McAfee Enterprise MVISION Cloud

Auto-Remediation of AWS Incidents

Auto-remediation is a triggered response to a policy violation, and it applies to AWS issues. It is an automated approach to security that applies the appropriate response to a vulnerability in your S3 deployment. It ensures a high level of functionality by continuously monitoring risks and automating issue remediation. When a policy violation occurs, this instant remediation reduces the window of malicious opportunity.

NOTE: MVISION Cloud requires write/update permissions in AWS to implement Auto-remediation.

Supported Remediation Actions

These are the supported remediation actions for AWS. 

Email Notification

  Policy Templates:
  • All AWS policy templates

Enable AES 256 Encryption

  Policy Templates:
  • Unencrypted S3 Buckets

  Permissions Required:
  • "s3:PutEncryptionConfiguration"

Remove Public Permissions

  Policy Templates:
  • RDS Cluster Snapshot with Public Permissions
  • RDS Snapshot with Public Permissions

  Permissions Required:
  • "rds:DescribeDBClusterSnapshotAttributes"
  • "rds:DescribeDBSnapshots"
  • "rds:DescribeDBClusterSnapshots"
  • "rds:ModifyDBClusterSnapshotAttribute"
  • "rds:ModifyDBSnapshotAttribute"
  • "rds:DescribeDBSnapshotAttributes"

Remove Public Read Access

  Policy Templates:
  • World Readable S3 Buckets

  Permissions Required:
  • "s3:PutBucketAcl"

Remove Unrestricted Access

  Policy Templates:
  • Unrestricted CIFS Access
  • Unrestricted DNS Access
  • Unrestricted FTP Access
  • Unrestricted MongoDB Access
  • Unrestricted MSSQL Access
  • Unrestricted MSSQL Database Access (UDP)
  • Unrestricted MySQL Access
  • Unrestricted NetBIOS Access
  • Unrestricted Oracle Database Access
  • Unrestricted PostgreSQL Access
  • Unrestricted Remote Desktop Access
  • Unrestricted RPC Access
  • Unrestricted SMTP Access
  • Unrestricted SSH Access
  • Unrestricted Telnet Access
  • Unrestricted VNC Listener Access
  • Unrestricted VNC Server Access

  Permissions Required:
  • "ec2:RevokeSecurityGroupIngress"
  • "ec2:DescribeSecurityGroups"

Scan Unsecured Resources

  Policy Templates:
  • Publicly Writable S3 Buckets
  • Unrestricted Access to S3 Bucket
  • World Readable S3 Buckets

  Permissions Required:
  • "iam:ListPolicies"
  • "iam:GetPolicyVersion"
  • "s3:GetObjectAcl"
  • "s3:GetObject"
  • "iam:GetPolicy"
  • "s3:ListAllMyBuckets"
  • "iam:ListAttachedRolePolicies"
  • "s3:ListBucket"
  • "iam:ListRolePolicies"
  • "iam:GetRolePolicy"
  • "cloudtrail:DescribeTrails"

Send to SNS Topic

  Policy Templates:
  • All AWS policy templates

  Permissions Required:
  • "sns:Publish"
  • "sns:GetTopicAttributes"
  • "sns:ListTopics"

Send to SQS Queue

  Policy Templates:
  • All AWS policy templates

  Permissions Required:
  • "sqs:ListQueues"
  • "sqs:GetQueueUrl"
  • "sqs:SendMessageBatch"
  • "sqs:SendMessage"
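As an added example (not McAfee's code and not part of the original page), the Python below checks an IAM policy document against the permissions listed above and reports, per remediation action, which required actions are not allowed or are explicitly denied. The function names and the sample policy are assumptions constructed for illustration; Resource and Condition elements are not evaluated, and Email Notification is left out because the page lists no permissions for it.

```python
import fnmatch

# Required permissions per remediation action, copied from the list on this page.
REQUIRED = {
    "Enable AES 256 Encryption": "s3:PutEncryptionConfiguration",
    "Remove Public Permissions": "rds:DescribeDBClusterSnapshotAttributes rds:DescribeDBSnapshots "
        "rds:DescribeDBClusterSnapshots rds:ModifyDBClusterSnapshotAttribute "
        "rds:ModifyDBSnapshotAttribute rds:DescribeDBSnapshotAttributes",
    "Remove Public Read Access": "s3:PutBucketAcl",
    "Remove Unrestricted Access": "ec2:RevokeSecurityGroupIngress ec2:DescribeSecurityGroups",
    "Scan Unsecured Resources": "iam:ListPolicies iam:GetPolicyVersion s3:GetObjectAcl s3:GetObject "
        "iam:GetPolicy s3:ListAllMyBuckets iam:ListAttachedRolePolicies s3:ListBucket "
        "iam:ListRolePolicies iam:GetRolePolicy cloudtrail:DescribeTrails",
    "Send to SNS Topic": "sns:Publish sns:GetTopicAttributes sns:ListTopics",
    "Send to SQS Queue": "sqs:ListQueues sqs:GetQueueUrl sqs:SendMessageBatch sqs:SendMessage",
}

def as_list(value):
    """IAM accepts a bare string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def patterns(policy, effect):
    """Lower-cased Action patterns from statements with the given Effect."""
    found = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == effect and "Action" in stmt:
            found += [a.lower() for a in as_list(stmt["Action"])]
    return found

def matches(action, pats):
    """IAM action names are case-insensitive and may use * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in pats)

def missing_permissions(policy, responses):
    """Per response, the required actions that are not allowed or are explicitly denied."""
    allow, deny = patterns(policy, "Allow"), patterns(policy, "Deny")
    gaps = {n: [a for a in REQUIRED[n].split() if matches(a, deny) or not matches(a, allow)]
            for n in responses}
    return {n: lacking for n, lacking in gaps.items() if lacking}

# Constructed sample policy (assumption), not taken from a real account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Put*", "rds:Describe*", "EC2:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:Revoke*", "Resource": "*"}]}

if __name__ == "__main__":
    print(missing_permissions(SAMPLE_POLICY, REQUIRED))
```

Because a Deny is matched without looking at its Resource or Condition, a narrowly scoped Deny is reported as a gap; treat the output as a list of items to review rather than a full policy evaluation.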

Setting up Auto-Remediation

Auto-Remediation can be added to any AWS policy. Changes are not applied retroactively.

To add an auto-remediation response:

  1. Choose Policy > Configuration Audit.
  2. Choose Edit for the affected policy. It is under the Actions column, to the right of the policy you'd like to customize.
  3. From the Responses section, select Edit.
  4. On the screen that appears, select Add, then press the Next button.
  5. Select the response from the drop-down list, then select Next.
  6. Verify that your desired response is shown in the Response section, then select Done.