AUTOMATE+ can currently remediate CloudWatch controls via auto-remediation. If you would prefer to follow the process more manually, use the documentation below.
To set up auto-remediation (continuous compliance) for CloudWatch controls 1-14, you need to perform some initial configuration. We are working on further improving this process; in the meantime, please follow this guide.
NB: The following instructions are for AUTOMATE+ deployments only. For any other deployment, every reference below to remediating with a runbook will require manual remediation instead.
The following information takes you through what needs to be checked in order to perform auto-remediation on CloudWatch controls 1-14 in AUTOMATE+.
Goal - ability to use Auto-remediation for controls CloudWatch.1 → CloudWatch.14
A select number of controls, namely CloudWatch.1 → CloudWatch.14, require additional manual effort before a customer can use the auto-remediation toggle.
...
Once the following steps have been completed you may then use “Auto-remediation” with AUTOMATE+ for CloudWatch.1 → CloudWatch.14:
IMPORTANT NOTE: Skip the below steps if the controls are already showing as PASSED except for CloudTrail.1
(To check this, inside AUTOMATE+ SaaS open CyberSecurity → Review & Fix Misconfigurations → type CloudTrail.1 in the search field, and look at the compliance status.)
...
Step 1. After AUTOMATE+ deployment, or if you have already deployed AUTOMATE+
a. Check the CloudTrail.1 control:
i. If the control is failed in AUTOMATE+, expand the control on the Automation page and click Remediate in the dropdown. This will create a Multi-region CloudTrail for you.
...
1. Navigate to AWS CloudTrail
2. Click on Dashboard (from the left-hand menu)
3. Click on Create Trail
4. Use CloudTrail name: multi-region-cloud-trail
5. Create new S3 bucket (use automatic name prefilled)
6. SSE-KMS encryption: leave checked
7. Customer Managed AWS KMS Key: select Existing
8. Select Existing KMS alias: SO0111-SHARR-Remediation-Key
9. Log File Validation: Leave Checked
10. SNS Notification Delivery: Leave unchecked
11. CloudWatch Logs: select Enable
12. Paste in the following CloudWatch log group name: six-pillars-aws-cloudwatchCloudWatch-cloudtrail
13. For Assumed IAM Role, select Existing and choose: SO0111-CloudTrailToCloudWatchLogs
14. Click Next
15. Click Next again
16. Click Create Trail
b. Check CloudTrail.4
i. If the control is FAILED, trigger instance remediation via the Automation page.
c. Check CloudTrail.5
i. If the control is FAILED, trigger instance remediation via the Automation page.
ii. If you created a new trail following step 1.a.ii, follow the steps below, or wait for that resource to show up in CloudTrail.5 as a resource and then trigger instance remediation to correct this.
...
a. Check Enabled checkbox
b. Select Existing Log Group and paste in: six-pillars-aws-cloudwatchCloudWatch-cloudtrail
c. Select New IAM Role and paste in: six-pillars-aws-cloudwatchCloudWatch-cloudtrail
d. Click Save Changes
d. Check CloudTrail.2
i. If the control is FAILED, trigger instance remediation via the Automation page.
...
Step 2. Once all of the controls above are in a PASSED compliance status, trigger instance remediation on CloudWatch.1 via the Automation page.
The automation of CloudWatch.1 will create an SNS topic named SO0111-SHARR-LocalAlarmNotification.
Confirm that an SNS topic named SO0111-SHARR-LocalAlarmNotification exists inside your AWS account in SNS → ‘Topics’.
Now to create a subscription to this SNS topic, under ‘Subscriptions’:
i. Go to SNS Topics and select the topic SO0111-SHARR-LocalAlarmNotification
ii. Click Create Subscription
iii. Select Protocol as Email and then enter your preferred email address or group address.
iv. Provide the relevant email in the endpoint field; a verification email will be sent to the address provided.
v. Click Create subscription
...
vi. Once you have done this you will receive an email in your inbox; you must open it and click on the link to accept the subscription.
...
vii. If you navigate again to the SNS topic “SO0111-SHARR-LocalAlarmNotification” you will see a confirmed subscription.
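Added example (not part of the original guide and not 6pillars code): a way to confirm the outcome of Steps 1 and 2 from API output instead of the console. It checks one entry of CloudTrail describe_trails output against the trail settings listed above, and SNS list_subscriptions_by_topic output for an accepted email subscription. The function names, the log group placeholder and the sample data are assumptions made for illustration.

```python
"""Offline checks over describe_trails / list_subscriptions_by_topic output."""
TOPIC_NAME = "SO0111-SHARR-LocalAlarmNotification"  # topic name from Step 2


def trail_findings(trail, expected_log_group):
    """List the settings in one describe_trails entry that differ from the
    manual trail-creation steps; an empty list means everything matches."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not trail.get("KmsKeyId"):
        findings.append("SSE-KMS encryption is not configured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    # Log group ARNs look like arn:aws:logs:<region>:<account>:log-group:<name>:*
    arn = trail.get("CloudWatchLogsLogGroupArn", "")
    group = arn.partition(":log-group:")[2].split(":", 1)[0]
    if group != expected_log_group:
        findings.append(f"CloudWatch Logs group is {group or 'unset'}")
    if not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no IAM role for CloudWatch Logs delivery")
    return findings


def confirmed_email_endpoints(subscriptions, topic_name=TOPIC_NAME):
    """Email endpoints on the topic whose subscription has been accepted.
    SNS reports SubscriptionArn as 'PendingConfirmation' until then."""
    return [
        s["Endpoint"] for s in subscriptions
        if s.get("TopicArn", "").endswith(":" + topic_name)
        and s.get("Protocol") == "email"
        and s.get("SubscriptionArn", "").startswith("arn:")
    ]


# Constructed sample data: placeholder account ID, region, key and log group.
SAMPLE_TRAIL = {
    "Name": "multi-region-cloud-trail",
    "IsMultiRegionTrail": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "LogFileValidationEnabled": False,  # deliberately wrong for the demo
    "CloudWatchLogsLogGroupArn":
        "arn:aws:logs:us-east-1:111122223333:log-group:example-log-group:*",
    "CloudWatchLogsRoleArn":
        "arn:aws:iam::111122223333:role/SO0111-CloudTrailToCloudWatchLogs",
}
_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:" + TOPIC_NAME
SAMPLE_SUBS = [
    {"TopicArn": _TOPIC_ARN, "Protocol": "email", "Endpoint": "new@example.com",
     "SubscriptionArn": "PendingConfirmation"},
    {"TopicArn": _TOPIC_ARN, "Protocol": "email", "Endpoint": "secops@example.com",
     "SubscriptionArn": _TOPIC_ARN + ":00000000-0000-0000-0000-000000000000"},
]
```

With live data, pass each item of the trailList returned by describe_trails and the Subscriptions list returned by list_subscriptions_by_topic, with the log group name from step 12 as expected_log_group.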
If you need help, please contact support@6pillars.ai