This early "Auto Remediation" is subject to change. Cloud Conformity will use commercially reasonable efforts to support the previous version of the project. This project is provided on an ‘AS IS’ and ‘WHEN AVAILABLE’ basis. Cloud Conformity has no liability to user as a result of any changes made to their AWS infrastructure by installing this project.
The following image shows how Cloud Conformity Auto Remediation works:
Here's an example:
- A user makes an S3 bucket publicly readable via S3 Access Control Lists (ACLs)
- Cloud Conformity identifies the risk in real-time
- Cloud Conformity publishes a message to the specified SNS Topic
- SNS topic triggers the Orchestrator lambda function which in turns calls S3 bucket auto-remediate function
- S3 BucketPublicReadAccess Auto Remediate Function (AutoRemediateS3-001) updates the S3 bucket ACL and closes the security gap
- Go to the official Serverless Framework and follow the instructions to install the framework
- Create a working copy of "Cloud Conformity Auto Remediation" repository by running the following command:
git clone https://github.com/cloudconformity/auto-remediate.git- Change directory to auto-remediation:
cd auto-remediateIMPORTANTUpdatefunctions/config.jswith required configurations.IMPORTANTMake any other necessary adjustments before deployment.- Run
npm installbefore deploying so that the node_modules folder would be available to AWS
npm install- Finally deploy
serverless deploy --region us-west-2The table below gives more information about SNS Message format:
| Name | Values |
|---|---|
| organisationId | Your Cloud Conformity Organisation Id |
| accountId | Your Cloud Conformity Account Id |
| accountName | Your Cloud Conformity Account Name |
| service | AutoScaling | CloudFormation | CloudFront | CloudTrail | CloudWatch | CloudWatchEvents | CloudWatchLogs | Config | DynamoDB | EBS | EC2 | ElastiCache | Elasticsearch | ELB | IAM | KMS | RDS | Redshift | ResourceGroup | Route53 | S3 | SES | SNS | SQS | VPC | WAF | ACM | Inspector | TrustedAdvisor | Shield | EMR | Lambda | Support | Organizations | Kinesis | EFS For more information about services, please refer to Cloud Conformity Services Endpoint |
| region | global | us-east-2 | us-east-1 | us-west-1 | us-west-2 | ap-south-1 | ap-northeast-2 | ap-southeast-1 | ap-southeast-2 | ap-northeast-1 | ca-central-1 | eu-central-1 | eu-west-1 | eu-west-2 | sa-east-1 For more information about regions, please refer to Cloud Conformity Region Endpoint |
| id | Check Id |
| resource | AWS Resource |
| ccrn | Cloud Conformity Resource Name |
| ruleId | e.g. S3-001 For more information about rules, please refer to Cloud Conformity Services Endpoint |
| ruleTitle | e.g. BucketPublicReadAccess For more information about rules, please refer to Cloud Conformity Services Endpoint |
| statuses | SUCCESS | FAILURE |
| categories | security | cost-optimisation | reliability | performance-efficiency | operational-excellence For more information about categories, please refer to Cloud Conformity Services Endpoint |
| riskLevels | LOW| MEDIUM | HIGH | VERY_HIGH | EXTREME For more information about risk levels, please refer to Cloud Conformity Services Endpoint |
| message | e.g. Bucket my-bucket-name allows public 'READ' access |
| createdDate | The date when the check was created The numeric value of the specified date as the number of milliseconds since January 1, 1970, 00:00:00 UTC |
| failureDiscoveryDate | The date when the check the failure was discovered The numeric value of the specified date as the number of milliseconds since January 1, 1970, 00:00:00 UTC |
| tags | Any assigned metadata tags to your AWS resources |
The table below lists the supported auto auto-remediate functions:
| Service | Rule Id | Description |
|---|---|---|
| CloudFormation | CFM-005 | Ensure Termination Protection feature is enabled for your AWS CloudFormation stacks |
| Config | Config-001 | Ensure AWS Config is enabled in all regions |
| S3 | S3-001 | Ensure S3 buckets do not allow public READ access |
| S3 | S3-012 | Enable versioning for AWS S3 buckets |
| RDS | RDS-008 | Ensure RDS instances are not public facing to minimise security risks |
| CloudTrail | CT-001 | Ensure CloudTrail API logging is activated for all Regions |
| Redshift | RS-001 | Ensure Redshift clusters are not publicly accessible to minimise security risks |
| IAM | IAM-001 | Ensure that all your IAM user access keys are rotated every month |
For more information about Rule Id, please refer to Cloud Conformity Services Endpoint
You are welcome to contribute to "Cloud Conformity Auto Remediation"
- Fork the project
- Make a well commented and clean commit to the repository
- Create a pull request