To run macOS on AWS you need to create AWS EC2 dedicated hosts of instance type mac1.metal. By default, you can only create 0 instances of this type. You will need to submit a request to AWS to get this increased from 0 to 3.
By default AWS limits your account to 32 vCPUs but this environment requires 72 (see table below). You will need to submit a request to AWS to get this increased from 32 to 72.
By default you get 5 Elastic IPs per region for an account but this project needs 9 Elastic IPs. Breakdown:
- 1 Elastic IP for the VPC NAT gateway
- 1 Elastic IP for the VPC Internet gateway
- 1 Elastic IP for the jumpbox
- 2 Elastic IP for the red team boxes
- 1 Elastic IP for the Graylog SIEM
- 1 Elastic IP for the Splunk SIEM
- 1 Elastic IP for the Elastic SIEM
- 1 Elastic IP for the Arkime/NSM box
Below is a table of all the AWS compute resources needed for this workshop. Depending on your target audience size you can adjust the size allocations for each machine. The SIEM machines and NSM/Arkime use r5 machines to provide as much memory as possible to keep search times minimal.
It should be noted that, at the time of this writing, if you plan on running this setup in AWS including the macOS machines, you are charged $25 per macOS instance even before they are turned on. The macOS license states that each instance must be used for at least 24 hours. Even if you use a macOS machine for 3 seconds you still end up paying for 24 hours worth of use.
Let's discuss the hourly pricing listed in the table below. It should be noted that the hourly price listed covers only EC2 compute; the pricing does not include:
- networking (ingress/egress) charges
- Storage which is $0.10 per GB-month = $74.88
- macOS up-front license cost which is $25 per instance = $75
- Elastic IPs
- API costs
- Etc
# | EC2 type | vCPU | Memory | SSD | Rate per hour | Description |
---|---|---|---|---|---|---|
1 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Elastic server |
2 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Graylog server |
3 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Splunk server |
4 | r5.2xlarge | 4 | 16GB | 100GB | $0.1856 | NSM server |
5 | t2.small | 1 | 2GB | 8GB | $0.023 | Jumpbox |
6 | t2.small | 1 | 2GB | 20GB | $0.023 | red team box - alpha |
7 | t2.small | 1 | 2GB | 20GB | $0.023 | red team box - beta |
8 | t2.large | 2 | 8GB | 20GB | $0.0928 | Logstash ingestor server |
9 | t2.small | 1 | 2GB | 20GB | $0.023 | wiki server |
10 | t2.small | 1 | 2GB | 20GB | $0.0234 | file server |
11 | t2.small | 1 | 2GB | 60GB | $0.0234 | Windows server |
12 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - alpha |
13 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - beta |
14 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - charlie |
15 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS alpha |
16 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS beta |
17 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS charlie |
Total | | 72 | 320GB | 748GB | $8.426/hr | |
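As an added planning check (example code, not from the workshop repository), the script below turns the quota and pricing notes above into something you can run before opening AWS support requests: it reports which account quotas must be raised from the page's stated defaults and estimates a bill that honours the 24-hour macOS minimum. The inventory is transcribed from the table; pro-rating storage by hours/730 and billing each dedicated host alongside its macOS instance, as the table does, are assumptions.

```python
# Quota and cost planner for the workshop's AWS build-out (added example, not
# part of the original workshop repo). Rows are transcribed from the compute table.
# (name, EC2 type, vCPU, SSD GB, EC2 rate per hour, Elastic IPs attached)
INVENTORY = [
    ("Elastic SIEM", "r5.2xlarge", 8, 100, 0.504, 1),
    ("Graylog SIEM", "r5.2xlarge", 8, 100, 0.504, 1),
    ("Splunk SIEM", "r5.2xlarge", 8, 100, 0.504, 1),
    ("NSM server", "r5.2xlarge", 4, 100, 0.1856, 1),
    ("Jumpbox", "t2.small", 1, 8, 0.023, 1),
    ("red team box - alpha", "t2.small", 1, 20, 0.023, 1),
    ("red team box - beta", "t2.small", 1, 20, 0.023, 1),
    ("Logstash ingestor", "t2.large", 2, 20, 0.0928, 0),
    ("wiki server", "t2.small", 1, 20, 0.023, 0),
    ("file server", "t2.small", 1, 20, 0.0234, 0),
    ("Windows server", "t2.small", 1, 60, 0.0234, 0),
    ("macOS client - alpha", "mac1.metal", 12, 60, 1.083, 0),
    ("macOS client - beta", "mac1.metal", 12, 60, 1.083, 0),
    ("macOS client - charlie", "mac1.metal", 12, 60, 1.083, 0),
]
MAC = "mac1.metal"
HOST_RATE = 1.083      # the table lists each mac1.metal dedicated host at this rate too
VPC_EIPS = 2           # NAT gateway + Internet gateway, per the page's breakdown
MAC_MIN_HOURS = 24     # macOS license: every instance is billed for at least 24 hours
MAC_LICENSE = 25.0     # up-front cost per macOS instance
GB_MONTH = 0.10        # storage rate; pro-rated by hours/730 here (an assumption)

def quota_increases(current_hosts=0, current_vcpu=32, current_eips=5):
    """Return {quota: (required, current)} for every quota the build exceeds (defaults = page's)."""
    required = {
        "mac1.metal dedicated hosts": sum(1 for b in INVENTORY if b[1] == MAC),
        "vCPUs": sum(b[2] for b in INVENTORY),
        "Elastic IPs": VPC_EIPS + sum(b[5] for b in INVENTORY),
    }
    current = dict(zip(required, (current_hosts, current_vcpu, current_eips)))
    return {k: (v, current[k]) for k, v in required.items() if v > current[k]}

def estimated_cost(hours):
    """Bill for running everything `hours` hours; macOS boxes and hosts are charged max(hours, 24)."""
    mac_hours = max(hours, MAC_MIN_HOURS)
    compute = 0.0
    for _, ec2_type, _, _, rate, _ in INVENTORY:
        if ec2_type == MAC:
            compute += (rate + HOST_RATE) * mac_hours
        else:
            compute += rate * hours
    storage = GB_MONTH * sum(b[3] for b in INVENTORY) * hours / 730
    licenses = MAC_LICENSE * sum(1 for b in INVENTORY if b[1] == MAC)
    return round(compute + storage + licenses, 2)
```

Running `estimated_cost(1)` shows why a short test run is not cheap: the three macOS instances and their hosts alone contribute 24 hours of charges plus the $75 in licenses.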
# | Username | Password | Account type | Description |
---|---|---|---|---|
1 | [email protected] | <group_vars/corp.yml - user_list > | mail account | e-mail account |
2 | [email protected] | <group_vars/corp.yml - user_list > | mail account | e-mail account |
3 | [email protected] | <group_vars/corp.yml - user_list > | mail account | e-mail admin account |
4 | jso-yeon | <group_vars/corp.yml - user_list > | SMB share | smb://172.16.50.20/public |
5 | lmanoban | <group_vars/corp.yml - user_list > | SMB share | smb://172.16.50.20/public |
6 | dengziqi | <group_vars/corp.yml - user_list > | SMB share | smb://172.16.50.20/private - admin |
7 | jso-yeon | <group_vars/corp.yml - user_list > | macOS Alpha VNC | vnc://172.16.50.130 |
8 | lmanoban | <group_vars/corp.yml - user_list > | macOS Beta VNC | vnc://172.16.50.131 |
9 | dengziqi | <group_vars/corp.yml - user_list > | macOS Charlie VNC | vnc://172.16.50.132 |
10 | ec2-user | <group_vars/corp.yml - vnc_admin_password > | macOS Alpha VNC | vnc://172.16.50.130 |
11 | ec2-user | <group_vars/corp.yml - vnc_admin_password > | macOS Beta VNC | vnc://172.16.50.131 |
12 | ec2-user | <group_vars/corp.yml - vnc_admin_password > | macOS Charlie VNC | vnc://172.16.50.132 |
```bash
cd macos-workshop
# Generate the SSH key pair the playbooks deploy to the workshop machines (no passphrase)
ssh-keygen -t rsa -b 2048 -C "[email protected]" -f files/comp_ssh_keys/id_rsa -q -N ""
```
- AWS + Terraform
- Setup management subnet
- Init Ansible playbooks
- Setup corp subnet
- Setup macOS clients
The playbook instructions for these instances assume they are publicly facing and that these instances have public DNS A records that can be used by Let's Encrypt to generate an HTTPS certificate for NGINX.
The playbook instructions for these instances are to set up