AWS Kill Switch: Open-source incident response tool

AWS Kill Switch is an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

AWS Kill Switch

The solution includes a Lambda function and proof of concept client. You can either adopt this client or build your automation that calls the Lambda function to streamline containment.

“I recently left my role as Sr. Director, Security Engineering at Robinhood and have been using my free time to sharpen my skills as an individual contributor and contribute to open source. I find it stimulating and a great way to build stronger ties with the security community,” Jeffrey Lyon, the creator of AWS Kill Switch, told Help Net Security.

“The SOC may receive an alert indicating that a threat actor has assumed an IAM role. The engineer can use this tool (or borrowed code from this tool as part of their tooling) to detach all policies and delete the role immediately. There are a lot of possibilities here. Any organization that uses this solution should adapt it to its unique requirements and be cautious of the sharp edges. Removing policies, deleting roles, and applying SCPs in production is likely to break applications,” Lyon concluded.

Regarding future plans, Lyon noted he’d improve the tool over time to be more flexible in terms of giving the operator more options like delete policies without deleting the role or taking other actions like setting Auto Scaling groups to zero. Over time, this could evolve into a larger suite of containment tools if the community finds it useful or wants to contribute to the repo.


You can run this client locally by manually setting AWS CLI environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN (if applicable) for any IAM user or assumed role with a policy that allows lambda:InvokeFunction for the ARN of the function that you created. It will not function if you’re assuming a role using the AWS_PROFILE variable. You can also run this client from an EC2 instance with an instance policy that allows lambda:InvokeFunction for the ARN of the function that you created.

AWS Kill Switch is available for free on GitHub.

Must read:

Don't miss