Skip to main content

One-click Remediation

This feature is currently available for AWS only.

Configuring One-click Remediation

To enable a Remediation Role ARN, follow these steps:

  1. From GravityZone Cloud Security, select the Scan Configuration page.

  2. From the Scan Group column, select the account for which you want to enable the remediation.

  3. Click the Edit icon.

    CSPM_AWS_remediation_edit_cp_459280_en.png

    The Account Details panel is displayed.

  4. In the Account Details panel, click the Configure remediation link.

    CSPM_AWS_configure_remediation_cp_459280_en.png

    The Remediation Configuration page is displayed.

There are two available methods to add a remediation role:

CloudFormation method (Recommended)

Follow these steps to enable a Remediation Role ARN using the CloudFormation method:

  1. Under Select a connection method, select the CloudFormation method.

    Important

    Do not close the creation screen during the AWS installation.

  2. Open a new browser tab or window and log in to AWS Account with an administrator account.

  3. Go back to the GravityZone Cloud Security Remediation Configuration browser page.

  4. Click Launch CloudFormation Stack.

    The Create stack page will be displayed in a new browser window. The information is automatically filled in for multiple sections of the page.

  5. In the Create stack page, scroll down to the Capabilities section.

  6. Check the I acknowledge that AWS CloudFormation might create IAM resources. checkbox.

    CSPM_AWS_remediation_capabilities_cp_459280_en.png
  7. Click Create Stack.

    The Stack will now appear in your AWS account:

    CSPM_AWS_remediation_stacks_cp_459280_en.png
  8. Wait until the CloudFormation Stack status shows CREATE_COMPLETE.

  9. Go to the Outputs tab.

  10. Copy the information from the Value column.

    CSPM_AWS_remediation_stacks_value_cp_459280_en.png
  11. Go back to the Remediation Configuration browser page.

  12. Paste the value under the Paste Role ARN here field.

  13. Click Add.

Manual method

You can adjust and limit to what degree you want GravityZone Cloud Security to remediate your AWS cloud assets.

Create a customer managed policy

To create a customer managed policy from you AWS Management Console, follow these steps:

  1. Under Select a connection method, select the Manual method.

    Important

    Do not close the creation screen during the AWS installation.

  2. Open a new browser tab or window and log in to AWS Account with an administrator account.

  3. Go to the IAM > Policies section and click Create policy.

  4. Select the JSON tab.

  5. Copy the following parameters and paste it in the Policy editor:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowWardenRemediation",
                "Effect": "Allow",
                "Action": [
                    "cloudtrail:AddTags",
                    "cloudtrail:CreateTrail",
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetEventSelectors",
                    "cloudtrail:GetTrail",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:PutEventSelectors",
                    "cloudtrail:StartLogging",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "cloudwatch:EnableAlarmActions",
                    "cloudwatch:PutMetricAlarm",
                    "ec2:CopyImage",
                    "ec2:CreateFlowLogs",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeImages",
                    "ec2:DescribeSnapshotAttribute",
                    "ec2:DescribeSnapshots",
                    "ec2:ModifyImageAttribute",
                    "ec2:ModifySnapshotAttribute",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes",
                    "iam:CreateRole",
                    "iam:DeactivateMFADevice",
                    "iam:DeleteAccessKey",
                    "iam:DeleteLoginProfile",
                    "iam:DeleteServiceSpecificCredential",
                    "iam:DeleteSigningCertificate",
                    "iam:DeleteSSHPublicKey",
                    "iam:DeleteUser",
                    "iam:DeleteUserPolicy",
                    "iam:DeleteVirtualMFADevice",
                    "iam:DetachUserPolicy",
                    "iam:GetAccessKeyLastUsed",
                    "iam:GetAccountPasswordPolicy",
                    "iam:GetLoginProfile",
                    "iam:GetRole",
                    "iam:GetUser",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies",
                    "iam:ListGroupsForUser",
                    "iam:ListMFADevices",
                    "iam:ListServiceSpecificCredentials",
                    "iam:ListSigningCertificates",
                    "iam:ListSSHPublicKeys",
                    "iam:ListUserPolicies",
                    "iam:PutRolePolicy",
                    "iam:RemoveUserFromGroup",
                    "iam:UpdateAccountPasswordPolicy",
                    "kinesis:DescribeStream",
                    "kinesis:StartStreamEncryption",
                    "kms:DescribeKey",
                    "kms:EnableKeyRotation",
                    "kms:GetKeyRotationStatus",
                    "logs:CreateLogGroup",
                    "logs:DescribeLogGroups",
                    "logs:DescribeMetricFilters",
                    "logs:PutMetricFilter",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBSnapshotAttributes",
                    "rds:DescribeDBSnapshots",
                    "rds:ModifyDBInstance",
                    "rds:ModifyDBSnapshotAttribute",
                    "s3:CreateBucket",
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:GetBucketPolicy",
                    "s3:GetEncryptionConfiguration",
                    "s3:ListBucket",
                    "s3:PutBucketAcl",
                    "s3:PutBucketLogging",
                    "s3:PutBucketPolicy",
                    "s3:PutBucketTagging",
                    "s3:PutEncryptionConfiguration",
                    "sns:CreateTopic",
                    "sns:GetTopicAttributes",
                    "sns:ListSubscriptions",
                    "sns:ListSubscriptionsByTopic",
                    "sns:SetTopicAttributes",
                    "sns:Subscribe",
                    "sns:TagResource",
                    "sqs:GetQueueAttributes",
                    "sqs:GetQueueUrl",
                    "sqs:SetQueueAttributes"
                ],
                "Resource": "*"
            }
        ]
    }

    Note

    For more information on Actions, check the official documentation.

  6. Click Next.

    The Review and create window is displayed.

  7. Fill in the information under the Policy details section:

    • Under Policy name type in a descriptive name such as gravityzone-cloud-remediation-policy.

    • Type in a clear description for the policy.

  8. Click Create policy.

    The new policy is created and you can search for it by name under IAM > Policies.

Create a role using the newly created customer managed policy

Follow the steps below:

  1. Go to the IAM > Roles section and click Create role.

    The Select trusted entity window is displayed.

  2. Under Trusted entity type, select AWS Account.

  3. In the An AWS account section, select Another AWS account.

  4. Go back to the Remediation Configuration browser page and copy the Account ID.

  5. Under Account ID, paste the information copied at step 4.

  6. Under the Options section, check the Require external ID box.

  7. Go back to the Remediation Configuration browser page and copy the External ID.

  8. In the External ID box, paste the information copied at step 7.

    Note

    Make sure the Require MFA checkbox is unchecked.

  9. Click Next.

    CSPM_AWS_remediation_external_ID_cp_459280_en.png

    The Add permissions window is displayed.

  10. Under Permission policies, search for the newly created policy by name and select it.

  11. Click Next.

    CSPM_AWS_remediation_permissions_policies_cp_459280_en.png

    The Create Role window will be displayed.

  12. Fill in the information under the Role details section:

    • Under Role name, type in a descriptive name such as gravityzone-cloud-remediation.

    • Type in a clear description for the role.

  13. Scroll down to the bottom of the page and click Create role.

    The Roles page is displayed.

  14. Search for the newly created role by name and click it.

    CSPM_AWS_remediation_roles_cp_459280_en.png

    The Roles page is displayed.

  15. Click the Edit button from the Summary section.

    CSPM_AWS_remediation_summary_edit_459280_en.png

    The Edit description and session duration window is displayed.

  16. Set the Maximum session duration to 4 hours and click Save changes.

    CSPM_AWS_remediation_session_duration_459280_en.png
  17. Click the Copy button under ARN in the the Summary section.

    CSPM_AWS_remediation_ARN_role_copy_459280_en.png
  18. Go back to the Remediation Configuration browser page.

  19. In the Paste Role ARN here field, paste the ARN you copied at step 17.

  20. Click Add.

    The Remediation Role ARN can now be displayed in the Account Details panel.

Using the One-click remediation process

Refer to the following steps to perform the remediation process:

  1. Go to Posture Management > Rules page.

  2. From the Rules page, you can either select one from the list, or search for a specific rule using the search field.

    You can easily identify the rules for which one-click remediation was configured by the icon available on the same row as the rule title.

    CSPM_AWS_remediation_icon_cp_459280_en.png

    Note

    Where the icon is missing, it means the remediation process is not available. The remediation icon may be present for a specific rule but not applicable to all the accounts listed below that specific rule.

  3. Click the rule you want to remediate and expand the details.

    CSPM_AWS_remediation_rule_expanded_cp_459280_en.png
  4. Click on any row to access the Check Details panel.

  5. Click the Remediation tab.

    CSPM_AWS_remediation_one_click_button_cp_459280_en.png

    The Playbook Code remediation option is selected by default.

    Note

    One-click remediation is not specific to Playbook Code in general, but only to a subset of rules.

  6. Click the One-click remediate button.

    The following pop-up will be displayed.

    CSPM_AWS_remediation_remediate-button_response_cp_459280_en.png

    After a few moments, a message is displayed informing you if your remediation was successful or failed. You can check the details by accessing the AWS console or directly by clicking the link from the Check Details panel, next to the resource name. For you to see the status change in GravityZone Cloud Security, you need to process a new scan.

You can find the entries in both the History tab, under Check Details, and the Activity Log under Settings.

CSPM_AWS_remediation_history_cp_459280_en.png

One-click remediation rules

  • Kinesis Server Side Encryption Not Enabled

  • AWS S3 Bucket with Public Write ACP Permission

  • IAM Password Policy - Numbers Required Not Configured

  • IAM Password Policy - Expiration Period of 90 Days or Less Not Configured

  • AWS RDS Snapshot Not Private

  • IAM Password Policy - Lowercase Characters Required Not Configured

  • IAM Password Policy - Minimum Password Length of at Least 14 Characters Not Configured

  • AWS S3 Bucket with Public Read ACP Permission

  • IAM Password Policy - Symbols Required Not Configured

  • IAM Password Policy - Prevent Reuse of Last 24 Passwords Not Configured

  • AWS EBS Volume Snapshot Not Private

  • AWS EC2 AMI Not Private

  • SQS Server Side Encryption Not Enabled

  • IAM Password Policy - Uppercase Characters Required Not Configured

  • AWS S3 Bucket with Authenticated Write ACP Permission

  • Access Keys for IAM Users Created During Initial Setup

  • AWS S3 Bucket with Authenticated Read ACP Permission

  • Customer Managed CMKs Automatic Key Rotation Not Enabled

  • AWS S3 Bucket with Authenticated Write Permission

  • AWS S3 Bucket with Public Full Control Permission

  • S3 Bucket Default Server-Side Encryption Not Enabled

  • AWS S3 Bucket with Authenticated Read Permission

  • S3 Secure Transport Not Enabled

  • AWS S3 Bucket with Authenticated Full Control Permission

  • AWS S3 Bucket with Public Write Permission

  • AWS S3 Bucket with Public Read Permission

  • SNS Topic Server-Side Encryption Not Enabled