Configuring Remediation for AWS
You can enable remediation when you create AWS connectors or edit existing connectors. It just takes a couple of minutes.
Enable Remediation for New Connectors
Go to the Configuration > Amazon Web Services tab and then click Manage Connectors.
The Connectors Application appears.
On the Connectors Application, click Create Connector.
Provide a name and description (optional) for your connector. Configure the required settings for the AWS connector. For detailed information on the connector creation steps, refer to Configure AWS Connectors.
Select the Enable Remediation check box to enable remediation for the connector.
Ensure that the connector has write access to the AWS account for which you enable remediation. For more information on assigning write access, refer to the Configuration on AWS Console section.
All the resources detected by this connector will be evaluated. You can then initiate remediation for the failed resources.
Then click Create Connector.
That’s it! The connector will establish a connection with AWS to start discovering resources from each region and evaluate them against policies.
Configuration on AWS Console
You can either use the CloudFormation template or manually configure the roles and permissions needed for remediation.
Configuration Using CloudFormation Template
Download the CloudFormation template from the Create AWS Connector window.
Log on to Amazon Web Services (AWS) and go to CloudFormation.
Create a stack and upload the template.
When the stack creation is complete, copy the Role ARN value from the output and paste it into the connector details.
Manual Configuration
The manual configuration for remediation has two parts: creating a custom policy and adding the custom policy to the IAM role.
Creating Custom Policy
1. Go to IAM console at https://console.aws.amazon.com/iam/.
2. In the left navigation pane, choose Policies.
3. Click Create policy.
4. Click the JSON tab.
5. Paste the following policy document into the JSON tab.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RemediationPermission",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DisassociateIamInstanceProfile",
        "ec2:StopInstances",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifyImageAttribute",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketVersioning",
        "rds:ModifyDBInstance",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:ModifyDBCluster",
        "redshift:ModifyCluster"
      ],
      "Resource": "*"
    }
  ]
}
6. Click Review policy.
7. On the Review policy page, type a Name and a Description (optional).
8. Click Create policy.
Adding Policy to IAM Role
1. Go to IAM console at https://console.aws.amazon.com/iam/.
2. In the left navigation pane, choose Roles.
3. From the IAM roles displayed, choose the IAM role you provided during the connector creation step in Qualys TotalCloud.
4. Go to the Permissions tab and choose Attach policies.
5. Select the check box on the left for the custom policy you created above.
6. Click Attach policy.
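As an added example (not Qualys's own code), the following Python builds the policy document from the steps above, audits an existing policy offline so that a role missing one of the documented actions (a remediation that will fail) or granting actions beyond them (more write access than remediation needs) is visible before the connector is enabled, and performs the create-and-attach step with boto3. The policy name QualysRemediation and the role_name argument are assumptions; only attach_remediation_policy needs AWS credentials.

```python
import json

# The actions granted by the documented RemediationPermission statement.
REQUIRED_ACTIONS = frozenset([
    "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:DisassociateIamInstanceProfile", "ec2:StopInstances",
    "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute",
    "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock",
    "s3:PutBucketVersioning", "rds:ModifyDBInstance",
    "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBCluster",
    "redshift:ModifyCluster",
])


def build_remediation_policy() -> dict:
    """Return the policy document from the Creating Custom Policy steps."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RemediationPermission", "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}


def audit_policy(policy: dict) -> dict:
    """Compare the Allow actions in a policy document with the documented list.

    'missing' actions make a remediation fail at runtime; 'extra' actions mean
    the connector role holds more write access than remediation needs.
    Wildcard actions such as "ec2:*" are not expanded and are reported as extra.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return {"missing": sorted(REQUIRED_ACTIONS - granted),
            "extra": sorted(granted - REQUIRED_ACTIONS)}


def attach_remediation_policy(role_name: str, policy_name: str = "QualysRemediation") -> str:
    """Create the managed policy and attach it to the connector role via boto3.

    role_name is the IAM role entered during connector creation; policy_name is
    a placeholder chosen here (assumption). Requires credentials with IAM write access.
    """
    import boto3  # imported here so the audit helpers run without AWS access
    iam = boto3.client("iam")
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=json.dumps(build_remediation_policy()))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=created["Policy"]["Arn"])
    return created["Policy"]["Arn"]
```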
Enable Remediation for Existing AWS Connectors
Go to Configuration > Amazon Web Services and select the connector whose details you want to edit. From the quick actions menu, select View, go to the Connector Information tab, and click Edit.
You can now edit the required details. Select the Enable Remediation check box and click Save. After you edit the connector settings, ensure that you also configure the roles and permissions needed for remediation on the AWS console. For more information on configuring roles and permissions on the AWS console, refer to Configuration on AWS Console.
To fetch the updated resources, select Run from the quick actions menu for the AWS connector.