holmes/plugins/toolsets/aws.yaml

toolsets:
  aws/security:
    description: "Set of tools to audit AWS security"
    docs_url: "https://docs.aws.amazon.com/"
    icon_url: "https://upload.wikimedia.org/wikipedia/commons/9/93/Amazon_Web_Services_Logo.svg"
    tags:
      - core
    prerequisites:
    - command: "aws sts get-caller-identity"

    tools:
    - name: "aws_cloudtrail_event_lookup"
      description: "Fetches events of a specified type from AWS CloudTrail along with the users that called them"
      user_description: "get {{ EVENT_NAME }} events"
      command: |
        echo "EventName,EventId,EventTime,Username,AccessKeyId,ip,userID"
        aws cloudtrail lookup-events \
          --lookup-attributes AttributeKey=EventName,AttributeValue="{{ EVENT_NAME }}" \
          --start-time $(date -v -7d -u +%Y-%m-%dT%H:%M:%SZ) \
          --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
          --query 'Events[*].{EventName:EventName,EventId:EventId,EventTime:EventTime,Username:Username,AccessKeyId:AccessKeyId,ip:CloudTrailEvent.sourceIPAddress,userID:CloudTrailEvent.userIdentity.sessionContext.sessionIssuer.userName}' \
          --output table

    - name: "aws_cloudtrail_event_details"
      description: "Fetches and returns full event details for an AWS cloudtrail event in JSON format given an event ID"
      user_description: "looking up event {{ EVENT_ID }}"
      command: |
        aws cloudtrail lookup-events \
          --lookup-attributes AttributeKey=EventId,AttributeValue="{{ EVENT_ID }}" \
          --query 'Events[0]' --output json

    - name: "aws_user_audit_logs"
      description: "Fetches audit logs for a specified user from AWS CloudTrail in past 24 hours. Provide username as was outputed by aws_event_lookup or aws_event_details"
      user_description: "get audit logs for {{ UserName }}"
      command: |
        aws cloudtrail lookup-events \
        --lookup-attributes AttributeKey=Username,AttributeValue="{{ UserName }}" \
        --start-time $(date -v -1d -u +%Y-%m-%dT%H:%M:%SZ) \
        --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
        --query 'Events[*].{EventName:EventName,EventSource:EventSource,EventId:EventId,EventTime:EventTime,Username:Username,AccessKeyId:AccessKeyId,ip:CloudTrailEvent.sourceIPAddress,userID:CloudTrailEvent.userIdentity.sessionContext.sessionIssuer.userName}' \
        --output table

  aws/rds:
    description: "Read access to Amazon RDS resources"
    docs_url: "https://docs.aws.amazon.com/rds/"
    icon_url: "https://upload.wikimedia.org/wikipedia/commons/9/93/Amazon_Web_Services_Logo.svg"
    tags:
      - core
    prerequisites:
    - command: "aws sts get-caller-identity"

    tools:
    - name: "aws_rds_describe_events"
      description: "Runs aws rds describe-events"
      user_description: "fetch rds events"
      command: "aws rds describe-events"

    - name: "aws_rds_describe_instance"
      description: "Get the configuration of a RDS instance"
      user_description: "Get the configuration of a RDS instance"
      command: "aws rds describe-db-instances --db-instance-identifier '{{ db_instance_identifier }}'"

    - name: "aws_rds_describe_instances"
      description: "Runs aws rds describe-db-instances"
      user_description: "fetch rds instances"
      command: "aws rds describe-db-instances"

    - name: "aws_rds_describe_logs"
      description: "Describe all available logs for an AWS RDS instance."
      user_description: "list available RDS logs (e.g. slow query logs)"
      command: "aws rds describe-db-log-files --db-instance-identifier '{{ db_instance_identifier }}'"

    - name: "aws_rds_fetch_log_by_name"
      description: "Fetch a specific log for an AWS RDS instance by log file name."
      user_description: "fetch a specific RDS log"
      command: "aws rds download-db-log-file-portion --db-instance-identifier '{{ db_instance_identifier }}' --log-file-name '{{ log_file_name }}' --starting-token 0"