6.2 - PaulDuvall/aws-compliance-workshop GitHub Wiki
6.2 Manually provision an automatic remediation solution using AWS Console
Review and ensure that you have setup your development environment before going through the steps below.
Auto-remediate from the AWS Console
Create an S3 Bucket for CloudTrail Trail
- Go to the S3 console.
- Click the Create bucket button.
- Enter
ccoa-cloudtrail-ACCOUNTIDin the Bucket name field (replacingACCOUNTIDwith your account id). - Click Next on the Configure Options screen.
- Click Next on the Set Permissions screen.
- Click Create bucket on the Review screen.
Create a CloudTrail Trail
- Go to the CloudTrail console.
- Click the Create trail button.
- Enter ccoa-cloudtrail in the Trail name field.
- Choose the checkbox next to Select all S3 buckets in your account in the Data events section.
- Choose the No radio button for the Create a new S3 bucket field in the Storage location section.
- Choose the S3 bucket you just created from the S3 bucket dropdown.
- Click the Create button.
Create an AWS Config Recorder
NOTE: If you have already enabled Config on your AWS account, you do not need to go through these instructions.
- Go to the Config console.
- If it is your first time using Config, click the Get Started button.
- Select the Include global resources (e.g., AWS IAM resources) checkbox.
- In the Amazon S3 bucket section, select the Create a bucket radio button.
- In the AWS Config role section, select the Use an existing AWS Config service-linked role radio button.
- Click the Next button.
- Click the Skip button on the AWS Config rules page.
- Click the Confirm button on the Review page.
NOTE: The above creates one Config Recorder and one Config Delivery Channel.
Create an S3 Bucket in violation
- Go to the S3 console.
- Click the Create bucket button.
- Enter
ccoa-6-s3-violation-ACCOUNTIDin the Bucket name field (replacingACCOUNTIDwith your account id). - Click Next on the Configure Options screen.
- Unselect the Block all public access checkbox and click Next on the Set Permissions screen.
- Click Create bucket on the Review screen.
- Select the
ccoa-6-s3-violation-ACCOUNTIDbucket and choose the Permissions tab. - Click on Bucket Policy and paste the contents from below into the Bucket policy editor text area (replace both
mybucketnamevalues with theccoa-6-s3-violation-ACCOUNTIDbucket you just created). - Click the Save button.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:Abort*",
"s3:DeleteObject",
"s3:GetBucket*",
"s3:GetObject",
"s3:List*",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::mybucketname",
"arn:aws:s3:::mybucketname/*"
]
}
]
}
You will receive this message:
You have provided public access to this bucket. We highly recommend that you never grant any kind of public access to your S3 bucket.
Create an IAM Policy and Role for Lambda
- Go to the IAM console.
- Click on Policies.
- Click Create policy.
- Click the JSON tab.
- Copy and replace the contents below into the JSON text area.
- Click the Review policy button.
- Enter ccoa-6-s3-policy in the *Name field.
- Click the Create policy button.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:DeleteBucketPolicy",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
- Click on Roles.
- Click the Create role button.
- Click Lambda from the Choose the service that will use this role section.
- Click the Next: Permissions button.
- Click ccoa-6-s3-policy in the Filter policies search field.
- Select the checkbox next to ccoa-6-s3-policy and click on the Next: Tags button.
- Click the Next: Review button.
- Enter
ccoa-6-s3-write-rolein the Role name field. - Click the Create role button.
Create a Lambda function
-
Go to the Lambda console.
-
Click the Create function button.
-
Keep the Author from scratch radio button selected and enter
ccoa-6-lambda-s3in the Function name field. -
Choose
Node.js 10.xfor the Runtime. -
Under Permissions choose the Choose or create an execution role.
-
Under Execution role, choose Use an existing role.
-
In the Existing role dropdown, choose
ccoa-6-s3-write-role. -
Click the Create function button.
-
Scroll to the Function code section and within the
index.jspane, copy and replace the code with the contents of this index.js file. -
Click the Save button.
Create a Config Rule (Managed Rule which runs Lambda function)
- Go to the Config console.
- Click Rules.
- Click the Add rule button.
- In the filter box, type
s3-bucket-public-write-prohibited. - Choose the s3-bucket-public-write-prohibited rule.
- Click the Save button.
Cloudwatch Event Rule
- Go to the CloudWatch console.
- Click on Rules.
- Click the Create rule button.
- Choose Event pattern in the Event Source section.
- In the Event Pattern Preview section, click Edit.
- Copy the contents from below and replace in the Event pattern text area.
- Click the Save button.
- Click the Add target button.
- Choose Lambda function.
- Select the
ccoa-6-lambda-s3function you previously created. - Click the Configure details button.
- Enter
ccoa-s3-write-cwein the Name field. - Click the Create rule button.
{
"source":[
"aws.config"
],
"detail":{
"requestParameters":{
"evaluations":{
"complianceType":[
"NON_COMPLIANT"
]
}
},
"additionalEventData":{
"managedRuleIdentifier":[
"S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
]
}
}
}
Verify Compliance
- Go to the Config console.
- Click on Rules.
- Select the s3-bucket-public-write-prohibited rule.
- Click the Re-evaluate button.
- Go back to Rules in the Config console.
- Go to the S3 console and choose the
ccoa-6-s3-violation-ACCOUNTIDbucket. - Click on the Permissions tab.
- Click on the Bucket Policy and ensure that bucket policy has been removed.
- Go back to Rules in the Config console and confirm that the s3-bucket-public-write-prohibited rule is Compliant.
Additional Resources
Cleanup
Go to Cleanup to remove any resources you created in this sublesson.