Playbooks - AWS Security Hub Automated Response and Remediation

Playbooks

This solution includes the playbook remediations for the security standards defined as part of the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices (AFSBP) v1.0.0, and Payment Card Industry Data Security Standard (PCI DSS) v3.2.1. For more details about the remediations, review the list under each playbook.

CIS v1.2.0 playbook

The CIS v1.2.0 playbook includes the following list of remediations for the Center for Internet Security’s (CIS) Amazon Web Services Foundations benchmarks, version 1.2.0, published May 18, 2018. For more information, refer to the CIS Benchmarks.

  • 1.3 – Ensure access keys are rotated every 90 days or less

  • 1.4 – Ensure credentials unused for 90 days or greater are disabled

    This remediation disables active keys that have not been rotated for more than 90 days. It is disruptive and should be used with caution.

  • 1.5 – Ensure IAM password policy requires at least one uppercase letter

  • 1.6 – Ensure IAM password policy requires at least one lowercase letter

  • 1.7 – Ensure IAM password policy requires at least one symbol

  • 1.8 – Ensure IAM password policy requires at least one number

  • 1.9 – Ensure IAM password policy requires a minimum length of 14 or greater

  • 1.10 – Ensure IAM password policy prevents password reuse

  • 1.11 – Ensure IAM password policy expires passwords within 90 days or less

  • 2.1 – Ensure AWS CloudTrail is enabled in all Regions

  • 2.2 – Ensure AWS CloudTrail log file validation is activated

  • 2.3 – Ensure the S3 bucket CloudTrail logs to is not publicly accessible

  • 2.4 – Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs

  • 2.5 – Ensure AWS Config is turned on

  • 2.6 – Ensure S3 bucket access logging is activated on the CloudTrail S3 bucket

  • 2.7 – Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs

  • 2.8 – Ensure rotation for customer created CMKs is activated

  • 2.9 – Ensure VPC flow logging is activated in all VPCs

    For the following CIS 3.x remediations:

    • You must have a working CloudTrail that delivers logs to CloudWatch Logs

    • The name of that CloudWatch Logs log group must be stored in the AWS Systems Manager Parameter Store parameter Solutions/SO0111/Metrics_LogGroupName

    • The SNS topic SO0111-SHARR_LocalAlarmNotification, which the alarms publish to, must have at least one confirmed subscription

    • If any of these conditions is not met, the AWS Config rule will not change the finding status to PASSED. Even when they are all met, the status change can take up to 12 hours, because the rule re-evaluates on its own schedule.

  • 3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls

  • 3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA

  • 3.3 – Ensure a log metric filter and alarm exist for usage of "root" account

  • 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes

  • 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes

  • 3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

  • 3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

  • 3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes

  • 3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes

  • 3.10 – Ensure a log metric filter and alarm exist for security group changes

  • 3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

  • 3.12 – Ensure a log metric filter and alarm exist for changes to network gateways

  • 3.13 – Ensure a log metric filter and alarm exist for route table changes

  • 3.14 – Ensure a log metric filter and alarm exist for Amazon VPC changes

  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

  • 4.3 – Ensure the default security group of every VPC restricts all traffic
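The CIS 1.3 and 1.4 remediations disable credentials based on the IAM credential report, so it pays to see which credentials would be hit before the playbook runs. The script below is an added illustration, not part of the solution: it applies the two checks to a constructed credential report (same column names as the real report, trimmed to the ones used), with a fixed "now" so the ages are reproducible. The 90-day threshold and the fallback rule for never-used credentials (age them from the creation or rotation date) are assumptions made here to show why 1.4 is disruptive for keys that were provisioned but never exercised.

```python
"""Triage an IAM credential report the way CIS 1.3 / 1.4 reason about it.

CIS 1.3 flags ACTIVE access keys last rotated more than 90 days ago.
CIS 1.4 flags active credentials (console password or access key) that have
not been used for 90 days or more.  With boto3 the report comes from
iam.generate_credential_report() followed by iam.get_credential_report().
"""
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90
# Placeholder values the credential report uses when no timestamp exists.
_NO_VALUE = {"N/A", "no_information", "not_supported", ""}

# Constructed sample (not a real report), trimmed to the columns used here.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,true,2024-04-01T00:00:00+00:00,2024-05-19T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-01T00:00:00+00:00,false,N/A,true,2023-11-01T00:00:00+00:00,2024-05-18T00:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,2022-06-01T00:00:00+00:00,true,2024-01-05T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,no_information,false,N/A,N/A
dave,arn:aws:iam::111122223333:user/dave,2024-02-01T00:00:00+00:00,false,N/A,true,2024-02-01T00:00:00+00:00,no_information,false,N/A,N/A
"""

# Fixed "now" so the sample ages are reproducible (assumption for the demo).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _age_days(value, now):
    """Days between a report timestamp and now, or None for placeholder values."""
    if value in _NO_VALUE:
        return None
    return (now - datetime.fromisoformat(value)).days


def stale_keys(report_csv, now=NOW, max_age=MAX_AGE_DAYS):
    """CIS 1.3: active access keys last rotated more than max_age days ago."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_age:
                findings.append((row["user"], f"access_key_{n}", age))
    return findings


def unused_credentials(report_csv, now=NOW, max_age=MAX_AGE_DAYS):
    """CIS 1.4: active credentials not used for max_age days or more.

    A credential that was never used is aged from its creation (password) or
    last rotation (key) date, which is what makes the remediation disruptive
    for credentials that were provisioned but never exercised.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":
            age = _age_days(row["password_last_used"], now)
            if age is None:
                age = _age_days(row["user_creation_time"], now)
            if age is not None and age >= max_age:
                findings.append((row["user"], "password", age))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if age is None:
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age >= max_age:
                findings.append((row["user"], f"access_key_{n}", age))
    return findings


if __name__ == "__main__":
    print("CIS 1.3 (rotation):", stale_keys(SAMPLE_REPORT))
    print("CIS 1.4 (unused):", unused_credentials(SAMPLE_REPORT))
```

Note that dave's key shows up under both checks even though it has never been used: 1.3 will disable it because it is old, and 1.4 will disable it because nothing has ever used it. Review both lists with the key owners before enabling the remediations.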

AWS Foundational Security Best Practices v1.0.0 playbook

The AWS Foundational Security Best Practices security standard implements security controls that detect when your AWS accounts and deployed resources do not align with the security best practices defined by AWS security experts, which allows you to monitor your own security posture and confirm that you are following AWS security best practices. These controls closely align with the Top 10 Security Best Practices outlined by AWS Chief Information Security Officer Stephen Schmidt at AWS re:Invent 2019. For more details, review the following list of remediations.

  • Autoscaling.1 - Auto Scaling groups associated with a load balancer should use load balancer health checks

    Actions: Enables ELB Health Checks on the AutoScaling Group that is the subject of the finding

  • CloudTrail.1 – CloudTrail should be activated and configured with at least one multi-Region trail

    The CloudTrail.1 remediation creates a new, multi-Region CloudTrail in the Security Hub Admin account’s Region. Any existing CloudTrail will not be modified. This might result in duplicate logging, which can drive additional costs in the AWS account. If you have more than one CloudTrail, you should take steps to consolidate them to prevent the additional costs.

    Actions: creates a KMS CMK-encrypted, multi-Region CloudTrail in the Security Hub Admin account’s Region. The new trail logs to an encrypted S3 bucket, so0111-aws-cloudtrail-<accountid>. Access logs for the CloudTrail bucket are logged to so0111-access-logs-<region>-<accountid>. Both buckets have public access blocked.

  • CloudTrail.2 – CloudTrail should have encryption at-rest activated

    Actions: Enables KMS CMK encryption on the CloudTrail logs

  • Config.1 – AWS Config should be activated

    The Config.1 remediation creates a set of resources using reasonable defaults and resource names that are logical and can be easily related to the solution. You can also reconfigure AWS Config to use your own established buckets.

    Actions: Creates the resources listed below and enables AWS Config with them.

    The S3 buckets for AWS Config and for access logging of the AWS Config bucket use AES-256 server-side encryption. These buckets are created per Region, per account to avoid inter-Region data transfer. You can also reconfigure AWS Config to use your own centralized logging buckets.

    • AWS Config bucket: so0111-aws-config-<region>-<accountid>

    • Access logging bucket: so0111-access-logs-<region>-<accountid>

    • Service-linked role: AWSServiceRoleForConfig

  • EC2.1 - Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

    Actions: This is an account-level finding; the runbook makes all EBS snapshots in the account private

  • EC2.2 - The VPC default security group should not allow inbound and outbound traffic

    Actions: Removes ALL TRAFFIC inbound and outbound rules on the default Security Group that is the subject of the finding

  • EC2.6 - VPC flow logging should be enabled in all VPCs

    Actions: Enables VPC Flow Logs for the Amazon VPC in the finding

  • EC2.7 - EBS default encryption should be activated

    Actions: Enables EBS encryption as the account-wide default

  • IAM.7 - Password policies for IAM users should have strong configurations

    Actions: Sets default password policy for the account in the finding.

  • IAM.8 - Unused IAM user credentials should be removed

    Actions: Disables credentials unused for more than 90 days.

  • Lambda.1 - Lambda function policies should prohibit public access

    Actions: Removes any Resource Policy statement with “Principal: *” from the Lambda that is the subject of the finding

  • RDS.1 - RDS snapshots should be private

    Actions: Removes public sharing for the RDS snapshot (cluster or database) that is the subject of the finding

  • RDS.6 - Enhanced monitoring should be configured for RDS DB instances and clusters

    Actions: Enables enhanced monitoring for the RDS cluster

  • RDS.7 - RDS clusters should have deletion protection activated

    Actions: Enables deletion protection for the RDS database

  • S3.1 - S3 Block Public Access setting should be turned on

    Actions: Establishes S3 public access blocks by default at the account level

  • S3.2 - S3 buckets should prohibit public read access

  • S3.3 - S3 buckets should prohibit public write access

    Actions: Blocks public read and write access to the bucket in the finding

  • S3.5 - S3 buckets should require requests to use Secure Socket Layer

    Actions: Adds an explicit deny statement to the bucket policy that rejects any request not made over TLS (aws:SecureTransport is false)

Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 playbook

The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This AWS Security Hub standard automatically checks your compliance readiness against a subset of PCI DSS requirements. The PCI DSS playbook allows you to perform automated remediation of findings for the following controls.

  • Autoscaling.1 - Auto Scaling groups associated with a load balancer should use load balancer health checks

    Actions: Enables ELB Health Checks on the AutoScaling Group that is the subject of the finding

  • CloudTrail.1 – CloudTrail logs should be encrypted at rest using AWS KMS CMKs

    Actions: Applies encryption to the finding’s CloudTrail using an AWS KMS customer-managed key. The key ID can be obtained from AWS Systems Manager parameter /Solutions/SO0111/CMK_REMEDIATION_ARN (refer to AWS Systems Manager Parameter Store). This key is unique for each Member account.

  • CloudTrail.2 – CloudTrail should be enabled

    The CloudTrail.2 remediation creates a new, multi-Region CloudTrail in the Security Hub Admin account’s Region. Any existing CloudTrail will not be modified. This might result in duplicate logging, which can drive additional costs in the AWS account. If you have more than one CloudTrail, you should take steps to consolidate them to prevent the additional costs.

    Actions: Creates a KMS CMK-encrypted, multi-Region CloudTrail in the Security Hub Admin account’s Region. The new trail logs to an encrypted S3 bucket, so0111-aws-cloudtrail-<accountid>. Access logs for the CloudTrail bucket are logged to so0111-access-logs-<region>-<accountid>. Both buckets have public access blocked.

  • CloudTrail.3 – CloudTrail log file validation should be enabled

    Actions: Enables CloudTrail log file validation for the CloudTrail in the finding

  • CloudTrail.4 – CloudTrail trails should be integrated with CloudWatch Logs

    Actions: Configures CloudTrail to write logs to CloudWatch Logs

  • Config.1 – AWS Config should be activated

    The Config.1 remediation creates a set of resources using reasonable defaults and resource names that are logical and can be easily related to the solution. You can also reconfigure AWS Config to use your own established buckets.

    Actions: Creates the resources listed below and enables AWS Config with them.

    The S3 buckets for AWS Config and for access logging of the AWS Config bucket use AES-256 server-side encryption. These buckets are created per Region, per account to avoid inter-Region data transfer. You can also reconfigure AWS Config to use your own centralized logging buckets.

    • AWS Config bucket: so0111-aws-config-<region>-<accountid>

    • Access logging bucket: so0111-access-logs-<region>-<accountid>

    • Service-linked role: AWSServiceRoleForConfig

  • CW.1 – A log metric filter and alarm should exist for usage of the “root” user

    Actions: Creates a log metric that counts and alarms on use of the “root” IAM account

  • EC2.1 - Amazon EBS snapshots should not be publicly restorable

    Actions: This is an account-level finding; the runbook makes all EBS snapshots in the account private

  • EC2.2 - VPC default security group should prohibit inbound and outbound traffic

    Actions: Removes ALL TRAFFIC inbound and outbound rules on the default Security Group that is the subject of the finding

  • EC2.6 - VPC flow logging should be enabled in all VPCs

    Actions: Enables VPC Flow Logs for the Amazon VPC in the finding

  • IAM.7 - IAM user credentials should be disabled if not used within a predefined number of days

    Actions: Disables credentials unused for more than 90 days.

  • IAM.8 - Password policies for IAM users should have strong configurations

    Actions: Sets default password policy for the account in the finding.

  • Lambda.1 - Lambda functions should prohibit public access

    Actions: Removes any Resource Policy statement with “Principal: *” from the Lambda that is the subject of the finding

  • RDS.1 - RDS snapshots should prohibit public access

    Actions: Removes public sharing for the RDS snapshot (cluster or database) that is the subject of the finding

  • S3.1 - S3 buckets should prohibit public write access

  • S3.2 - S3 buckets should prohibit public read access

    Actions: Blocks public read and write access to the bucket in the finding

  • S3.5 - S3 buckets should require requests to use Secure Socket Layer

    Actions: Adds an explicit deny statement to the bucket policy that rejects any request not made over TLS (aws:SecureTransport is false)

  • S3.6 - S3 Block Public Access setting should be turned on

    Actions: Establishes S3 public access blocks by default at the account level
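The Lambda.1 remediation in both the AFSBP and PCI DSS playbooks removes every resource-policy statement whose principal is the wildcard. The script below is an added illustration, not the solution's runbook: it shows the two spellings of a public principal that such a check has to recognize ("*" and {"AWS": "*"}), and it drives the real Lambda API call (remove_permission per statement ID) through a stand-in client so it runs offline. The policy document and function name are constructed for the example. One caveat worth seeing in the output: a wildcard statement scoped by a Condition (such as an API Gateway SourceArn) is still removed, because that is what the description above says the playbook does, so review the flagged statements before letting the remediation run against a function fronted by API Gateway or another service that relies on such a grant.

```python
"""Lambda.1 style remediation: drop resource-policy statements whose
Principal is the wildcard.  lambda.get_policy() returns the policy as a JSON
string; each statement is removed with lambda.remove_permission(StatementId=...).
"""
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"  # constructed

# Constructed sample policy (not from a real account).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "public-invoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "any-aws-account", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        # Wildcard principal narrowed by a Condition: still removed by the playbook.
        {"Sid": "apigw-scoped", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:execute-api:us-east-1:111122223333:abc123/*"}}},
        {"Sid": "same-account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "service", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    ],
})


def is_wildcard_principal(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return [(sid, has_condition)] for every Allow statement open to the world."""
    doc = json.loads(policy_json)
    found = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            found.append((stmt["Sid"], "Condition" in stmt))
    return found


def remediate(lambda_client, function_name, policy_json):
    """Remove each public statement via the Lambda API; returns the Sids removed."""
    removed = []
    for sid, _has_condition in public_statements(policy_json):
        lambda_client.remove_permission(FunctionName=function_name, StatementId=sid)
        removed.append(sid)
    return removed


class FakeLambdaClient:
    """Stand-in for boto3.client("lambda") so the example runs offline; records calls."""
    def __init__(self):
        self.calls = []

    def remove_permission(self, **kwargs):
        self.calls.append(kwargs)


def run_demo():
    """Drive the remediation against the sample; returns (removed sids, API calls made)."""
    # With boto3: client = boto3.client("lambda")
    #             policy = client.get_policy(FunctionName="demo")["Policy"]
    client = FakeLambdaClient()
    removed = remediate(client, "demo", SAMPLE_POLICY)
    return removed, client.calls


if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("removed:", run_demo()[0])
```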
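The S3.5 remediation in both playbooks adds a deny for non-TLS requests to the bucket policy. The script below is an added illustration, not the solution's runbook: it builds that statement, merges it into an existing policy without disturbing the statements already there, and checks whether a policy already enforces TLS. The bucket name, the existing sample policy and the statement Sid are constructed for the example. The sample deliberately contains the common half-fix, a deny whose Resource covers only the objects (arn:aws:s3:::bucket/*), which leaves bucket-level calls such as ListBucket reachable over plain HTTP; the check treats that as not compliant and the merge adds a statement covering both the bucket and its objects.

```python
"""S3.5 style remediation: explicit Deny for requests with aws:SecureTransport = false.

Parsed policy in, parsed policy out; with boto3 the round trip is
    policy = json.loads(s3.get_bucket_policy(Bucket=b)["Policy"])   # NoSuchBucketPolicy -> None
    s3.put_bucket_policy(Bucket=b, Policy=json.dumps(add_ssl_only_deny(policy, b)))
"""
import json

SID = "AllowSSLRequestsOnly"          # Sid chosen for this example
SAMPLE_BUCKET = "so0111-example-bucket"  # constructed bucket name

# Constructed sample policy (not from a real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowLogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*"},
        # Half-fix: only objects are covered, so plain-HTTP ListBucket still works.
        {"Sid": "ObjectsOnlyDeny", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def ssl_only_statement(bucket):
    """The deny statement the remediation adds: covers the bucket and every object in it."""
    return {
        "Sid": SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def enforces_tls(policy, bucket):
    """True if some Deny rejects non-TLS requests for all actions on the bucket AND its objects."""
    if not policy:
        return False
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        flag = str(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower()
        if stmt.get("Effect") != "Deny" or flag != "false":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = _as_list(stmt.get("Action", []))
        if "s3:*" not in actions and "*" not in actions:
            continue
        if wanted <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False


def add_ssl_only_deny(policy, bucket):
    """Return a policy that enforces TLS; returns the input unchanged if it already does.

    `policy` is the parsed bucket policy, or None when the bucket has none.
    The input is not mutated, so the caller can diff old and new before writing.
    """
    if enforces_tls(policy, bucket):
        return policy
    doc = json.loads(json.dumps(policy)) if policy else {"Version": "2012-10-17", "Statement": []}
    doc["Statement"] = _as_list(doc.get("Statement", []))
    stmt = ssl_only_statement(bucket)
    if any(s.get("Sid") == SID for s in doc["Statement"]):
        stmt["Sid"] = SID + "-2"  # S3 rejects a policy with duplicate Sids
    doc["Statement"].append(stmt)
    return doc


if __name__ == "__main__":
    print("before:", enforces_tls(SAMPLE_POLICY, SAMPLE_BUCKET))
    fixed = add_ssl_only_deny(SAMPLE_POLICY, SAMPLE_BUCKET)
    print("after:", enforces_tls(fixed, SAMPLE_BUCKET))
    print(json.dumps(fixed, indent=2))
```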
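PCI CW.1 above and CIS 3.3 in the first playbook both create a metric filter and alarm for use of the root account, and the CIS 3.x prerequisites note that the filter is attached to the CloudWatch Logs group named in Solutions/SO0111/Metrics_LogGroupName. The script below is an added illustration, not the solution's runbook: it carries the CIS-recommended filter pattern, re-implements its three conditions in Python so you can run them over CloudTrail records and see exactly which events would increment the metric, and shows the shape of the put_metric_filter call that installs it. The CloudTrail records are constructed for the example, and the metric name and namespace are choices made here.

```python
"""CIS 3.3 / PCI CW.1: what the root-account-usage metric filter matches.

The pattern is the CIS-recommended one.  match_root_usage() mirrors it so you
can test CloudTrail records offline before trusting the alarm.
"""
import json

ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" '
    '&& $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Constructed CloudTrail records (not real events), trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    {"eventID": "1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventID": "2", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Root identity used by an AWS service on the account's behalf: excluded by invokedBy.
    {"eventID": "3", "eventName": "StartLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    # Service-originated event attributed to root: excluded by eventType.
    {"eventID": "4", "eventName": "CreateKey", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root"}},
    {"eventID": "5", "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
]


def match_root_usage(event):
    """True when the record would be counted by ROOT_USAGE_FILTER_PATTERN."""
    ident = event.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident              # $.userIdentity.invokedBy NOT EXISTS
        and event.get("eventType") != "AwsServiceEvent"
    )


def matching_event_ids(events):
    """eventIDs that would increment the metric; the alarm fires on Sum >= 1 per period."""
    return [e["eventID"] for e in events if match_root_usage(e)]


def alarm_should_fire(events, threshold=1):
    return len(matching_event_ids(events)) >= threshold


def metric_filter_request(log_group, metric_name="RootAccountUsage", namespace="LogMetrics"):
    """kwargs for logs.put_metric_filter(); log_group is the group named in the
    Solutions/SO0111/Metrics_LogGroupName parameter (metric name/namespace chosen here)."""
    return {
        "logGroupName": log_group,
        "filterName": metric_name,
        "filterPattern": ROOT_USAGE_FILTER_PATTERN,
        "metricTransformations": [
            {"metricName": metric_name, "metricNamespace": namespace, "metricValue": "1"}
        ],
    }


def load_cloudtrail_records(path):
    """Read a CloudTrail delivery file ({"Records": [...]}); use gzip.open for .gz files."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    print("counted events:", matching_event_ids(SAMPLE_EVENTS))
    print("alarm fires:", alarm_should_fire(SAMPLE_EVENTS))
    print(json.dumps(metric_filter_request("/aws/cloudtrail/example"), indent=2))
```

Events 3 and 4 are the ones people trip over when validating the alarm: both carry a Root identity, yet neither should page anyone, which is why the pattern has the invokedBy and eventType clauses and why a simpler `$.userIdentity.type = "Root"` filter is noisier than the CIS one.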