Get to green with real-time remediation for AWS CIS v3.0.0

Turn your AWS CIS Benchmark green with auto-remediation guardrails to comply with AWS best practice security standards.

Turbot Team
5 min. read - May 15, 2024

In our previous blog post, Real-time AWS v3.0.0 CIS Benchmark assessments, we showed how Turbot Guardrails enables continuous monitoring of your AWS environment against the CIS v3.0.0 Benchmark. Guardrails discovers changes in real time, evaluates compliance instantly, sends alerts when misconfigurations are detected, and can act immediately to apply fixes.

But what if you could automatically fix those misconfigurations and maintain a secure and compliant environment without manual intervention? With Turbot Guardrails' auto-remediation policies, you can.

Effortless CIS compliance with auto-remediation

Traditional security incident management relies on manual processes to address misconfigurations identified in periodic assessments. This approach is time-consuming, error-prone, and leaves your environment vulnerable between scans.

Turbot Guardrails takes CIS assessments to the next level with auto-remediation policies. Guardrails detects configuration drift in real time, evaluates the change for a misconfiguration, and can automatically take action to fix the issue and bring the resource back into compliance with the AWS CIS v3.0.0 Benchmark.

Key benefits of Turbot Guardrails' auto-remediation policies:

  • Continuous compliance: As soon as a misconfiguration is detected, Guardrails automatically remediates the issue, ensuring your environment remains compliant with CIS recommendations at all times.
  • Reduced security operations overhead: Auto-close incidents. Eliminate the need for manual intervention and free up your team to focus on higher-value tasks. Guardrails handles the heavy lifting of maintaining compliance.
  • Customizable policies: Define auto-remediation policies that align with your organization's specific requirements and risk posture. Set different policies for different accounts, regions, resources, or per specific resource configurations. Set time-based exceptions to ignore recommendations per account or per resource when not applicable.
  • Audit trail: Guardrails keeps a detailed record of all auto-remediation actions taken, providing a complete audit trail for compliance reporting and troubleshooting.
  • Comprehensive coverage: Guardrails provides more than 9,000 security and operational policies out of the box for AWS, Azure, GCP, Kubernetes and ServiceNow, so you can centralize your security posture management efforts across your entire cloud infrastructure.

How to enable auto-remediation for AWS CIS v3.0.0 using Guardrails

Prerequisite: Install the AWS CIS mods

If you haven't already, install the @turbot/cis and @turbot/aws-cisv3-0 mods, and set the AWS > CIS v3.0 policy to Check: All CIS Benchmarks as described in our previous blog post. Installing the CIS mods also ensures you have the aws-* mods they depend on.

Remediation for a control

You can focus on specific CIS Benchmark recommendations and set policies that map to them. For example, under 2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)', a number of buckets are not meeting the recommendation.

[Screenshot: Guardrails CIS section AWS v3 2.1.4]

To remediate, use the following AWS > S3 > Bucket > Public Access Block policies to enforce the bucket settings that block public access:

First, set AWS > S3 > Bucket > Public Access Block > Settings to enable all four block settings:

[Screenshot: Guardrails CIS remediation policy settings for section AWS v3 2.1.4]

Then set AWS > S3 > Bucket > Public Access Block to Enforce: Per Public Access Block > Settings:

[Screenshot: Guardrails CIS remediation policy enforcement for section AWS v3 2.1.4]

Once the policy is set to enforce, Guardrails will immediately remediate all applicable S3 buckets in scope:

[Screenshot: Guardrails CIS remediation activity for section AWS v3 2.1.4]

All the buckets were remediated, and CIS recommendation 2.1.4 now shows 'green' for the controls:

[Screenshot: Guardrails CIS now green for section AWS v3 2.1.4]

Now that enforcement policies are set, Guardrails will continuously monitor and take action whenever a new bucket is created or an existing bucket is misconfigured.
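What the 2.1.4 check-then-enforce flow does at the bucket level, as an added example that is not Turbot's or Guardrails' code: a bucket's PublicAccessBlockConfiguration is evaluated against the four required settings, and only non-compliant buckets get all four enabled. The FakeS3 client is a constructed stand-in for a boto3 S3 client (same method names and shapes) so the example runs offline; with boto3 the "no configuration" case surfaces as a ClientError with code NoSuchPublicAccessBlockConfiguration.

```python
from dataclasses import dataclass, field
from typing import Optional

# The four settings CIS v3.0.0 control 2.1.4 requires to be enabled on every bucket.
REQUIRED = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


class NoSuchPublicAccessBlockConfiguration(Exception):
    """Raised by the fake client when a bucket has no block configuration at all."""


def evaluate(config: Optional[dict]) -> dict:
    """Map each required setting to whether it is enabled. A bucket with no
    configuration (None) is treated as having all four settings off."""
    config = config or {}
    return {name: bool(config.get(name, False)) for name in REQUIRED}


def is_compliant(config: Optional[dict]) -> bool:
    """2.1.4 is satisfied only when all four settings are on; a partial block fails."""
    return all(evaluate(config).values())


@dataclass
class FakeS3:
    """Constructed stand-in for boto3's S3 client: per-bucket settings plus a call log."""
    buckets: dict = field(default_factory=dict)
    calls: list = field(default_factory=list)

    def get_public_access_block(self, Bucket):
        if Bucket not in self.buckets:
            raise NoSuchPublicAccessBlockConfiguration(Bucket)
        return {"PublicAccessBlockConfiguration": dict(self.buckets[Bucket])}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.buckets[Bucket] = dict(PublicAccessBlockConfiguration)
        self.calls.append(Bucket)


def remediate(s3, bucket: str) -> dict:
    """Check the bucket, enforce the block settings only if needed, and report
    which settings were turned on (empty list means it was already compliant)."""
    try:
        current = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except NoSuchPublicAccessBlockConfiguration:
        current = None  # never configured: every setting counts as off
    missing = sorted(name for name, ok in evaluate(current).items() if not ok)
    if missing:
        # Enforce all four together so the bucket lands in a fully compliant state.
        s3.put_public_access_block(Bucket=bucket,
                                   PublicAccessBlockConfiguration={n: True for n in REQUIRED})
    return {"bucket": bucket, "was_compliant": not missing, "fixed": missing}
```

Feeding the same client a second time performs no write, which is the behaviour you want from a continuously running enforcement policy.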

Remediation for a CIS section

While you can set your own policies to remediate CIS recommendations, you can also leverage the collection of open-source policy samples available in the Guardrails Samples repository. These policy samples are Smart Folders.

[Screenshot: Guardrails CIS Remediation Smart Folders]

In the Acme environment, there are a number of networking resources which don't adhere to the AWS CIS v3.0.0 Section 5 recommendations.

[Screenshot: Guardrails CIS Remediation Section 5 Alerts]

Using the AWS CIS v3.0.0 Section 5 - Networking Smart Folder as an example, we can apply a group of preset policies that cover the Section 5 recommendations.

[Screenshot: Guardrails CIS Remediation Section 5 Smart Folder]

To apply the Smart Folder policies, attach the Smart Folder to any resource. In this case we attach it to the Acme folder, which contains a few AWS accounts.

[Screenshot: Guardrails CIS Remediation Smart Folder Attachment]

Once the Smart Folder is attached, Guardrails will immediately remediate all applicable networking resources in scope:

[Screenshot: Guardrails CIS remediation activity for section 5 of AWS v3.0.0]

All the networking resources were remediated, and Section 5 of the CIS Benchmark now shows 'green' for the controls:

[Screenshot: Guardrails CIS now green for section 5 of AWS v3.0.0]

Level up your compliance game with Guardrails

Take your AWS CIS v3.0.0 Benchmark compliance to the next level with Turbot Guardrails' auto-remediation policies. With continuous monitoring, instant remediation, and detailed audit trails, Guardrails makes it effortless to maintain a secure and compliant cloud environment.

Try it now with a 14-day free trial and see how easy it is to keep your AWS environment aligned with CIS best practices.

Looking for Azure & GCP CIS guardrails? Guardrails also supports auto-remediation policies and covers the latest CIS benchmark assessments for Azure and GCP.