#Selfie
Selfie (part of the DevSecOps Toolkit) is a simple tool that takes snapshots of instances in an AWS account and copies these to another account, e.g., the incident response account. Selfie implements the DevSecOps control plane pattern for AWS to access target and IR accounts, see https://github.com/devsecops/controlplane.
"Hey, let's investigate what's going on in this instance, but first let me take a selfie..."
Selfie takes snapshots of AWS instances.
Snapshotting Support:
- EC2 Instances and associated EBS Volumes
- Must have dependencies installed:
bundle install - The Account being snapshotted must have the Incident Responder role (This role can only be pushed by an IAM Admin) 'arn:aws:iam::010101010101:role/human/dso/TGT-dso-IncidentResponse'.
- Your IAM user must be able to assume-role against that role
Example Selfie use:
$ ./selfie
Usage: selfie [options]
-r, --region REGION AWS Region (default: us-west-2)
-a, --target-account ACCOUNT Target AWS account to snapshot, without dashes
-R, --target-role ROLE Incident response target account role name
-n INSTANCEID, Comma-separated list of instances to snapshot
--target-instance-list
-i, --ir ACCOUNT The incident response (IR) account to copy snapshots into
-A, --control-account ACCOUNT The control plane account number
-c, --control-role ROLE Incident response control account role name
-u, --username USERNAME Your IAM username, used to grab MFA serial number
-t, --ticket-id TICKETID The ticket ID, will be added to snapshot description
-f, --file-path FILEPATH The file path to load and resume from
-p, --profile-name NAME The AWS credentials profile name
-b, --bucket BUCKET The bucket in incident response account for saving security configuration
-h, --help Show this message
--version Show version