Trend Micro Cloud One™

Auto-remediation

Auto-remediation provides customers the ability to run self-healing Lambda functions on their infrastructure that can remediate security and governance failures in real-time. Refer to our GitHub page for a list of our supported auto-remediate Lambda functions.

For more information on implementing Auto-remediation for a large business and writing custom Lambdas to fill security gaps, see: How to add Security and Compliance Auto-remediation with the Cloud Conformity Platform.

Example Scenario: A user makes an S3 bucket publicly readable via S3 Access Control Lists (ACLs).


How does auto-remediation work

  1. Cloud Conformity identifies the risk as a rule failure.
  2. Cloud Conformity sends a notification to the specified SNS channel.
  3. The SNS topic triggers the Orchestrator Lambda function, which in turn calls the S3 bucket auto-remediate function.
  4. The AutoRemediateS3-001 function updates the S3 bucket ACL and resolves the rule failure, thereby closing the security gap.
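As an added example (not the auto-remediate project's own code), the flow above is written out in Node.js: the orchestrator consults a config.js-style map in which rules are disabled unless 'enabled' is true, and the S3-001 remediation strips public-group grants from the bucket ACL. The SNS message fields (ruleId, bucketName), the config shape and the injected S3 client interface (getBucketAcl/putBucketAcl) are assumptions, not the project's formats.

```javascript
// Added example (not the auto-remediate project's code): the S3 ACL
// remediation described for AutoRemediateS3-001 as pure, testable functions.
// SNS message fields, config shape and the S3 client interface are assumed.
const PUBLIC_GROUPS = new Set([
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
]);
// Constructed config mirroring the 'enabled': false default of config.js:
// a rule only fires once it has been switched on explicitly.
const config = {
  'S3-001': { enabled: true, fn: 'AutoRemediateS3-001' },
  'EC2-002': { enabled: false, fn: 'AutoRemediateEC2-002' },
};
// Orchestrator step: map a failed rule to its remediation function,
// or null when the rule is unknown or disabled.
function selectRemediation(cfg, ruleId) {
  const rule = cfg[ruleId];
  return rule && rule.enabled ? rule.fn : null;
}
// Return a copy of the ACL with every grant to a public group dropped;
// grants to canonical users (including the bucket owner) are kept.
function stripPublicGrants(acl) {
  const Grants = acl.Grants.filter(
    (g) => !(g.Grantee.Type === 'Group' && PUBLIC_GROUPS.has(g.Grantee.URI))
  );
  return { Owner: acl.Owner, Grants };
}

// Remediate one bucket through an injected client exposing getBucketAcl(bucket)
// and putBucketAcl(bucket, acl); returns how many public grants were removed.
async function remediateBucketAcl(s3, bucketName) {
  const acl = await s3.getBucketAcl(bucketName);
  const fixed = stripPublicGrants(acl);
  const removed = acl.Grants.length - fixed.Grants.length;
  if (removed > 0) await s3.putBucketAcl(bucketName, fixed); // write only if needed
  return removed;
}

// Lambda entry point: SNS hands the published message to the function as a
// JSON string in event.Records[i].Sns.Message.
async function handler(event, s3) {
  const results = [];
  for (const rec of event.Records) {
    const msg = JSON.parse(rec.Sns.Message);
    if (selectRemediation(config, msg.ruleId) !== 'AutoRemediateS3-001') continue;
    results.push(await remediateBucketAcl(s3, msg.bucketName));
  }
  return results;
}
```

For a real deployment, wrap the AWS SDK's getBucketAcl/putBucketAcl calls behind the same two-method interface and pass that client into handler.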

Set up auto-remediation

  1. Follow the instructions in the official Serverless documentation to install the Serverless Framework and grant it access to your AWS account.
  2. Create a working copy of Auto-remediation repository:
    1. Install Git on Linux / Mac OS X / Windows if you don’t have it on your system
    2. Run the following Git command:

      git clone https://github.com/cloudconformity/auto-remediate.git

    3. Change directory to functions within the auto-remediation folder:

      cd auto-remediate/functions

    4. Access rule configurations using the command:

      nano config.js

    5. All rules in the config.js file are set to 'enabled': false by default to prevent misconfigurations. You will need to enable the rules manually by changing the value to 'enabled': true.

    6. After making the changes:
      1. Take keyboard action Ctrl-O to Write Out the changes.
      2. Press Enter to confirm the changes.
      3. Exit the command-line editor by taking keyboard action Ctrl-X.
    7. Run the following commands:
      1. Move one level up to the “auto-remediate” folder using the command:

        cd ..

      2. Install the dependencies into the node_modules folder so they are packaged for AWS, using the command:

        npm install

    8. Deploy auto-remediation by running the following command:

      serverless deploy --region [your AWS account region]

      For example,

      serverless deploy --region us-east-2


      Note: For self-healing capabilities, we recommend deploying auto-remediation in the same region as your AWS account. Detection of Check failures is independent of the region of deployment as it is performed by RTM and Conformity Bot.

    9. On successful deployment:
      1. An SNS topic named CloudConformity is automatically created in your AWS account.
      2. A Lambda function named auto-remediate-v1-AutoRemediateOrchestrator is automatically subscribed to the CloudConformity SNS topic.
    10. Integrate Amazon SNS Communication channel on the Cloud Conformity platform and select the notifications you wish to enable:
      • Automatic notifications - failed checks are automatically resolved when a message is published to your SNS channel.
      • Manual notifications - you can view the Send via SNS button on Check failures. Click on the button to resolve the failure.

Enable or disable rules after deploying auto-remediation

  1. On your AWS Console, go to: Services > Compute > Lambda > Functions
  2. Search and select: auto-remediate-v1-AutoRemediateOrchestrator
  3. Make changes to the configuration
    1. Go to Configuration > Function code > Environment > auto-remediate-v1 > functions.
  4. Select config.js and modify your auto-remediate rule configurations.

Testing auto-remediation deployment

  1. Verify that the Communication trigger you selected while configuring the Amazon SNS channel is one of the following:
    1. Left at the default, which sends notifications for All Checks, or
    2. Set to the specific rule EC2-002 under Rules
  2. Verify that AutoRemediateEC2-002 rule is enabled by following the instructions on enabling a rule.
  3. On your AWS Console, go to: Services > Compute > EC2 > Security Groups
  4. Click Create Security Group
    1. Enter name, description, and select VPC
    2. Under Security group rules > Inbound, click Add Rule:
      • Select Type: SSH
      • Source: Anywhere
      • Click Create

  5. If you have enabled Real-Time Threat Monitoring you will instantly see an entry in the Activity Dashboard and Monitoring Dashboard when Auto-remediation kicks in.
  6. If you have only enabled Automatic notifications, the Check failure will be automatically resolved.

Resolution using Manual notifications

If you have only enabled Manual notifications, follow the steps below to resolve the failure:

  1. Go to All Checks report and filter rules by:
    • Rules: EC2-002 (Unrestricted SSH Access)
    • Only show checks created less than: 1 day
  2. On the Check failure, click on Send via SNS.

Verify the auto-remediation resolution

  1. On your AWS Console, go to Services > Compute > EC2 > Security Groups. You’ll see that the Security Group that you created on Step 4 is not available anymore.
  2. On your AWS Console, go to Services > Compute > Lambda > Functions > Select {auto-remediate function} > Monitoring.

    You can also check lambda monitoring charts to understand whether auto-remediate-v1-AutoRemediateOrchestrator and its sub-functions are getting triggered.

Contribution to Auto-remediation project

You can fork and modify our auto-remediation code, but Cloud Conformity will not provide support for forked code. However, you can submit pull requests to our auto-remediation code, and if approved, the code will be supported by our Customer Success team.