
How to auto-remediate internet accessible ports with AWS Config and AWS Systems Manager

With the AWS Config service, you can assess, audit, and evaluate the configuration of your Amazon Web Services (AWS) resources. AWS Config continuously monitors and records changes to your AWS resource configurations, and lets you automate the evaluation of those recorded configurations against desired configurations. Not only can AWS Config identify and track deviations from desired configurations, it can also be used with other services, such as AWS Systems Manager, to remediate those deviations automatically when they are detected. The remediation actions are declared in Systems Manager automation documents, which AWS Config invokes whenever a resource is found to be noncompliant. This turns AWS Config into not just a detection mechanism, but also a near-real-time automated response mechanism.

AWS recommends that you use our Well-Architected best practices for site reliability engineering (SRE) and DevOps; specifically, that you implement the principle of least privilege and restrict network access to only the necessary IP addresses and ports. But we're also pragmatic and recognize that there are use cases where customers need to open additional ports or resources in security groups to troubleshoot issues. This can result in insecure configurations that deviate from your expected or desired configuration. The use case in this blog post covers a real-life example of how to document and manage the desired or expected configuration of your AWS resources with tags, and how to use AWS Config to evaluate the compliance of your configuration against your organization's defined standards by leveraging those tags. For example, you can record the desired configuration for each AWS resource in a tag on that resource, and use AWS Config to detect and remediate any inconsistencies between the tag documentation and the current configuration.

Solution overview

 

A best practice is to automate the deployment of resources with code. As part of the automated deployment of an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can assign tags to the instance. These tags can be used to indicate which ports should be open at the host level, which defines the expected configuration for that instance. If the ports are later changed so that they no longer match the expected configuration described in the tags, that indicates the EC2 instance is in a state of noncompliance. In this solution, you'll create an AWS Config custom rule to detect ports that are not expected to be open in security groups attached to EC2 instances, and remediate by isolating that security group and removing the noncompliant ports.

There are managed AWS Config rules that accomplish similar tasks, such as vpc-sg-open-only-to-authorized-ports . However, the AWS Config custom rule described in this post is used to:

    1. Demonstrate how you can use custom logic to build your own AWS Config custom rules.

    2. Focus on EC2 instances, rather than security groups, because your EC2 instance most likely has more context than an individual security group, which allows for better tagging. For example, if your EC2 instance is running a web application and exposes port 443 to the internet, you can place the corresponding tag on the EC2 instance directly to indicate this fact, and any security group attached to the instance should follow this expectation.

 

 

The remediation action will perform these actions:

    • If the EC2 instance has multiple security groups attached, the remediation will simply detach the security group with the noncompliant rules, while keeping the compliant security groups attached.

    • If the EC2 instance has a single security group attached, the remediation will quarantine the security group by creating a clone of the security group (prefixed with the string QUARANTINED ), and removing any noncompliant ports or rules. The original security group will be detached, and the quarantined security group will be attached.

Note that the quarantined clone has a new security group ID, so anything that references the original group by ID (rules in other security groups, infrastructure-as-code state) will not follow it. Treat the quarantine as containment, and follow up by fixing the original group or the deployment that produced it.

 

 

The solution in this post covers three of the four components of the AWS Cloud Adoption Framework (CAF) Security Perspective :

    • Directive : Managing governance and compliance definitions within the AWS resource configuration by using tagging.

    • Detective : Identifying noncompliant EC2 instances with ports accessible to the internet that should not be accessible, by using AWS Config.

    • Responsive : Automatically remediating, through Systems Manager Automation, security groups attached to EC2 instances that are deemed noncompliant by the AWS Config rule.

 

 

Create the AWS Config rule

 

To simplify the process of creating a custom AWS Config rule, it is highly recommended that you use the AWS Config Rule Development Kit (RDK) . Using the kit, you can focus exclusively on the logic of your AWS Config rule, while the generated template handles the rest.

In this example, we made the following assumptions when we built the provided code (if you don't already have these items configured, you can create and configure them as you go through each part of the exercise):

    • You have EC2 instances running with attached security groups

    • Tagging is implemented to indicate which ports are allowed to be accessible to the internet, and the tagging follows a format such as Key: AllowedPorts; Value: 80 or Key: AllowedPorts; Value: 80, 443, 8080

    • Noncompliant security groups are in place to demonstrate the remediation action

 

 

The code for this blog post can be found in the following GitHub repository . Specifically, the repository includes the code for the custom AWS Config rule, the Systems Manager document, and the AWS Identity and Access Management (IAM) policy documents that will be used throughout the post.

To download the code used for the solution

 

  1. Clone the repository (or choose the Download ZIP option) by using the following command.

     

         git clone https://github.com/aws-samples/aws-blog-security-group-ingress-remediation.git
     
  2. Open the repository in the text editor of your choice. The folder will be in the same directory where you cloned the repository. You won't need to make any changes to the files to follow this blog, but the following steps in this section will review some of the important things that are happening in the code.
  3. The code for the custom AWS Config rule is in the SECURITY_GROUP_INGRESS_REMEDIATION folder. First, open the parameters.json file in the SECURITY_GROUP_INGRESS_REMEDIATION subdirectory:
         
    

    {
      "Version": "1.0",
      "Parameters": {
        "RuleName": "SECURITY_GROUP_INGRESS_REMEDIATION",
        "SourceRuntime": "python3.7",
        "CodeKey": "SECURITY_GROUP_INGRESS_REMEDIATION.zip",
        "InputParameters": "{}",
        "OptionalParameters": "{}",
        "SourceEvents": "AWS::EC2::Instance"
      },
      "Tags": "[]"
    }

     
  4. This file contains details that the RDK will use when it deploys the AWS Config rule. In particular, you'll see the AWS Config rule name, the runtime, the code location, parameters for the AWS Config rule, and the source event that triggers the AWS Config rule (this can be based on a configuration change, or occur on a periodic schedule).

In this case, you'll notice that SourceEvents is set to AWS::EC2::Instance , meaning this AWS Config rule will run when an EC2 instance in your environment changes. This is important, because you want this rule to function similarly to a preventive control, which automatically remediates noncompliant open ports whenever the instance configuration changes. Although you could choose a periodic SourceEvent , such as every 24 hours, this would mean that noncompliant open ports could remain open for up to 24 hours. Depending on your risk appetite, this delay may be acceptable, but for this use case with public internet exposure, you'll probably want to remediate open ports as quickly as possible. One check worth doing in your own account: the trigger is scoped to the instance's configuration item, so confirm that editing the rules inside an already-attached security group (rather than attaching or detaching a group) also produces an evaluation; if it does not, keep the change trigger and add a periodic trigger alongside it.

 

 

  5. Next, look at the main code for this AWS Config rule, in the SECURITY_GROUP_INGRESS_REMEDIATION.py file, and find the evaluate_compliance function. You will see the comment Add your custom logic here , which is where most of the logic for this AWS Config rule resides.

 

Almost everything else in the file is provided by the generated RDK template. The RDK template handles most of the complexity of developing new AWS Config rules, and you can immediately see the difference between the relatively few lines of code you modify to develop the rule logic and the entirety of the code in the file. Feel free to read through this function to understand how validation is performed to determine whether a port is accessible to the internet, and whether an open port is acceptable according to the instance's AllowedPorts tag.

Next, you'll deploy this AWS Config rule to your environment with the RDK. Again, it's recommended to review the code to 1) understand how compliance is being determined and 2) validate that the code is safe to run before deployment; not all code shared on the internet is safe! Make sure to follow the preceding RDK link to properly install and initialize the RDK in your environment.
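The two pieces of logic the post describes, the evaluate_compliance check against the AllowedPorts tag and the detach-or-quarantine decision from the Solution overview, written out as an added example. This is not the code from the aws-samples repository the post links to. It assumes the dictionaries mirror the shape the EC2 DescribeInstances and DescribeSecurityGroups APIs return (GroupId, IpPermissions, IpRanges, Ipv6Ranges, FromPort, ToPort, IpProtocol), that the tag value is a comma-separated list of ports, that a missing tag means nothing may be exposed, and that the clone is named with a "QUARANTINED-" prefix; the sample instances and groups are constructed, not from a real account.

```python
"""Compliance check and remediation plan for internet-exposed ports, keyed off an
EC2 instance's AllowedPorts tag. Added illustration; assumptions in the lead-in."""
from typing import Dict, List, Set, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ALL_PORTS = -1  # sentinel for "every port" (IpProtocol -1, or no port range)


def parse_allowed_ports(tags: List[Dict[str, str]]) -> Set[int]:
    """Turn the AllowedPorts tag value ("80, 443, 8080") into a set of ints."""
    for tag in tags:
        if tag.get("Key") == "AllowedPorts":
            return {int(p) for p in tag["Value"].split(",") if p.strip()}
    return set()  # no tag: nothing may be exposed to the internet


def is_open_to_internet(perm: Dict) -> bool:
    """True when an ingress rule's source includes the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") in WORLD_CIDRS for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in WORLD_CIDRS for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_ports(perm: Dict) -> Set[int]:
    """Ports a rule covers; "all traffic" rules collapse to the ALL_PORTS sentinel."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return {ALL_PORTS}
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def noncompliant_ports(perm: Dict, allowed: Set[int]) -> Set[int]:
    """Internet-exposed ports in this rule that the tag does not allow. Rules limited
    to non-internet sources are ignored, whatever ports they open."""
    if not is_open_to_internet(perm):
        return set()
    return exposed_ports(perm) - allowed


def evaluate_instance(instance: Dict, groups: Dict[str, Dict]) -> Tuple[str, Dict[str, Set[int]]]:
    """The evaluate_compliance decision: ("COMPLIANT"|"NON_COMPLIANT", {group_id: bad_ports})."""
    allowed = parse_allowed_ports(instance.get("Tags", []))
    bad: Dict[str, Set[int]] = {}
    for ref in instance["SecurityGroups"]:
        sg = groups[ref["GroupId"]]
        ports: Set[int] = set()
        for perm in sg.get("IpPermissions", []):
            ports |= noncompliant_ports(perm, allowed)
        if ports:
            bad[sg["GroupId"]] = ports
    return ("NON_COMPLIANT" if bad else "COMPLIANT"), bad


def quarantined_clone(sg: Dict, allowed: Set[int]) -> Dict:
    """Copy of a group keeping only ingress rules the tag permits. A world-open rule that
    mixes allowed and disallowed ports is dropped whole rather than narrowed (fail closed).
    The "QUARANTINED-" name prefix is an assumption about the post's naming."""
    kept = [p for p in sg.get("IpPermissions", []) if not noncompliant_ports(p, allowed)]
    return {"GroupName": "QUARANTINED-" + sg["GroupName"],
            "Description": "Quarantined copy of " + sg["GroupId"],
            "VpcId": sg["VpcId"], "IpPermissions": kept}


def plan_remediation(instance: Dict, groups: Dict[str, Dict], bad: Dict[str, Set[int]]) -> Dict:
    """The post's two branches as a plan: "detach" maps to ec2.modify_instance_attribute
    (Groups=keep); "quarantine" maps to create_security_group + authorize_security_group_ingress
    per clone, then modify_instance_attribute to swap the groups. The post only describes the
    single-group quarantine; quarantining every group when none is compliant is an assumption."""
    if not bad:
        return {"action": "none"}
    attached = [g["GroupId"] for g in instance["SecurityGroups"]]
    keep = [g for g in attached if g not in bad]
    if keep:
        return {"action": "detach", "detach": sorted(bad), "keep": keep}
    allowed = parse_allowed_ports(instance.get("Tags", []))
    return {"action": "quarantine", "detach": attached,
            "attach": [quarantined_clone(groups[g], allowed) for g in attached]}


# Constructed sample data (not from a real account).
SAMPLE_GROUPS = {
    "sg-web": {"GroupId": "sg-web", "GroupName": "web", "VpcId": "vpc-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    "sg-debug": {"GroupId": "sg-debug", "GroupName": "debug", "VpcId": "vpc-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    "sg-open": {"GroupId": "sg-open", "GroupName": "open", "VpcId": "vpc-1", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}
WEB_TAG = [{"Key": "AllowedPorts", "Value": "80, 443"}]
MULTI_SG_INSTANCE = {"InstanceId": "i-multi", "Tags": WEB_TAG,
                     "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-debug"}]}
SINGLE_SG_INSTANCE = {"InstanceId": "i-single", "Tags": WEB_TAG, "SecurityGroups": [{"GroupId": "sg-debug"}]}
UNTAGGED_INSTANCE = {"InstanceId": "i-untagged", "Tags": [], "SecurityGroups": [{"GroupId": "sg-open"}]}

if __name__ == "__main__":
    for inst in (MULTI_SG_INSTANCE, SINGLE_SG_INSTANCE, UNTAGGED_INSTANCE):
        status, bad = evaluate_instance(inst, SAMPLE_GROUPS)
        print(inst["InstanceId"], status, bad, plan_remediation(inst, SAMPLE_GROUPS, bad)["action"])
```

Running it shows the three outcomes the post tests later: the two-group instance loses only sg-debug, the single-group instance gets a QUARANTINED-debug clone with the 8080 rule removed and the 443 and internal 22/3389 rules kept, and the untagged instance with an all-traffic rule is quarantined with an empty ingress list. Two details worth copying into a real rule: IPv6 (::/0) is checked as well as 0.0.0.0/0, and a missing tag fails closed instead of allowing everything.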

 

To deploy the AWS Config rule

 

  1. Run the following RDK command.

     

         rdk deploy SECURITY_GROUP_INGRESS_REMEDIATION
     
  2. After the code is deployed, sign in to the AWS Management Console and navigate to AWS Config .
  3. Navigate to Rules , and you should see the AWS Config rule SECURITY_GROUP_INGRESS_REMEDIATION . After the rule is deployed, it will automatically trigger an evaluation, and you should see evaluation results shortly after deployment.
  4. If you have any noncompliant resources, you should see them appear. If not, you can create a noncompliant security group by adding an internet-accessible port.
    1. Create a new security group and add an inbound rule with the Source set to Anywhere or 0.0.0.0/0 and an open port of your choosing.

      Figure 1: Configure a noncompliant security group

    2. After the security group is created, attach it to a running EC2 instance. Within minutes, the change you made should trigger the AWS Config rule you deployed, and you'll see the EC2 instance as noncompliant. Alternatively, you can navigate back to the AWS Config rule in the console and choose Re-evaluate manually, which will re-evaluate all of your resources (in this case, EC2 instances).

That's it for this section; you've successfully deployed a custom AWS Config rule for detecting security groups with unexpected internet-accessible ports. In the next section, you'll learn how to automatically remediate these noncompliant deviations and extend this level of detection.

 

Create a remediation action

As mentioned previously, AWS Config remediation actions are declared in Systems Manager automation documents , which are invoked for resources identified as noncompliant. This means that in order to create a custom remediation action, you'll need to create a custom Systems Manager automation document. As in the previous steps, you'll use Python as the language of choice for the remediation action in this blog post.

In the cloned GitHub repository , you'll find the SECURITY_GROUP_INGRESS_REMEDIATION.yaml file, which contains the template used for the automation document. Automation documents are written in YAML or JSON; however, the document can also be generated by using the Systems Manager Automation console to create your remediation action. For the purposes of following along in this post, you'll simply use this file and the AWS Command Line Interface (AWS CLI) to create your document.

 

To create the remediation action and accompanying infrastructure

 

  1. In the directory with the YAML remediation document, run the following command to create the automation document.

     

         aws ssm create-document --content file://SECURITY_GROUP_INGRESS_REMEDIATION.yaml --name "security-group-ingress-remediation-quarantine" --document-type "Automation" --document-format YAML
     
  2. After the document is created, you can see it under Documents in the Systems Manager console, or by running the following CLI command.
         aws ssm list-documents --filters Key=Owner,Values=Self
     
  3. Before you move on to setting up the AWS Config rule to use this document, you need to give Systems Manager the appropriate IAM permissions to perform the commands specified in the document. You should see the file security-group-ingress-remediation-quarantine-policy.json in the cloned GitHub repository. That policy document contains the necessary permissions. Review it before you create it: the remediation role can create security groups and change which groups are attached to instances, so keep its scope as tight as your environment allows. To create a new policy with those permissions, run the following command.
         aws iam create-policy --policy-name security-group-ingress-remediation-quarantine-policy --policy-document file://security-group-ingress-remediation-quarantine-policy.json
     
  4. Note the Arn key in the response, because you'll need this value in step 7 below.
  5. You also need to create an IAM role and assign the newly created policy to it. You can do that by running the following command (note that the required trust policy document is also provided, named security-group-ingress-remediation-quarantine-trust-policy.json ).
         aws iam create-role --role-name security-group-ingress-remediation-quarantine-role --assume-role-policy-document file://security-group-ingress-remediation-quarantine-trust-policy.json
     
  6. Note the Arn key in the response, because you'll need it in step 5 of the next section.
  7. Lastly, attach the created policy to your newly created role (replace POLICY_ARN with the policy Arn value you noted in step 4):
         aws iam attach-role-policy --role-name 'security-group-ingress-remediation-quarantine-role' --policy-arn POLICY_ARN
     

You've set up all of the infrastructure you need! Moving on to the next section, you'll configure your AWS Config rule to auto-remediate by using your newly created Systems Manager automation document.

 

Configure the AWS Config rule to remediate automatically

You need to associate the automation document with your AWS Config rule and configure auto-remediation. This will cause any noncompliant resources to be remediated automatically after they're identified as noncompliant.

 

To configure the rule for auto-remediation

 

    1. In the AWS Config console, navigate to your AWS Config rules and select the newly created rule.

    2. At the top right, choose Edit , and scroll down to Choose remediation action .

    3. In the Remediation action field, choose the newly created Systems Manager automation document. Be sure to turn on Auto remediation .

    4. Set the Resource ID parameter to ResourceId to indicate to the Systems Manager document which parameter is the noncompliant resource ID.

    5. Lastly, set the ConfigRuleName parameter to the name of the AWS Config rule ( SECURITY_GROUP_INGRESS_REMEDIATION ) and set the AutomationAssumeRole parameter to the role Arn you noted from the role creation response, in step 6 of the previous section. Your configuration should look like the one in Figure 2.

      Figure 2: AWS Config rule remediation configuration

    6. Save your configuration, and you should be ready to go!
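The same association expressed through the AWS Config API instead of the console, which is how you would carry it into infrastructure-as-code. This is an added example, not code from the post's repository. It assumes the rule, document and role names created earlier in the post, and uses the parameter shapes of the PutRemediationConfigurations API (boto3 `config.put_remediation_configurations`); the account ID in the sample ARN is made up.

```python
"""Bind the Systems Manager automation document to the Config rule with auto-remediation
turned on. Added example; the builder runs offline, only apply_... talks to AWS."""
from typing import Dict, Optional

RULE_NAME = "SECURITY_GROUP_INGRESS_REMEDIATION"
DOCUMENT_NAME = "security-group-ingress-remediation-quarantine"


def build_remediation_configuration(rule_name: str, document_name: str, role_arn: str,
                                    max_attempts: int = 5, retry_seconds: int = 60) -> Dict:
    """One RemediationConfiguration entry. ResourceId is a dynamic parameter that Config
    fills with the noncompliant resource's ID per evaluation (ResourceValue RESOURCE_ID);
    ConfigRuleName and AutomationAssumeRole are fixed values (StaticValue)."""
    # A mistyped role ARN is only rejected when the automation tries to assume it, so check early.
    if not (role_arn.startswith("arn:") and ":role/" in role_arn):
        raise ValueError("AutomationAssumeRole must be an IAM role ARN")
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": document_name,
        "Automatic": True,  # the console's "Auto remediation" toggle
        "Parameters": {
            "ResourceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "ConfigRuleName": {"StaticValue": {"Values": [rule_name]}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
        # Retry budget for automatic remediation (service defaults are 5 attempts / 60 seconds).
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
    }


def apply_remediation_configuration(config: Dict, region: Optional[str] = None) -> Dict:
    """Push the configuration to AWS Config. Needs credentials; boto3 is imported here so
    the builder above stays usable without it."""
    import boto3
    client = boto3.client("config", region_name=region)
    return client.put_remediation_configurations(RemediationConfigurations=[config])


if __name__ == "__main__":
    import json
    import sys
    # Hypothetical ARN for illustration; pass the real one noted in step 6 as argv[1].
    role = sys.argv[1] if len(sys.argv) > 1 else \
        "arn:aws:iam::123456789012:role/security-group-ingress-remediation-quarantine-role"
    print(json.dumps(build_remediation_configuration(RULE_NAME, DOCUMENT_NAME, role), indent=2))
```

The printed JSON is also what the `aws configservice put-remediation-configurations --remediation-configurations` CLI option accepts, so the builder doubles as a way to review the exact mapping before applying it.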

 

 

Put it all together

Let's test the use cases our solution attempts to address.

 

EC2 instance with multiple security groups attached

The first use case involves an EC2 instance with multiple security groups attached.

 

To test the remediation for the first use case

 

    1. In the Amazon EC2 console, create an EC2 instance (if you don't already have one) and attach a compliant security group with no ports accessible to the internet.

 

    2. Attach a new security group to the instance. Feel free to use the noncompliant security group you created in the Create the AWS Config rule section.

 

    3. Wait for the configuration change to trigger the AWS Config rule. After the rule runs, the remediation action should run. The Action status field for the resource in the AWS Config rule console view will indicate when the remediation action has run.

      Figure 3: Noncompliant EC2 instance detected

       

       

 

    4. Go to the EC2 instance in the Amazon EC2 console to view the instance's attached security groups. You should see that the noncompliant security group has been detached from the instance.

 

 

EC2 instance with a single noncompliant security group attached

The second use case involves an EC2 instance with a single noncompliant security group attached.

 

To test the remediation for the second use case

 

    1. In the Amazon EC2 console, create an EC2 instance (if you don't already have one) and attach a noncompliant security group with ports open to the internet. Feel free to use the noncompliant security group you created in the Create the AWS Config rule section. It's recommended to add multiple rules to the security group (some compliant and some noncompliant) to see the behavior of the quarantine functionality.

 

    2. Wait for the configuration change to trigger the AWS Config rule. After the rule runs, the remediation action should also run.

 

    3. Go to the EC2 instance in the Amazon EC2 console to view the instance's attached security groups. You should see that the EC2 instance has been quarantined by attaching a new security group prefixed with the string QUARANTINED . The noncompliant rules in the security group should be removed, and only the allowed rules remain.

      Figure 4: EC2 instance remediated with quarantined security group

       

       

 

 

EC2 instance with allowed open ports

The third use case involves an EC2 instance with allowed open ports.

 

To test the remediation for the third use case

 

    1. In the Amazon EC2 console, create an EC2 instance (if you don't already have one) and attach a compliant security group with no ports accessible to the internet.

 

    2. On the Tags tab for the instance, create a tag on the instance with the key AllowedPorts and a value of 8443.

      Figure 5: A tag attached to the EC2 instance that indicates an exception

       

       

 

    3. Attach a new security group to the instance, with a rule allowing port 8443 to be open to 0.0.0.0/0 .

 

    4. Wait for the configuration change to trigger the AWS Config rule. After the rule runs, you should see that the instance is marked as compliant, because the port is allowed even though it's internet-accessible.

      Figure 6: The EC2 instance with a defined tag-based exception is appropriately marked as compliant

       

       

 

 

Summary

Congratulations on getting this far! Hopefully you've now learned about using AWS Config not only as a detective mechanism, but also as a rapid responsive one. The solution we demonstrated in this post solves a real-world problem that impacts the security of many organizations. Hopefully this illustrated how you can use AWS Config, Systems Manager automation documents, and configuration tags as a scalable solution. We also hope you learned a bit more about how you can develop custom AWS Config rules and remediation actions by using the RDK. Additionally, you've successfully deployed the following:

 
    1. A custom AWS Config rule, built with the RDK, that identifies unallowed internet-accessible ports in security groups attached to EC2 instances.

 

    2. A remediation action to quarantine noncompliant security groups or Amazon EC2 instances and remove unallowed internet-accessible ports.

 

    3. The underlying infrastructure required to support the preceding items (the Lambda function, IAM policies, IAM roles, and so on).

 

Taking this a step further, we recommend that you consider doing the following to deploy your solution at scale more effectively:

 
    1. Deploy the AWS Config rule and associated remediation action as a conformance pack .

 

    2. Define the infrastructure as code by using the AWS Cloud Development Kit (AWS CDK) .

 

    3. Identify open ports by using the Amazon Inspector Network Reachability package .

 

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the discussion forum for AWS Config or AWS Systems Manager or contact AWS Support .
