AWS Config Custom Rule with Auto Remediation

Automatically Remediate EC2 instance ports accessible to the internet (0.0.0.0/0) with AWS Config and AWS System Manager.

Overview

The project is closely based on the AWS Blog Post How to auto-remediate internet accessible ports with AWS Config and AWS System Manager by Amal AlQhtani. The project simplifies the deployment by giving it a one-click deployment solution. The deployed solution creates:

1. Custom AWS Config rule backed by lambda
2. SSM Automation Document leveraging aws:executeScript with python
3. AWS Config Automated Remediation configuration (ties AWS Config compliance to automated response from SSM Automation document)

For more information review the blog post How to auto-remediate internet accessible ports with AWS Config and AWS System Manager

Note: At this time there is no deviation from the implementation created by Amal AlQhtani. Current work will be in factoring privileges and applying security best practices to the cloudformation.

Prerequisites

The following prerequisites will need to be met to launch solution in your account.

1. Ensure the AWS Config Record configured in specified region
2. Minimum of AWS Config recording EC2 resources in specified region

Deployment

1. Open your web browser and login to your AWS Account.
2. Click this button to launch stack.
3. Fill out parameters

Note: If you want to open the link as a new tab use ctrl+click when clicking the launch Stack button below, or do the two-finger click and select open new tab

AWS CONFIG RECORDER (Prereq)

If you do not have AWS Config setup in your region, then deploy the minimalist AWS Config solution here:

The stack will deploy a simplified version of Config setup to only monitor changes to the EC2 resource type thus reducing costs for testing.

AWS CONFIG CUSTOM MANAGED RULE SOLUTION

Deploy the Config Custom Managed Rule solution for the project: