Awesome
AWS Auto Remediate
Open source application to instantly remediate common security issues through the use of AWS Config.
Table of Contents
About
Auto Remediate
The Auto Remediate function is triggered via an SQS Queue auto-remediate-config-compliance. The SQS Queue is populated with a compliance payload from AWS Config via a CloudWatch Event auto-remediate-config-compliance. The purpose of the CloudWatch Event is to filter out all non-compliance related messages that AWS Config generates.
Once the Lambda function has been triggered it will attempt to remediate the security concern. If the remediation was unsuccessful, the event payload will be sent to the dead letter queue (DQL) SQS Queue auto-remediate-dlq. Each time a payload is sent is sent to the DLQ, an attribute try_count is incremented to the SQS message. Once that count exceeds RETRYCOUNT variable attached to the Lambda Function, the message will no longer be sent to the DLQ.
If no remediation exists for the incoming AWS Config event, the AWS Config payload will be sent to an SNS Topic auto-remediate-missing-remediation which can be subscribed to by administrators or other AWS services.
Auto Remediate DLQ
The Auto Remediate DLQ function is triggered on a schedule (defined in the serverless.yml file). When the function is run, it will retrieve messages from SQS Queue auto-remediate-dlq and sends the message to the compliance SQS Queue auto-remediate-config-compliance.
Auto Remediate Setup
The Auto Remediate Setup function is triggered manually by the user. The purpose of this function is to invoke CloudFormation Stacks for each of the AWS Config Rules that will monitor for security issues as well as create/insert records into the DynamoDB settings table used to control the actions of the Auto Remediate function.
Setup
New Account
Proceed to the Deployment section below.
Existing Account
Auto Remediate utilises the compliance event triggers made by AWS Config. Due to the fact that AWS Config will trigger a compliance event only when the compliance status of a resource changes state (i.e., COMPLIANT to NON_COMPLIANT or vice versa) it is advised that you disable the CIS AWS Foundations compliance standards within AWS Security Hub (and ensure all AWS Config rules starting with securityhub are removed from your account) before proceeding.
Once AWS Config is cleared of all AWS Security Hub related rules, you may proceed to deploy Auto Remediate and enable the CIS AWS Foundations compliance standards within AWS Security Hub.
Deployment
- Install the Serverless Framework
npm install serverless --global
- Install AWS CLI
pip3 install awscli --upgrade --user
-
Configure the AWS CLI following the instruction at Quickly Configuring the AWS CLI. Ensure the user you're configuring has the appropriate IAM permissions to create Lambda Functions, S3 Buckets, IAM Roles, and CloudFormation Stacks. It is best for administrators to deploy Auto Remediate.
-
Install Auto Remediate
serverless create --template-url https://github.com/servian/aws-auto-remediate --path aws-auto-remediate
- Change into the Auto Remediate directory
cd aws-auto-remediate
- Install Serverless plugins needed for deployment
serverless plugin install --name serverless-python-requirements
npm install serverless-iam-roles-per-function
- Deploy Auto Remediate to your AWS account
serverless deploy [--region <AWS region>] [--aws-profile <AWS CLI profile>]
- Invoke Auto Remediate Setup for the first time to create the necessary AWS Config rules and settings
serverless invoke -f AutoRemediateSetup [--region <AWS region>] [--aws-profile <AWS CLI profile>]
- Check Auto Remediate Setup logs
serverless logs -f AutoRemediateSetup [--region <AWS region>] [--aws-profile <AWS CLI profile>]
Update
-
Remove existing Auto Remediate directory
-
Install Auto Remediate
serverless create --template-url https://github.com/servian/aws-auto-remediate --path aws-auto-remediate
- Deploy Auto Remediate update to your AWS account
serverless deploy [--region <AWS region>] [--aws-profile <AWS CLI profile>]
- Invoke Auto Remediate Setup to deploy new AWS Config rules and settings
serverless invoke --function AutoRemediateSetup [--region <AWS region>] [--aws-profile <AWS CLI profile>]
Removal
Auto Remediate is deployed using the Serverless Framework which under the hood creates an AWS CloudFormation Stack allowing for a clean and simple removal process.
To remove Auto Remediate from your AWS account, follow the below steps:
- Change into the Auto Remediate directory
cd aws-auto-remediate
- Remove Auto Remediate from your AWS account
serverless remove [--region <AWS region>] [--aws-profile <AWS CLI profile>]
Settings
Auto Remediate uses a DynamoDB settings table auto-remediate-settings that allows the user to control which rule should be remediated by the tool. Once Auto Remediate Setup has been run, head on over to DynamoDB and inspect the rules key where you can then set the remediate key to false if you'd like to disable automatic remediate.
For rules deployed by Auto Remediate Setup (e.g., auto-remediate-rds-instance-public-access-check) an extra key deploy can be found in the settings table. Although not functional at the moment, this will allow users to control which Auto Remediate deployed rules should be deployed and which should be skipped.
Config Rules
The tables below detail the auto remediated rules and scenarios.
:warning: All remediations tagged with a warning symbol may break existing functionality.
AWS Config Managed Rules
Database
| Rule | Description | Remediation |
|---|---|---|
| RDS Instance Public Access Check | Check whether the Amazon Relational Database Service instances are not publicly accessible.<br />The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item. | :warning: Sets publiclyAccessible field to False |
Storage
| Rule | Description | Remediation |
|---|---|---|
| S3 Bucket Service Side Encryption Enabled | Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption. | Enables SSE |
| S3 Bucket SSL Requests Only | Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). | Adds Bucket Policy to force SSL only connections |
AWS Security Hub Rules
Compute
| Rule | Description | Remediation |
|---|---|---|
| Restricted RDP | Checks whether the incoming RDP traffic is allowed from 0.0.0.0/0 or ::/0. This rule is compliant when incoming RDP traffic is restricted. | :warning: Deletes offending inbound rule |
| Restricted SSH | Checks whether the incoming SSH traffic is allowed from 0.0.0.0/0 or ::/0. This rule is compliant when incoming SSH traffic is restricted. | :warning: Deletes offending inbound rule |
Management and Governance
| Rule | Description | Remediation |
|---|---|---|
| CloudTrail CloudWatch Logs Enabled | Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs. | Enables CloudWatch logs to Log Group cloudtrail/<CloudTrail Name> |
| CloudTrail Encryption Enabled | Ensure CloudTrail logs are encrypted at rest using KMS CMKs. | Enables CloudWatch encryption with KMS CMK cloudtrail/<CloudTrail Name> |
| CloudTrail Log File Validation Enabled | Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled. | Enables CloudTrail Validation |
| Multi Region Cloud Trail Enabled | Checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match inputs parameters. | Enables Multi Region CloudTrail |
Network and Content Delivery
| Rule | Description | Remediation |
|---|---|---|
| VPC Flow Logs Enables | Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC. | Creates new S3 Bucket <Account Number>-<Region>-flow-logs for logging with a prefix of <VPC ID>/ |
| VPC Default Security Group Closed | Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic. | Deletes all egress and ingress rules |
Security, Identity & Compliance
| Rule | Description | Remediation |
|---|---|---|
| Access Keys Rotated | Checks whether the active access keys are rotated within the number of days specified in 90 days. | :warning: Deletes Access Key |
| Customer Managed Key Rotation Enabled | Checks that key rotation is enabled for customer created customer master key (CMK). | Enables key rotation |
| IAM Password Policy Ensure Expires | Checks whether the IAM password policy ensures that passwords expire. | Enables password expiration |
| IAM Password Policy Lowercase Letter Check | Checks whether the IAM password policy enforces the inclusion of a lowercase letter. | Enables "Require at least one lowercase letter" option |
| IAM Password Policy Minimum Length Check | Checks whether the IAM password policy enforces a minimum length. | Sets minimum password length to 14. |
| IAM Password Policy Number Check | Checks whether the IAM password policy enforces the inclusion of a number. | Enables "Require at least one number" option |
| IAM Password Policy Prevent Reuse Check | Checks whether the IAM password policy prevents password reuse. | Sets number of passwords to remember to 24. |
| IAM Password Policy Symbol Check | Checks whether the IAM password policy enforces the inclusion of a symbol. | Enables "Require at least one non-alphanumeric character" option |
| IAM Password Policy Uppercase Letter Check | Checks whether the account password policy for IAM users requires at least one uppercase character in password. | Enables "Require at least one uppercase letter" option |
| IAM Policy No Statements with Admin Access | Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access.<br />If any statement has "Effect": "Allow" with "Action": "*" over "Resource": "*", the rule is NON_COMPLIANT. | :warning: Creates new Policy with offending Statements removed |
| IAM User No Policies Check | Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. | Detaches Managed Policies from offending IAM User |
| IAM User Unused Credentials Check | Checks whether AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within 90 days. | :warning: Deletes Access Key / Login Profile |
| MFA Enabled for IAM Console Access | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. | :warning: Deletes user's Login Profile only. Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. |
Storage
| Rule | Description | Remediation |
|---|---|---|
| S3 Bucket Logging Enabled | Checks whether logging is enabled for your S3 buckets. | Creates new S3 Bucket <Account Number>-<Region>-access-logs for logging with a prefix of <Bucket Name>/ |
| S3 Bucket Public Read Prohibited | Checks to see if S3 buckets are publicly readable. | :warning: Sets S3 Bucket ACL to private |
| S3 Bucket Public Write Prohibited | Checks to see if S3 buckets allow public write. | :warning: Sets S3 Bucket ACL to private |
Resources
The table below details all AWS resources created when deploying the application.
| Service | Resource ID |
|---|---|
| CloudFormation Stack | auto-remediate |
| CloudWatch Event Rule | auto-remediate-config-compliance |
| DynamoDB Table | auto-remediate-settings |
| Lambda Function | auto-remediate |
auto-remediate-dlq | |
auto-remediate-setup | |
| SNS Topic | auto-remediate-log (not functional #19) |
auto-remediate-missing-remediation | |
| SQS Queue | auto-remediate-config-compliance |
auto-remediate-dlq |
Coverage
Full list of development and automated testing coverage found here.