Deploying CISv1.4.0 Security Benchmark recommended controls with Auto-remediation in an AWS Multi-account setup

This implementation performs near real-time "Automatic" remediation of NON-COMPLIANT resources in an AWS Organizations (multi-account) setup, by using AWS services like Security Hub, Lambda functions, EventBridge rules, etc. It will help in increasing the organization-level security compliance score to protect their cloud environment from cyber-threats.

Last updated - Jan 2024

Proposed Architecture
Required AWS Services & Components
Environment Setup
Remediation Actions
- Unsupported CIS Controls
- Supported CIS Controls
  - Controls that require "Manual" remediation
    - Setup Custom-Action based EventBridge Rule
  - Controls that support "Auto" remediation
Test Results
Conclusion

1. INTRODUCTION

1.1. Introduction

In the ever-evolving landscape of cloud computing, ensuring the security and compliance of cloud infrastructure has become paramount for organizations of all sizes. To address this critical need, the Center for Internet Security (CIS) has developed a set of comprehensive security benchmarks that provide organizations with a structured approach to securing their computer systems.

By deploying the proposed automatic remediation solution for CIS security benchmarks in the AWS cloud, organizations can proactively fortify their infrastructure against potential threats and ensure adherence to industry-standard security configurations. This comprehensive approach will empower organizations to safeguard their sensitive data, maintain regulatory compliance, and foster a secure environment for their cloud operations.

1.2. What are CIS & CIS Benchmarks?

The Center for Internet Security (CIS) is a non-profit organization that develops and promotes best practices for securing IT systems and data, including cloud security. The CIS Benchmarks are a set of globally recognized and consensus-driven guidelines that help organizations protect against emerging cybersecurity risks. These benchmarks are developed with input from a global community of security experts and provide practical guidance for implementing and managing cybersecurity defenses.

1.3. What are CIS AWS Foundations Benchmarks?

The CIS AWS Foundations Benchmark is a set of security best practices for Amazon Web Services (AWS) resources. It provides prescriptive instructions for configuring AWS services to ensure security and integrity. The most recent version is v1.4.0, released in 2021. Following this benchmark helps organizations reduce security risks and maintain compliance with industry regulations.

1.4. Importance of CIS Benchmarks

The CIS Benchmarks are globally recognized and accepted best practice guides for securing IT infrastructure. The benchmarks are freely available for download and implementation, and provide up-to-date, step-by-step instructions for organizations to secure their infrastructure.

The CIS Benchmarks align with major security and data privacy frameworks such as:

National Institute of Standards and Technology (NIST) Cybersecurity Framework
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)

1.5. CISv1.4.0 Recommended Controls

The CISv1.4.0 Control is composed of 4 sections with a total of 58 controls known as “recommendations.” Below are the four sections:

Identity and Access Management – 21 Controls
Storage – 7 Controls
Logging – 11 Controls
Monitoring – 15 Controls
Networking – 4 Controls

1.6. Problem Statement

In an AWS Organization setup with hundreds of accounts, enforcing organization-level security regulations for each resource deployed in various regions is a tedious task. An organization's security team will need to put a lot of effort into taking necessary actions to increase the Compliancy score.

2. PROPOSED ARCHITECTURE

2.1. Security Hub setup in AWS Organizations

In an AWS Organizations setup, there will be a Delegated Administrator Account for Security Hub. This account will act as a Centralized Security Dashboard for the entire organization.

2.2. Remediation Action Flow based on a Security Hub Finding - Simplified

2.3. Remediation Action Flow based on a Security Hub Finding - Detailed

The above architecture will be explained in detail in the Remediation Actions section

3. REQUIRED AWS SERVICES & COMPONENTS

Config - the primary source that performs security configuration checks and sends them to AWS Security Hub.
Security Hub - provides a Centralized Security Dashboard that displays security finding status across all organization member accounts in a prioritized manner. Security Hub currently supports automated checks for standards like,
- AWS Foundational Security Best Practices (FSBP) v1.0.0
- CIS Benchmarks v1.2.0
- CIS Benchmarks v1.4.0
- NIST 800-53 Revision 5
EventBridge - helps in setting up rule-based triggers that will deliver events to selected targets.
Lambda - event-driven serverless compute service that allows us to run our code in response to event triggers like EventBridge rules, without having to provision or manage servers.
IAM Roles - it is an identity that has specific permissions. Unlike an IAM user, an IAM role does not have long-term credentials. when you assume a role, it provides temporary security credentials for the role session. Some AWS Services will assume an IAM role to perform necessary actions.
Simple Notification Service - a fully managed distributed publish-subscribe system allowing mass delivery of emails, messages, and notifications.
CloudFormation StackSet - an Infrastructure-as-a-Code solution that helps in quick deployment of resources across multiple accounts and regions under a single operational management framework.

4. ENVIRONMENT SETUP

Pre-requisite: An AWS Organization setup with multiple member accounts, and a management account. Also, Organization-level services like AWS Config, Security Hub, CloudFormation StackSet, CloudTrail, etc. must be enabled as per your requirement, and setup Delegated Administrator accounts for managing these services if needed.

NOTE: Due to the AWS Organizations setup, whatever control measure implemented at the Organizations level will NOT be enforced on the Management Account (SCPs are applicable to Management account).

4.1. Enable AWS Config

To ensure that Security Hub can access its findings, it is necessary to activate AWS Config in the desired regions across all member accounts within the organization.

In the Organization’s CloudFormation StackSet Delegated Administrator, or the Management account, go to CloudFormation > StackSets > Create StackSet & upload the Enable_AWS_Config.yml template file.
Choose the Parameters values as per your requirements. But let the Include global resource types as FALSE, because because AWS Config need not perform redundant checks for Global resources like IAM in each region unnecessarily.
Set the Deployment options as per your requirement. But for our implementation, we need the deployment targets to be the entire organization.
Set the Auto-deployment options as Activated, so that when a new member is added, AWS Config is enabled as per the setup.
Choose the deployment regions as per your requirement & Click Next > Submit to deploy.

Now, AWS Config will be enabled in all the organization member accounts in the regions you have specified.

4.2. Enable AWS Security Hub:

To enable AWS Security Hub in the organization member accounts, in the Security Hub Delegated Administrator Account’s Security Hub console of your primary region, go to Configuration > Enable Central Configuration.
Choose the Regions which you want to be aggregated, so that all region findings will be shown in the Security Hub dashboard of the primary region. Click Next.
For the Configuration type, you can either choose to use the AWS Recommended setting to enable all standards or choose Customize my Security Hub configuration and choose only CIS AWS Foundations Benchmark v1.4.0
Choose Deploy to all accounts > Next > Submit.

Now, AWS Security Hub will be enabled in the regions that you have mentioned, with controls checks for CIS 1.4.0 enabled. For more information, refer to the AWS Documentation - Security Hub Central Configuration

4.3. Create SNS Topic

To be able to get email notification about the remediation steps taken for an automatically remediated CIS control check or get the steps to perform remediation for a control check that is triggered manually, we need to create an SNS topic in the organization member accounts in whichever region we are performing the remediation.

To do this, use the CIS_Remediation_Notification_Setup.yml file and deploy using CloudFormation StackSets in all organization members in all regions that you want. Also, let the auto-deployment option be in Activated state.
Now, you can have necessary email accounts to subscribe to this SNS topic to receive notification.

4.4. Setup Remediation Lambda Function

In the Security Hub Delegated Administrator account, create the CIS Control Remediation Lambda function with your preferred name (say CIS_Remediation_Master) and choose the Runtime language as Python 3.11, and create the function with default permissions.
Now, upload the codes lambda_function.py and cisPlaybook.py as a zip file.
Go to Configuration > General Configuration and set the Timeout as 5 sec.
To allow this Remediation Lambda function to be able to assume role CIS_Remediator_Role in the member accounts (we will create after we set this function). We need to give it sts:AssumeRole permission policy.

To do this, Create an IAM Policy with your preferred name (say, CIS_Remediator_MemberRoleAssumption) with the below mentioned permission, so that the lambda function can assume the CIS_Remediator_Role role in the member accounts to perform remediation.

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CrossAccountRemediatorRoleAssumption",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/CIS_Remediator_Role"
            }
        ]
}

Attach this permission policy to the remediation lambda function’s IAM role, in addition to the default lambda permissions.

4.5. Create an IAM Role in Member Accounts

To allow our lambda function to be able to perform remediation action in the organization member accounts, it needs to have sufficient permissions. For this, we need an IAM role in the member accounts, which will be assumed by our lambda function.

Using the CloudFormation template CIS_Remediator_Role_Deployment.yml, we will create an IAM role named CIS_Remediator_Role with AWS-managed permission AdministratorAccess with ARN arn:aws:iam::aws:policy/AdministratorAccess.

If you wish not to give Administrator Access to the assumed member account IAM role, you need to create an IAM policy with necessary permissions that allows the lambda function to perform the necessary remediation actions for all of the CIS Controls. In this case, you can use your own CloudFormation template to create an IAM policy in all the member accounts, and change the ARN of the policy in "CIS_Remediator_Role_Deployment.yml"

Since IAM is a global resource, choose only one deployment region.
Also, set Auto-deployment option as Activated, so that this IAM role will be created in new member accounts also.
During the deployment, CloudFormation console will prompt you to provide the ARN of the Remediation lambda function’s IAM role, in order to create a trust relationship policy in the Member account IAM role, so that our lambda function can assume it successfully.

4.6. Optional Requirements

For the CIS Control ID – 3.7: CloudTrail Logs should have encryption at-rest enabled, we need a KMS key with sufficient permissions. To be able to automatic remediate this control, use CloudFormation StackSets to deploy CIS_CloudTrail_Encryption_KMS_Key_Deployment.yml across all member accounts in the desired regions.

Additional Resources: If you would like to Disable or Force Enable any of the Security Hub Controls in your organization member accounts, you can implement solutions suggested in the below AWS blog - Disabling Security Hub Controls in a Multi-Account Environment

Now, all the requirements to implement our solution have been setup.

5. REMEDIATION ACTIONS

Out of 58 different remediation controls suggested by CIS, a few are not supported by AWS. For more information, refer to the AWS documentation - Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0

Also, information required to allow you to customize remediation actions by modifying the variable values in lambda_function.py has been provided wherever required, for each of the CISv1.4.0 control

5.1. Unsupported Controls

CIS Controls that are not supported for automated checks done by Security Hub: CIS 1.1, 1.2, 1.3, 1.11, 1.13, 1.18, 1.19, 1.20, 1.21, 2.1.1, 2.1.3, 2.1.4, 4.15, 5.4
CIS Controls that were in CIS v1.2.0, but not supported in CIS v1.4.0, and Controls for which automated control check is disabled by AWS Security Hub for CIS v1.4.0: CIS 1.15, 4.1, 4.2, 5.2

Note: Here, Control ID 5.2 is covered under 5.1 – Network ACL should not allow ingress from 0.0.0.0/0 to remote administration ports.

5.2. Supported Controls

Among the controls supported by AWS for automated checks done by Security Hub, some need manual intervention for remediation (like setting up MFA, Root account setting modifications), while others can be auto-remediated.

As many of the Security Standards recommended supported by Security Hub overlap, AWS has its own set of control ID for each matching standard recommended control ID.

Below is the summary of the remediation action done for each CIS controls:

5.2.1. Controls that require "Manual" remediation

CIS Control ID	AWS Control ID	Control Description	Generator ID
1.4	`IAM.4`	IAM root user access key should not exist	`cis-aws-foundations-benchmark/v/1.4.0/1.4`
1.5	`IAM.9`	MFA should be enabled for the root user	`cis-aws-foundations-benchmark/v/1.4.0/1.5`
1.6	`IAM.6`	Hardware MFA should be enabled for the root user	`cis-aws-foundations-benchmark/v/1.4.0/1.6`
1.10	`IAM.5`	MFA should be enabled for all IAM users that have a console password	`cis-aws-foundations-benchmark/v/1.4.0/1.10`
1.16	`IAM.16`	Ensure that Customer-managed IAM policies should not allow full ":" administrative privileges	`cis-aws-foundations-benchmark/v/1.4.0/1.16`
2.3.1	`RDS.3`	RDS DB instances should have encryption at-rest enabled	`cis-aws-foundations-benchmark/v/1.4.0/2.3.1`

The Generator ID mentioned above, is retrieved from the Security Hub Findings. This will be useful in setting up custom EventBridge rules depending on your requirements.

Setup EventBridge Rule based on Custom Action

For the above controls, EventBridge Rule is set to be triggered only upon clicking Custom Action feature in Security Hub.

To Create a Custom Action, in the Security Hub Delegated Administrator, go to Security Hub > Custom Action > Create Custom Action (say, CIS_Remediation)
Now, go to EventBridge > Rules > Create Rule & Choose your desired rule name (say, CIS_Remediation_Master_CustomAction_Trigger) and give a description.
Choose the EventBridge source as “AWS Events or EventBridge partner events”, and Creation method as Use pattern form.\
Choose the Event pattern as shown below, with Event type as Security Hub Findings – Custom Action & specify the Custom Action ARN you had created.
Click Next & set the Target as Lambda function & choose the name of the Remediation Lambda function.
Click Next & Click on Create Rule.

How to Trigger this?

Choose a FAILED compliancy control check, Click on Action > Name of the Custom Action you had created. This will trigger the Remediation lambda function to send out an email notification with instructions to perform the necessary remediation action, to the emails subscribed to the SNS topic.

Sample Email Notification mentioning steps to perform remediation

Note: If you prefer to use the different SNS topic for each control, you can simply add the sns_topic_arn variable inside the corresponding “if” condition in the lambda_function.py code and mention your SNS topic’s ARN.

5.2.2. Controls that support "Automatic" remediation

For the below controls, the impact status has been given based on the performed automatic-remediation

Symbol	Description
❗	Impactful
⚠️	Possible impact (depending on your setup)
✅	Safe

A) IAM Controls

CIS Control ID	AWS Control ID	Control Description	Generator ID	Action Taken	Impact
1.7	`CloudWatch.1`	Eliminate the use of 'root' user for administrative and daily tasks	`cis-aws-foundations-benchmark/v/1.4.0/1.7`	Remediated under CIS Control 4.3: Ensure Log metric filter and alarm should exist for usage of the "Root" user	✅
1.8	`IAM.15`	Ensure IAM password policy requires minimum password length of 14 or greater	`cis-aws-foundations-benchmark/v/1.4.0/1.8`	Changes password policy	✅
1.9	`IAM.16`	Ensure IAM password policy prevents password reuse	`cis-aws-foundations-benchmark/v/1.4.0/1.9`	Changes password policy	✅
1.12	`IAM.22`	IAM user credentials unused for 45 days should be removed	`cis-aws-foundations-benchmark/v/1.4.0/1.12`	Keys unused for more than 45 days will be deleted	❗
1.14	`IAM.3`	IAM users' access keys should be rotated every 90 days or less	`cis-aws-foundations-benchmark/v/1.4.0/1.14`	Keys older than 90 days will be disabled	⚠️
1.17	`IAM.18`	Ensure a support role has been created to manage incidents with AWS Support	`cis-aws-foundations-benchmark/v/1.4.0/1.17`	Creates an IAM Role with `support:*` access	✅

Note for Customization:

For CIS 1.17 remediation, you can change the name of the IAM role created by modifying the support_role_name variable in lambda_function.py

For CIS 1.8 & CIS 1.9 remediation, you can further customise the password policy based on your requirement by modifying the password_policy variable in cisPlaybook.py

B) Storage Controls

CIS Control ID	AWS Control ID	Control Description	Generator ID	Action Taken	Impact
2.1.2	`S3.5`	S3 buckets should require requests to use Secure Socket Layer, set to deny HTTP requests	`cis-aws-foundations-benchmark/v/1.4.0/2.1.2`	Adds a new statement in the S3 bucket policy to deny HTTP requests	⚠️
2.1.5.1	`S3.1`	S3 Block Public Access setting should be enabled at account level	`cis-aws-foundations-benchmark/v/1.4.0/2.1.5.1`	Enables `"Block all public access"` setting at account-level for S3	❗
2.1.5.2	`S3.8`	S3 Block Public Access Block setting should be enabled at the bucket-level	`cis-aws-foundations-benchmark/v/1.4.0/2.1.5.2`	Enables `"Block all public access"` setting at bucket-level for S3	❗
2.2.1	`EC2.7`	EBS default encryption should be enabled	`cis-aws-foundations-benchmark/v/1.4.0/2.2.1`	Enables `"Always encrypt new EBS volumes"` in EC2 Console settings	✅

Note for Customization:

For CIS 2.2.1 remediation, the Remediation Lambda function’s execution timeout needs to be 5 seconds

C) Logging Controls

CIS Control ID	AWS Control ID	Control Description	Generator ID	Action Taken	Impact
3.1	`CloudTrail.1`	Ensure that CloudTrail is enabled in all regions & set to log read/write events in CloudTrail S3 bucket	`cis-aws-foundations-benchmark/v/1.4.0/3.1`	Enabled CloudTrail in compliancy failed region with CloudTrail S3 bucket logging set to monitor read/write events	✅
3.2	`CloudTrail.4`	CloudTrail log file validation should be enabled	`cis-aws-foundations-benchmark/v/1.4.0/3.2`	Enabled `Log Validation` in compliancy failed trail	✅
3.3	`CloudTrail.6`	Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible	`cis-aws-foundations-benchmark/v/1.4.0/3.3`	Enables `Block all public access` setting at CloudTrail Bucket	✅
3.4	`CloudTrail.5`	CloudTrail trails should be integrated with Amazon CloudWatch Logs	`cis-aws-foundations-benchmark/v/1.4.0/3.4`	Creates CloudWatch log & IAM role (if not exists) with CloudWatch log writing permissions & integrates CloudTrail with CloudWatch Log group	✅
3.5	`Config.1`	AWS Config must be enabled in all regions to monitor all resources	`cis-aws-foundations-benchmark/v/1.4.0/3.5`	No remediation code has been provided for this Control ID. Because, while enabling AWS config at organization level, we have setup `Include Global Resources` as `FALSE` to avoid redundant checks for global resources like IAM. Since AWS Config checks is not allowed for all resources, this control check will be in FAILED state. You can choose to disable this control check if you wish.	-
3.6	`CloudTrail.7`	Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket	`cis-aws-foundations-benchmark/v/1.4.0/3.6`	Enables `Server Access Logging` in CloudTrail S3 bucket’s properties	✅
3.7	`CloudTrail.2`	CloudTrail Logs should have encryption at-rest enabled	`cis-aws-foundations-benchmark/v/1.4.0/3.7`	Enabled `Log file SSE-KMS encryption` using the KMS key created using CloudFormation template CIS_CloudTrail_Encryption_KMS_Key_Deployment.yml earlier.	✅
3.8	`KMS.4`	AWS KMS key rotation should be enabled	`cis-aws-foundations-benchmark/v/1.4.0/3.8`	Enables `Automatically rotate this KMS key every year` option	⚠️
3.9	`EC2.6`	Ensure VPC Flow (reject) logging is enabled in all VPCs	`cis-aws-foundations-benchmark/v/1.4.0/3.9`	Enables VPC flow logging by creating a new CloudWatch Log group, and an IAM role with log group write permissions, to log `REJECT` logs for each VPC.	✅
3.10	`CloudTrail.1`	Ensure that object-level logging for Write events is enabled for S3 buckets	`cis-aws-foundations-benchmark/v/1.4.0/3.10`	Remediated under CIS 3.1	✅
3.11	`CloudTrail.1`	Ensure that object-level logging for Read events is enabled for S3 buckets	`cis-aws-foundations-benchmark/v/1.4.0/3.11`	Remediated under CIS 3.1	✅

Note for Customization:

For CIS 3.4 remediation, you can change the name of the IAM role created by modifying the iam_rolename.

For CIS 3.7 remediation, If you already have a KMS key with necessary permissions, you can add key_alias.

For CIS 3.8 remediation, you can give a list of keywords in exclusion_keywords variable, so that KMS keys with description containing these keywords will not be rotated.

All the above variable changes need to be done in lambda_function.py

D) Monitoring Controls

CIS Control ID	AWS Control ID	Control Description	Generator ID	Action Taken	Impact
4.3	`CloudWatch.1`	Ensure a log metric filter and alarm exist for Usage of 'Root' account	`cis-aws-foundations-benchmark/v/1.4.0/4.3`	Creates a Log metric & Alarm to monitor "Root" usage `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`	✅
4.4	`CloudWatch.4`	Ensure a log metric filter and alarm exist for IAM Policy changes	`cis-aws-foundations-benchmark/v/1.4.0/4.4`	Creates a Log metric & Alarm to monitor IAM Policy changes using the filter {($.eventName=DeleteGroupPolicy) \|\| ($.eventName=DeleteRolePolicy) \|\| ($.eventName=DeleteUserPolicy) \|\| ($.eventName=PutGroupPolicy) \|\| ($.eventName=PutRolePolicy) \|\| ($.eventName=PutUserPolicy) \|\| ($.eventName=CreatePolicy) \|\| ($.eventName=DeletePolicy) \|\| ($.eventName=CreatePolicyVersion) \|\| ($.eventName=DeletePolicyVersion) \|\| ($.eventName=AttachRolePolicy) \|\| ($.eventName=DetachRolePolicy) \|\| ($.eventName=AttachUserPolicy) \|\| ($.eventName=DetachUserPolicy) \|\| ($.eventName=AttachGroupPolicy) \|\| ($.eventName=DetachGroupPolicy)}	✅
4.5	`CloudWatch.5`	Ensure a log metric filter and alarm exist for CloudTrail Configuration changes	`cis-aws-foundations-benchmark/v/1.4.0/4.5`	Creates a Log metric & Alarm to monitor CloudTrail Configuration changes using the filter `{ ($.eventName = CreateTrail) \|\| ($.eventName = UpdateTrail) \|\| ($.eventName = DeleteTrail) \|\| ($.eventName = StartLogging) \|\| ($.eventName = StopLogging) }`	✅
4.6	`CloudWatch.6`	Ensure a log metric filter and alarm exist for AWS Management Console Authentication Failures	`cis-aws-foundations-benchmark/v/1.4.0/4.6`	Creates a Log metric & Alarm to monitor Console Authentication Failures using the filter `{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }`	✅
4.7	`CloudWatch.7`	Ensure a log metric filter and alarm exist for Disabling or Scheduled Deletion of customer created CMKs	`cis-aws-foundations-benchmark/v/1.4.0/4.7`	Creates a Log metric & Alarm to monitor deletion/disabling of customer-managed keys using the filter `{ $.eventSource = kms* && $.errorMessage = "* is pending deletion."}`	✅
4.8	`CloudWatch.8`	Ensure a log metric filter and alarm exist for S3 Bucket Policy changes	`cis-aws-foundations-benchmark/v/1.4.0/4.8`	Creates a Log metric & Alarm to monitor S3 bucket policy changes using the filter `{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) \|\| ($.eventName = PutBucketPolicy) \|\| ($.eventName = PutBucketCors) \|\| ($.eventName = PutBucketLifecycle) \|\| ($.eventName = PutBucketReplication) \|\| ($.eventName = DeleteBucketPolicy) \|\| ($.eventName = DeleteBucketCors) \|\| ($.eventName = DeleteBucketLifecycle) \|\| ($.eventName = DeleteBucketReplication)) }`	✅
4.9	`CloudWatch.9`	Ensure a log metric filter and alarm exist for ‘AWS Config’ configuration changes	`cis-aws-foundations-benchmark/v/1.4.0/4.9`	Creates a Log metric & Alarm to monitor ‘AWS Config’ configuration changes using the filter `{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder) \|\| ($.eventName = DeleteDeliveryChannel) \|\| ($.eventName = PutDeliveryChannel) \|\| ($.eventName = PutConfigurationRecorder)) }`	✅
4.10	`CloudWatch.10`	Ensure a log metric filter and alarm exist for Security Group changes	`cis-aws-foundations-benchmark/v/1.4.0/4.10`	Creates a Log metric & Alarm to monitor Security Group changes using the filter `{ ($.eventName = AuthorizeSecurityGroupIngress) \|\| ($.eventName = AuthorizeSecurityGroupEgress) \|\| ($.eventName = RevokeSecurityGroupIngress) \|\| ($.eventName = RevokeSecurityGroupEgress) \|\| ($.eventName = CreateSecurityGroup) \|\| ($.eventName = DeleteSecurityGroup) }`	✅
4.11	`CloudWatch.11`	Ensure a log metric filter and alarm exist for changes to Network Access Control Lists	`cis-aws-foundations-benchmark/v/1.4.0/4.11`	Creates a Log metric & Alarm to monitor NACL changes using the filter `{ ($.eventName = CreateNetworkAcl) \|\| ($.eventName = CreateNetworkAclEntry) \|\| ($.eventName = DeleteNetworkAcl) \|\| ($.eventName = DeleteNetworkAclEntry) \|\| ($.eventName = ReplaceNetworkAclEntry) \|\| ($.eventName = ReplaceNetworkAclAssociation) }`	✅
4.12	`CloudWatch.12`	Ensure a log metric filter and alarm exist for changes to Network Gateways	`cis-aws-foundations-benchmark/v/1.4.0/4.12`	Creates a Log metric & Alarm to monitor Network Gateway changes using the filter `{ ($.eventName = CreateCustomerGateway) \|\| ($.eventName = DeleteCustomerGateway) \|\| ($.eventName = AttachInternetGateway) \|\| ($.eventName = CreateInternetGateway) \|\| ($.eventName = DeleteInternetGateway) \|\| ($.eventName = DetachInternetGateway) }`	✅
4.13	`CloudWatch.13`	Ensure a log metric filter and alarm exist for Route Table changes	`cis-aws-foundations-benchmark/v/1.4.0/4.13`	Creates a Log metric & Alarm to monitor Route Table changes using the filter `{ ($.eventName = CreateRoute) \|\| ($.eventName = CreateRouteTable) \|\| ($.eventName = ReplaceRoute) \|\| ($.eventName = ReplaceRouteTableAssociation) \|\| ($.eventName = DeleteRouteTable) \|\| ($.eventName = DeleteRoute) \|\| ($.eventName = DisassociateRouteTable) }`	✅
4.14	`CloudWatch.14`	Ensure a log metric filter and alarm exist for VPC changes	`cis-aws-foundations-benchmark/v/1.4.0/4.14`	Creates a Log metric & Alarm to monitor VPC changes using the filter `{ ($.eventName = CreateVpc) \|\| ($.eventName = DeleteVpc) \|\| ($.eventName = ModifyVpcAttribute) \|\| ($.eventName = AcceptVpcPeeringConnection) \|\| ($.eventName = CreateVpcPeeringConnection) \|\| ($.eventName = DeleteVpcPeeringConnection) \|\| ($.eventName = RejectVpcPeeringConnection) \|\| ($.eventName = AttachClassicLinkVpc) \|\| ($.eventName = DetachClassicLinkVpc) \|\| ($.eventName = DisableVpcClassicLink) \|\| ($.eventName = EnableVpcClassicLink) }`	✅

Note for Customization: For the all the above Monitoring control remediations, you can modify the following input variables under each control’s if condition in the lambda_function.py

log_group_name – Name of the log group that needs to be monitored.

alarm_sns_topic – SNS topic ARN that needs to be notified when Alarm threshold limit is reached.

threshold_value – Choose your desired threshold limit (default = 1).

D) Networking Controls

CIS Control ID	AWS Control ID	Control Description	Generator ID	Action Taken	Impact
5.1	`EC2.21`	Network ACLs should not allow ingress from 0.0.0.0/0 to remote administration ports	`security-control/EC2.21`	Removes the rule that allows connections from `ANY sources to port 22 & 3389, and also ANY to ANY` Be cautious while removing ANY-ANY inbound rule, as NACL is stateless	❗
5.3	`EC2.2`	VPC default security groups should not allow inbound or outbound traffic	`cis-aws-foundations-benchmark/v/1.4.0/5.3`	Removes all inbound & outbound rules from the Default security group of a VPC	⚠️

Note:

For CIS 5.1 remediation, I am working on modifying the code, so that the auto-remediation is done not by removing the non-compliant resource, but by replacing the source IP as a private IP range. This will ensure that, only users connected to the Organization network directly or via VPN can access services via remote administration ports.

Setup EventBridge Rule for Automatic Remediation

For the above controls, EventBridge Rule is set to be triggered automatically using a EventBridge rule will needs to be created. Follow the first three steps as indicated, while creating the previous Custom-Action based EventBridge rule. Here, only the Event Pattern will change as given below:

Choose the Event type as Security Hub Findings – Imported & Compliance Status as FAILED.
Choose the other Event Type Specifications as per your requirements,and modify the Workflow status as NEW
Now, enter all the GeneratorId of the controls that you want to be automatically remediated.
Click Next & choose the Target as the Remediation Lambda function and Create Rule.

If you want to disable this Automatic Remediation, you can click on the EventBridge Rule you had created, and choose Disable

Note: For all the controls supporting auto-remediation, once a remediation is done, the lambda function will send an email notification to the SNS topic (created earlier using CloudFormation template CIS_Remediation_Notification_Setup.yml) with information about the actions taken.

Sample Email Notification mentioning remediation actions taken

Also, once a control that is in FAILED state has triggered the remediation action, its workflow state will change from NEW into NOTIFIED until otherwise it changes to RESOLVED state, to avoid accidental manual triggers for a remediation that has already happened.

6. TEST RESULTS

Test Case:

CIS Control ID 5.1 - Network ACLs should not allow ingress from 0.0.0.0/0 to Remote Administration ports.

NACL with non-compliant rules
Security Hub Compliance Status showing FAILED
This FAILED & NEW status will automatically trigger the Remediation Lambda function to perform the remediation action in the respective member account, in the region where the non-compliant resource exists. See the below CloudWatch log of the Remediation Lambda for reference.
The below email notification has been sent to the emails subscribed to the SNS topic created created with CloudFormation template CIS_Remediation_Notification_Setup.yml.
Once auto-remediation is performed, you can confirm that the non-compliant rules have been removed from the NACL.
During the next check done by Security Hub, the Compliancy status will become PASSED.

7. CONCLUSION

Future Work Prospectives

Some of the future prospectives of this project includes,

Find a way to perform Security Checks for the controls checks that are not supported by AWS Security Hub (e.g. CIS 1.1, 1.2, etc.)
Design a more adaptable solution, which will also perform remediation for other industry security standards like NIST, PCI DSS, HIPAA, SOC2, etc.
"Fully" automate the deployment of our solution using CloudFormation templates.
Add more remediation conditions for control remediations that "may" cause a production impact

Disclaimer

All the remediation codes provided in this repository have been tested under a Test AWS Organization Environment setup. Before you try to implement this in your environment, make sure you go through the entire documentation, and the code.

Acknowledgements

I would like to express my gratitude to the following individuals for their contributions, support, and inspiration in the development of this project:

Other Contributors:
Mentor:
- Mohammad Reza Bagheri

Contact

For any issues or concerns in the code or implementation procedure, please email me

Name		Name	Last commit message	Last commit date
Latest commit History 153 Commits
CloudFormation_Templates		CloudFormation_Templates
EventBridge_Rules		EventBridge_Rules
main		main
screenshots		screenshots
LICENSE		LICENSE
README.md		README.md

License

prasanna7401/CIS-Benchmarks-AutoRemediation-in-AWS-Organization

Folders and files

Latest commit

History

Repository files navigation