What is this Blog About?
This blog is all about meeting and maintaining your aws resources according to aws security compliance standards or custom standards created by the organization.
For example, consider whether an organization wants all its Elastic Load Balancers ( ELB ) to have Deletion Protection Enabled or the organization wants its Users to comply with a particular IAM Password Policy.
In these scenarios we can use config rules to know which resources are non-compliant and then remediate the non-compliant resources with the help of System Manager (SSM) Documents.
Similar to this, there are many compliance policies that you can set and remediate with the help of Config Rule Auto remediation.
For demonstration purposes, in this blog we are going to remediate ELB’s that have deletion protection disabled. The blog will be divided in following steps:
- Developing SSM Document for Enabling ELB Deletion Protection.
- Creating Config Rule for Non-Compliant ELB which have deletion protection disabled.
- Auto Remediating Non-Compliant ELB Resource.
Developing SSM Document:
- So getting started with, open your AWS account console and search for System Manager and open the Documents dashboard.
- Now, click on the Create Document button and select create Automation. Name the document based on the use case you are going to remediate. In our case, it is enabling deletion protection on ELB.
- Next, add a Description to your document on what the document does, what are the parameters required for the document to work properly and what is the output/response of the document whether the document is successful in remediating the non-compliant resource.
- Adding required Input Parameters:Providing input parameters that are necessary for the remediation to work such as providing IAM Role which gives permission to the SSM Document to execute remediation on your behalf, providing ID/Arn/Name of the resource, providing other required resources such as s3 bucket for logging purposes,etc.
In most cases for remediation we mandatorily need to provide IAM Role and Resource ID/Name (AutomationAssumeRole and LoadBalancerArn in our case).As you can see in the above picture we have provided the required input parameters wherein you can also specify the type of the parameter and whether it is required or not. If you select “required as “No”, then you can also add the default value for that parameter.
The IAM Role will have following permissions:
Particular Resource Permission for which you are performing remediation(in our case elb).
IAM Passrole for the account
- Select the Target Resource from dropdown
- Adding Step in document:
Providing Name for the step, selecting Action type such executing a script or executing an API, adding Step Description.Adding Input (Script for remediation), Input Payload (Parameters that are needed for the step to execute) and Output (the output payload response returned from the script).
In the following picture we have used boto3 python script for enabling ELB Deletion Protection and in Input Payload we have passed the LoadBalancerArn as an event and in Output we have returned the StringMap response from the script.You can also configure additional and common properties as per your requirements, we have kept it default in our blog.
- Now click on Create Document and you have your Automation Document ready! You can always edit the document by creating its new version and setting it as the default version after editing.
Creating Config Rule:
- Creating config rules which will detect non-compliant resources. Open aws console and search Config and select Rules and then select Add Rule.
- Now select Aws Managed Rules or Custom Lambda Rule if your use case does not exist in Aws managed rules.
Our use case falls under Aws managed rules as elb-deletion-protection-enabled.
- Add Name and Description
- Add Trigger on which basis the config rule must evaluate the non-compliant resources
- You can also add additional Parameters if the remediation requires it such as a required tag or a s3 bucket. After reviewing, create the rule. Search for the same rule you have created and click on Actions, then Manage Remediation.
Select remediation method:
a. Auto-Remediation: If you want AWS Config to directly initiate remediation of the non-compliant resources on your behalf when they come in scope.
b. Manual Remediation: If you want to remediate each non-compliant resource on your own through the console when they come in scope.
We are going to use manual remediation for demonstration purposes but it\’s better to keep auto-remediation that will check compliance of resources and remediate based on that automatically.
- Now in Remediation Action select the ssm document we have created for remediation.
- Select which input parameter in your document acts as a Resource Id and mention the values for other parameters if necessary. You can also provide a rate limit for the rule.
- Save changes and move onto the next step remediation of resources.
Remediation of Non-Compliant Resources:
- Click on the config rule that we have created and under Resources in scope select non-compliant and you have all resources which do not comply with the rule that we have set. In our case there is only one ELB resource which does not comply with the rule.
- Select the resource and click on Remediate. After you clicked on remediation you can see the status has changed from null to Action Executed Successfully.
- We can also confirm by going to the mentioned ELB dashboard and check in the details of the resource.
- Also after reloading resources in scope the particular resource will move to compliant resources.
- Well done! Now you have successfully know how to remediate non-compliant resources as per aws or organization specific defined standards.
Hope this blog has made you understand how to create Config Rule and SSM Automation Document to remediate non-compliant resources in your AWS Account. For more info, you can check out aws docs.
For further help regarding solutions around security standards for resources, you can always reach out to us.
Happy reading 🙂
Written by – Mohammed Shahid Adoni