forked from demisto/content
-
Notifications
You must be signed in to change notification settings - Fork 13
/
AWS_-_Security_Group_Remediation_v2.yml
254 lines (254 loc) · 6.59 KB
/
AWS_-_Security_Group_Remediation_v2.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
id: AWS - Security Group Remediation v2
version: -1
name: AWS - Security Group Remediation v2
description: |-
This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.
starttaskid: "0"
tasks:
"0":
id: "0"
taskid: 7aeccd71-8a2e-47a8-8ba0-b91bac919bf4
type: start
task:
id: 7aeccd71-8a2e-47a8-8ba0-b91bac919bf4
version: -1
name: ""
iscommand: false
brand: ""
description: ''
nexttasks:
'#none#':
- "31"
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 420,
"y": -470
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"2":
id: "2"
taskid: 57209409-3b96-48f9-865d-61de73bd6309
type: title
task:
id: 57209409-3b96-48f9-865d-61de73bd6309
version: -1
name: Done
type: title
iscommand: false
brand: ""
description: ''
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 130,
"y": 140
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"31":
id: "31"
taskid: fe8c7803-f99e-4ee6-8481-fa710b622cd7
type: condition
task:
id: fe8c7803-f99e-4ee6-8481-fa710b622cd7
version: -1
name: Is AWS - EC2 enabled and are input values defined?
description: Determines if the AWS - EC2 integration instance is configured and input values are defined in order to continue with remediating security groups.
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "2"
"yes":
- "32"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isExists
left:
value:
complex:
root: modules
filters:
- - operator: isEqualString
left:
value:
simple: modules.brand
iscontext: true
right:
value:
simple: AWS - EC2
- - operator: isEqualString
left:
value:
simple: modules.state
iscontext: true
right:
value:
simple: active
iscontext: true
right:
value: {}
- - operator: isExists
left:
value:
complex:
root: inputs.InstanceID
iscontext: true
- - operator: isExists
left:
value:
complex:
root: inputs.Port
iscontext: true
- - operator: isExists
left:
value:
complex:
root: inputs.Protocol
iscontext: true
- - operator: isExists
left:
value:
complex:
root: inputs.PublicIP
iscontext: true
continueonerrortype: ""
view: |-
{
"position": {
"x": 420,
"y": -290
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 2
isoversize: false
isautoswitchedtoquietmode: false
"32":
id: "32"
taskid: d2488b84-78ba-4f31-8b35-c47e61425dd9
type: regular
task:
id: d2488b84-78ba-4f31-8b35-c47e61425dd9
version: -1
name: Create Security Group automation
description: Automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.
scriptName: AWSRecreateSG
type: regular
iscommand: false
brand: ""
nexttasks:
'#none#':
- "2"
scriptarguments:
assume_role:
complex:
root: inputs.AWSAssumeArn
instance_id:
complex:
root: inputs.InstanceID
port:
complex:
root: inputs.Port
protocol:
complex:
root: inputs.Protocol
public_ip:
complex:
root: inputs.PublicIP
region:
complex:
root: inputs.Region
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 420,
"y": -70
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
view: |-
{
"linkLabelsPosition": {},
"paper": {
"dimensions": {
"height": 675,
"width": 670,
"x": 130,
"y": -470
}
}
}
inputs:
- key: InstanceID
value: {}
required: true
description: ID of the AWS EC2 instance.
playbookInputQuery:
- key: Port
value:
complex:
root: alert
accessor: remoteport
required: true
description: TCP/UDP port to be restricted.
playbookInputQuery:
- key: Protocol
value: {}
required: true
description: Protocol of the port to be restricted.
playbookInputQuery:
- key: PublicIP
value:
complex:
root: alert
accessor: remoteip
required: true
description: Public IP address of the EC2 instance.
playbookInputQuery:
- key: AWSAssumeArn
value: {}
required: false
description: Name of an AWS role to assume (should be the same for all organizations).
playbookInputQuery:
- key: Region
value: {}
required: false
description: Region where EC2 instance is present.
playbookInputQuery:
outputs: []
tests:
- No tests (auto formatted)
fromversion: 6.5.0