Configuring Remediation for AWS

You can enable remediation when you create AWS connectors or edit existing connectors. It just takes a couple of minutes.

Enable Remediation for New Connectors

Go to the Configuration > Amazon Web Services tab and then click Manage Connectors.

The Connectors Application appears.

On the Connectors Application, click Create Connector.

Provide a name and description (optional) for your connector. Configure the required settings for the AWS connector. For detailed information on the connector creation steps, refer to Configure AWS Connectors.

Option to Enable Remediation during connector creation process.

Select Enable Remediation check box to enable remediation for the connector.

Ensure that the connector has write access to the AWS account for which you enable remediation. For more information on assigning write access, refer to the Configuration on AWS Console section.

All the resources detected by this connector will be evaluated. You can then initiate remediation for the failed resources.

Then click Create Connector.

That’s it! The connector will establish a connection with AWS to start discovering resources from each region and evaluate them against policies.

Configuration on AWS Console

You can either use the CloudFormation template or manually configure the roles and permissions needed for remediation.

Configuration Using CloudFormation Template

Download the CloudFormation template from the Create AWS Connector window.

Link to download the cloud formation template for AWS.

Log on to Amazon Web Services (AWS) and go to CloudFormation.

Create a stack and upload the template.

When the stack creation is complete, copy the Role ARN value from the output and paste it into the connector details.

Manual Configuration

The manual configuration for remediation has two parts: creating a custom policy and attaching that policy to the IAM role used by the connector.

Creating Custom Policy

1. Go to IAM console at https://console.aws.amazon.com/iam/.

2. In the left navigation pane, choose Policies.

3. Click Create policy.

4. Click JSON tab.

5. Paste the following policy document into the JSON tab.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RemediationPermission",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:StopInstances",
                "ec2:ModifySnapshotAttribute",
                "ec2:ModifyImageAttribute",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketVersioning",
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBCluster",
                "redshift:ModifyCluster"
            ],
            "Resource": "*"
        }
    ]
}

6. Click Review policy.

7. On the Review policy page, type a Name and a Description (optional).

8. Click Create policy.

Adding Policy to IAM Role

1. Go to IAM console at https://console.aws.amazon.com/iam/.

2. In the left navigation pane, choose Roles.

3. From the IAM Roles displayed, choose the IAM Role you provided during the connector creation step in Qualys TotalCloud.

4. Go to Permissions tab and choose Attach policies.

5. Select the check box on the left for the Custom policy you created above.

6. Click Attach policy.
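As an added example that is not part of the Qualys documentation, the following Python check compares a policy document against the action list above before you attach it to the connector role, reporting actions that dropped out, actions that crept in, and statements that grant more than intended (wildcard actions, NotAction). The sample drifted policy and all function names are constructed for this illustration.

```python
import json

# Actions the remediation policy shown above grants (copied from that policy document).
EXPECTED_REMEDIATION_ACTIONS = frozenset({
    "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:DisassociateIamInstanceProfile", "ec2:StopInstances",
    "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute",
    "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock",
    "s3:PutBucketVersioning", "rds:ModifyDBInstance",
    "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBCluster",
    "redshift:ModifyCluster",
})

# Constructed sample: a drifted copy of the policy that gained a wildcard and lost actions.
SAMPLE_DRIFTED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "RemediationPermission", "Effect": "Allow",
                 "Action": ["ec2:StopInstances", "s3:*"], "Resource": "*"}]
}"""


def _as_list(value):
    # IAM accepts a single object/string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def check_remediation_policy(policy_json: str) -> dict:
    """Compare a policy document against the expected remediation actions.

    Returns missing and unexpected actions plus findings a reviewer should resolve
    before attaching the policy (wildcard actions, non-Allow statements, NotAction).
    """
    policy = json.loads(policy_json)
    granted, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: non-Allow effect {stmt.get('Effect')!r}")
            continue
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction grants everything not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            granted.add(action)
    return {"missing": EXPECTED_REMEDIATION_ACTIONS - granted,
            "unexpected": granted - EXPECTED_REMEDIATION_ACTIONS,
            "findings": findings}
```

Run it against the policy you are about to paste into the JSON tab; an empty `findings` list with no missing or unexpected actions means the document matches the one above.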

Enable Remediation for Existing AWS Connectors

Go to Configuration > Amazon Web Services and select the connector whose details you want to edit. From the quick actions menu, select View, go to the Connector Information tab, and click Edit.

Option to enable remediation for existing AWS connector

You can now edit the required details. Select the Enable Remediation check box and click Save. After you edit the connector settings, ensure that you also configure the roles and permissions needed for remediation on the AWS console. For more information on configuring roles and permissions on the AWS console, refer to Configuration on AWS Console.

To fetch the updated resources, you need to select Run from the quick actions menu for the AWS connector.