Dynamodb and tines security automation

Dynamodb and tines security automation

An increasingly popular database choice amongst security teams is AWS DynamoDB. The key-value storage, simplicity, scalability and security offered by DynamoDB make it suitable for the kinds of data storage tasks common in security operations and incident response, especially if they already use AWS.

In this post we’ll explore how security teams can use DynamoDB in their automation stories.

Authenticating to AWS DynamoDB from Tines

To begin integrating Tines with AWS DynamoDB, we first need to create a credential. In your AWS console, create an IAM user with the appropriate permissions to perform actions in DynamoDB. Take the access key and access secret for the user and enter them into a new Tines AWS mode credential.

Next, specify a name for the credential and choose the AWS region you will be working with. Finally, under service name enter ‘dynamodb’.

When finished your Tines AWS credential should look like the below:

Creating a Tines AWS credential

Using the AWS Credential

AWS credentials work a little differently to the other credential modes in Tines. When a HTTP Request Agent with an AWS mode credential included in a header called “Authorization” runs, Tines will use the AWS Signature Version 4 Signing Process and include the corresponding auth headers in the request before submitting it to AWS.

For example, the below HTTP Request agent uses an AWS mode credential (aws_cloudtrail) to list cloudtrails in the us-east-1 region.

{
  "url": "https://cloudtrail.us-east-1.amazonaws.com",
  "method": "get",
  "content_type": "form",
  "payload": {
    "Action": "DescribeTrails",
    "Version": "2013-11-01"
  },
  "headers": {
    "Authorization": "{% credential aws_cloudtrail %}"
  },
  "expected_update_period_in_days": 1
}

When this agent runs, the request will be signed and will be converted to the following before being sent to AWS:

{
  "url": "https://cloudtrail.us-east-1.amazonaws.com",
  "method": "get",
  "content_type": "form",
  "payload": {
    "Action": "DescribeTrails",
    "Version": "2013-11-01"
  },
  "headers": {
    "X-Amz-Date": "20190403T212241Z",
    "Authorization": "AWS4-HMAC-SHA256, Credential=AKIAJQPQOWURT6TXRN5Q/20190403/us-east-1/cloudtrail/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=57d317eaa8e9f17883a828385782dc069fd04391c0e335642785bfd99452cc44",
    "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  }
}

DynamoDB Tines Agents

Tines can perform all available DynamoDB actions. The following agent examples cover a selection of the cost common.

List Amazon AWS DynamoDB Tables

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {},
    "headers": {
      "Authorization": "{% credential Aws_DynamoDB %}",
      "X-Amz-Target": "DynamoDB_20120810.ListTables"
    }
  }
  

Scan an Amazon AWS DynamoDB table with a filter

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "application/json",
    "payload": {
      "TableName": "tines_test",
      "FilterExpression": "age > :val",
      "ExpressionAttributeValues": {
        ":val": {
          "N": "10"
        }
      }
    },
    "headers": {
      "Authorization": "{% credential aws_dynamodb %}",
      "X-Amz-Target": "DynamoDB_20120810.Scan"
    }
  }
  

Scan an Amazon AWS DynamoDB Table

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {
      "TableName": "TestTable",
      "AttributesToGet": [
        "Id"
      ]
    },
    "headers": {
      "Authorization": "{% credential Aws_DynamoDB %}",
      "X-Amz-Target": "DynamoDB_20120810.Scan"
    },
    "expected_update_period_in_days": 1
  }

Delete an Amazon AWS DynamoDB table

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {
      "TableName": "tines_test"
    },
    "headers": {
      "Authorization": "{% credential aws_dynamodb %}",
      "X-Amz-Target": "DynamoDB_20120810.DeleteTable"
    }
  }

Create an Amazon AWS DynamoDB Table

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {
      "KeySchema": [
        {
          "KeyType": "HASH",
          "AttributeName": "Id"
        }
      ],
      "TableName": "TestTable",
      "AttributeDefinitions": [
        {
          "AttributeName": "Id",
          "AttributeType": "S"
        }
      ],
      "ProvisionedThroughput": {
        "WriteCapacityUnits": 5,
        "ReadCapacityUnits": 5
      }
    },
    "headers": {
      "Authorization": "{% credential Aws_DynamoDB %}",
      "X-Amz-Target": "DynamoDB_20120810.CreateTable"
    }
  }

Add an item to Amazon AWS DynamoDB table

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {
      "Item": {
        "job": {
          "S": "engineer"
        },
        "name": {
          "S": "fred"
        },
        "age": {
          "N": "20"
        }
      },
      "TableName": "tines_test"
    },
    "headers": {
      "Authorization": "{% credential aws_dynamodb %}",
      "X-Amz-Target": "DynamoDB_20120810.PutItem"
    }

Get an item from an Amazon AWS DynamoDB table

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {
      "Key": {
        "name": {
          "S": "alice"
        }
      },
      "TableName": "tines_test"
    },
    "headers": {
      "Authorization": "{% credential aws_dynamodb %}",
      "X-Amz-Target": "DynamoDB_20120810.GetItem"
    }
  }
  

Delete an item from an Amazon AWS DynamoDB table

{
    "url": "https://dynamodb.eu-west-1.amazonaws.com",
    "method": "post",
    "content_type": "json",
    "payload": {
      "Key": {
        "name": {
          "S": "fred"
        }
      },
      "TableName": "tines_test"
    },
    "headers": {
      "Authorization": "{% credential aws_dynamodb %}",
      "X-Amz-Target": "DynamoDB_20120810.DeleteItem"
    }
  }

Summary

By including DynamoDB actions in Tines automation stories, security teams can quickly and reliably fetch and store important data, allowing them enrich security incidents and make better decisions around incident investigation and remediation.

If you’re unsure what’s next on your own automation journey why not experiment with a free, no strings, fully-functional trial? We can also show you a quick demo or if you’re just beginning your automation story, why not ask us about how to start with your specific use case?

Eoin Hinchy
Eoin Hinchy
Founder, Tines