A Lambda Function to Remediate Common AWS Misconfigurations


AWS Remediations


An AWS Serverless Application that instantly remediates common security issues in your accounts. It provides an event-driven framework for fixing any type of misconfiguration in an account.

Architecture

The full list of available remediations can be found in the project directory.

Examples include:

  • Enable VPC Flow Logs to S3
  • Encrypt DynamoDB Tables
  • Enable S3 Bucket Encryption
  • Enable KMS Key Rotation
  • Create Missing CloudTrails

Deployment

Serverless Application Repository

This application can easily be installed from the AWS Serverless Application Repository (SAR).

  1. Navigate to the aws-remediations application page in the AWS Console
  2. Scroll down and fill out the application settings on the right side
  3. Check the box acknowledging that 'this app creates custom IAM roles'
  4. Click Deploy, which creates a new CloudFormation stack in the region you are currently signed into

Alternatively, this can be installed on the command line from this repo with:

$ make deploy-sar region=<region-name>

Multiple Accounts

To remediate issues in multiple accounts, deploy the application in a single master account. In the other (satellite) accounts, set up only the IAM role that the Lambda assumes in order to remediate issues.

The following steps demonstrate this configuration:

  1. In your master account, deploy the project from the SAR (above steps)

  2. For the satellite accounts, use the following deployment parameters (either in the template or in the Console):

PantherAWSRemediations:
  Type: AWS::Serverless::Application
  Properties:
    Location:
      ApplicationId: arn:aws:serverlessrepo:us-east-1:349240696275:applications/aws-remediations
      SemanticVersion: 0.1.0
    Parameters:
      IsMasterAccount: 'false'
      CreateSSMDocument: 'false'
      MasterAccountId: '123456789012'
      LambdaLoggingLevel: 'INFO'
      LambdaLogsRetentionDays: 365

Here MasterAccountId is the ID of the account in which the Lambda is deployed.

Source

To build and deploy the application from source, we recommend using the AWS SAM CLI.

  1. Install the AWS CLI, Docker and SAM CLI using the following instructions.

  2. Build the project:

$ make setup

  3. Deploy the project in your account. You will need to specify an S3 bucket in your account, to which the source code is uploaded before deploying:

$ make deploy-master bucket=<your-bucket>

Usage

Remediation can be triggered by invoking the aws-remediate function with the following input:

{
  "action": "remediate",
  "payload": {
    "remediationId": "AWS.S3.EnableBucketLogging",
    "resource": {
        "Name": "my-bucket",
        "AccountId": "123456789012",
        "Region": "us-west-2"
    },
    "parameters": {
      "TargetBucket": "my-bucket",
      "TargetPrefix": "my-prefix"
    }
  }
}
Fields:

  • action: The action to be performed by the application. It must always be set to remediate.
  • payload.remediationId: The unique identifier of the remediation you want to trigger.
  • payload.resource: A JSON object describing the resource you want to remediate. It must include the Region and AccountId fields.
  • payload.parameters: A JSON object with any additional parameters the remediation needs (an empty object when none are required).

You can also invoke the Lambda using the AWS CLI. The following command enables log file validation for an existing CloudTrail trail.

$ aws lambda invoke --function-name aws-remediation \
                    --payload '{"action":"remediate","payload":{"remediationId":"AWS.CloudTrail.EnableLogValidation","resource":{"AccountId":"123456789012","Region":"us-west-2","Name":"test-bucket"},"parameters":{}}' \
                    output.log
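A malformed event (wrong action, missing AccountId or Region, non-object parameters) is cheaper to catch before the invoke than in the Lambda's logs. The helper below is an added example, not code from the aws-remediations project: it builds the event shape documented above, validates the fields the usage section requires, and serializes it into the bytes passed as the invoke payload. The regular expressions for account IDs, region names and remediation IDs are my assumptions based on the values shown on this page.

```python
import json
import re

# Constructed checks; the formats are assumptions derived from the examples
# on this page, not rules published by the aws-remediations project.
_ACCOUNT_RE = re.compile(r"^\d{12}$")                       # e.g. 123456789012
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")      # e.g. us-west-2
_REMEDIATION_RE = re.compile(r"^AWS\.[A-Za-z0-9]+\.[A-Za-z0-9]+$")  # AWS.S3.EnableBucketLogging


def validate_event(event):
    """Return a list of problems with a remediation event; an empty list means valid."""
    problems = []
    if event.get("action") != "remediate":
        problems.append("action must be 'remediate'")
    payload = event.get("payload")
    if not isinstance(payload, dict):
        return problems + ["payload must be an object"]
    rid = payload.get("remediationId")
    if not isinstance(rid, str) or not _REMEDIATION_RE.match(rid):
        problems.append("remediationId must look like AWS.<Service>.<Remediation>")
    resource = payload.get("resource")
    if not isinstance(resource, dict):
        problems.append("resource must be an object")
    else:
        account = resource.get("AccountId")
        if not isinstance(account, str) or not _ACCOUNT_RE.match(account):
            problems.append("resource.AccountId must be a 12-digit string")
        region = resource.get("Region")
        if not isinstance(region, str) or not _REGION_RE.match(region):
            problems.append("resource.Region must be an AWS region name")
    if not isinstance(payload.get("parameters"), dict):
        problems.append("parameters must be an object (use {} when none are needed)")
    return problems


def build_event(remediation_id, account_id, region, resource_name, parameters=None):
    """Assemble the documented event and refuse to return one that fails validation."""
    event = {
        "action": "remediate",
        "payload": {
            "remediationId": remediation_id,
            "resource": {"Name": resource_name, "AccountId": account_id, "Region": region},
            "parameters": parameters or {},
        },
    }
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    return event


def invoke_payload(event):
    """Compact JSON bytes, the form passed to `aws lambda invoke --payload` or boto3 Payload=."""
    return json.dumps(event, separators=(",", ":")).encode("utf-8")
```

Pass the result of invoke_payload to the CLI command above or to boto3's lambda client; both accept the same bytes.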

Using AWS Systems Manager (AWS SSM)

The CloudFormation template additionally creates an SSM Automation Document that can be used to remediate resources through AWS SSM.

Contributing

Please read the CONTRIBUTING.md before submitting pull requests.

Building

The project requires Python 3.7+. Build the project locally by running the following command:

$ make setup install

This sets up your Python virtual environment and installs the dependencies.

Testing

To run the test suite, including linting and formatting:

$ make ci