Legacy: Remediation
Sophos Cloud Optix can remediate issues related to S3 buckets, security groups, and IAM password policies, in AWS environments.
This feature helps with administration and management. For example, you can delete unused security groups, or make sure your S3 buckets conform to your policies.
To use remediation, you must first grant Sophos Cloud Optix specific write access permissions to your environments. Then turn on automatic or manual remediation.
You can also use webhooks for remediation. Webhooks pass information about Sophos Cloud Optix alerts to your own systems.
Create the remediation role
This section tells you how to create the role needed before you can use remediation.
By default, Sophos Cloud Optix uses read-only permissions that are set up when you add AWS environments.
If you want to use remediation, you must run an additional script first, to provide specific write access permissions to your environment.
After you’ve added an AWS environment, do as follows:
The script creates a remediation role with the following permissions:
- s3:GetBucketAcl
- s3:PutBucketAcl
- s3:GetBucketPolicy
- s3:PutBucketPolicy
- s3:PutEncryptionConfiguration
- iam:GetAccountPasswordPolicy
- iam:UpdateAccountPasswordPolicy
- cloudtrail:UpdateTrail
- ec2:DeleteSecurityGroup
- ec2:DescribeSecurityGroups
- ec2:RevokeSecurityGroupIngress
Automatic remediation
To turn on automatic remediation for a policy, do as follows:
- Go to Policies.
- Find the policy where you want to turn on remediation. Click Customize.
- In the list of rules, there’s a Guardrail column. If the Guardrail option is shown next to a rule, click it to turn on automatic remediation for that rule.
The changes take effect the next time Sophos Cloud Optix performs a scan.
Manual remediation
To manually remediate an issue from an alert, do as follows:
You get a pop-up message about the success or failure of remediation.
Which issues can you remediate?
Sophos Cloud Optix supports remediation for the following rules.
Check IAM Password Policy requirements as follows:
- Contains at least one uppercase letter.
- Contains at least one lowercase letter.
- Contains at least one symbol.
- Contains at least one number.
- Minimum length of at least 14 characters.
- Password reuse prevented.
- Password expiry in at least 90 days.
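The password policy rules above, as an added example that is not Sophos code: it evaluates an account password policy in the shape boto3's `iam.get_account_password_policy()["PasswordPolicy"]` returns and builds the arguments for `iam.update_account_password_policy()` that bring it into line. The 90-day threshold reading of the expiry rule and the reuse-history value of 24 are assumptions, as is the constructed sample policy.

```python
from typing import Dict, List, Tuple

# Assumptions (not from the page): the expiry rule is read CIS-style as
# "MaxPasswordAge set and <= 90 days", and reuse history is set to 24.
MIN_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90
REUSE_HISTORY = 24

# Boolean rules from the page, keyed by the PasswordPolicy field they map to.
BOOLEAN_RULES: List[Tuple[str, str]] = [
    ("Contains at least one uppercase letter", "RequireUppercaseCharacters"),
    ("Contains at least one lowercase letter", "RequireLowercaseCharacters"),
    ("Contains at least one symbol", "RequireSymbols"),
    ("Contains at least one number", "RequireNumbers"),
]

# Constructed sample of a weak account policy, in Get's response shape.
SAMPLE_WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                      "RequireLowercaseCharacters": False, "RequireSymbols": False,
                      "RequireNumbers": True, "AllowUsersToChangePassword": True,
                      "ExpirePasswords": False}


def evaluate(policy: Dict) -> List[str]:
    """Return the rules the policy fails; pass {} when the account has no
    policy at all (get_account_password_policy raises NoSuchEntity then)."""
    failures = [rule for rule, key in BOOLEAN_RULES if policy.get(key) is not True]
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        failures.append("Minimum length of at least 14 characters")
    if not policy.get("PasswordReusePrevention"):
        failures.append("Password reuse prevented")
    age = policy.get("MaxPasswordAge")
    if age is None or age > MAX_PASSWORD_AGE_DAYS:
        failures.append("Password expiry")
    return failures


def remediation_update(policy: Dict) -> Dict:
    """Build kwargs for iam.update_account_password_policy(**kwargs). That call
    replaces the whole policy (omitted fields revert to AWS defaults), so the
    settings that already comply are carried over rather than dropped."""
    # ExpirePasswords is reported by Get but is not an Update parameter.
    update = {k: v for k, v in policy.items() if k != "ExpirePasswords"}
    for _rule, key in BOOLEAN_RULES:
        update[key] = True
    update["MinimumPasswordLength"] = max(policy.get("MinimumPasswordLength", 0), MIN_LENGTH)
    update["PasswordReusePrevention"] = policy.get("PasswordReusePrevention") or REUSE_HISTORY
    age = policy.get("MaxPasswordAge")
    update["MaxPasswordAge"] = age if age and age <= MAX_PASSWORD_AGE_DAYS else MAX_PASSWORD_AGE_DAYS
    return update
```

Because the update call is a full replacement, run `evaluate(remediation_update(current))` before applying it to confirm nothing compliant was lost.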
The S3 Bucket Encryption and Public Read/Write Permission requirements are as follows:
- Encryption turned on.
- Public read/list permission not allowed.
- Public read/list bucket ACL permissions not allowed.
- Public write permission not allowed.
- Public write bucket ACL permissions not allowed.
Check Incident Management rules as follows:
- Ensure a support role has been created to manage incidents with AWS Support.
Check Sophos Cloud Optix best practice rules as follows:
- Flag resources that have a public IP and a security group allowing ingress from any source on any port.