Automated remediation level 2: Best practices

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/06/22/automated-remediation-level-2-best-practices/

A low-impact workaround

When it comes to automating remediation, the second level we’ll discuss takes a bit of additional planning, so that users see little to no impact while the account fundamentals are being automated.

This framework aligns with the Center for Internet Security Amazon Web Services (CIS AWS) benchmark, which helps security organizations assess and improve processes by providing a set of unbiased industry best practices. Again, planning is the key here: it lets you calibrate automation properly and maintain your cloud security hygiene. In this second level, let’s take a look at 3 housekeeping best practices that can have a tremendous impact when it comes to automating remediation.

Organize the unused

Security groups act as a sort of traffic control checkpoint. Specifically, AWS Launch Wizard will automatically create security groups that define inbound traffic. If you’re not careful, many of these groups could go unused and subsequently become vulnerabilities. Think of it this way: if a security group isn’t attached to an instance, why would you leave it hanging around, especially if it can be exploited?

This is why it’s a good idea to perform regular maintenance of these groups. If Launch Wizard is automatically provisioning resources, then the “why” behind each group should be understood by all key players, so that automation doesn’t create chaos and continues to work for you.

Delete the defaults

You should control and calibrate the rules that best suit the organization and its workflows. As such, a tip from your friendly team at Rapid7 for good housekeeping is to delete default rules for default security groups. In AWS, for example, if you don’t specify a group alignment for an instance, it’ll be assigned to the default security group. A default security group has an inbound default rule and an outbound default rule.

  • The inbound default rule opens the gates to inbound traffic from all instances aligned with a default security group.
  • The outbound default rule grants permission to all outbound traffic from any instance aligned with the same default security group.  

Ensuring you have maximum control and visibility over that inbound and outbound traffic is just good hygiene, and will put checks on the process of creating default instances and any rules associated with them.

Protect AMI privacy

Ensuring the privacy status of an Amazon Machine Image (AMI) is also good hygiene. Essentially, setting an AMI to private enables individual access—so you and only you can use it—or you can assign access privileges to a specific list. This crucial step continues the best practice of closing your monitoring and cloud-security loops to fit the needs of your organization.
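The three housekeeping checks above (unused security groups, default rules left on default groups, and public AMIs) can be audited from the output of the EC2 describe calls before any automated clean-up runs. The functions below are an added example, not Rapid7 code; they assume the dict shape boto3 returns from describe_security_groups, describe_network_interfaces and describe_images, and run here on constructed sample data so they work offline.

```python
# Added example, not Rapid7 code: audit functions for the three housekeeping
# checks in this post. Inputs use the dict shape boto3's EC2 describe_* calls
# return (describe_security_groups, describe_network_interfaces, describe_images);
# the sample data below is constructed so the checks run offline.

def unused_security_groups(security_groups, network_interfaces):
    """IDs of groups attached to no network interface. Groups named 'default'
    are skipped because AWS does not allow deleting them."""
    attached = {g["GroupId"] for eni in network_interfaces for g in eni["Groups"]}
    return sorted(sg["GroupId"] for sg in security_groups
                  if sg["GroupName"] != "default" and sg["GroupId"] not in attached)

def default_groups_with_default_rules(security_groups):
    """IDs of default groups still carrying either stock rule: inbound from the
    group itself, or outbound allow-all to 0.0.0.0/0."""
    findings = []
    for sg in security_groups:
        if sg["GroupName"] != "default":
            continue
        self_inbound = any(pair.get("GroupId") == sg["GroupId"]
                           for perm in sg.get("IpPermissions", [])
                           for pair in perm.get("UserIdGroupPairs", []))
        open_egress = any(perm.get("IpProtocol") == "-1"
                          and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                          for perm in sg.get("IpPermissionsEgress", []))
        if self_inbound or open_egress:
            findings.append(sg["GroupId"])
    return findings

def public_amis(images):
    """IDs of AMIs whose launch permission is public (Public == True)."""
    return [img["ImageId"] for img in images if img.get("Public")]

# Constructed sample data; IDs are placeholders, not from a real account.
SAMPLE_SGS = [
    {"GroupId": "sg-default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-wizard", "GroupName": "launch-wizard-1",   # created, never attached
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-web"}]}]
SAMPLE_AMIS = [{"ImageId": "ami-shared", "Public": True}, {"ImageId": "ami-team", "Public": False}]

if __name__ == "__main__":
    print("unused groups:", unused_security_groups(SAMPLE_SGS, SAMPLE_ENIS))
    print("default groups with stock rules:", default_groups_with_default_rules(SAMPLE_SGS))
    print("public AMIs:", public_amis(SAMPLE_AMIS))
```

In a real account, feed these functions the paginated results of the corresponding boto3 calls and review the findings before wiring any deletion into the remediation pipeline.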

Stay in best-practice mode

If it seems like these 3 routines and rhythms are fundamentals of configuring automated remediation, that’s because they are. The thing is—and here’s another mention of the word—constant calibration is key in configuration processes. When there are so many details to lock into place, that’s when automation and its lasting benefits make the most sense.

With that, we’re ready for a deep-dive into the third of 4 Levels of Automated Remediation, Level 3: Governance and hygiene. You can also read the previous entry in this series here.
