Integrate Amazon EC2 with Google SecOps
This document describes how to integrate AWS Elastic Compute Cloud (Amazon EC2) with Google Security Operations (Google SecOps).
Integration version: 7.0
Use Cases
Secure the Amazon Elastic Compute Cloud (Amazon EC2) instances
- Create security groups to restrict inbound and outbound internet access to Amazon EC2.
- Allocate a new Elastic IP address.
- Associate a new Elastic IP address.
Resource management - use instance custom tags to track and identify AWS resources.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
AWS Access Key ID | String | N/A | Yes | AWS Access Key ID to use in integration. |
AWS Secret Key | Password | N/A | Yes | AWS Secret Key to use in integration. |
AWS Default Region | String | N/A | Yes | AWS default region to use in integration, for example us-west-2. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Authorize Security Group Egress
Adds the specified egress rule to a security group for use with a VPC. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address ranges. Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Security Group IDs | String | N/A | Yes | One or more security group IDs. Separated by comma. Note for dev: every ID in a separate request |
IP Protocol | DDL | all | No | The IP protocol name. Use 'all' to specify all protocols. Specifying 'all' allows traffic on all ports, regardless of any port range you specify. Possible values: tcp , udp , icmp, all Note for dev: 'all' equals -1 from code |
From Port | Integer | | No | The start of port range for the TCP and UDP protocols, or an ICMP type number. |
To Port | Integer | | No | The end of port range for the TCP and UDP protocols. Specifying 'all' for IP Protocol allows traffic on all ports, regardless of any port range you specify. |
IP Ranges - CidrIP | String | N/A | No | The IPv4 CIDR range. To specify a single IPv4 address, use the /32 prefix length. |
IPv6 Ranges - CidrIP | String | N/A | No | The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix length. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully added the specified egress rules to at least one (or all) security groups (is_success = true): "Successfully added the specified egress rule to the following security groups: {group_ids}" If failed to add the specified egress rules because of a permissions rule error (invalid port, etc.) (is_success = false): "Failed to add the specified egress rule to the following security groups: {group_ids}. Reason: Invalid IP Permissions set. For more details please check the logs." If failed to add the specified egress rules because of an invalid security group ID (is_success = false): "Failed to add the specified egress rule to the following security groups: {group_ids}. Reason: Invalid Security Group ID was provided. For more details please check the logs." If failed to add the specified egress rules to all groups: is_success = false. The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Authorize Security Group Egress". Reason: {0}".format(error.Stacktrace) | General |
Authorize Security Group Ingress
Adds the specified ingress rule to a security group. An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address ranges. Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Security Group IDs | String | N/A | Yes | One or more security group IDs. Separated by comma. Note for dev: every ID in a separate request |
IP Protocol | DDL | all | No | The IP protocol name. Use 'all' to specify all protocols. Specifying 'all' allows traffic on all ports, regardless of any port range you specify. Possible values: tcp , udp , icmp, all Note for dev: 'all' equals -1 from code |
From Port | Integer | | No | The start of port range for the TCP and UDP protocols, or an ICMP type number. |
To Port | Integer | | No | The end of port range for the TCP and UDP protocols. Specifying 'all' for IP Protocol allows traffic on all ports, regardless of any port range you specify. |
IP Ranges - CidrIP | String | N/A | No | The IPv4 address in CIDR format. To specify a single IPv4 address, use the /32 prefix length. |
IPv6 Ranges - CidrIP | String | N/A | No | The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix length. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully added the specified ingress rules to at least one security group (if all were successfully updated - is_success = true): "Successfully added the specified ingress rule to the following security groups: {group_ids}" If failed to add the specified ingress rules because of a permissions rule error (invalid port, etc.) (is_success = false): "Failed to add the specified ingress rule to the following security groups: {group_ids}. Reason: Invalid IP Permissions set. For more details please check the logs." If failed to add the specified ingress rules because of an invalid security group ID (is_success = false): "Failed to add the specified ingress rule to the following security groups: {group_ids}. Reason: Invalid Security Group ID was provided. For more details please check the logs." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Authorize Security Group Ingress". Reason: {0}".format(error.Stacktrace) | General |
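The parameter tables for Authorize Security Group Egress and Authorize Security Group Ingress map onto one EC2 permission entry per request. The following pre-flight check is an added example, not the integration's own code: the function names and warning texts are hypothetical, and the `GroupId`, `IpPermissions` and `CidrIpv6` keys are assumed to follow the EC2 API request shape.

```python
import ipaddress
import re

# The page's "Note for dev": the UI value 'all' is sent to the API as -1.
PROTOCOLS = {"tcp": "tcp", "udp": "udp", "icmp": "icmp", "all": "-1"}
# Security group IDs are "sg-" followed by 8 or 17 hex characters.
SG_ID = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def build_ip_permission(ip_protocol="all", from_port=None, to_port=None,
                        cidr_ipv4=None, cidr_ipv6=None):
    """Return (permission, warnings); raise ValueError on invalid input."""
    proto = PROTOCOLS.get(str(ip_protocol).strip().lower())
    if proto is None:
        raise ValueError(f"unsupported IP Protocol: {ip_protocol!r}")
    perm, warnings = {"IpProtocol": proto}, []

    if proto == "-1":
        # 'all' opens every port, so a supplied range would be misleading.
        if from_port is not None or to_port is not None:
            warnings.append("port range ignored: 'all' opens every port")
    elif proto == "icmp":
        # From Port carries the ICMP type, To Port the ICMP code; -1 = any.
        perm["FromPort"] = -1 if from_port is None else int(from_port)
        perm["ToPort"] = -1 if to_port is None else int(to_port)
    else:
        if from_port is None or to_port is None:
            raise ValueError("tcp/udp rules need both From Port and To Port")
        lo, hi = int(from_port), int(to_port)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {lo}-{hi}")
        perm["FromPort"], perm["ToPort"] = lo, hi

    for value, cls, list_key, item_key in (
        (cidr_ipv4, ipaddress.IPv4Network, "IpRanges", "CidrIp"),
        (cidr_ipv6, ipaddress.IPv6Network, "Ipv6Ranges", "CidrIpv6"),
    ):
        if value is None:
            continue
        # Strict parsing rejects host bits (198.51.100.7/24) and a wrong
        # address family, both of which raise ValueError.
        net = cls(value.strip())
        if net.prefixlen == 0:
            warnings.append(f"{net} matches every address")
        perm[list_key] = [{item_key: str(net)}]
    return perm, warnings


def plan_requests(security_group_ids, permission):
    """Split the comma-separated IDs into one request per group."""
    requests, invalid = [], []
    for gid in (part.strip() for part in security_group_ids.split(",")):
        if not gid:
            continue
        if SG_ID.match(gid):
            requests.append({"GroupId": gid, "IpPermissions": [permission]})
        else:
            invalid.append(gid)  # surfaces as "Invalid Security Group ID"
    return requests, invalid


if __name__ == "__main__":
    # Constructed input: SSH from a single documentation-range host.
    rule, notes = build_ip_permission("tcp", 22, 22,
                                      cidr_ipv4="198.51.100.7/32")
    print(plan_requests("sg-001700ccddac4189a, sg-bad", rule), notes)
```

Running the check before the action executes keeps a playbook from adding an "all protocols, every address" rule by accident, because both conditions come back as warnings the playbook can gate on.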
Create Tags
A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value. You can use tags to search and filter your resources or track your AWS costs. Adds or overwrites only the specified tags for the specified Amazon EC2 resource or resources. When you specify an existing tag key, the value is overwritten with the new value. Each resource can have a maximum of 50 tags. Tag keys must be unique per resource.
For more information about tags, see Tagging Your Resources in the Amazon Elastic Compute Cloud User Guide.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Resource IDs | String | N/A | Yes | One or more resource IDs. Separated by comma. |
Tags | String | N/A | Yes | The key-value combination of a tag to be assigned to the resource. For example, to add to all specified resources a tag with the key You can add or overwrite the specified tags. The tag keys must be unique per resource. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully added {tags_list} tags to the following resources: "resource_ids" For invalid resource IDs (is_success = false): "Failed to add {tag_list} tags to the following resources: {resource_ids}. Reason: Invalid resource ID" If the resource has more than 50 tags (is_success = false): "Failed to add {tag_list} tags to the following resources: {resource_ids}. Reason: resource can have a maximum of 50 tags." If the tag key is not unique (is_success = false): "Failed to add {tag_list} tags to the following resources: {resource_ids}. Reason: Tag keys must be unique per resource." If the given tag is in an invalid format (meaning only key or only value without the full structure of key:value) (is_success = false): "Failed to add {invalid_tags} tags to the following resources: {ids}. Reason: Invalid format. Tag should include key and value." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Tags". Reason: {0}".format(error.Stacktrace) | General |
List Instances
Describes the specified instances or all instances.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance IDs | String | N/A | No | One or more instance IDs. If you specify instance IDs, the output includes information for only the specified instances. This parameter cannot be used with the parameter 'Max Results'. 'Instance IDs' has priority over the 'Max Results' parameter. |
Tag Filters | String | N/A | No | The key/value combination of a tag assigned to the resource. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify Owner:TeamA. Comma-separated tag filters. Example: Name:Name1,Owner:TeamA. Returned instances match all filters. |
Max Results | Integer | 50 | No | Specify how many instances to return. Default is 50. Maximum is 1000. The parameter 'Instance IDs' cannot be used with the parameter 'Max Results'. 'Instance IDs' has priority over the 'Max Results' parameter. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
"EC2_Instances": [
{
"AmiLaunchIndex":0,
"ImageId":"ami-047a51fa27710816e",
"InstanceId":"i-044c08c5bfe1a7f98",
"InstanceType":"t2.micro",
"KeyName":"\"Key\": \"Test\", \"Value\":\"Test\"",
"LaunchTime":"2021-1-30",
"Monitoring":{
"State":"disabled"
},
"Placement":{
"AvailabilityZone":"us-east-1d",
"GroupName":"",
"Tenancy":"default"
},
"PrivateDnsName":"ip-192-0-2-220.ec2.internal",
"PrivateIpAddress":"192.0.2.220",
"ProductCodes":[
],
"PublicDnsName":"ec2-192-0-2-218.compute-1.amazonaws.com",
"PublicIpAddress":"192.0.2.218",
"State":{
"Code":16,
"Name":"running"
},
"StateTransitionReason":"",
"SubnetId":"subnet-1b1fda3a",
"VpcId":"vpc-ID",
"Architecture":"x86_64",
"BlockDeviceMappings":[
{
"DeviceName":"/dev/xvda",
"Ebs":{
"AttachTime":"2021-1-30",
"DeleteOnTermination":true,
"Status":"attached",
"VolumeId":"vol-00f70681a43e5d86e"
}
}
],
"ClientToken":"",
"EbsOptimized":false,
"EnaSupport":true,
"Hypervisor":"xen",
"NetworkInterfaces":[
{
"Association":{
"IpOwnerId":"amazon",
"PublicDnsName":"ec2-192-0-2-218.compute-1.amazonaws.com",
"PublicIp":"192.0.2.218"
},
"Attachment":{
"AttachTime":"",
"AttachmentId":"eni-attach-06bc5e5901ce99ef2",
"DeleteOnTermination":true,
"DeviceIndex":0,
"Status":"attached",
"NetworkCardIndex":0
},
"Description":"",
"Groups":[
{
"GroupName":"launch-wizard-2",
"GroupId":"sg-001700ccddac4189a"
}
],
"Ipv6Addresses":[
],
"MacAddress":"12:34:56:ab:cd:ef",
"NetworkInterfaceId":"eni-020fa83efd417e32d",
"OwnerId":"ID",
"PrivateDnsName":"ip-192-0-2-220.ec2.internal",
"PrivateIpAddress":"192.0.2.220",
"PrivateIpAddresses":[
{
"Association":{
"IpOwnerId":"amazon",
"PublicDnsName":"ec2-192-0-2-218.compute-1.amazonaws.com",
"PublicIp":"192.0.2.218"
},
"Primary":true,
"PrivateDnsName":"ip-192-0-2-220.ec2.internal",
"PrivateIpAddress":"192.0.2.220"
}
],
"SourceDestCheck":true,
"Status":"in-use",
"SubnetId":"subnet-1b1fda3a",
"VpcId":"vpc-ID",
"InterfaceType":"interface"
}
],
"RootDeviceName":"/dev/xvda",
"RootDeviceType":"ebs",
"SecurityGroups":[
{
"GroupName":"launch-wizard-2",
"GroupId":"sg-001700ccddac4189a"
}
],
"SourceDestCheck":true,
"Tags":[
{
"Key":"Owner",
"Value":"Example"
},
{
"Key":"Name",
"Value":"Example test"
}
],
"VirtualizationType":"hvm",
"CpuOptions":{
"CoreCount":1,
"ThreadsPerCore":1
},
"CapacityReservationSpecification":{
"CapacityReservationPreference":"open"
},
"HibernationOptions":{
"Configured":false
},
"MetadataOptions":{
"State":"applied",
"HttpTokens":"optional",
"HttpPutResponseHopLimit":1,
"HttpEndpoint":"enabled"
},
"EnclaveOptions":{
"Enabled":false
}
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: If fatal error, invalid instance ID, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Instances". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table | Table Name: Amazon EC2 Instances. Table Columns: ID, State, Type, Availability Zone, Public IPv4 DNS, Public IPv4 address, Monitoring, Security group name, Key name, Launch time |
List Security Groups
Describes the specified security groups or all of your security groups. A security group is for use with instances either in the EC2-Classic platform or in a specific VPC.
For more information, see Amazon EC2 Security Groups.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Security Group Names | String | N/A | False | One or more security group names [EC2-Classic and default VPC only]. Separated by comma. If you specify security group names, the output includes information for only the specified names. |
Security Group IDs | String | N/A | False | One or more security group IDs. Separated by comma. If you specify security group IDs, the output includes information for only the specified IDs. Required for security groups in a non-default VPC. |
Tag Filters | String | N/A | False | The key-value combination of a tag assigned to the security group. For example, to find all groups with a tag that includes the key |
Max Results | Integer | 50 | False | The number of security groups to return. The default value is 50. The maximum value is 1000. Note: The 'Security Group IDs' and 'Security Group Names' parameters cannot be used with the 'Max Results' parameter. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
"EC2_Security_Groups": [
{
"Description":"launch-wizard-2 created 2021-01-30T19:37:11.523+02:00",
"GroupName":"launch-wizard-2",
"IpPermissions":[
{
"FromPort":22,
"IpProtocol":"tcp",
"IpRanges":[
{
"CidrIp":"192.0.2.0/0"
}
],
"Ipv6Ranges":[
],
"PrefixListIds":[
],
"ToPort":22,
"UserIdGroupPairs":[
]
}
],
"OwnerId":"582302349248",
"GroupId":"sg-001700ccddac4189a",
"IpPermissionsEgress":[
{
"IpProtocol":"-1",
"IpRanges":[
{
"CidrIp":"192.0.2.0/0"
}
],
"Ipv6Ranges":[
],
"PrefixListIds":[
],
"UserIdGroupPairs":[
]
}
],
"Tags":[
{
"Key":"Team",
"Value":"A-Team"
},
{
"Key":"Owner",
"Value":"Example"
}
],
"VpcId":"vpc-ID"
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: If fatal error, invalid group ID/Name, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Security Groups". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table | Table Name: Amazon EC2 Instances. Table Columns: Security group ID, Security group name, VPC ID, Description, Owner ID |
Ping
Test the connectivity to AWS EC2.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Amazon EC2 with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Amazon EC2 server! Error is {0}".format(exception.stacktrace) | General |
Revoke Security Group Egress
Removes the specified egress rules (outbound rules) from a security group for EC2-VPC. This action does not apply to security groups for use in EC2-Classic. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly. Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Security Group IDs | String | N/A | Yes | One or more security group IDs. Separated by comma. Note for dev: every ID in a separate request |
IP Protocol | DDL | all | No | The IP protocol name. Use 'all' to specify all protocols. Specifying 'all' allows traffic on all ports, regardless of any port range you specify. Possible values: tcp , udp , icmp, all Note for dev: 'all' equals -1 from code |
From Port | Integer | | No | The start of port range for the TCP and UDP protocols, or an ICMP type number. |
To Port | Integer | | No | The end of port range for the TCP and UDP protocols. Specifying 'all' for IP Protocol allows traffic on all ports, regardless of any port range you specify. |
IP Ranges - CidrIP | String | N/A | No | The IPv4 address in CIDR format. To specify a single IPv4 address, use the /32 prefix length. |
IPv6 Ranges - CidrIP | String | N/A | No | The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix length. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully revoked the specified egress rules from at least one (or all) security groups (is_success = true): "Successfully revoked the specified egress rule from the following security groups: {group_ids}" If failed to revoke the specified egress rules because of a permissions rule error (invalid port as 205, etc.) (is_success = false): "Failed to revoke the specified egress rule from the following security groups: {group_ids}. Reason: Invalid IP Permissions set. For more details please check the logs." If failed to revoke the specified egress rules because of an invalid security group ID (is_success = false): "Failed to revoke the specified egress rule from the following security groups: {group_ids}. Reason: Invalid Security Group ID was provided. For more details please check the logs." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Revoke Security Group Egress". Reason: {0}".format(error.Stacktrace) | General |
Revoke Security Group Ingress
Removes the specified ingress rules (inbound rules) from a security group. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly. Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Security Group IDs | String | N/A | Yes | One or more security group IDs. Separated by comma. Note for dev: every ID in a separate request |
IP Protocol | DDL | all | No | The IP protocol name. Use 'all' to specify all protocols. Specifying 'all' allows traffic on all ports, regardless of any port range you specify. Possible values: tcp , udp , icmp, all Note for dev: 'all' equals -1 from code |
From Port | Integer | | No | The start of port range for the TCP and UDP protocols, or an ICMP type number. |
To Port | Integer | | No | The end of port range for the TCP and UDP protocols. Specifying 'all' for IP Protocol allows traffic on all ports, regardless of any port range you specify. |
IP Ranges - CidrIP | String | N/A | No | The IPv4 address in CIDR format. To specify a single IPv4 address, use the /32 prefix length. |
IPv6 Ranges - CidrIP | String | N/A | No | The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix length. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully revoked the specified ingress rules from at least one (or all) security groups (is_success = true): "Successfully revoked the specified ingress rule from the following security groups: {group_ids}" If failed to revoke the specified ingress rules because of a permissions rule error (invalid port as 205, etc.) (is_success = false): "Failed to revoke the specified ingress rule from the following security groups: {group_ids}. Reason: Invalid IP Permissions set. For more details please check the logs." If failed to revoke the specified ingress rules because of an invalid security group ID (is_success = false): "Failed to revoke the specified ingress rule from the following security groups: {group_ids}. Reason: Invalid Security Group ID was provided. For more details please check the logs." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Revoke Security Group Ingress". Reason: {0}".format(error.Stacktrace) | General |
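Both revoke actions require values that match the existing rule exactly, and the List Security Groups JSON Result is where those values come from. The following added example, which is not part of the integration, scans that result for rules open to every address and turns each finding into the revoke parameters to use. The function names and the second security group are constructed for illustration, and `CidrIpv6` is assumed to be the IPv6 counterpart of `CidrIp`.

```python
import ipaddress
import json

# Constructed sample in the shape of the List Security Groups JSON Result.
# The first group reuses the values shown on this page.
RESULT = json.loads("""
{"EC2_Security_Groups": [
  {"GroupId": "sg-001700ccddac4189a", "GroupName": "launch-wizard-2",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "192.0.2.0/0"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/0"}],
      "Ipv6Ranges": []}]},
  {"GroupId": "sg-0a1b2c3d", "GroupName": "db-tier",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [{"CidrIp": "10.0.4.0/24"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
   "IpPermissionsEgress": []}
]}
""")

DIRECTIONS = (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))
# (list key, item key, matching action parameter name from this page)
RANGES = (("IpRanges", "CidrIp", "IP Ranges - CidrIP"),
          ("Ipv6Ranges", "CidrIpv6", "IPv6 Ranges - CidrIP"))


def find_open_rules(result):
    """Return every rule whose CIDR range has prefix length 0."""
    findings = []
    for group in result.get("EC2_Security_Groups", []):
        for direction, perm_key in DIRECTIONS:
            for perm in group.get(perm_key, []):
                for list_key, item_key, param in RANGES:
                    for rng in perm.get(list_key, []):
                        cidr = rng[item_key]
                        # strict=False: any /0 covers the whole address
                        # space, whatever base address is written.
                        net = ipaddress.ip_network(cidr, strict=False)
                        if net.prefixlen != 0:
                            continue
                        findings.append({
                            "group_id": group["GroupId"],
                            "direction": direction,
                            "protocol": perm["IpProtocol"],
                            "from_port": perm.get("FromPort"),
                            "to_port": perm.get("ToPort"),
                            "cidr": cidr,  # raw string, for exact matching
                            "cidr_param": param,
                        })
    return findings


def revoke_parameters(finding):
    """Map a finding to (action name, parameters) for the revoke action."""
    action = "Revoke Security Group " + finding["direction"].capitalize()
    params = {
        "Security Group IDs": finding["group_id"],
        # The API reports -1; the action's dropdown calls it 'all'.
        "IP Protocol": "all" if finding["protocol"] == "-1"
                       else finding["protocol"],
        finding["cidr_param"]: finding["cidr"],
    }
    if finding["from_port"] is not None:
        params["From Port"] = finding["from_port"]
        params["To Port"] = finding["to_port"]
    return action, params


if __name__ == "__main__":
    for item in find_open_rules(RESULT):
        print(revoke_parameters(item))
```

Egress findings include the allow-all outbound rule, so filter on `direction` when only inbound exposure matters.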
Start Instance
Starts an Amazon Elastic Block Store (Amazon EBS)-backed instance that you have previously stopped. It can take a few minutes for the instance to enter the running state. Note that you can't start an instance store-backed instance. For more information about instance store-backed instances, see Storage for the root device.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance IDs | String | N/A | Yes | One or more instance IDs. Separated by comma |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"CurrentState": "pending",
"InstanceId": "string",
"PreviousState":"stopped"
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Start Instance". Reason: {0}".format(error.Stacktrace) | General |
Take snapshot
Takes a snapshot of the instance.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance ID | String | N/A | Yes | Specify the Instance ID. |
Description | String | N/A | No | Specify the description of the snapshot. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"EC2_Snapshot": [
{
"Description": "",
"Tags": [],
"Encrypted": false,
"VolumeId": "vol-ID",
"State": "pending",
"VolumeSize": 8,
"StartTime": "2022-11-13 15:45:44.795000+00:00",
"Progress": "",
"OwnerId": "OWNER_ID",
"SnapshotId": "snap-ID"
}
]
}
Terminate Instance
Terminates an instance.
Terminated instances cannot be restarted. Only instance store-backed instances can be terminated. For more information about instance store-backed instances, see Storage for the root device.
If you terminate an instance more than once, every call succeeds. If you specify multiple instances and the request fails (for example, because of a single incorrect instance ID), none of the instances are terminated.
Terminated instances remain visible after termination (for approximately one hour). By default, Amazon EC2 deletes all EBS volumes that were attached when the instance launched. Volumes attached after instance launch continue running. For more information, see Amazon user guide.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance IDs | String | N/A | Yes | One or more instance IDs. Separated by comma. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
"StoppingInstances": [
{
"CurrentState": "shutting-down",
"InstanceId": "string",
"PreviousState":"running"
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Terminate Instance". Reason: {0}".format(error.Stacktrace) | General |