AWS Config Custom Rule with Auto Remediation
Automatically remediate EC2 instance ports accessible to the internet (0.0.0.0/0) with AWS Config and AWS Systems Manager.
Overview
The project is closely based on the AWS Blog Post How to auto-remediate internet accessible ports with AWS Config and AWS System Manager by Amal AlQhtani. It simplifies the deployment by packaging the blog post's solution as a one-click CloudFormation stack. The deployed solution creates:
- A custom AWS Config rule backed by a Lambda function
- An SSM Automation document that uses an aws:executeScript step written in Python
- An AWS Config automated remediation configuration (ties a NON_COMPLIANT evaluation from the rule to the SSM Automation document as the automatic response)
For more information review the blog post How to auto-remediate internet accessible ports with AWS Config and AWS System Manager
Note: At this time there is no deviation from the implementation created by Amal AlQhtani. Current work focuses on scoping down the IAM privileges and applying security best practices to the CloudFormation template.
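To make the three components above concrete, here is an added example (written for this page, not the project's or the blog post's own code) of the logic the custom rule's Lambda function and the aws:executeScript remediation step need: detect security group ingress rules that allow any source (0.0.0.0/0 or ::/0) on an EC2 instance's attached groups, turn them into a Config evaluation, and compute the exact IpPermissions to revoke so that legitimate ranges sharing the same port rule are left alone. The boto3 calls in the two handlers are real API calls; the sample security group and configuration item are constructed, and the assumption that the automation document passes the instance ID as an `InstanceId` input is mine.

```python
# Added example for this page: detection + remediation logic for an
# "internet-open port" custom Config rule. Not the project's or blog's code.
import json
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
DELETED_STATES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def open_ingress_permissions(security_group: dict) -> List[dict]:
    """Return the ingress rules of one security group that allow any source.

    Input is one entry from ec2.describe_security_groups. Each returned item
    keeps only the offending CIDR(s) and is shaped as an IpPermission, so it
    can be passed unchanged to revoke_security_group_ingress without removing
    the legitimate ranges that share the same port rule.
    """
    offending = []
    for perm in security_group.get("IpPermissions", []):
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
        if not v4 and not v6:
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:  # absent for protocol "-1" (all traffic)
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": ANY_IPV4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": ANY_IPV6}]
        offending.append(entry)
    return offending


def evaluate_instance(item: dict, groups_by_id: Dict[str, dict]) -> dict:
    """Build the Config evaluation for one AWS::EC2::Instance configuration item.

    groups_by_id maps the instance's security group IDs to their
    describe_security_groups entries. A deleted resource is NOT_APPLICABLE;
    otherwise the instance is NON_COMPLIANT if any attached group exposes a
    port to the whole internet.
    """
    if item.get("configurationItemStatus") in DELETED_STATES:
        compliance, annotation = "NOT_APPLICABLE", "Resource was deleted"
    else:
        attached = [g["groupId"] for g in item["configuration"].get("securityGroups", [])]
        exposed = sorted(gid for gid in attached
                         if gid in groups_by_id and open_ingress_permissions(groups_by_id[gid]))
        if exposed:
            compliance = "NON_COMPLIANT"
            annotation = "Ingress open to the internet in: " + ", ".join(exposed)
        else:
            compliance = "COMPLIANT"
            annotation = "No attached security group allows ingress from 0.0.0.0/0 or ::/0"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point for the custom Config rule (standard custom-rule event shape)."""
    import boto3  # imported here so the pure functions above stay testable offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    group_ids = [g["groupId"] for g in item["configuration"].get("securityGroups", [])]
    groups = {}
    if group_ids:
        resp = boto3.client("ec2").describe_security_groups(GroupIds=group_ids)
        groups = {g["GroupId"]: g for g in resp["SecurityGroups"]}
    boto3.client("config").put_evaluations(
        Evaluations=[evaluate_instance(item, groups)], ResultToken=event["resultToken"])


def script_handler(events, context):
    """aws:executeScript handler. ASSUMPTION: the document passes 'InstanceId'."""
    import boto3
    ec2 = boto3.client("ec2")
    inst = ec2.describe_instances(InstanceIds=[events["InstanceId"]])["Reservations"][0]["Instances"][0]
    group_ids = [g["GroupId"] for g in inst["SecurityGroups"]]
    revoked = {}
    for group in ec2.describe_security_groups(GroupIds=group_ids)["SecurityGroups"]:
        perms = open_ingress_permissions(group)
        if perms:  # revoke only the any-source ranges, nothing else
            ec2.revoke_security_group_ingress(GroupId=group["GroupId"], IpPermissions=perms)
            revoked[group["GroupId"]] = perms
    return {"Revoked": revoked}


# Constructed sample data (not from a real account) for offline demonstration.
SAMPLE_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": ANY_IPV4}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]},
]}
SAMPLE_ITEM = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc0abc0abc0abc0",
               "configurationItemStatus": "OK",
               "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
               "configuration": {"securityGroups": [{"groupId": "sg-0123456789abcdef0", "groupName": "web"}]}}


def demo() -> dict:
    """Evaluate the constructed instance and show what remediation would revoke."""
    return {"evaluation": evaluate_instance(SAMPLE_ITEM, {SAMPLE_GROUP["GroupId"]: SAMPLE_GROUP}),
            "to_revoke": open_ingress_permissions(SAMPLE_GROUP)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the NON_COMPLIANT evaluation for the constructed instance and the three IpPermissions (SSH from 0.0.0.0/0, HTTPS from ::/0, and the all-traffic rule) that the remediation step would revoke; the 10.0.0.0/8 range on port 22 and the 3306 rule are untouched. Whether this matches the project's behaviour exactly depends on the blog post's rule parameters, which this example does not reproduce.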
Prerequisites
The following prerequisites must be met before launching the solution in your account.
- Ensure the AWS Config recorder is configured in the target region
- At a minimum, AWS Config must record EC2 resource types in that region
Deployment
- Open your web browser and log in to your AWS account.
- Click the Launch Stack button to launch the stack.
- Fill out the stack parameters.
Note: To open the link in a new tab, use ctrl+click on the Launch Stack button below, or two-finger click and select Open in new tab.
AWS CONFIG RECORDER (Prereq)
If you do not have AWS Config set up in your region, deploy the minimal AWS Config solution here:
This stack deploys a simplified Config setup that records only the EC2 resource type, which keeps costs down for testing.
AWS CONFIG CUSTOM MANAGED RULE SOLUTION
Deploy the Config Custom Managed Rule solution for the project: