Currently, in order to set up auto-remediation for the CloudWatch controls 1-14 you need to perform some initial configuration.
...
The following information takes you through what needs to be checked in order to perform auto-remediation on CloudWatch controls 1-14 in AUTOMATE+.
Goal - ability to use auto-remediation for controls CloudWatch.1 → CloudWatch.14
A select number of controls, namely CloudWatch.1 → CloudWatch.14, require additional manual effort before a customer can use the auto-remediation toggle.
IMPORTANT NOTE: Skip the steps below if the controls are already showing as PASSED, except for CloudTrail.1.
To check this, open Review & Fix Misconfigurations.
Once the following steps have been completed you may then use “Auto-remediation” with AUTOMATE+ for CloudWatch.1 → CloudWatch.14:
...
1. After AUTOMATE+ deployment, or if you have already deployed AUTOMATE+:
a. Check the CloudTrail.1 control:
i. If the control is FAILED in AUTOMATE+, expand the control on the Automation page and click Remediate in the dropdown. This will create a multi-region CloudTrail for you.
...
1. Navigate to AWS CloudTrail
2. Click on Dashboard (from the left-hand menu)
3. Click on Create Trail
4. Use CloudTrail name: multi-region-cloud-trail
5. Create new S3 bucket (use automatic name prefilled)
6. SSE-KMS encryption: leave checked
7. KMS alias: select Existing
8. Select existing KMS alias: SO0111-SHARR-Remediation-Key
9. Log file validation: leave checked
10. SNS notification delivery: leave unchecked
11. CloudWatch Logs: select Enable
12. Paste in the following CloudWatch log group name: six-pillars-aws-cloudwatch-cloudtrail
13. For Assumed Role, select Existing and choose: SO0111-CloudTrailToCloudWatchLogs
14. Click Next
15. Click Next again
16. Click Create Trail
b. Check CloudTrail.4:
i. If the control is FAILED, trigger instance remediation via the Automation page.
c. Check CloudTrail.5:
i. If the control is FAILED, trigger instance remediation via the Automation page.
ii. If you created a new trail following step 1.a.ii, either follow the steps below, or wait for that trail to show up as a resource under CloudTrail.5 and then trigger instance remediation to correct it.
...
1. Go to CloudTrail and select the multi-region-cloud-trail
2. Click Edit in the CloudWatch Logs section
a. Check Enabled checkbox
b. Select Existing Log Group and paste in: six-pillars-aws-cloudwatch-cloudtrail
c. Select New IAM Role and paste in: six-pillars-aws-cloudwatch-cloudtrail
d. Click Save Changes
e. Check CloudTrail.2
...
Once all of the controls above are in a PASSED compliance status, trigger instance remediation on CloudWatch.1 via the Automation page.
The automation of CloudWatch.1 creates an SNS topic named SO0111-SHARR-LocalAlarmNotification; you need to create a subscription to this SNS topic:
i. Go to SNS > Topics and select the topic SO0111-SHARR-LocalAlarmNotification
ii. Click Create subscription
iii. Select Protocol as Email and then enter your preferred email address or group address.
iv. Click Create subscription
v. Once you have done this you will receive an email in your inbox; you must open it and click the link to accept the subscription.
vi. If you navigate again to the SNS topic “SO0111-SHARR-LocalAlarmNotification” you will see a confirmed subscription.
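The following is an added example, not AUTOMATE+ or AWS SHARR code, that checks offline whether a trail and the alarm topic match the settings configured in the steps above (multi-region, log file validation, the SO0111-SHARR-Remediation-Key KMS alias, the six-pillars-aws-cloudwatch-cloudtrail log group and delivery role, and a confirmed email subscription). The inputs are assumed to be dicts shaped like the boto3 responses named in the docstring; the sample data at the bottom is constructed.

```python
"""Offline check of the trail and SNS settings the steps above configure.
Added example, not AUTOMATE+ or AWS SHARR code. Inputs are dicts shaped like
boto3 responses: cloudtrail.get_trail()["Trail"], cloudtrail.get_trail_status(),
sns.list_subscriptions_by_topic()["Subscriptions"]; swap in live calls for a real account."""
REQUIRED_LOG_GROUP = "six-pillars-aws-cloudwatch-cloudtrail"  # step 12 above
REQUIRED_KMS_ALIAS = "alias/SO0111-SHARR-Remediation-Key"   # step 8 above
ALARM_TOPIC = "SO0111-SHARR-LocalAlarmNotification"        # created by the CloudWatch.1 remediation


def check_trail(trail, status, alias_to_key):
    """Return findings (an empty list means the trail matches the guide).
    alias_to_key maps KMS alias name -> key ARN, e.g. flattened from kms.list_aliases()."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region (CloudTrail.1)")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled (CloudTrail.4)")
    key = trail.get("KmsKeyId")
    if not key:
        findings.append("logs not SSE-KMS encrypted (CloudTrail.2)")
    elif alias_to_key.get(REQUIRED_KMS_ALIAS, key) != key:  # alias unknown -> no finding
        findings.append(f"trail does not use {REQUIRED_KMS_ALIAS}")
    # Log group ARNs look like arn:aws:logs:<region>:<acct>:log-group:<name>:*
    if f":log-group:{REQUIRED_LOG_GROUP}:" not in trail.get("CloudWatchLogsLogGroupArn", ""):
        findings.append(f"CloudWatch Logs group is not {REQUIRED_LOG_GROUP} (CloudTrail.5)")
    if not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no IAM role for delivery to CloudWatch Logs (CloudTrail.5)")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    return findings


def check_alarm_subscription(subscriptions):
    """Findings for the alarm topic; an unconfirmed email subscription reports
    SubscriptionArn == "PendingConfirmation" until the link in the email is clicked."""
    emails = [s for s in subscriptions if s.get("Protocol") == "email"]
    if not emails:
        return [f"no email subscription on {ALARM_TOPIC}"]
    if all(s.get("SubscriptionArn") == "PendingConfirmation" for s in emails):
        return [f"email subscription on {ALARM_TOPIC} not yet confirmed"]
    return []


if __name__ == "__main__":  # constructed sample: trail created, CloudWatch Logs not yet wired up
    trail = {"Name": "multi-region-cloud-trail", "IsMultiRegionTrail": True,
             "LogFileValidationEnabled": True,
             "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
    print(check_trail(trail, {"IsLogging": True}, {}))
    print(check_alarm_subscription([{"Protocol": "email", "SubscriptionArn": "PendingConfirmation"}]))
```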
...