Setting Up AWS One-Click Remediation

One-Click Remediation allows you to easily remediate some failed findings without having to follow the remediation steps. This saves you time and reduces the chance of human error.

Remediation Onboarding

new scan group

1. Go to Organization Settings

2. Go to Scans.

3. Click Manage beside the scan group you want to edit.

For a new scan action:

Note: Login to the AWS account you want to add to add a scan for.

Add account

  1. Click Add Account.
  2. Follow the instructions on Getting Started with Warden to add the Warden Scanner role.
  3. Proceed to Adding the Warden Remediation Role.

For an existing scan action:

Edit scsn

1. Click Edit beside the account you want to set up One-Click Remediation for.

15

2. Click on Set up / Update Remediate Role ARN.

3. Proceed to Adding the Warden Remediation Role and follow the instructions in that section.

4. Click Update Account.

Adding the Warden Remediation Role (AWS)

  • Do not close the creation screen during the AWS installation.
  • Login to your AWS Account in another browser window. 
  • Make sure the AWS account you are logging in from has Administrator access

CloudFormation Setup (Recommended)

16

1. Click Launch CloudFormation Stack.

17

2. Check "I acknowledge that AWS CloudFormation might create IAM resources." and click Create

3. Once the CloudFormation Stack is "CREATE_COMPLETE", copy "HorangiWardenRemediationRoleARN" from the Outputs tab.

26

4. Go back to Storyfier and paste the Role ARN you just copied in the Paste Role ARN here text box.

5. Click Add.

Manual Setup (for Advanced Users)

For the extra cautious and tinkerers, you can adjust and limit to what degree you want Warden to remediate your AWS cloud assets. The choice is yours.

22

1. Access the IAM Roles section and Create policy.

2. Select the JSON tab

3. Fill in the text editor with the following:

{

  "Version": "2012-10-17",

  "Statement": [

    {

        "Sid": "AllowWardenRemediation",

        "Effect": "Allow",

        "Action": [

            "cloudtrail:AddTags",

            "cloudtrail:CreateTrail",

            "cloudtrail:DescribeTrails",

            "cloudtrail:GetEventSelectors",

            "cloudtrail:GetTrail",

            "cloudtrail:GetTrailStatus",

            "cloudtrail:PutEventSelectors",

            "cloudtrail:StartLogging",

            "cloudwatch:DescribeAlarms",

            "cloudwatch:DescribeAlarmsForMetric",

            "cloudwatch:EnableAlarmActions",

            "cloudwatch:PutMetricAlarm",

            "ec2:CopyImage",

            "ec2:CreateFlowLogs",

            "ec2:DescribeFlowLogs",

            "ec2:DescribeImages",

            "ec2:DescribeSnapshotAttribute",

            "ec2:DescribeSnapshots",

            "ec2:ModifyImageAttribute",

            "ec2:ModifySnapshotAttribute",

            "elasticloadbalancing:DescribeLoadBalancerAttributes",

            "elasticloadbalancing:DescribeLoadBalancers",

            "elasticloadbalancing:ModifyLoadBalancerAttributes",

            "iam:CreateRole",

            "iam:DeactivateMFADevice",

            "iam:DeleteAccessKey",

            "iam:DeleteLoginProfile",

            "iam:DeleteServiceSpecificCredential",

            "iam:DeleteSigningCertificate",

            "iam:DeleteSSHPublicKey",

            "iam:DeleteUser",

            "iam:DeleteUserPolicy",

            "iam:DeleteVirtualMFADevice",

            "iam:DetachUserPolicy",

            "iam:GetAccessKeyLastUsed",

            "iam:GetAccountPasswordPolicy",

            "iam:GetLoginProfile",

            "iam:GetRole",

            "iam:GetUser",

            "iam:ListAccessKeys",

            "iam:ListAttachedUserPolicies",

            "iam:ListGroupsForUser",

            "iam:ListMFADevices",

            "iam:ListServiceSpecificCredentials",

            "iam:ListSigningCertificates",

            "iam:ListSSHPublicKeys",

            "iam:ListUserPolicies",

            "iam:PutRolePolicy",

            "iam:RemoveUserFromGroup",

            "iam:UpdateAccountPasswordPolicy",

            "kinesis:DescribeStream",

            "kinesis:StartStreamEncryption",

            "kms:DescribeKey",

            "kms:EnableKeyRotation",

            "kms:GetKeyRotationStatus",

            "logs:CreateLogGroup",

            "logs:DescribeLogGroups",

            "logs:DescribeMetricFilters",

            "logs:PutMetricFilter",

            "rds:DescribeDBInstances",

            "rds:DescribeDBSnapshotAttributes",

            "rds:DescribeDBSnapshots",

            "rds:ModifyDBInstance",

            "rds:ModifyDBSnapshotAttribute",

            "s3:CreateBucket",

            "s3:GetBucketAcl",

            "s3:GetBucketLocation",

            "s3:GetBucketPolicy",

            "s3:GetEncryptionConfiguration",

            "s3:ListBucket",

            "s3:PutBucketAcl",

            "s3:PutBucketLogging",

            "s3:PutBucketPolicy",

            "s3:PutBucketTagging",

            "s3:PutEncryptionConfiguration",

            "sns:CreateTopic",

            "sns:GetTopicAttributes",

            "sns:ListSubscriptions",

            "sns:ListSubscriptionsByTopic",

            "sns:SetTopicAttributes",

            "sns:Subscribe",

            "sns:TagResource",

            "sqs:GetQueueAttributes",

            "sqs:GetQueueUrl",

            "sqs:SetQueueAttributes"

        ],

        "Resource": "*"

    }

  ]

}

4. Click on Review Policy.

21

5. Under Review Policy, Enter "horangi-warden-remediation-policy" for Name

6. Click Create Policy.

22

7. Access the IAM Roles section and Create role.

23

8. When prompted for the trusted entity type, select Another AWS Account.

9. Enter Horangi's AWS Account Number 396286753434 for the Account ID to trust.

10. Check Require external ID and enter the unique External ID displayed on Step 6 of the step-by-step guide.

11. Do not check Require MFA.

12. Click Next: Permissions.

24

13. Select the "horangi-warden-remediation-policy" IAM policy.

14. Click Next: Tags.

15. Click Next: Review.

16. After the role has been created, go to the role's page here.

25

 

17. Click on the field Maximum CLI/API session duration and change the value from 1 hour to 4 hours.

18. Save your changes.

19. Copy the Role ARN.

26

20. Go back to Storyfier and paste the Role ARN you just copied in the Paste Role ARN here text box.

21. Click Add.