{"id":13625930,"url":"https://github.com/mlevit/aws-auto-remediate","last_synced_at":"2025-04-16T10:33:51.796Z","repository":{"id":188197374,"uuid":"184559940","full_name":"mlevit/aws-auto-remediate","owner":"mlevit","description":"Open source application to instantly remediate common security issues through the use of AWS Config","archived":false,"fork":false,"pushed_at":"2020-09-03T22:56:09.000Z","size":266,"stargazers_count":222,"open_issues_count":3,"forks_count":28,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-08-02T22:21:51.779Z","etag":null,"topics":["aws","aws-compliance","aws-security","cloud","lambda","remediation","security","security-tools","serverless","serverless-framework"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mlevit.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-05-02T10:13:56.000Z","updated_at":"2024-07-31T18:05:52.000Z","dependencies_parsed_at":"2023-08-14T08:26:09.133Z","dependency_job_id":"ea80fca0-7682-4f47-ab19-10e27f526665","html_url":"https://github.com/mlevit/aws-auto-remediate","commit_stats":null,"previous_names":["mlevit/aws-auto-remediate"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlevit%2Faws-auto-remediate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlevit%2Faws-auto-remediate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlevit%2Faws-auto-remediate/releases","manifests_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlevit%2Faws-auto-remediate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mlevit","download_url":"https://codeload.github.com/mlevit/aws-auto-remediate/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223708450,"owners_count":17189780,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-compliance","aws-security","cloud","lambda","remediation","security","security-tools","serverless","serverless-framework"],"created_at":"2024-08-01T21:02:05.996Z","updated_at":"2024-11-08T15:30:47.897Z","avatar_url":"https://github.com/mlevit.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# AWS Auto Remediate\n\n[![Build Status](https://travis-ci.org/servian/aws-auto-remediate.svg?branch=master)](https://travis-ci.org/servian/aws-auto-remediate) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/5bce55175d32494c89f0648b27719f43)](https://www.codacy.com/app/servian/aws-auto-remediate?utm_source=github.com\u0026utm_medium=referral\u0026utm_content=servian/aws-auto-remediate\u0026utm_campaign=Badge_Grade) [![Codacy Badge](https://api.codacy.com/project/badge/Coverage/5bce55175d32494c89f0648b27719f43)](https://www.codacy.com/app/servian/aws-auto-remediate?utm_source=github.com\u0026utm_medium=referral\u0026utm_content=servian/aws-auto-remediate\u0026utm_campaign=Badge_Coverage)\n\n![Release](https://img.shields.io/github/release/servian/aws-auto-remediate.svg) ![Pre-release 
Date](https://img.shields.io/github/release-date-pre/servian/aws-auto-remediate.svg)\n\n![Language](https://img.shields.io/github/languages/top/servian/aws-auto-remediate.svg) [![serverless](http://public.serverless.com/badges/v3.svg)](http://www.serverless.com) [![Python Black](https://img.shields.io/badge/code%20style-black-000000.svg?label=Python%20code%20style)](https://github.com/python/black) [![code style: prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg?label=Markdown%2FYAML%20code%20style)](https://github.com/prettier/prettier)\n\nOpen source application to instantly remediate common security issues through the use of AWS Config.\n\n![auto-remediate](images/auto-remediate.svg)\n\n## Table of Contents\n\n- [About](#about)\n- [Setup](#setup)\n  - [Deployment](#deployment)\n  - [Update](#update)\n  - [Removal](#removal)\n- [Settings](#settings)\n- [Config Rules](#config-rules)\n  - [AWS Config Managed Rules](#aws-config-managed-rules)\n  - [AWS Security Hub Rules](#aws-security-hub-rules)\n- [Resources](#resources)\n- [Coverage](#coverage)\n- [Contributing](CONTRIBUTING.md)\n\n## About\n\n### Auto Remediate\n\nThe Auto Remediate function is triggered via an SQS Queue `auto-remediate-config-compliance`. The SQS Queue is populated with a compliance payload from AWS Config via a CloudWatch Event `auto-remediate-config-compliance`. The purpose of the CloudWatch Event is to filter out all non-compliance-related messages that AWS Config generates.\n\nOnce the Lambda function has been triggered, it will attempt to remediate the security concern. If the remediation was unsuccessful, the event payload will be sent to the dead letter queue (DLQ) SQS Queue `auto-remediate-dlq`. Each time a payload is sent to the DLQ, a `try_count` attribute on the SQS message is incremented. 
Once that count exceeds the `RETRYCOUNT` variable attached to the Lambda Function, the message will no longer be sent to the DLQ.\n\nIf no remediation exists for the incoming AWS Config event, the AWS Config payload will be sent to an SNS Topic `auto-remediate-missing-remediation`, which can be subscribed to by administrators or other AWS services.\n\n### Auto Remediate DLQ\n\nThe Auto Remediate DLQ function is triggered on a schedule (defined in the `serverless.yml` file). When the function is run, it retrieves messages from the SQS Queue `auto-remediate-dlq` and sends them to the compliance SQS Queue `auto-remediate-config-compliance`.\n\n### Auto Remediate Setup\n\nThe Auto Remediate Setup function is triggered manually by the user. The purpose of this function is to invoke CloudFormation Stacks for each of the AWS Config Rules that will monitor for security issues, as well as to create/insert records into the DynamoDB settings table used to control the actions of the Auto Remediate function.\n\n## Setup\n\n### New Account\n\nProceed to the [Deployment](#deployment) section below.\n\n### Existing Account\n\nAuto Remediate utilises the compliance event triggers made by AWS Config. Because AWS Config will trigger a compliance event **only** when the compliance status of a resource changes state (i.e., COMPLIANT to NON_COMPLIANT or vice versa), it is advised that you **disable** the `CIS AWS Foundations` compliance standards within AWS Security Hub (and ensure all AWS Config rules starting with `securityhub` are removed from your account) before proceeding.\n\nOnce AWS Config is cleared of all AWS Security Hub related rules, you may proceed to deploy Auto Remediate and enable the `CIS AWS Foundations` compliance standards within AWS Security Hub.\n\n### Deployment\n\n1.  Install the [Serverless Framework](https://serverless.com/)\n\n```bash\nnpm install serverless --global\n```\n\n2.  
Install [AWS CLI](https://aws.amazon.com/cli/)\n\n```bash\npip3 install awscli --upgrade --user\n```\n\n3.  Configure the AWS CLI following the instructions at [Quickly Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration). Ensure the user you're configuring has the appropriate IAM permissions to create Lambda Functions, S3 Buckets, IAM Roles, and CloudFormation Stacks. It is best for administrators to deploy Auto Remediate.\n\n4.  Install Auto Remediate\n\n```bash\nserverless create --template-url https://github.com/servian/aws-auto-remediate --path aws-auto-remediate\n```\n\n5.  Change into the Auto Remediate directory\n\n```bash\ncd aws-auto-remediate\n```\n\n6.  Install Serverless plugins needed for deployment\n\n```bash\nserverless plugin install --name serverless-python-requirements\n```\n\n```bash\nnpm install serverless-iam-roles-per-function\n```\n\n7.  Deploy Auto Remediate to your AWS account\n\n```bash\nserverless deploy [--region \u003cAWS region\u003e] [--aws-profile \u003cAWS CLI profile\u003e]\n```\n\n8.  Invoke Auto Remediate Setup for the first time to create the necessary AWS Config rules and settings\n\n```bash\nserverless invoke -f AutoRemediateSetup [--region \u003cAWS region\u003e] [--aws-profile \u003cAWS CLI profile\u003e]\n```\n\n9.  Check Auto Remediate Setup logs\n\n```bash\nserverless logs -f AutoRemediateSetup [--region \u003cAWS region\u003e] [--aws-profile \u003cAWS CLI profile\u003e]\n```\n\n### Update\n\n1.  Remove the existing Auto Remediate directory\n\n2.  Install Auto Remediate\n\n```bash\nserverless create --template-url https://github.com/servian/aws-auto-remediate --path aws-auto-remediate\n```\n\n3.  Deploy the Auto Remediate update to your AWS account\n\n```bash\nserverless deploy [--region \u003cAWS region\u003e] [--aws-profile \u003cAWS CLI profile\u003e]\n```\n\n4.  
Invoke Auto Remediate Setup to deploy new AWS Config rules and settings\n\n```bash\nserverless invoke --function AutoRemediateSetup [--region \u003cAWS region\u003e] [--aws-profile \u003cAWS CLI profile\u003e]\n```\n\n### Removal\n\nAuto Remediate is deployed using the Serverless Framework, which under the hood creates an AWS CloudFormation Stack, allowing for a clean and simple removal process.\n\nTo remove Auto Remediate from your AWS account, follow the steps below:\n\n1.  Change into the Auto Remediate directory\n\n```bash\ncd aws-auto-remediate\n```\n\n2.  Remove Auto Remediate from your AWS account\n\n```bash\nserverless remove [--region \u003cAWS region\u003e] [--aws-profile \u003cAWS CLI profile\u003e]\n```\n\n## Settings\n\nAuto Remediate uses a DynamoDB settings table `auto-remediate-settings` that allows the user to control which rules should be remediated by the tool. Once Auto Remediate Setup has been run, head on over to DynamoDB and inspect the `rules` key, where you can then set the `remediate` key to `false` if you'd like to disable automatic remediation for a rule.\n\nFor rules deployed by Auto Remediate Setup (e.g., `auto-remediate-rds-instance-public-access-check`) an extra key `deploy` can be found in the settings table. 
Although not functional at the moment, this will allow users to control which Auto Remediate deployed rules should be deployed and which should be skipped.\n\n## Config Rules\n\nThe tables below detail the auto remediated rules and scenarios.\n\n:warning: All remediations tagged with a warning symbol may break existing functionality.\n\n### AWS Config Managed Rules\n\n#### Database\n\n| Rule                             | Description                                                                                                                                                                                              | Remediation                                          |\n| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |\n| RDS Instance Public Access Check | Check whether the Amazon Relational Database Service instances are not publicly accessible.\u003cbr /\u003eThe rule is NON_COMPLIANT if the `publiclyAccessible` field is true in the instance configuration item. 
| :warning: Sets `publiclyAccessible` field to `False` |\n\n#### Storage\n\n| Rule                                      | Description                                                                                                                                                                            | Remediation                                      |\n| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |\n| S3 Bucket Server Side Encryption Enabled  | Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies `put-object` requests without server side encryption. | Enables SSE                                      |\n| S3 Bucket SSL Requests Only               | Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).                                                                                        | Adds Bucket Policy to force SSL only connections |\n\n### AWS Security Hub Rules\n\n#### Compute\n\n| Rule           | Description                                                                                                                                    | Remediation                              |\n| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |\n| Restricted RDP | Checks whether the incoming RDP traffic is allowed from `0.0.0.0/0` or `::/0`. This rule is compliant when incoming RDP traffic is restricted. | :warning: Deletes offending inbound rule |\n| Restricted SSH | Checks whether the incoming SSH traffic is allowed from `0.0.0.0/0` or `::/0`. 
This rule is compliant when incoming SSH traffic is restricted. | :warning: Deletes offending inbound rule |\n\n#### Management and Governance\n\n| Rule                                   | Description                                                                                                                                                                                              | Remediation                                                               |\n| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- |\n| CloudTrail CloudWatch Logs Enabled     | Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.                                                                                                              | Enables CloudWatch logs to Log Group `cloudtrail/\u003cCloudTrail Name\u003e`       |\n| CloudTrail Encryption Enabled          | Ensures CloudTrail logs are encrypted at rest using KMS CMKs.                                                                                                                                            | Enables CloudWatch encryption with KMS CMK `cloudtrail/\u003cCloudTrail Name\u003e` |\n| CloudTrail Log File Validation Enabled | Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that file validation be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled.         | Enables CloudTrail Validation                                             |\n| Multi Region Cloud Trail Enabled       | Checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match the input parameters.                                        
                         | Enables Multi Region CloudTrail                                           |\n\n#### Network and Content Delivery\n\n| Rule                              | Description                                                                                                                                                                                                                       | Remediation                                                                                          |\n| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |\n| VPC Flow Logs Enabled             | Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.                                                                                                                                       | Creates new S3 Bucket `\u003cAccount Number\u003e-\u003cRegion\u003e-flow-logs` for logging with a prefix of `\u003cVPC ID\u003e/` |\n| VPC Default Security Group Closed | Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound rules.   
| Deletes all egress and ingress rules                                                                 |\n\n#### Security, Identity \u0026 Compliance\n\n| Rule                                       | Description                                                                                                                                                                                                                                     | Remediation                                                                                                                                                                                                                                         |\n| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Access Keys Rotated                        | Checks whether the active access keys are rotated within 90 days.                                                                                                                                                                               | :warning: Deletes Access Key                                                                                                                                                                                                                        |\n| Customer Managed Key Rotation Enabled      | Checks that key rotation is enabled for customer-created customer master keys (CMKs).                                                                                                           
                                                | Enables key rotation                                                                                                                                                                                                                                |\n| IAM Password Policy Ensure Expires         | Checks whether the IAM password policy ensures that passwords expire.                                                                                                                                                                           | Enables password expiration                                                                                                                                                                                                                         |\n| IAM Password Policy Lowercase Letter Check | Checks whether the IAM password policy enforces the inclusion of a lowercase letter.                                                                                                                                                            | Enables \"Require at least one lowercase letter\" option                                                                                                                                                                                              |\n| IAM Password Policy Minimum Length Check   | Checks whether the IAM password policy enforces a minimum length.                                                                                                                                                                               | Sets minimum password length to 14.                                                                                                                                                                                                                 
|\n| IAM Password Policy Number Check           | Checks whether the IAM password policy enforces the inclusion of a number.                                                                                                                                                                      | Enables \"Require at least one number\" option                                                                                                                                                                                                        |\n| IAM Password Policy Prevent Reuse Check    | Checks whether the IAM password policy prevents password reuse.                                                                                                                                                                                 | Sets number of passwords to remember to 24.                                                                                                                                                                                                         |\n| IAM Password Policy Symbol Check           | Checks whether the IAM password policy enforces the inclusion of a symbol.                                                                                                                                                                      | Enables \"Require at least one non-alphanumeric character\" option                                                                                                                                                                                    |\n| IAM Password Policy Uppercase Letter Check | Checks whether the account password policy for IAM users requires at least one uppercase character in password.                                                                                                                                 
| Enables \"Require at least one uppercase letter\" option                                                                                                                                                                                              |\n| IAM Policy No Statements with Admin Access | Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access.\u003cbr /\u003eIf any statement has `\"Effect\": \"Allow\"` with `\"Action\": \"*\"` over `\"Resource\": \"*\"`, the rule is NON_COMPLIANT. | :warning: Creates new Policy with offending Statements removed                                                                                                                                                                                      |\n| IAM User No Policies Check                 | Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.                                                                                                                         | Detaches Managed Policies from offending IAM User                                                                                                                                                                                                   |\n| IAM User Unused Credentials Check          | Checks whether AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within 90 days.                                                                                                      
| :warning: Deletes Access Key / Login Profile                                                                                                                                                                                                        |\n| MFA Enabled for IAM Console Access         | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.                                                                                             | :warning: Deletes user's Login Profile only. [Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API.](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html) |\n\n#### Storage\n\n| Rule                              | Description                                            | Remediation                                                                                                 |\n| --------------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------- |\n| S3 Bucket Logging Enabled         | Checks whether logging is enabled for your S3 buckets. | Creates new S3 Bucket `\u003cAccount Number\u003e-\u003cRegion\u003e-access-logs` for logging with a prefix of `\u003cBucket Name\u003e/` |\n| S3 Bucket Public Read Prohibited  | Checks to see if S3 buckets are publicly readable.     | :warning: Sets S3 Bucket ACL to `private`                                                                   |\n| S3 Bucket Public Write Prohibited | Checks to see if S3 buckets allow public write.        
| :warning: Sets S3 Bucket ACL to `private`                                                                   |\n\n## Resources\n\nThe table below details all AWS resources created when deploying the application.\n\n| Service               | Resource ID                                                                                          |\n| --------------------- | ---------------------------------------------------------------------------------------------------- |\n| CloudFormation Stack  | `auto-remediate`                                                                                     |\n| CloudWatch Event Rule | `auto-remediate-config-compliance`                                                                   |\n| DynamoDB Table        | `auto-remediate-settings`                                                                            |\n| Lambda Function       | `auto-remediate`                                                                                     |\n|                       | `auto-remediate-dlq`                                                                                 |\n|                       | `auto-remediate-setup`                                                                               |\n| SNS Topic             | `auto-remediate-log` (not functional [#19](https://github.com/servian/aws-auto-remediate/issues/19)) |\n|                       | `auto-remediate-missing-remediation`                                                                 |\n| SQS Queue             | `auto-remediate-config-compliance`                                                                   |\n|                       | `auto-remediate-dlq`                                                                                 |\n\n## Coverage\n\n[Full list of development and automated testing coverage found 
here.](COVERAGE.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmlevit%2Faws-auto-remediate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmlevit%2Faws-auto-remediate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmlevit%2Faws-auto-remediate/lists"}