

ELASTIC CONTAINER SERVICE CLUSTER

Creating the Elastic Container Service (ECS) Cluster is completed by choosing “Networking Only” and providing a cluster name.

[Screenshot: select cluster template]

ELASTIC CONTAINER SERVICE TASK DEFINITION

Creating an Elastic Container Service (ECS) Task Definition is started by selecting Fargate compatibility.

[Screenshot: Fargate launch compatibility]

I typically use the minimum resources for my ECS task, but some extra processor and memory would definitely improve the hashing and encryption performance.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-task-definition.html

The Task Role and Task Execution Role need an IAM role for Elastic Container Service tasks with the AWS managed policy AmazonECSTaskExecutionRolePolicy. I also add the s3:PutObject permission to this role so the forensic image can be archived to a local S3 bucket. The EBS direct API permissions ebs:ListSnapshotBlocks and ebs:GetSnapshotBlock are also required for imaging.

LAMBDA

I have provided the Lambda source code for launching the Fargate container to image an EBS Snapshot to an S3 bucket (see SOURCE CODE below); the BOTO3 reference has additional details on the run_task call.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecs.html#ECS.Client.run_task

The Lambda will require the following action permissions to execute the ECS Task Definition:

  • ecs:RunTask
  • iam:PassRole

SECURITY

You may also designate AWS Systems Manager Parameter Store keys or ARNs using the ‘valueFrom’ field; ECS injects the value into the container at run time, so the secret never has to be written into the task definition or the Lambda code in plaintext.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html

SOURCE CODE

import boto3
import json

def lambda_handler(event, context):
    # The createSnapshot event that triggered this Lambda is not inspected here;
    # this sample hard-codes the snapshot, bucket and network values.
    client = boto3.client('ecs')
    response = client.run_task(
        cluster='snapshot-4n6ir-imager',
        launchType='FARGATE',
        taskDefinition='snapshot-4n6ir-imager:1',
        overrides={
            'containerOverrides': [
                {
                    'name': 'snapshot-4n6ir-imager',
                    # Environment handed to the imager container. ENVPWD and ENVSALT
                    # are plaintext here; see SECURITY above for the 'valueFrom' alternative.
                    'environment': [
                        {'name': 'ENVAUTH', 'value': 'local'},
                        {'name': 'ENVREGION', 'value': 'us-east-2'},
                        {'name': 'ENVSNAPSHOT', 'value': 'snap-056e0b1bd07ad91b2'},
                        {'name': 'ENVBUCKET', 'value': 'mybucket.4n6ir.com'},
                        {'name': 'ENVPWD', 'value': 'secretpassword'},
                        {'name': 'ENVSALT', 'value': 'secretsalt'}
                    ]
                }
            ]
        },
        count=1,
        platformVersion='LATEST',
        # Fargate tasks use awsvpc networking; the task needs a route to the
        # EBS direct API and S3 (public IP here, or a NAT / VPC endpoint).
        networkConfiguration={
            'awsvpcConfiguration': {
                'subnets': [
                    'subnet-01ab2cdef3456789a',
                    'subnet-02ab2cdef3456789b',
                    'subnet-03ab2cdef3456789c'
                ],
                'securityGroups': [
                    'sg-01ab2cdef3456789g'
                ],
                'assignPublicIp': 'ENABLED'
            }
        }
    )
    return {
        'statusCode': 200,
        'body': json.dumps('Running New ECS Task Now')
    }
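The same Lambda reworked as an added example (not the post's own code) that ties the LAMBDA and SECURITY sections together: it takes the snapshot ID from the createSnapshot event instead of hard-coding it, ignores anything that is not a successful createSnapshot, and leaves ENVPWD/ENVSALT out of the plaintext overrides so the task definition can deliver them via ‘valueFrom’. The event layout assumed is the EBS Snapshot Notification (detail.snapshot_id as an ARN, region at top level); the sample event, IDs and names are constructed placeholders.

```python
import json

# Assumed deployment values (placeholders, matching the post's sample IDs).
CLUSTER, TASK_DEF, CONTAINER = "snapshot-4n6ir-imager", "snapshot-4n6ir-imager:1", "snapshot-4n6ir-imager"
BUCKET = "mybucket.4n6ir.com"
NETWORK = {"awsvpcConfiguration": {"subnets": ["subnet-01ab2cdef3456789a"],
           "securityGroups": ["sg-01ab2cdef3456789g"], "assignPublicIp": "ENABLED"}}

# Constructed sample in the EBS Snapshot Notification layout (not a real capture).
SAMPLE_EVENT = {"source": "aws.ec2", "detail-type": "EBS Snapshot Notification",
                "region": "us-east-2",
                "detail": {"event": "createSnapshot", "result": "succeeded",
                           "snapshot_id": "arn:aws:ec2::us-east-2:snapshot/snap-0123456789abcdef0"}}

def snapshot_from_event(event):
    """Return (snapshot_id, region) for a successful createSnapshot event, else None.
    Assumes detail.snapshot_id is an ARN ending in '/snap-...' and region is top-level."""
    detail = event.get("detail", {})
    if detail.get("event") != "createSnapshot" or detail.get("result") != "succeeded":
        return None
    return detail["snapshot_id"].rsplit("/", 1)[-1], event["region"]

def build_run_task_args(snapshot_id, region):
    """Build run_task kwargs. ENVPWD and ENVSALT are deliberately absent: the task
    definition delivers them via 'secrets' with a Parameter Store 'valueFrom', so they
    are not passed as plaintext overrides on every invocation."""
    env = [{"name": "ENVAUTH", "value": "local"}, {"name": "ENVREGION", "value": region},
           {"name": "ENVSNAPSHOT", "value": snapshot_id}, {"name": "ENVBUCKET", "value": BUCKET}]
    return {"cluster": CLUSTER, "launchType": "FARGATE", "taskDefinition": TASK_DEF,
            "overrides": {"containerOverrides": [{"name": CONTAINER, "environment": env}]},
            "count": 1, "platformVersion": "LATEST", "networkConfiguration": NETWORK}

def lambda_handler(event, context, ecs=None):
    """Ignore anything but a successful createSnapshot, then launch the imaging task."""
    target = snapshot_from_event(event)
    if target is None:
        return {"statusCode": 204, "body": json.dumps("Ignored: not a completed createSnapshot")}
    if ecs is None:
        import boto3  # imported lazily so the builders above can be tested offline
        ecs = boto3.client("ecs")
    ecs.run_task(**build_run_task_args(*target))
    return {"statusCode": 200, "body": json.dumps("Running New ECS Task Now")}
```

The `ecs` parameter exists only so a fake client can be injected in tests; at runtime Lambda calls `lambda_handler(event, context)` and the real boto3 client is created.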