How To

Get to green with real-time remediation for AWS CIS v3.0.0

Turn your AWS CIS Benchmark green with auto-remediation guardrails to comply with AWS best practice security standards.

Turbot Team
5 min. read - May 15, 2024

In our previous blog post, Real-time AWS v3.0.0 CIS Benchmark assessments, we showed how Turbot Guardrails enables continuous monitoring of your AWS environment against the CIS v3.0.0 Benchmark. Guardrails discovers changes in real-time, instantly evaluates compliance, sends alerts when misconfigurations are detected, and takes quick actions to immediately apply fixes.

But what if you could automatically fix those misconfigurations and maintain a secure and compliant environment without manual intervention? With Turbot Guardrails' auto-remediation policies, you can.

Effortless CIS compliance with auto-remediation

Traditional security incident management relies on manual processes to address misconfigurations identified in periodic assessments. This approach is time-consuming, error-prone, and leaves your environment vulnerable between scans.

Turbot Guardrails takes CIS assessments to the next level with auto-remediation policies. Guardrails detects configuration drift in real-time, evaluates the change for a misconfiguration, and can automatically take action to fix the issue and bring the resource back into compliance with the AWS CIS v3.0.0 Benchmark.

Key benefits of Turbot Guardrails' auto-remediation policies:

  • Continuous compliance: As soon as a misconfiguration is detected, Guardrails automatically remediates the issue, ensuring your environment remains compliant with CIS recommendations at all times.
  • Reduced security operations overhead: Auto-close incidents. Eliminate the need for manual intervention and free up your team to focus on higher-value tasks. Guardrails handles the heavy lifting of maintaining compliance.
  • Customizable policies: Define auto-remediation policies that align with your organization's specific requirements and risk posture. Set different policies for different accounts, regions, resources, or per specific resource configurations. Set time-based exceptions to ignore recommendations per cloud account or per resource when not applicable.
  • Audit trail: Guardrails keeps a detailed record of all auto-remediation actions taken, providing a complete audit trail for compliance reporting and troubleshooting.
  • Comprehensive coverage: Guardrails provides over 10,000 security and operational policies out of the box for AWS, Azure, GCP, Kubernetes and ServiceNow, so you can centralize your security posture management efforts across your entire cloud infrastructure.

How to enable auto-remediation for AWS CIS v3.0.0 using Guardrails

Prerequisite: Install the AWS CIS mods

If you haven't already, install the @turbot/cis and the @turbot/aws-cisv3-0 mods, and enable the AWS > CIS v3.0 policy to Check: All CIS Benchmarks as described in our previous blog post. Installing the CIS mods will also ensure you have the appropriate aws-* dependent mods.

Remediation for a control

You can focus on specific CIS Benchmark recommendations and set policies that map to them. For example, under 2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)', a number of buckets are not meeting the related CIS recommendation.

To remediate, use the following AWS > S3 > Bucket > Public Access Block policies to enforce the bucket settings that block public access:

First, set the AWS > S3 > Bucket > Public Access Block > Settings to block each of the four settings:

Then set the AWS > S3 > Bucket > Public Access Block to Enforce: Per Public Access Block > Settings:

Once the policy is set to enforce, Guardrails will immediately remediate all applicable S3 buckets in scope:

All the buckets were remediated and now the CIS recommendation 2.1.4 is showing 'green' for the controls:

Now that enforcement policies are set, Guardrails will continuously monitor and take action whenever a new bucket is created or an existing bucket is misconfigured.
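The check and fix that this policy pair automates, written out as an added example (not Guardrails code or part of the original post): a bucket's PublicAccessBlockConfiguration is evaluated against the four settings CIS 2.1.4 expects, and the enforcing configuration is built from the same list. The two boto3 helpers assume an S3 client is passed in; the sample bucket configurations are constructed.

```python
from typing import Dict, List, Optional

# The four settings CIS AWS v3.0.0 2.1.4 expects to be enabled on every bucket.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def noncompliant_settings(config: Optional[Dict[str, bool]]) -> List[str]:
    """Return the settings that are not enabled.

    A bucket with no public access block at all (config is None) fails all four.
    """
    if not config:
        return list(REQUIRED_SETTINGS)
    return [name for name in REQUIRED_SETTINGS if not config.get(name, False)]


def desired_settings() -> Dict[str, bool]:
    """The configuration an 'Enforce' policy converges each bucket to."""
    return {name: True for name in REQUIRED_SETTINGS}


def assess_buckets(buckets: Dict[str, Optional[Dict[str, bool]]]) -> Dict[str, List[str]]:
    """Map each bucket name to its list of failing settings (empty list = green)."""
    return {name: noncompliant_settings(cfg) for name, cfg in buckets.items()}


def fetch_public_access_block(s3, bucket: str) -> Optional[Dict[str, bool]]:
    """Read a bucket's block configuration via a boto3 S3 client; None if unset."""
    try:
        return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except s3.exceptions.NoSuchPublicAccessBlockConfiguration:
        return None


def remediate(s3, bucket: str) -> None:
    """Apply the CIS 2.1.4 configuration to one bucket (the 'Enforce' action)."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=desired_settings())


# Constructed sample: one compliant bucket, one partially configured, one with no block.
SAMPLE_BUCKETS = {
    "acme-logs": desired_settings(),
    "acme-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "acme-legacy": None,
}
```

Buckets whose entry in the assessment is an empty list are the ones that show green for 2.1.4; the rest are what an enforce policy would converge.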

Remediation for a CIS section

While you can set your own policies to remediate CIS recommendations, you can also leverage the collection of open-source policy samples available in the Guardrails Samples repository. These policy samples are Smart Folders, which are collections of policies that can be applied to your cloud resources.

For example, in the Acme environment, there are a number of networking resources that don't adhere to the AWS CIS v3.0.0 Section 5 recommendations.

Using the AWS CIS v3.0.0 Section 5 - Networking Smart Folder as an example, we can apply a group of preset policies to cover the Section 5 recommendations.

To apply the Smart Folder policies, you can attach it to any resource. In this case, we attach it to the Acme folder, which contains a few AWS accounts.

Once the Smart Folder is attached, Guardrails will immediately remediate all applicable networking resources in scope:

All the networking resources were remediated and now Section 5 of the CIS Benchmark is showing 'green' for the controls:

See it in action

Level up your compliance game with Guardrails

Take your AWS CIS v3.0.0 Benchmark compliance to the next level with Turbot Guardrails' auto-remediation policies. With continuous monitoring, instant remediation, and detailed audit trails, Guardrails makes it effortless to maintain a secure and compliant cloud environment.

Try it now with a 14-day free trial and see how easy it is to keep your AWS environment aligned with CIS best practices.

Looking for Azure & GCP CIS guardrails? Guardrails also supports auto-remediation policies and covers the latest CIS benchmark assessments for Azure and GCP.