Automatically remediate misconfiguration and public exposures in your cloud environment.
Radware CNP automated remediation allows you to automatically remediate security findings that the system generates using serverless functions in your cloud environment.
You can create remediation rules with specific configurations to resolve various issues such as public exposures or misconfigurations.
Once the system identifies an exposure or a misconfiguration warning in one of your onboarded cloud accounts, CNP executes the appropriate remediation rule to resolve the issue.
You can choose to enable automated remediation on any of your onboarded accounts.
Initially, you need to set up your primary account which is the account that the AWS Lambda function resides in.
This is the account that CNP interacts with through the cross-account role and assumes the cross-account roles in the secondary accounts, and thus be able to perform the actions on their resources.
After the setup of the primary account, if needed, you can set up additional onboarded accounts by following the secondary account setup.
Once you complete setting up the account you wish to perform automated remediation on, you need to create remediation rules in the CNP portal.
Remediation rules define what and how you want to rectify or remediate security issues.
For example, you can choose to remediate publicly exposed RDS databases in a specific account and specific VPC by using a remediation action that disables the database's publicly accessible flag.
When a new exposure or misconfiguration is detected, CNP evaluates the remediation rules configuration, and if a relevant remediation rule is found, it invokes the Lambda function which runs the applicable remediation action on the entity.
You can review the results of the remediation in the warning itself or the audit section of the module.
You perform primary account setup only once on the account you want the Lambda function to run on.
This setup runs a cloud formation stack that does the following:
- Create the automated remediation Lambda function.
- Create an IAM role which the Lambda function uses.
- Create an IAM policy with the needed permissions to run the remediation actions and attach it to the Lambda role.
- Create a cross-account role which CNP can assume to invoke the Lambda function.
Setup steps:
- Click the
button and change the AWS region to where you want to deploy the Lambda code.
- Fill in the ExternalID parameter which you can take from the CNP portal.
- Under the Capabilities and transforms section, click the following checkboxes:
- I acknowledge that AWS CloudFormation might create IAM resources.
- I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.
- Click on Create stack.
- Once you created a stack, click the Outputs tab and extract the values of the fields, CrossAccountRoleARN and LambdaARN.
- Go back to the CNP portal, and fill in the cross-account role ARN and Lambda ARN to complete the setup of the primary account.
You perform secondary account setup on any additional accounts you wish to perform automated remediation on.
This setup runs a cloud formation stack that does the following:
- Create a cross-account role that can be assumed by the Lambda function which is deployed in the primary account.
- Create an IAM policy with the needed permissions to run the remediation actions and attach it to the cross-account role.
Setup steps:
- Click the
- Fill in the PrimaryAWSAccountID parameter with the AWS account ID on which you performed the primary account setup.
- Under the Capabilities section, click the I acknowledge that AWS CloudFormation might create IAM resources with custom names. checkbox.
- Click on Create stack.
- Once you created a stack, you completed the necessary account setup.
Radware CNP automatically detects that you completed the setup for this account and allows you to create remediation rules on it.
Please note that it might take up to an hour to recognize the setup.
This project is licensed under the MIT License.