How To

Get to green with real-time remediation for GCP CIS v2.0.0

Turn your GCP CIS Benchmark green with auto-remediation guardrails to comply with GCP best practice security standards.

Turbot Team
5 min. read - Jul 22, 2024

In our previous blog post, Real-time GCP v2.0.0 CIS Benchmark assessments, we showed how Turbot Guardrails enables continuous monitoring of your GCP environment against the CIS v2.0.0 Benchmark. Guardrails discovers changes in real-time, instantly evaluates compliance, sends alerts when misconfigurations are detected, and takes quick actions to immediately apply fixes.

But what if you could automatically fix those misconfigurations and maintain a secure and compliant environment without manual intervention? With Turbot Guardrails' auto-remediation policies, you can.

Effortless CIS compliance with auto-remediation

Traditional security incident management relies on manual processes to address misconfigurations identified in periodic assessments. This approach is time-consuming, error-prone, and leaves your environment vulnerable between scans.

Turbot Guardrails takes CIS assessments to the next level with auto-remediation policies. Guardrails detects configuration drift in real-time, evaluates the change for a misconfiguration, and can automatically take action to fix the issue and bring the resource back into compliance with the GCP CIS v2.0.0 Benchmark.

Key benefits of Turbot Guardrails' auto-remediation policies:

  • Continuous compliance: As soon as a misconfiguration is detected, Guardrails automatically remediates the issue, ensuring your environment remains compliant with CIS recommendations at all times.
  • Reduced security operations overhead: Auto-close incidents. Eliminate the need for manual intervention and free up your team to focus on higher-value tasks. Guardrails handles the heavy lifting of maintaining compliance.
  • Customizable policies: Define auto-remediation policies that align with your organization's specific requirements and risk posture. Set different policies for different accounts, regions, resources, or per specific resource configurations. Set time-based exceptions to ignore recommendations per cloud account or per resource when not applicable.
  • Audit trail: Guardrails keeps a detailed record of all auto-remediation actions taken, providing a complete audit trail for compliance reporting and troubleshooting.
  • Comprehensive coverage: Guardrails provides over 10,000 security and operational policies out of the box for AWS, Azure, GCP, Kubernetes and ServiceNow, so you can centralize your security posture management efforts across your entire cloud infrastructure.

How to enable auto-remediation for GCP CIS v2.0.0 using Guardrails

Prerequisite: Install the GCP CIS mods

If you haven't already, install the @turbot/cis and the @turbot/gcp-cisv2-0 mods, and enable the GCP > CIS v2.0 policy to Check: All CIS Benchmarks as described in our previous blog post. Installing the CIS mods will also ensure you have the appropriate gcp-* dependent mods.

Remediation for a control

You can focus on specific CIS Benchmark recommendations and set policies that map to them. For example, under recommendation 5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled, a number of storage buckets in the environment are not meeting the related CIS recommendation.

To remediate, use the following GCP > Storage > Bucket > Access Control policy to enforce uniform bucket-level access on a bucket:

Once the policy is set to enforce, Guardrails will immediately remediate all applicable GCP storage buckets in scope:

All the buckets were remediated and now the CIS recommendation 5.2 is showing 'green' for the controls:

Now that enforcement policies are set, Guardrails will continuously monitor and take action whenever a new bucket is created or an existing bucket is misconfigured.

Remediation for a CIS section

While you can set your own policies to remediate CIS recommendations, you can also leverage the collection of open-source policy samples available in the Guardrails Samples repository. Included in the repo are Policy Packs, collections of policies that can be applied to your cloud resources. Specifically for GCP CIS v2.0.0, there is a collection of GCP CIS v2.0.0 remediation Policy Packs that can be applied to your Guardrails workspace.

In the Acme environment, there are a number of storage buckets which don't adhere to the broader set of GCP CIS v2.0.0 Section 5 recommendations.

Using GCP CIS v2.0.0 Section 5 - Storage Policy Pack as an example, we can apply a group of preset policies to cover the Section 5 recommendations.

To apply the Policy Pack policies, you can attach the pack to any resource. In this case, we attach it to the Acme folder, which contains a few GCP projects.

Once the Policy Pack is attached, Guardrails will immediately remediate all applicable storage bucket resources in scope:

All the storage bucket resources were remediated and now Section 5 of the CIS Benchmark is showing 'green' for the controls:
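The two workflows above (enforcing uniform bucket-level access for recommendation 5.2 on a single control, and applying a Section 5 Policy Pack to a folder of projects) both come down to the same loop: evaluate each bucket's metadata against a recommendation, and in enforce mode patch the bucket so that a re-check passes. The example below is added here and is not Guardrails code or the Policy Pack's implementation; it models that loop in Python over constructed bucket records shaped like the Cloud Storage JSON API (`iamConfiguration.uniformBucketLevelAccess.enabled` and IAM policy `bindings`). It covers recommendation 5.2 and also 5.1 (no `allUsers`/`allAuthenticatedUsers` grants), which goes slightly beyond the single control the post walks through, and the bucket names and the `check`/`enforce` mode names are assumptions made for the illustration.

```python
"""Evaluate and remediate CIS GCP v2.0.0 Section 5 storage checks on bucket metadata.

Constructed example: the records in SAMPLE_BUCKETS mimic the shape of a
Cloud Storage `buckets.get` response plus the bindings from
`buckets.getIamPolicy`. They are hypothetical, not real buckets.
"""
from copy import deepcopy

# Policy modes modelled on the Check / Enforce settings discussed in the post.
CHECK = "check"
ENFORCE = "enforce"

# Principals that make a bucket anonymously or publicly accessible (CIS 5.1).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample inventory (hypothetical bucket names).
SAMPLE_BUCKETS = [
    {   # compliant with both checks
        "name": "acme-app-logs",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
        "iamPolicy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["group:ops@example.com"]},
        ]},
    },
    {   # fails 5.1 (allUsers) and 5.2 (uniform access off)
        "name": "acme-legacy-uploads",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
        "iamPolicy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ]},
    },
    {   # fails 5.2 only
        "name": "acme-backups",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
        "iamPolicy": {"bindings": []},
    },
]


def check_5_1(bucket):
    """CIS 5.1: no binding may grant access to allUsers / allAuthenticatedUsers."""
    for binding in bucket.get("iamPolicy", {}).get("bindings", []):
        if PUBLIC_MEMBERS & set(binding.get("members", [])):
            return False
    return True


def check_5_2(bucket):
    """CIS 5.2: uniform bucket-level access must be enabled."""
    return bool(bucket.get("iamConfiguration", {})
                .get("uniformBucketLevelAccess", {})
                .get("enabled", False))


def remediate_5_1(bucket):
    """Remove public principals from every binding; drop bindings left empty."""
    bindings = bucket.setdefault("iamPolicy", {}).setdefault("bindings", [])
    kept = []
    for binding in bindings:
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            kept.append({**binding, "members": members})
    bucket["iamPolicy"]["bindings"] = kept


def remediate_5_2(bucket):
    """Enable uniform bucket-level access (the metadata patch an enforce action makes)."""
    bucket.setdefault("iamConfiguration", {}).setdefault(
        "uniformBucketLevelAccess", {})["enabled"] = True


# A "section" is just the set of (check, fix) pairs applied together.
SECTION_5 = {
    "5.1": (check_5_1, remediate_5_1),
    "5.2": (check_5_2, remediate_5_2),
}


def evaluate(buckets, mode=CHECK, controls=SECTION_5):
    """Return {control_id: {"alarm": [names], "remediated": [names]}}.

    CHECK mode only reports failing buckets. ENFORCE mode patches each failing
    bucket in place, re-runs the check to confirm it converged, and reports it
    as remediated. Buckets are never mutated in CHECK mode.
    """
    results = {cid: {"alarm": [], "remediated": []} for cid in controls}
    for bucket in buckets:
        for cid, (check, fix) in controls.items():
            if check(bucket):
                continue
            if mode == ENFORCE:
                fix(bucket)
                assert check(bucket), f"{cid}: remediation of {bucket['name']} did not converge"
                results[cid]["remediated"].append(bucket["name"])
            else:
                results[cid]["alarm"].append(bucket["name"])
    return results


def run_sample(mode=CHECK):
    """Evaluate a copy of the constructed inventory so the sample stays intact."""
    return evaluate(deepcopy(SAMPLE_BUCKETS), mode)


if __name__ == "__main__":
    print("check:  ", run_sample(CHECK))
    print("enforce:", run_sample(ENFORCE))
```

In a real project the `remediate_5_2` patch corresponds to `gcloud storage buckets update gs://BUCKET --uniform-bucket-level-access`, and the converge re-check is the important part: an enforce action that does not leave the resource passing its own check would loop or alarm forever, so the evaluation and the fix should always share the same predicate.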

See it in action

Level up your compliance game with Guardrails

Take your GCP CIS v2.0.0 Benchmark compliance to the next level with Turbot Guardrails' auto-remediation policies. With continuous monitoring, instant remediation, and detailed audit trails, Guardrails makes it effortless to maintain a secure and compliant cloud environment.

Try it now with a 14-day free trial and see how easy it is to keep your GCP environment aligned with CIS best practices.

Looking for AWS & Azure CIS guardrails? Guardrails also supports auto-remediation policies and covers the latest CIS benchmark assessments for AWS and Azure.