Auto-remediation lets customers run self-healing Lambda functions on their infrastructure that remediate security and governance failures in real time. Refer to our GitHub page for a list of our supported auto-remediate Lambda functions.
For more information on implementing Auto-remediation for a large business and writing custom Lambdas to fill security gaps, see: How to add Security and Compliance Auto-remediation with the Cloud Posture Platform.
Example Scenario: A user makes an S3 bucket publicly readable via S3 Access Control Lists (ACLs).

How does auto-remediation work

Procedure

  1. Cloud Posture identifies the risk as a rule failure.
  2. Cloud Posture sends a notification to the specified SNS channel.
  3. The SNS topic triggers the Orchestrator Lambda function, which in turn calls the S3 bucket auto-remediate function.
  4. The AutoRemediateS3-001 function updates the S3 bucket ACL and resolves the rule failure, closing the security gap.
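The dispatch path in the scenario above, as an added example written for this page (it is not the project's own Orchestrator code): an SNS-triggered handler that parses the check messages, consults a config.js-style rule table and calls the S3-001 remediation. The message field names (ruleId, resource, status), the config shape and the injected S3 client are assumptions.

```javascript
// Added example, not the project's own code. Message fields, config shape
// and the injected client are assumptions; the client mimics the AWS SDK v2
// s3.putBucketAcl(params) call so the example runs offline.
const config = {
  'AutoRemediateS3-001': { enabled: true },   // S3 bucket with a public ACL
  'AutoRemediateEC2-002': { enabled: false }, // left disabled, as shipped
};

// Remediation for S3-001: reset the bucket ACL to private, which removes the
// public-read grant the scenario describes.
function remediateS3001(message, s3) {
  s3.putBucketAcl({ Bucket: message.resource, ACL: 'private' });
  return { ruleId: message.ruleId, resource: message.resource, action: 'bucket ACL set to private' };
}

const remediations = { 'S3-001': remediateS3001 };

// Each SNS record carries one check result as a JSON string in Sns.Message.
function parseSnsEvent(event) {
  return (event.Records || []).map((record) => JSON.parse(record.Sns.Message));
}

// Dispatch: only FAILURE messages whose rule is enabled and has a remediation
// function are acted on; everything else is reported as skipped, not errored.
function orchestrate(event, clients, rules = config) {
  return parseSnsEvent(event).map((message) => {
    const skip = (reason) => ({ ruleId: message.ruleId, resource: message.resource, action: `skipped: ${reason}` });
    if (message.status !== 'FAILURE') return skip('not a failure');
    const entry = rules[`AutoRemediate${message.ruleId}`];
    if (!entry || !entry.enabled) return skip('rule disabled in config.js');
    const remediate = remediations[message.ruleId];
    if (!remediate) return skip('no remediation function');
    return remediate(message, clients.s3);
  });
}

// Constructed test double: records ACL changes instead of calling AWS.
function makeFakeS3() {
  const calls = [];
  return { calls, putBucketAcl: (params) => { calls.push(params); return {}; } };
}

// Constructed sample event: one public-bucket failure and one disabled rule.
const sampleEvent = {
  Records: [
    { Sns: { Message: JSON.stringify({ ruleId: 'S3-001', status: 'FAILURE', resource: 'example-public-bucket' }) } },
    { Sns: { Message: JSON.stringify({ ruleId: 'EC2-002', status: 'FAILURE', resource: 'sg-0123456789abcdef0' }) } },
  ],
};
```

Running `orchestrate(sampleEvent, { s3: makeFakeS3() })` remediates the first record and reports the second as skipped because its rule is disabled.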


Set up auto-remediation

Procedure

  1. Follow the instructions in the official Serverless documentation to install the Serverless Framework and give it access to your AWS account.
  2. Create a working copy of the Auto-remediation repository:
    1. Install Git on Linux / Mac OS X / Windows if you don't have it on your system
    2. Run the following Git command: git clone https://github.com/cloudconformity/auto-remediate.git
    3. Change directory to functions within the auto-remediation folder: cd auto-remediate/functions
    4. Access rule configurations using the command: nano config.js
    5. All rules in the config.js file are set to 'enabled': false by default to prevent misconfigurations. Enable each rule you want manually by changing its value to 'enabled': true.
    6. After making the changes:
    • Press Ctrl-O to write out the changes
    • Press Enter to confirm the changes
    • Press Ctrl-X to exit the command-line editor
    7. Run the following commands:
    • Move one level up to the auto-remediate folder: cd ..
    • Install the Node.js dependencies into the node_modules folder so they are packaged for AWS: npm install
    
    8. Deploy auto-remediation by running the following command:
    serverless deploy --region [your AWS account region]
    For example
    serverless deploy --region us-east-2
    Note: For self-healing capabilities, we recommend deploying auto-remediation in the same region as your AWS account. Detection of check failures is independent of the deployment region, as it is performed by RTM and the Cloud Posture Bot.
    9. On successful deployment:
    • An SNS topic named CloudConformity is automatically created in your AWS account.
    • A Lambda function named autoremediate-v1-AutoRemediateOrchestrator is automatically subscribed to the CloudConformity SNS topic.
    10. Integrate an Amazon SNS communication channel on the Cloud Posture platform and select the notifications you wish to enable:
    • [Automatic notifications](toggle-automatic-not.xml): failed checks are automatically resolved when a message is published to your SNS channel.
    • [Manual notifications](toggle-manual-notifi.xml): a Send via SNS button appears on check failures; click it to resolve the failure.
    


Enable or disable rules after deploying auto-remediation

Procedure

  1. On your AWS Console, go to Services > Compute > Lambda > Functions.
  2. Search for and select auto-remediate-v1-AutoRemediateOrchestrator.
  3. Open the configuration: go to Configuration > Function code > Environment > auto-remediate-v1 > functions.
  4. Select config.js and modify your auto-remediate rule configurations.

Testing auto-remediation deployment

Procedure

  1. Verify that the communication trigger you selected while configuring the Amazon SNS channel is either left at the default, which sends notifications for All Checks, or specifically set to EC2-002 under Rules.
  2. Verify that AutoRemediateEC2-002 rule is enabled by following the instructions on enabling a rule.
  3. On your AWS Console, go to Services > Compute > EC2 > Security Groups.
  4. Click Create Security Group:
    1. Enter a name and description, and select a VPC.
    2. Under Security group rules > Inbound, click Add Rule:
      • Type: SSH
      • Source: Anywhere
      • Click Create

Resolution using Manual notifications

If you have only enabled Manual notifications, follow the steps below to resolve the failure:

Procedure

  1. Go to the All Checks report and filter rules by:
    • Rules: EC2-002 (Unrestricted SSH Access)
    • Only show checks created less than: 1 day
  2. On the Check failure, click on Send via SNS.

Verify the auto-remediation resolution

Procedure

  1. On your AWS Console, go to Services > Compute > EC2 > Security Groups. You'll see that the Security Group you created in Step 4 is not available anymore.
  2. On your AWS Console, go to Services > Compute > Lambda > Functions > Select {auto-remediate function} > Monitoring. You can also check the Lambda monitoring charts to confirm whether auto-remediate-v1-AutoRemediateOrchestrator and its sub-functions are being triggered.

Contribution to Auto-remediation project

You can fork and modify our auto-remediation code, but Cloud Posture will not provide support for forked code. However, you can submit pull requests to our auto-remediation code, and if approved, the code will be supported by our Customer Success team.