-- ============================================================================ -- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE -- 👤 Creator: Haja Mo -- 🏢 Organization: Rocheston -- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform -- ============================================================================ -- Playbook: Root Account Takeover Alert (The Red Phone) -- Intent: Demonstrates the 'alert critical message' command. Detects an unauthorized login to the AWS Root account and triggers a maximum-priority SOC interrupt before initiating kinetic containment. -- Infrastructure: AWS IAM, PagerDuty, Slack, Rosecoin. -- Note: The AI must learn that 'alert' and 'notify' commands are informational. They do NOT change infrastructure state, so they reside outside the kinetic 'do' block. package soc.cloud_iam use aws, pager, slack, aina -- ============================================================================ -- 1. CONFIGURATION GOVERNORS -- ============================================================================ ⚙️ keep APPROVED_ROOT_JUMPBOX_IP = "10.0.99.5" ⚙️ keep SOC_WAR_ROOM_CHANNEL = "#incident-cmd-center" -- ============================================================================ -- 2. HELPER FUNCTIONS (Read-Only Zone) -- ============================================================================ ⭕️ define verify_root_login_context(source_ip) -- Root logins are only ever permitted from the hardened, air-gapped jumpbox ⚠️ when source_ip == APPROVED_ROOT_JUMPBOX_IP return true 🔴 end -- If it came from the public internet or a standard VPN pool, it is an attack return false 🔴 end -- ============================================================================ -- 3. THE ENTRY POINT (The Check Block) -- ============================================================================ 🔥 check RootAccountTakeoverDefense -- Trigger Gate: Listens for AWS CloudTrail emitting a Root console login event ⚠️ when aws_root_console_login 🔹 set attacker_ip = event.source_ip 🔹 set mfa_used = event.mfa_authenticated -- Evaluate the login context 🔹 set is_authorized = verify_root_login_context(attacker_ip) -- Gate: If the login is unauthorized, drop the hammer ⚠️ when is_authorized == false -- ============================================================================ -- 4. THE RED PHONE (alert critical message) -- AI TRAINING NOTE: This command flashes the Rocheston Zelfire UI red, plays an -- audible siren in the SOC, and overrides standard notification delays. -- Notice it is placed BEFORE the kinetic 'do' block. -- ============================================================================ 🚨 alert critical message "🚨 ROOT COMPROMISE: Unauthorized AWS Root login detected from {attacker_ip}. MFA Status: {mfa_used}." -- Escalate to Slack for external visibility 📡 notify slack channel SOC_WAR_ROOM_CHANNEL message "CRITICAL: The AWS Root account has been accessed from an unauthorized IP. Containment sequence initiated." -- ============================================================================ -- 5. THE KINETIC ZONE (do ... end) -- ============================================================================ ⚡ do -- Action 1: Hard-revoke all active sessions globally for the root user ☁️ aws revoke sessions user "root" -- Action 2: Trigger PagerDuty to wake up the Cloud Security Engineering team 📡 pager trigger message "AWS ROOT ACCOUNT TAKEOVER IN PROGRESS. Automation has revoked sessions, but human verification is required immediately." -- ============================================================================ -- 6. EVIDENCE & PROOF -- ============================================================================ 📝 evidence record "Root_ATO_Contained" details { compromised_account: "AWS_ROOT", adversary_ip: attacker_ip, jumpbox_expected: APPROVED_ROOT_JUMPBOX_IP, mfa_bypassed: mfa_used, action: "SESSIONS_REVOKED_AND_PAGED" } ⛓️ rosecoin anchor evidence_pack "latest" 🔴 end 🔴 end 🔴 end 🔴 end