5.1 - PaulDuvall/aws-compliance-workshop GitHub Wiki
5.1 Describe different ways to perform automatic remediations
You can configure AWS to run automatic remediations on a schedule or in response to events. For example, you can run a Lambda function that brings an AWS resource into compliance with an organizational or team directive based on Amazon Inspector security findings. You can use Amazon CloudWatch Events to watch for changes to certain resources (e.g. Amazon S3 bucket permissions) and trigger a Lambda function that automatically modifies the resource to restore compliance.
The exercises in this lesson run auto remediations in response to AWS resource changes detected by AWS Config Rules; the noncompliance finding triggers an AWS Systems Manager Automation document that modifies the resource so that it is compliant.
Remediation Scenarios
There are many ways to detect and then remediate noncompliant resources on AWS, but most of the actual detection is performed in a Lambda function, either a custom one you write or a managed one written and maintained by AWS (AWS managed Config Rules). The scenarios differ in which combination of services triggers the detection and the remediation; this can include AWS Config Rules, CloudWatch Event Rules, and several other services covered later.
Detect with CloudWatch Event Rules and Remediate with Lambda
A CloudWatch Events rule detects the noncompliant resource change and runs a custom Lambda function to remediate the noncompliant resource.
Detect with Config Rules and Remediate using an SSM Automation Remediation Triggered by CloudWatch Event Rules
An AWS managed Config Rule (written and maintained by AWS and backed by Lambda) detects the noncompliant resource; a CloudWatch Events rule matches the resulting compliance change and starts an AWS Systems Manager Automation document that remediates it. The SSM Agent is only needed when an Automation step runs commands on an instance (e.g. aws:runCommand); steps that call AWS APIs directly (e.g. aws:executeAwsApi) do not require it.
Detect with Managed (or Custom) Config Rules and Remediate using a Custom Lambda function triggered by CloudWatch Event Rules
A managed (or custom) Config Rule detects the noncompliant resource, AWS Config emits a compliance change event, and a CloudWatch Events rule matches that event and runs a custom Lambda function to remediate the resource.
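The following is an added example of the third scenario and is not code from the aws-compliance-workshop repository. It shows the CloudWatch Events pattern that selects AWS Config "Config Rules Compliance Change" events for one rule, and a Lambda handler that applies an S3 Public Access Block to the bucket named in the event. The rule name `s3-bucket-public-read-prohibited` (the name you would give the S3_BUCKET_PUBLIC_READ_PROHIBITED managed rule), the bucket name and the account ID are assumptions; the sample event is constructed in the shape AWS Config emits, trimmed to the fields the handler reads. The S3 client is passed in as a parameter so the logic can be exercised offline with a recording stand-in.

```python
"""Remediate an S3 bucket that an AWS Config rule has flagged NON_COMPLIANT.

Added example (not code from PaulDuvall/aws-compliance-workshop). A CloudWatch
Events rule with EVENT_PATTERN invokes lambda_handler; the handler re-checks the
pattern in code and then blocks public access on the bucket.
"""
import json

try:
    import boto3  # present in the Lambda runtime; optional so the module imports offline
except ImportError:  # pragma: no cover
    boto3 = None

# Event pattern for the CloudWatch Events rule. The configRuleName value is an
# assumption: it is whatever name you gave the managed rule in your account.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["s3-bucket-public-read-prohibited"],
        "resourceType": ["AWS::S3::Bucket"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches_pattern(event, pattern):
    """Basic CloudWatch Events matching: every key in the pattern must exist in
    the event; a list of literals matches when the event value is one of them;
    a nested dict is matched recursively. Content-filtering operators are not
    implemented here."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def remediate_bucket(bucket, s3):
    """Block all public access on the bucket. `s3` is a boto3 S3 client, or any
    object exposing the same put_public_access_block keyword signature."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    return bucket


def handle_compliance_change(event, s3):
    """Return the remediated bucket name, or None if the event is not one this
    function should act on. Re-checking the pattern in code means a loosely
    scoped or mis-edited rule cannot make this function modify the wrong resource
    or act on a COMPLIANT transition."""
    if not matches_pattern(event, EVENT_PATTERN):
        return None
    return remediate_bucket(event["detail"]["resourceId"], s3)


def lambda_handler(event, context):
    """Lambda entry point; the CloudWatch Events rule is the trigger."""
    return {"remediated": handle_compliance_change(event, boto3.client("s3"))}


# Constructed sample event in the shape AWS Config emits for a compliance change,
# trimmed to the fields the handler reads. Account and bucket names are made up.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "resourceId": "example-public-bucket",
        "resourceType": "AWS::S3::Bucket",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}


class RecordingS3:
    """Offline stand-in for the boto3 S3 client: records the call instead of making it."""

    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    s3 = RecordingS3()
    print(handle_compliance_change(SAMPLE_EVENT, s3))
    print(json.dumps(s3.calls, indent=2))
```

Deploying this means creating the CloudWatch Events rule with `EVENT_PATTERN` and the Lambda function as its target, and granting the function's execution role `s3:PutPublicAccessBlock` (scoped to the buckets it may touch). Keeping the pattern check in the handler is deliberate: the rule decides which events are delivered, but the code decides what it is willing to change.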
Other Auto Remediation Scenarios
There are several other remediation scenarios including:
- CloudWatch Event Rules that call a Lambda function to remediate based on Amazon Inspector findings
- CloudWatch Event Rules that call a Lambda function to remediate based on Amazon GuardDuty findings
- CloudWatch Event Rules that call a Lambda function to remediate based on Amazon Macie alerts