Auto-remediation lets customers run self-healing Lambda functions on their infrastructure that remediate security and governance failures in real time. Refer to our GitHub page for a list of the supported auto-remediate Lambda functions.
For more information on implementing Auto-remediation for a large business and writing custom Lambdas to fill security gaps, see: How to add Security and Compliance Auto-remediation with the Conformity Platform.
Note
Example Scenario: A user makes an S3 bucket publicly readable via S3 Access Control Lists (ACLs).

How does auto-remediation work

Procedure

  1. Conformity identifies the risk as a rule failure.
  2. Conformity sends a notification to the specified SNS channel.
  3. The SNS topic triggers the Orchestrator Lambda function, which in turn calls the S3 bucket auto-remediate function.
  4. The AutoRemediateS3-001 function updates the S3 bucket ACL and resolves the rule failure, closing the security gap.

Set up auto-remediation

Follow the instructions in the official Serverless documentation to install the Serverless Framework and grant it access to your AWS account. Then create a working copy of the Auto-remediation repository and follow the instructions below:

Procedure

  1. Create a working copy of Auto-remediation repository:
    1. Install Git on Linux / Mac OS X / Windows if you don't have it on your system.
    2. Run the following Git command: git clone https://github.com/cloudconformity/auto-remediate.git
  2. Change directory to functions within the auto-remediation folder: cd auto-remediate/functions
  3. Access rule configurations using the command: nano config.js
  4. All rules in the config.js file are set to 'enabled': false by default to prevent misconfigurations.
    You will need to enable the rules manually by changing the value to 'enabled': true.
  5. After making the changes:
    • Press Ctrl-O to write out the changes
    • Press Enter to confirm the changes
    • Press Ctrl-X to exit the command-line editor.
  6. Run the following commands:
    • Move one level up to the "auto-remediate" folder using the command: cd ..
    • Install the project's dependencies into the node_modules folder so they are packaged for AWS, using the command: npm install
  7. Deploy auto-remediation by running the following command:
    serverless deploy --region [your AWS account region]
    For example:
    serverless deploy --region us-east-2
    Note
    For self-healing capabilities, we recommend deploying auto-remediation in the same region as your AWS account. Detection of Check failures is independent of the deployment region, as it is performed by RTM and the Conformity Bot.
  8. On successful deployment:
    • An SNS topic named CloudConformity is automatically created in your AWS account.
    • A Lambda function named autoremediate-v1-AutoRemediateOrchestrator is automatically subscribed to CloudConformity SNS topic.
  9. Integrate Amazon SNS Communication channel on the Conformity platform and select the notifications you wish to enable:
    • Automatic notifications - failed checks are automatically resolved when a message is published to your SNS channel.
    • Manual notifications - you can view the Send via SNS button on Check failures. Click on the button to resolve the failure.
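The following is an added Node.js example, not code from the auto-remediate project, that models the flow described under "How does auto-remediation work" together with the config.js gating from step 4 above: a check-failure message arrives on the SNS topic, an orchestrator looks the rule id up in config.js-style settings, and only an enabled rule is dispatched to its remediation function, which resets a public bucket ACL to private. The SNS message fields (ruleId, resource, status), the config shape, the function names and the in-memory S3 client are all assumptions; the real AWS SDK calls are asynchronous and are replaced here by a synchronous stand-in so the example runs offline.

```javascript
"use strict";

// Added example (not the auto-remediate project's code). Message fields,
// config shape and the S3 client are assumptions / constructed stand-ins.

const ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers";

// Rule settings in the shape the page describes: every rule stays disabled
// until an operator deliberately flips 'enabled' to true in config.js.
const defaultConfig = {
  "S3-001": { enabled: false },
  "EC2-002": { enabled: false },
};

// Assumed remediation for S3-001: if the bucket ACL grants AllUsers anything,
// reset the ACL to private; otherwise leave the bucket untouched.
function autoRemediateS3_001(finding, s3) {
  const acl = s3.getBucketAcl({ Bucket: finding.resource });
  const isPublic = acl.Grants.some((g) => g.Grantee && g.Grantee.URI === ALL_USERS_URI);
  if (!isPublic) return { action: "none", reason: "bucket ACL already private" };
  s3.putBucketAcl({ Bucket: finding.resource, ACL: "private" });
  return { action: "remediated", bucket: finding.resource };
}

// Registry mapping a Conformity rule id to its remediation function.
const remediations = { "S3-001": autoRemediateS3_001 };

// Orchestrator: decode each SNS record, gate on the config, then dispatch.
function orchestrate(snsEvent, config, clients) {
  const results = [];
  for (const record of snsEvent.Records) {
    let finding;
    try {
      finding = JSON.parse(record.Sns.Message);
    } catch (e) {
      results.push({ action: "skipped", reason: "message is not JSON" });
      continue;
    }
    const rule = finding.ruleId;
    const setting = config[rule];
    if (!setting || !setting.enabled) {
      results.push({ rule, action: "skipped", reason: "rule disabled in config.js" });
      continue;
    }
    const fn = remediations[rule];
    if (!fn) {
      results.push({ rule, action: "skipped", reason: "no remediation function" });
      continue;
    }
    results.push({ rule, ...fn(finding, clients.s3) });
  }
  return results;
}

// Constructed in-memory S3 stand-in exposing the two calls used above.
function fakeS3(grants) {
  const state = { grants: grants.slice(), lastAcl: null };
  return {
    state,
    getBucketAcl: () => ({ Grants: state.grants }),
    putBucketAcl: ({ ACL }) => {
      state.lastAcl = ACL;
      state.grants = [{ Grantee: { Type: "CanonicalUser", ID: "owner" }, Permission: "FULL_CONTROL" }];
    },
  };
}

// Constructed SNS event carrying one check failure (field names are assumed).
function sampleEvent(ruleId) {
  const message = { ruleId, resource: "example-public-bucket", status: "FAILURE" };
  return { Records: [{ Sns: { Message: JSON.stringify(message) } }] };
}

// Run the flow for an S3-001 failure with the rule disabled (default) or enabled.
function runScenario(enabled) {
  const config = { ...defaultConfig, "S3-001": { enabled } };
  const s3 = fakeS3([
    { Grantee: { Type: "Group", URI: ALL_USERS_URI }, Permission: "READ" },
  ]);
  const results = orchestrate(sampleEvent("S3-001"), config, { s3 });
  return { results, lastAcl: s3.state.lastAcl };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenario(false)));
  console.log(JSON.stringify(runScenario(true)));
}
```

With the default config the failure is logged as skipped and the ACL is never touched; only after 'enabled' is set to true does the same message reach the remediation function. Keeping the gate in the orchestrator, rather than in each remediation function, is what makes the config.js defaults a safe starting point.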

Enable or disable rules after deploying auto-remediation

Procedure

  1. On your AWS Console, go to: Services > Compute > Lambda > Functions
  2. Search and select: auto-remediate-v1-AutoRemediateOrchestrator
  3. Make changes to the configuration: go to Configuration > Function code > Environment > auto-remediate-v1 > functions.
  4. Select config.js and modify your auto-remediate rule configurations.

Testing auto-remediation deployment

Procedure

  1. Verify that the communication trigger you selected while configuring the Amazon SNS channel is:
    1. either left at the default, which sends notifications for All Checks, or
    2. set specifically to EC2-002 under Rules.
  2. Verify that AutoRemediateEC2-002 rule is enabled by following the instructions on enabling a rule.
  3. On your AWS Console, go to: Services > Compute > EC2 > Security Groups
  4. Click Create Security Group
    1. Enter name, description, and select VPC
    2. Under Security group rules Inbound, click Add Rule:
      • Select Type: SSH
      • Source: Anywhere
      • Click Create
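As an added Node.js example, not the auto-remediate project's code, the check the test procedure above exercises: EC2-002 (Unrestricted SSH Access) fails when a security group's inbound rules allow TCP port 22 from any source, which is exactly what the "SSH from Anywhere" rule you just created does. The security group objects are constructed in the shape the EC2 DescribeSecurityGroups API returns, the function names are mine, and the remediation is a simplified assumption that revokes only the offending ingress entries through a recording stub (the page describes the project's function removing the whole test group instead).

```javascript
"use strict";

// Added example (not the auto-remediate project's code). Sample groups are
// constructed; the EC2 client is a stand-in that records calls.

// True when one inbound permission exposes TCP/22 to the entire internet.
function isUnrestrictedSsh(perm) {
  // "-1" means all protocols and ports; otherwise the TCP range must include 22.
  const coversSsh =
    perm.IpProtocol === "-1" ||
    (perm.IpProtocol === "tcp" && perm.FromPort <= 22 && perm.ToPort >= 22);
  if (!coversSsh) return false;
  const anyV4 = (perm.IpRanges || []).some((r) => r.CidrIp === "0.0.0.0/0");
  const anyV6 = (perm.Ipv6Ranges || []).some((r) => r.CidrIpv6 === "::/0");
  return anyV4 || anyV6;
}

// Evaluate one security group; an empty result means the group passes EC2-002.
function checkEC2_002(group) {
  return (group.IpPermissions || []).filter(isUnrestrictedSsh);
}

// Simplified remediation (assumption, see lead-in): revoke only the offending
// entries through a client exposing revokeSecurityGroupIngress.
function remediateEC2_002(group, ec2) {
  const offending = checkEC2_002(group);
  if (offending.length === 0) return { groupId: group.GroupId, action: "none" };
  ec2.revokeSecurityGroupIngress({ GroupId: group.GroupId, IpPermissions: offending });
  return { groupId: group.GroupId, action: "remediated", revoked: offending.length };
}

// Constructed EC2 stand-in that records calls instead of talking to AWS.
function fakeEc2() {
  const calls = [];
  return { calls, revokeSecurityGroupIngress: (params) => calls.push(params) };
}

// Constructed sample groups: the one the test procedure creates (SSH from
// Anywhere, plus an unrelated HTTPS rule), a subtler variant, and a compliant one.
const sampleGroups = {
  sshAnywhere: {
    GroupId: "sg-0000example01",
    IpPermissions: [
      { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [] },
      { IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [] },
    ],
  },
  // A port range that happens to include 22, open to every IPv6 source.
  rangeOverV6: {
    GroupId: "sg-0000example02",
    IpPermissions: [
      { IpProtocol: "tcp", FromPort: 20, ToPort: 25, IpRanges: [], Ipv6Ranges: [{ CidrIpv6: "::/0" }] },
    ],
  },
  // SSH restricted to a private range: passes the check.
  restricted: {
    GroupId: "sg-0000example03",
    IpPermissions: [
      { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "10.0.0.0/8" }], Ipv6Ranges: [] },
    ],
  },
};

// Evaluate and remediate every sample group; returns one result per group.
function runAll(ec2) {
  return Object.values(sampleGroups).map((g) => remediateEC2_002(g, ec2));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAll(fakeEc2()), null, 2));
}
```

The port-range and IPv6 cases matter in practice: a check that only looks for FromPort 22 with 0.0.0.0/0 misses a 20-25 range or a ::/0 source, and the HTTPS rule in the first group shows that only the SSH entry is touched.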

Resolution using Manual notifications

If you have only enabled Manual notifications, follow the steps below to resolve the failure:

Procedure

  1. Go to All Checks report and filter rules by:
    • Rules: EC2-002 (Unrestricted SSH Access)
    • Only show checks created less than: 1 day
  2. On the Check failure, click on Send via SNS.

Verify the auto-remediation resolution

Procedure

  1. On your AWS Console, go to Services > Compute > EC2 > Security Groups. You'll see that the Security Group you created in Step 4 of the testing procedure is no longer available.
  2. On your AWS Console, go to Services > Compute > Lambda > Functions > Select {auto-remediate function} > Monitoring. You can also check the Lambda monitoring charts to confirm that auto-remediate-v1-AutoRemediateOrchestrator and its sub-functions are being triggered.

Contribution to Auto-remediation project

You can fork and modify our auto-remediation code, but Conformity will not provide support for forked code. However, you can submit pull requests to our auto-remediation code; if approved, the code will be supported by our Customer Success team.