Is your feature request related to a problem? Please describe.
Out of the box the SHARR solution does not include a number of remediations that we feel would be extremely useful. Namely, AWS foundational best practices control EC2.19. "EC2.19 Security groups should not allow unrestricted access to ports with high risk". This is a fairly difficult rule to keep compliant if it is not being checked for automatically.
Describe the feature you'd like
We would love to see support for an automatic remediation for this rule. We have already deployed SHARR and implemented a number of controls and thus would like to avoid redeploying the solution with custom modified code to remediate EC2.19. A remediation that, if enabled, would close down offending security groups (as described in the control description) would be extremely useful, possibly even the ability to add custom rules regarding security group configurations that we would disallow in our organization.
Additional context
If there is any simple way to add this remediation to my existing solution without modifying existing architecture, I would love to know about it.
Thank you for the feature request. We will take this into account when prioritizing remediations for future releases.
The solution is designed to be extended. If you want to work within the repo and contribute back to the solution, the help is appreciated. See #67 for an example of a PR. However, it is also possible to extend the solution by only deploying new resources. The orchestrator just looks for a runbook with the correct name structure (SHARR-AFSBP_1.0.0_EC2.19) to understand if there is a remediation available. You'll also need to create the remediation runbook and the required roles. The remediations for CIS v1.2.0 4.1 and 4.2 are similar and call the AWS-owned runbook AWS-DisablePublicAccessForSecurityGroup, which you could use as a template. If you have any issues with this process feel free to update this issue. We also want to make this process easier, so if you have suggestions on documentation that is missing, please let us know.
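For readers following the maintainer's pointer above, here is a sketch of the core logic such a remediation step would need: find ingress rules that open a high-risk port to 0.0.0.0/0 or ::/0 and revoke only those world-open ranges, leaving private ranges on the same rule alone. This is an added example, not code from SHARR or from the AWS-DisablePublicAccessForSecurityGroup runbook; the orchestrator runbook name, the SSM document wrapper and the IAM roles the comment mentions are not covered here. The port list is assumed to match the EC2.19 control description and should be checked against the current Security Hub documentation before use; the `FakeEc2` client and `SAMPLE_PERMISSIONS` are constructed stand-ins so the example runs offline, and in a real runbook you would pass `boto3.client("ec2")` instead.

```python
"""Core of an EC2.19-style remediation: revoke world-open ingress on high-risk ports."""
from typing import Any, Dict, Iterable, List, Set

# Assumed to mirror the high-risk port list in the EC2.19 control description;
# verify against the current Security Hub docs before deploying.
HIGH_RISK_PORTS: Set[int] = {
    20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306, 3389,
    4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300,
}

PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"


def _exposes_high_risk_port(perm: Dict[str, Any], ports: Set[int]) -> bool:
    """True if the rule's protocol and port range cover any high-risk port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # all traffic: every port is reachable
        return True
    if proto not in ("tcp", "udp"):
        return False               # icmp etc. carry type/code, not ports
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ports)


def offending_permissions(ip_permissions: Iterable[Dict[str, Any]],
                          ports: Set[int] = HIGH_RISK_PORTS) -> List[Dict[str, Any]]:
    """Return IpPermission entries, narrowed to the world-open ranges only,
    in the shape ec2.revoke_security_group_ingress() accepts."""
    revoke: List[Dict[str, Any]] = []
    for perm in ip_permissions:
        if not _exposes_high_risk_port(perm, ports):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        if not v4 and not v6:
            continue               # high-risk port, but not open to the world
        entry: Dict[str, Any] = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):   # absent for protocol -1
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = [{"CidrIp": PUBLIC_V4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": PUBLIC_V6}]
        revoke.append(entry)
    return revoke


def remediate_security_group(ec2: Any, group_id: str) -> List[Dict[str, Any]]:
    """Describe the group, revoke offending ingress, and return what was revoked.
    `ec2` is any object exposing the boto3 EC2 client's describe_security_groups
    and revoke_security_group_ingress methods (use boto3.client("ec2") for real)."""
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    perms = resp["SecurityGroups"][0]["IpPermissions"]
    to_revoke = offending_permissions(perms)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return to_revoke


# Constructed sample (not from a real account): mixed rules as returned by
# describe_security_groups. Only the SSH and the 3380-3400 (covers RDP) rules
# should be narrowed; 443 is not high-risk, -1 is private-only, 53 is not listed.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3380, "ToPort": 3400,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]


class FakeEc2:
    """Minimal stand-in for the boto3 EC2 client so the example runs offline."""
    def __init__(self, permissions: List[Dict[str, Any]]):
        self.permissions = permissions
        self.revoked: List[Any] = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0],
                                    "IpPermissions": self.permissions}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.append((GroupId, IpPermissions))
        return {"Return": True}


if __name__ == "__main__":
    client = FakeEc2(SAMPLE_PERMISSIONS)
    for entry in remediate_security_group(client, "sg-0123456789abcdef0"):
        print("revoked:", entry)
```

Narrowing to the public ranges rather than revoking the whole rule matters in practice: a rule that lists both 0.0.0.0/0 and 10.0.0.0/8 for port 22 should lose only the former, otherwise the remediation breaks internal access and invites someone to re-add the rule by hand. Wrapped in an `aws:executeScript` step with a role that allows `ec2:DescribeSecurityGroups` and `ec2:RevokeSecurityGroupIngress`, this is the shape the maintainer's suggested runbook would take.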